UK police workshop and paper on data retention
On Monday 5 and Tuesday 6 September the UK presidency tried its best to convince member of the European Parliament to give up their resistance against mandatory data retention. On Monday the parliamentary committee on civil liberties was addressed by the UK chairman of the criminal matters working group, Simon Watkin and by the London police special operations veteran David Johnson. Watkin made it clear the Council would continue to work on its proposal, ignoring all the legal advices that only the European Commission is qualified to propose data retention, with full co-decision rights from the European Parliament.
Johnson gave the committee several examples how GSM traffic data were used to solve murders and kidnappings. He saw it fit to also present pictures of a burned body. Funnily, at the end of his presentation, he showed a copy of the EDRI petition website, with the 3 objections that data retention is invasive, illegitimate and illusory. "Do these claims really stand up to scrutiny?" asked Johnson, in stead of asking himself if his own claims about the usefulness of data retention could really stand up to any scrutiny.
While Watkin promised the indignant MEPs that the UK Presidency would present a major new study into the effectiveness and viability of the measures the next day, the disappointment was enormous when the UK presidency paper was finally released. In stead of scientific research into the need and benefits of data retention in Europe, as urgently requested by the LIBE members, the paper is a thin narrative with some emotional examples of the use of traffic data in police investigations. The only seemingly good news from a privacy perspective is the fact that the UK is now limiting its demand to a maximum of 12 months and excludes all internet data, except for login/logoff access data. The extreme danger of this approach is the proposed flexibility in upgrading the retention requirements every instant, without any democratic control.
The study mentions 4 examples of the use of traffic data, all of which seem to fall within a 3 months framework. All these data should thus have been available by the telephony companies for their own purposes irrespective of any law on data retention.
"In Sweden, a bomb threat was made to police by e-mail that a bomb had been placed at Stockholm Central Station. Using logs of the allocation of IP addresses retained by an Internet Service Provider, the source of the e-mail was traced to a public library in Stockholm. The library staff was able to provide information to the police that enabled the identification of the offender."
EDRI cannot help but wonder how long after the threat the request was made for the logs. Secondly, the current proposals do not require the identification of the users of public Internet terminals; will that be introduced later?
"In the UK a suspect was eliminated from a murder investigation with unsuccessful call data. He gave evidence that he did not know the victim was dead and had, in fact been, calling her all day. His mobile phone call records showed no calls to the victim (because no calls to her had incurred a charge). The mobile phone company did not keep a record of connected-unanswered calls. However because calls from a mobile to a landline will pass via the cheapest route, they can be present on another provider’s interconnectivity records, which incur a charge (from one provider to another) and thus a record is generated. Communications data evidence showed 27 connected-unanswered calls between the suspects' mobile and the victim's landline, corroborating the man's explanation and eliminating him from enquiries."
Again EDRI wonders how long after the murder these data were requested? How long would interconnect records be kept for standard business purposes?
Thirdly, the paper mentions a series of burglaries in 2002 in a city in the UK. "Mobile phone data was obtained which proved links between the offences. Because data from the time of the earliest burglaries had been deleted evidence of the full extent of the criminality was lost."
But this only points to the fact that retained data might have provided a small additional amount of evidence, but not helped in solving the crimes.
And the fourth example is equally unconvincing: "The family reported the ransom to police in Ghana who contacted the UK police. The UK and Dutch authorities co-operated with the investigation. After four days there had been no contact from the hostage for more than 24 hours and the UK police were contacted to help identify the hostage's London contact." Would more than four days of data retention have been required in this case?
Finally, the paper refers to "A recent study of the requirements for disclosure of data made by the police in the UK established that the majority of data required (85%) was less than six months old. However, where data between 7 and 12 months old was required, it was used to investigate the most serious crimes, mostly murder."
If this research was made public, it would be interesting to see how many cases it included, and in how many of those cases the disclosure of data lead to identification of the perpetrator. But the Presidencypaper contains no footnotes or other references to controllable sources.
Adding to the immense concern about civil liberties, half of the paper is devoted to other law enforcement demands related to biometrics, passenger name data and camera surveillance.
UK Presidency paper on data retention
Data-retention moves worry MEPs (06.09.2005)
(Thanks to Ian Brown, EDRI board member)