23. Surveillance and data retention

- 23.1. Methods of technical surveillance
- 23.2. Dataveillance
- 23.3. Managing the impacts of surveillance
- 23.4. Data Retention

Surveillance has been practised within society for millennia. Sun Tsu’s text, The Art of War, written in the Fifth Century BC, contains details about surveillance and the ‘use of spies’.¹
Over the past century the technology of surveillance has become increasingly more advanced, as have the means of avoiding and counteracting it.

There are two general types of surveillance: direct and indirect. The main difference between them is that direct surveillance can give you an idea of what a person or organisation is doing now, and by good analysis, what they intend to do in the future. Indirect surveillance only gives access to the past, via the information we generate every day, and so any inferences on what a person may be doing today or in the future are prone to error.

There are various forms of direct surveillance – such as telephone intercepts, bugging, and tracking the movements of people – each involving a different level of contact with the subject under surveillance. The more ‘direct’ the surveillance is, the more it costs.

Indirect surveillance usually involves no contact between the agent and the subject of surveillance. Instead it seeks to trace the evidence of activities. The use of electronic communications has aided the development of indirect surveillance. The retention of the data produced by communications systems has emerged as a new and powerful form of indirect surveillance. ‘Dataveillance’ – the use of personal information to monitor a person’s activities – is a powerful means of monitoring the activities of an individual. What ‘data retention’ – the storage and use of information from communication systems – adds is the ability to map the interaction of groups of people as they communicate.

Computers have allowed the expansion of indirect surveillance because they can carry out a lot of work sifting information with minimal supervision. The impact of this process may also be to create so much information that the important facts are buried under a pile of other, less relevant information. The trade-off in the process of technological surveillance is that the information gathered is often not as good or as accurate as the old-fashioned human-based surveillance, carried out close to the subject. Often the information will be inaccurate, or out of the context in which it was gathered, and so may be interpreted wrongly.

There is very little that can be done to prevent surveillance – especially where it is carried out by the state. What can be done is to change your methods of working to make surveillance more difficult, or futile. This is called ‘counter-surveillance’, or in relation to computers and electronic communications, ‘information security’. These procedures aim to minimise the disclosure of information to anyone monitoring your activities.

Counter-surveillance is the use of methods and technologies that create niches of privacy within our work. You should not seek to avoid surveillance for issues that have no sensitivity – to evade all surveillance may make you a greater target for surveillance as the state may consider your activities ‘suspicious’. This of course assumes that sensitive work only constitutes a minor part of your work. If the sensitive parts of your work comprise a large part of your everyday workload, it would be more difficult to hide those activities within the patterns of your everyday life.

Information security aims to protect equipment with security procedures and barriers. When dealing with sensitive information, you should avoid generating any kind of documentation or opportunities that would facilitate surveillance. As governments begin to use communications and transactions data as a significant part of their effort to monitor the activities of their citizens, private communication is becoming harder to guarantee.

23.1. Methods of technical surveillance

Traditionally, the state has sought to intercept communications as a means of discovering the plans of individuals or groups. Although this process may be managed differently from state to state, in general there should be some form of judicial oversight or warrant to allow the interception of private communications. However, types of surveillance that do not involve intrusion into the privacy of communication do not always need judicial control. Controls over the intrusion into private communications have been further weakened as part of ‘the war on terrorism’, where the state may intrude into communications where under the guise of concerns about terrorist or criminal activity. The most significant of these is the use of communications data held by telecommunications companies or Internet service providers.

Telephone communications

For many working with information and communication technology, interception within the postal system is probably the least problematic. Almost every country that licenses postal or courier services including within the licensing process clauses on the interception of mail. The interception of telephone communications is more problematic. Intercepting mail requires the physical confiscation and opening of the mail, whereas a telephone intercept only requires that the line be tapped at the telephone exchange, and the information from that tap routed on another phone line to the surveillance operative.

The interception of telephone traffic has become more sophisticated in recent years. Forty years ago each telephone tap had to be monitored by an operative placed at each telephone exchange the call was routed through. Today, because all major exchanges are digital, the telephone traffic can be monitored by a computer. Instead of requiring manual connections, telephone taps can be set up changing the route your telephone calls take. The call can then be copied, and the copy routed to the agency that monitors phone calls for the state. Other features, such as ‘caller ID’ (where the number of the person calling is sent down the line and displayed), make it easier for the source of telephone calls to be discovered instantly.

The ability of digital exchanges to produce itemised bills for customers is also an indication of the level of information that can be produced for surveillance operatives. In many states, the use of this ‘communications information’, rather than the content of the telephone call itself, is not controlled under the same stringent legal procedures. This means that surveillance agencies are able to use billing data from phone companies, and any other organisation that keeps itemised information about your life, with far less controls than if they used direct tapping of your communications. Although this information does not contain the content of a particular action or communication, by merging information from a number of people’s billing records it is possible to determine relationships and habits between individuals that can disclose equally valuable information.

The media image of phone tapping is that of a surveillance operative with a bank of reel-to-reel tape recorders. These, like the telephone systems, have been replaced by digital systems. The latest telephone surveillance systems sort the faxes from the telephone calls from the computer data (and store the faxes/computer data for later investigation). They also listen for keywords within the telephone conversation, or the presence of a certain person’s voice on the line, and flag that particular call for analysis by a human operative. This increases the number of telephone taps that may be run by a single surveillance operative, making it easier to tap more lines.

The internet

The interception of Internet traffic is technically more problematic. Unless the interception can be fixed at the point where the person accesses the internet (their phone line or network connection), it is not possible to gather the information sent or received by one individual. This is because the communication is split into small ‘packets’ of data, and these may be routed by different communications channels. For this reason monitoring the Internet has preoccupied a number of states for the last decade. Their answer is, in short, to monitor everything and compile the ‘communications data’ gathered from this process for later use.

Tracing ‘Net usage involves the lowest level of Internet identification – IP addresses. Most internet systems, such as email servers, log additional data. Most email servers log the ‘header’ information of the emails they relay. At a minimum, which address the email has come from, which address it is going to, and the date and time. This pro-vides an even shorter route to finding the source, as an email address can be associated with a user account directly. From the service provider’s records, this then translates to a real identity. This identity may be uncovered simply by searching on-line for the user’s real name. Even if the source address of the email is forged or ‘spoofed’, the email server will still log the IP address of the machine it was sent from – so it can still be tracked back.

Mobile phones

It is also possible to track people’s physical location using wireless communication devices such as mobile phones or wireless computer networks. Mobile phones stay in constant communication (unless switched off) with their network’s nearest base station. Knowing the location of this base station gives a rough geographical location. But it is also possible for the telephone system operator to gather data from other base stations to track the phone’s position.

As well as recording which base station the phone is near to, most phone systems record a ‘signal to noise ratio’ (SNR) – a measure of how strong the signal from the phone is – for the signal to adjacent base stations. By getting the SNR from base stations near to the phone (which can be done in near real time with the co-opera-tion of the telephone operator) it is possible to estimate the position of the phone between the stations quite accurately. The more base stations there are, and the closer together they are, the more accurately the position of the phone can be determined. In rural areas base stations may be 5km or 10km apart. In urban areas, separation may only be a few kilometres, and much less in built-up cities. This means that a person’s position can easily be determined to within a few tens of metres in an urban area, or slightly more in a rural area.

The new ‘Third Generation’ (3G) mobile phones have a smaller separation distance between base stations. It is also proposed that 3G phones will use tracking routinely as part of the operation of the system. Not only to find a person’s location, but also to identify the location of phone numbers (public services, advertising information, etc.) for users. This will mean that more information about a person’s location at a specific date and time will be routinely generated and passed on to others. How states handle the security and privacy of this information will determine whether the 3G mobile phone will become a liability to personal privacy over the next few years. If communications and privacy regulators seek to protect this information as they do with other personal data, only official uses of this information will be possible. But if the data is poorly controlled, the collection or disclosure of this information could be used as a means of invading private life. It could also leave a person open to various types of fraud or crime because those directing the individual will know where the person is located.

In the future, as access from devices such as digital telephones and TVs, or 3G mobile phones becomes more widespread, accounts will be authenticated as belonging to a single person who owns that device. This trend for user authentication is at the forefront of many IT developments because it will enable the greater use of pay-per-use or subscription services on-line. It is enabled by systems such as Microsoft’s ‘.Net’ (‘dot-Net’) standard, which aim to build secure user authentication into networked systems. This uses a unique on-line ‘passport’, held by a verification server, to verify the identity of the individual as part of on-line transactions. But at the same time, it provides traceability, and a consequent reduction in anonymity, in a way similar to the way credit card transactions can be easily traced to a particular card holder.

Computers

Computers, and information systems in general, present various opportunities for surveillance. This is because they are technical systems that operate largely beyond the understanding of their user. An emerging new field is ‘spyware’ – computer software that is intended to collect information about a person’s use of information systems. In addition, companies that specialise in ‘computer security’ systems are producing software applications that are able to interrogate a computer and retrieve information, passwords, and even deleted files.

Many computer systems routinely log information when they are used. Other programs, such as web browsers or word processors, log information relating to the use of the program, the files looked at, and the identity of those accessing or modifying files. These logs can be extracted if someone has access to the computer, and are a critical source of information in the field of ‘computer forensics’.

The development of computer software that is specifically intended to spy on computer users represents a serious risk to privacy. Even where logging facilities do not exist on a computer, logging programs can be installed to monitor specific uses of the computer. These can collect information on the keys that are typed by the user, or the email or Internet addresses that are contacted. The program then stores the information for later retrieval, or the information could be emailed out covertly when users check their email. An example of this type of software is the US Federal Bureau of Investigations (FBI) ‘Magic Lantern’ program.²
This was designed to find its way into certain computer systems and send back details about the content of the computer, account passwords and encryption keys. Controversy was aroused when the FBI attempted to conclude an agreement with anti-virus system writers to make sure their virus programs ignored the Magic Lantern program when it had installed itself on someone’s computer.

One routine means of collecting information as part of the surveillance process is collecting people’s rubbish. Important information is routinely thrown away by many people. For users of information systems, what is thrown away may also disclose information about security procedures, and even large quantities of sensitive data. For example, throwing away old floppy disks, CDs, even if they do not appear to work, can disclose important information to those with the ability to read corrupted or damaged storage media.

23.2. Dataveillance

Whilst people may fear high-tech electronic surveillance, often what betrays information the most is human nature: mistakes, forgetfulness, or unintended disclosure. Indirect surveillance techniques, which study the information we generate as part of our everyday activities, are good at picking these up.

The significant process within indirect surveillance is the finding of audit trails or documentation trails. Before the widespread use of data processing this was a cumbersome business as paper had to be shuffled. Today, with so much information being digitised, and even sold in bulk by governments and corporations, the process has be-come far simpler. For this reason, indirect surveillance that concentrates on the use of digital information has be-come known as ‘dataveillance’.

To organise any information you must have an index or ‘key’. The key which everyone possesses is their name. But this key is not unique. Other people within a large town, and almost certainly within a country, will share that name. For this reason it is necessary to qualify the ‘name’ key with other identifiers, for example, an address, national identity or social security number, or credit card number. By increasing the number of additional key values that we group together we increase the likelihood that the surveillance subject, and only the surveillance subject, will be identified.

The state, via its security organisations or the police, is able to officially access large quantities of digital information. This can be done via state agencies, such as tax or social security agencies, or by the use of legal powers to obtain information from organisations that hold data about you, such as phone companies or banks. Depending on the nature of the ‘offence’ that you are being investigated for, the police and other agencies may also have access to legal powers to intercept direct communications and even enter a building to obtain additional information to enhance their analysis.

What this process produces is a ‘data profile’ – a set of information that relates to a person and describes his/her life, work, acquaintances, personal preferences and personal habits. More usefully, by merging information or ‘data matching’, using the information on more than one subject, it is possible to ‘map’ the interaction of a number of people. This may disclose further useful information, such as how an organisation relates to its supporters. Combining information that gives geographic data, such as the locations of purchases, or mobile phone tracking data, it is also possible to show patterns of collective activity, such as meetings, or travel to a particular location.

23.3. Managing the impacts of surveillance

For information-based surveillance techniques to work well there are certain pre-requisites:

• Information must be logged and stored, or routed in such as way as to make it available to those carrying out surveillance.
• Any encryption or technical encoding/compression must be susceptible to circumvention by those carrying out surveillance.
• Information must be identifiable with a unique, personalised key, or machine addresses, so the information may be tracked back to the people involved.
• For reliability, the surveillance process must work within the operation framework of the system supporting it so that it cannot be avoided or circumvented by the user.

When evaluating the surveillance potential of legislative proposals, or of technological innovations, we can use these three conditions as a guide. Conversely, any system that achieves the opposite of these conditions will lessen the impacts of surveillance.

For example, the greatest damage to civil liberties would be the ‘cashless society’, where every transaction had to be paid for with a credit or debit card. This is because cash, except for the larger value bank notes, is an anonymous form of payment. But in the cashless society, every payment made would be open to scrutiny. Likewise, if everyone across the globe would have a unique on-line identity that, like a passport or bank account, required verification before use, all anonymity on the ‘Net would be lost. What enables privacy and anonymity generally on the Internet is that a person need not prove their identity in order to gain access to the network. They need only produce a user name and password that satisfies access to a particular user account.

These examples may seem extreme, but in the virtual world there are already well-advanced projects to implement such systems on-line. The next generation of Microsoft operating systems will begin to implement ‘trusted computing platform’ controls. These protect intellectual property rights by monitoring the status of information on a system, and what is being done to it. However, the unique identifiers that will have to be applied to all files, based upon the registration of the software that generated them, will mean that information may be easily traced to its source.³
Also, the development of on-line e-commerce systems around the ‘dot Net’ model, where people use an on-line identity to verify access to sites or for payments (in place of a credit card number or password), means that the ability to track activity on-line will be enhanced.

The extension of intellectual property controls generally has a negative impact on privacy and security. It is more difficult to verify that the programs you use do not contain unknown data logging systems or ‘back doors’ that give access to password protected or encrypted data. If someone attempts to reverse-engineer the program in order to reveal such flaws, they could be prosecuted for damage to the developer’s intellectual property.

There are many applications in use on the ‘Net today that contain some form of user monitoring and reporting facility.⁴
Some of these involve the use of the program ‘ spyware’. Others are used as a means of targeting the user with adverts – ‘adware’. Program developers include these systems, particularly adware features, as a means of obtaining extra revenue from the use of their applications. Many widely used programs, such as Real Player, AOL Instant Messaging and Kazaa, contain these systems.

Unless you install the program on your system, most of these spyware and adware programs use the ‘cookies’ facility in the web browser to store data on your computer, to enable tracking of your activities on-line. ‘Cookies’ enable a web site to store information about your use or preferences on the site so that the server can personalise your access to the site when you next return. But they also allow tracking of an individual’s on-line activity, and thus can be used as a unique identifier available to web advertising agencies and others to follow you on-line. For this reason they are being restricted and controlled informally (the W3C Consortium’s ‘Platform for Privacy Preferences’ system), or formally (the recent proposals by the European Union to legislate against the use of cookies).

The alternative is of course, where possible, to use free software on computer systems. The fact that the computer source code is open means that it is far harder to hide ‘spyware’ within the code of a computer program. Those concerned with the impact of surveillance on their use of information systems should seek to change their patterns of use to make surveillance more difficult.⁵
However, increasingly the ‘intelligent appliances’ that we use, such as mobile phone or personal organisers, have their software sealed inside. So using open source alternatives to proprietary systems can only work up to a point. But wise use of these appliances, such as consciously switching off your mobile phone before going to sensitive meetings, can minimise the surveillance potential of these devices.

23.4. Data Retention

Most individuals and small organisations connect to the ‘Net via a ‘network connectivity provider’. This could be your local telephone company, your place of work, or a private Internet service provider. This provides you with access to the network via a local phone number. It also, although most people do not realise it, connects you via the local telephone exchange to the internet as part of the ‘domain’ of your service provider. Like your own name and telephone number, this provides you with a unique identity on the internet. Not everyone can have a address
– there are not enough to go around. Instead you will beallocated a number on the machine that logs you onto the Internet. This machine then relays the information between you and the internet.

Now that your computer has the IP number of the service you require, you make direct contact to that server via the Internet. Nearly all internet services – web, email, chat, file transfer – log the IP address of the communications they receive. This means that if someone can access the log data for a particular server, they are able to create a list of who accessed that server and when. The first stage of finding who accessed that server is to track back the IP address of the packet. This will take them to the server that logged you onto the internet. This may be your service provider’s server, or it may be another server that your service provider uses to provide local network access. Either way, there will be a log there that indicates the identity of the user account that logged onto the network with that IP address at that time. Using the local network identity, or the user account identity, it is then possible to match a user’s real name to their login account. If this account was at a cybercafé or university, if someone paid for the session using some sort of credit or debit card, it may also be possible to trace the person from the payment details attached to that period of usage. For further confirmation, the billing information kept by the phone company will also confirm that at that time and date that a person used the phone to connect to the Internet.

Even before the September 11th terrorist attacks, many states were drafting or introducing laws that enabled technological surveillance to take place within new digital information systems. For example, in the USA the Communications and Law Enforcement Act 1995 requires that manufacturers of telecommunications equipment get approval, to ensure they comply with tapping or surveillance requirements, before a new product is sold. Many of these new laws relate to the information or ‘communications data’ that digital systems generate. It is claimed that these systems do not represent the development of a ‘Big Brother’ state because access was not being granted to the content of communications. This misrepresents the impact of these new surveillance systems. The automated nature of these systems means that far more people can be monitored than was previously possible with humanbased systems.

Mandating data retention
Most communications network operators would not wish to keep large quantities of data about the operation of their systems. In some countries, such as European Union states, it creates legal liabilities because of data protection laws. In general, keeping this information is a time consuming, resource hungry and costly operation. For this reasons some states are now legislating to make data retention a legal obligation of the operators of electronic networks.

Keeping logs on a server costs money. It uses up some of the server’s processing capacity and disk space. If the logs have to be kept for a period of time, it will also be necessary to back-up these logs to some sort of storage media and store them securely for that period. To date, one of the principal obstacles to implementing the retention of log data has not been civil liberties, but cost. Internet service providers have been concerned that proposals to monitor network traffic would place high costs upon their businesses.

The other problem for governments has been how to handle this data. The traffic data produced by the telephone system is huge, including millions of numbers, each logging many outgoing calls every day. This may be dwarfed by the potential data harvest from electronic networks, including logs from internet service providers, email servers, web servers, and other sources such as the log information provided via the data retention systems of other states. For example, the Cybercrime Convention defines ‘traffic data’ as:

• a code indicating a network, equipment or individual number or account, or similar identifying designator, transmitted to or from any designated point in the chain of communication;

• information on the time, date, size, and duration of a communication;

• in any mode of transmission (including but not limited to mobile transmissions), any information indicating the physical location to or from which a communication is transmitted.

On top of this, other data streams are likely to be added. For example, in the USA, it is proposed that the ‘Total Information Awareness’ (TIA) programme (recently renamed the ‘Terrorist Information Awareness’ programme) will add data from sources such as public lending libraries, credit card transactions, ATM withdrawals or even seat reservations on aircraft in order to try and link geographical references to communications traffic.

The problem is that none of this data can be isolated to concentrate on a few individuals. Unless the state instructs a service provider to specifically tap the connection of a particular person, the data retained by a server operator must be collected for all users. That is a lot of data to store. The fact that people other than the principal targets of surveillance are included increases the probability that their privacy may be damaged as part of the retention and processing of communications data.

The UK was one of the first countries in the world to require the widespread monitoring of all network traffic. In the UK, the retention of log data by the government was under discussion in the mid-1990s. Initially, discussion within the police and security services assumed that it would be possible to limit monitoring to a few individuals. But when that was clearly not possible, the proposals were soon expanded to allow for the tapping of all network traffic. This was originally conceived as a ‘black box’ working inside every internet service provider’s machine. The proposals were later modified, taking advantage of the fact that most service providers are connected directly to one of the large telecommunications networks. For this reason, the proposals now target ‘upstream providers’, and the larger internet services, in order to reduce the number of locations that will have to log all traffic data.

The law that required the disclosure of traffic data in the UK, The Regulation of Investigatory Powers (RIP) Act 2000, was enacted almost a year before the attack on the Twin Towers and the launch of the ‘war on terrorism’. However, there were some gaps in this law. It required logs to be turned over, but did not explicitly require that they be kept. For this reason the proposals were updated in The Anti-Terrorism, Crime and Security Act 2001. In addition to requiring the operators of electronic networks to set up ‘interception capabilities’ on request, the RIP Act also sets up a ‘technical advisory body’ to advise the government. Its job is to assess the current technical capabilities for the collection of data, and the interception of communications, and to look for means to implement these as part of interception requests that government may issue to individual network operators. But recent difficulties have made its future uncertain.

Due to its pioneering steps in trying to develop data retention nationally, the UK has been one of the lead states in developing international systems for data retention. ⁶
The key agreement to date has been the Council of Europe’s Cybercrime Convention.⁷
The Cybercrime Convention requires that states take measures to preserve the data produced by electronic systems, such as telephone networks and the internet. States can then make requests to other signatories of the Cybercrime Convention to access data relating to the activities of certain individuals or groups resident in that state.

Other states are also seeking to develop their own systems to intercept and process communications information, as well as information from other sources. Perhaps the most high-profile of these at the moment is the proposal for a ‘Total Information Awareness’ (TIA) system in the USA.⁸
The original proposal in the USA, at the end of the 1990s, was a smaller system called ‘Carnivore’.⁹
This would have monitored the communications of certain ‘suspect’ individuals, groups or web sites. There was much debate over the legitimacy and legality of the Carnivore system. Following the September 11th 2001 attacks, the legal basis for mass surveillance has changed – hence the reason why the TIA system is able to do much more.

In many states in the developed world,¹⁰
after the September 11th attacks new legislation that broadened the surveillance powers of the state was introduced, using the attacks to silence dissent about the impact of these powers. These kinds of sweeping surveillance systems are not perfect, and This means that errors in the analysis provided by these systems are likely to crop up on a regular basis, leading to the potential for serious miscarriages of justice to take place.

What these new powers have introduced is a means whereby the state is able to conduct detailed indirect surveillance of the entire population. The problem is that the systems that enable this, and more importantly the information they relay on, are imperfect. Errors in the analysis of the data provided by these systems can lead to serious miscarriages of justice.

Carnivore campaigns The first anti-Carnivore campaigns simply called for email users to include key words, such as terrorist, bomb, explosive, White House, etc, in their emails, so as to confuse and clog up the classifying programs used in the Carnivore project. Later they became more explicitly political and attempted to influence the US government: “If we want to defeat Carnivore, we need to attack on all fronts. Any of the following steps could take you as little as one minute each to complete, and they will all make a big difference in the strength of our message. If you are able, spend a little extra time writing some comments of your own to send out to the various people below. If not, use our ready-made letters, and make a big difference in under 10 minutes! 1.1. Tell a friend about this site 2.2. Contact the President and Congress 3.3. Send a Letter to the Editor 4.4. Contact John Ashcroft 5.5. Check Your ISP Source: http://stopcarnivore.org/ how_to_stop_carnivore.htm

Problems with data retention
There are many ways in which data can be collected from diverse sources, and then used to create data profiles. This process is also described as ‘data matching’, be-cause it requires the sources of information to be matched around a common set of indexes or ‘keys’. This has the potential to create spurious results from matching different data sources that may lead to serious breaches of civil liberties.

One of the basic assumptions regarding electronic networks is that they are synchronised, and all log transaction data use a common date and time. This is often not the case. In the USA recently, as computer data has be-come an important investigative tool, there have been some miscarriages of justice due to inconsistencies in log data. In one case three young women were wrongly arrested and charged with murder, and spent three weeks in custody.¹¹
The evidence for the charge was that they had been photographed on an ATM machine’s video camera using the cash card of the murder victim.

Time is becoming an increasingly problematic issue within the operation of global electronic networks. Whilst there is a general ‘Universal Time Constant’ in use, there is no international agreement on the precise setting of the clocks that control the global electronic networks. The networks operated by different countries, or by different corporations, may be set to slightly different times. The greatest problem is that many electronic systems do not use one central time reference. They have to be manually updated, and this, due to the human element, does not reliably take place. This in turn results in the sort of error that occurred with the ATM video evidence in the murder investigation described above.

Another problem with collecting traffic data is that the same types of data may not be collected consistently. Errors may be introduced due to inconsistencies in the classifications of certain goods or services, or because of language differences. This can lead to the inclusion of erroneous information as part of data profiles.

Further problems may arise due to errors in the data matching software that excludes some information, or wrongly includes it. As the logging of data is not considered to be a ‘mission critical’ part of the operation of electronic networks, the logging of data may be subject to errors that do not show up in other parts of the system’s operation. In order to take into account the differences in data collection standards the systems developed for data matching may build-in some flexibility in their interpretation of data. This in turn may increase the likelihood that false positives will be produced as part of the process.

Perhaps the greatest challenge to the use of the data collected from monitoring networks is identity theft. At the basic level, an identity could be forged, or a user account or telephone line hacked into, in order to use the service without disclosing the true identity of the user. At a more complex level, if people can obtain sufficient information about an individual, they may be able to steal that person’s electronic identity outright. This practice is already widespread as part of credit card fraud. As networked systems increasingly use individual electronic identities, rather than a user account, to validate access, identity theft may create a new level of abuse. Rather than just defrauding banks and credit card companies, identity theft in the future may be a means of avoiding the interlinked web of monitored networks that data retention is creating.

The problems of false identities, or identity theft, have significant implications for the effectiveness of new surveillance systems. In particular, they strike at the heart of the justification for developing these systems. The groups with the capacity to undertake identity theft are organised criminals and terrorists – precisely the groups these systems are meant to detect. So, in practice, these systems are only fully effective against one particular group in society
– the general public.

If we look a few years ahead, when networking becomes more personalised, tampering with a person’s identity may become a major hazard to personal privacy and civil liberties. Locational data from wireless device, if poorly protected, could be used to target individuals for crime and aid in the execution of a crime, as well as undertake fraud or identity theft in a way that is far harder to trace. The problem with the systems being deployed today is that they are keyed to record data about an individual, or an individual’s access, thereby making fraud or identity theft easier to operate. The alternative, using anonymous systems of authentication, is not welcomed by financial institutions and governments because they do not allow the tracking or auditing of an individual person’s activity from the log of communications data. Anonymous systems of authentication – for example use-once credit card numbers issued by some card companies for use on-line – would make it far harder to obtain sufficient personal identifiers to impersonate or abuse electronic identities on-line.

Reasons why we should oppose dataveillance (summary) 1. People collect, or process information for a purpose. It is the intention of those who collect personal information, or who trade or database it, to create profiles of individuals. Individual users may not necessarily give consent to the use of their personal information for that purpose. 2. The sale of personal information is, for many Internet companies, a major income stream within the operation of Internet services. 3. The suppression of encryption may mean that those who break the law will encrypt anyway. 4. Information gathered in the process of technological surveillance is often not as good or as accurate as the old-fashioned human-based surveillance, carried out close to the subject. Often the information will be i naccurate, or out of the context in which it was gathered, and so may be interpreted wrongly. 5. Types of surveillance that do not involve intrusion into the privacy of communication do not always need judicial control 6. If the data is poorly controlled, the collection or disclosure of this information could be used as a means of invading a person's private life. It could also leave a person open to various types of fraud or crime because those directing the individual will know where the person is, or is not located. 7. 'Cookies' allow tracking of an individual's on-line activity, and so are useful as a unique identifier available to web advertising agencies and others to follow you online. 8.The fact that other people than the principle targets of surveillance are being included increases probability that their privacy may be damaged as part of the retention and processing of communications data. 9. Problems with the accuracy of data collected: -Data collected from different sources has the potential to create spurious results from the matching process, which may lead to serious breaches of civil liberties if the results are acted upon by law enforcement agencies. -The same types of data may not be collected consistently, which can lead to the inclusion of erroneous information as part of data profiles. -The networks operated by different countries, or by different corporations, may be set to slightly different times, which may lead to erroneous conclusions about persons' whereabouts at a certain time. -Another problem with collecting traffic data is that errors may be introduced due to inconsistencies in the classifications of certain goods or services, or because of errors introduced by language differences. This can lead to the inclusion of erroneous information as part of data profiles. 10. Perhaps the greatest challenge to the use of the data collected from monitoring networks is identity theft. Rather than just defrauding banks and credit card companies, identity theft in the future may be a means of avoiding the interlinked web of monitored networks that data retention is creating. 11. The groups who have the capability to routinely undertake identity theft are organised criminals and terrorists - precisely the groups who these systems are meant to detect. So, in practice, these systems are only fully effective against one particular group in the society - the general public.

2 FBI Confirms 'Magic Lantern' Project Exists, Reuters, 12th December 2001.

3 http://www.asp.net, http://www.passport.net/, http://alive.znep.com/~marcs/passport/

4 There are good reports on spyware/adware available online from ZDNet (http://www.zdnet.com/zdnn/stories/news/0,4586,2678941,00.html) and from BBC Online (http://news.bbc.co.uk/1/hi/in_depth/sci_tech/2000/dot_life/2487651.stm) also:http://www.cexx.org/adware.htm, http://www.doxdesk.com/parasite/

5 For a more detailed briefings on counter-surveillance and information security see the Association for Progressive Communications' Participating with Safety briefings at http:// secdocs.net/manual/lp-sec/ These outline the improvements that can be made to computers and working practices to improve security and reduce the effectiveness of surveillance.

6 For a recent review of the UK's influence on European developments see UK Pushes Boundaries of Citizen Surveillance,
The Guardian, 12th June 2002 - http://www.guardian.co.uk/netprivacy/article/0,2763,736011,00.html

7 See http://conventions.coe.int/Treaty/EN/ WhatYouWant.asp?NT=185&CM=1

8 See the archive kept by the Electronic Frontier Foundation for a digest of available information on TIA systems - http://www.eff.org/ Privacy/TIA/

9 The FBI revealed its work on the Carnivore programme in a presentation to Congress in April 2002 - see
http://www.house.gov/judiciary/corn0406.htm

10 For example, see UK Pushed Boundaries of Citizen Surveillance (Guardian, June 12th 2002). For other more detailed reports go to the Electronic Privacy
Information Centre, http://www.epic.org/, and Privacy International, http://www.privacyinternational.org/

11 See http://www.washingtonpost.com/wp-dyn/articles/A19633-2003Jun21.html