23. Surveillance and data retention
- 23.1. Methods of technical surveillance
- 23.2. Dataveillance
- 23.3. Managing the impacts of surveillance
- 23.4. Data Retention
Surveillance has been practised within society for millennia.
Sun Tsu’s text, The Art of War, written in the Fifth Century BC,
contains details about surveillance and the ‘use of spies’.1
Over the past century the technology of surveillance has become
increasingly advanced, as have the means of avoiding and
counteracting it.
There are two general types of surveillance: direct and indirect.
The main difference between them is that direct surveillance
can give you an idea of what a person or organisation is doing
now, and by good analysis, what they intend to do in the future.
Indirect surveillance only gives access to the past, via the
information we generate every day, and so any inferences on what
a person may be doing today or in the future are prone to error.
There are various forms of direct surveillance – such as
telephone intercepts, bugging, and tracking the movements of
people – each involving a different level of contact with
the subject under surveillance. The more ‘direct’ the
surveillance is, the more it costs.
Indirect surveillance usually involves no contact between the
agent and the subject of surveillance. Instead it seeks to trace
the evidence of activities. The use of electronic communications
has aided the development of indirect surveillance. The retention
of the data produced by communications systems has emerged as
a new and powerful form of indirect surveillance. ‘Dataveillance’ – the
use of personal information to monitor a person’s activities – is
a powerful means of monitoring the activities of an individual.
What ‘data retention’ – the storage and use
of information from communication systems – adds is the
ability to map the interaction of groups of people as they communicate.
Computers have allowed the expansion of indirect surveillance
because they can carry out a lot of work sifting information
with minimal supervision. The impact of this process may also
be to create so much information that the important facts are
buried under a pile of other, less relevant information. The
trade-off in the process of technological surveillance is that
the information gathered is often not as good or as accurate
as the old-fashioned human-based surveillance, carried out close
to the subject. Often the information will be inaccurate, or
out of the context in which it was gathered, and so may be interpreted
There is very little that can be done to prevent surveillance – especially
where it is carried out by the state. What can be done is to
change your methods of working to make surveillance more difficult,
or futile. This is called ‘counter-surveillance’,
or in relation to computers and electronic communications, ‘information
security’. These procedures aim to minimise the disclosure
of information to anyone monitoring your activities.
Counter-surveillance is the use of methods and technologies that
create niches of privacy within our work. You should not seek
to avoid surveillance for issues that have no sensitivity – to
evade all surveillance may make you a greater target for surveillance
as the state may consider your activities ‘suspicious’.
This of course assumes that sensitive work only constitutes a
minor part of your work. If the sensitive parts of your work
comprise a large part of your everyday workload, it would be
more difficult to hide those activities within the patterns of
your everyday life.
Information security aims to protect equipment with security
procedures and barriers. When dealing with sensitive information,
you should avoid generating any kind of documentation or opportunities
that would facilitate surveillance. As governments begin to use
communications and transactions data as a significant part of
their effort to monitor the activities of their citizens, private
communication is becoming harder to guarantee.
23.1. Methods of technical surveillance
Traditionally, the state has sought to intercept communications
as a means of discovering the plans of individuals or groups.
Although this process may be managed differently from state
to state, in general there should be some form of judicial
oversight or warrant to allow the interception of private communications.
However, types of surveillance that do not involve intrusion
into the privacy of communication do not always need judicial
control. Controls over the intrusion into private communications
have been further weakened as part of ‘the war on terrorism’,
where the state may intrude into communications under
the guise of concerns about terrorist or criminal activity.
The most significant of these is the use of communications
data held by telecommunications companies or Internet service
For many working with information and communication technology,
interception within the postal system is probably the least
problematic. Almost every country that licenses postal or courier
services includes within the licensing process clauses on
the interception of mail. The interception of telephone communications
is more problematic. Intercepting mail requires the physical
confiscation and opening of the mail, whereas a telephone intercept
only requires that the line be tapped at the telephone exchange,
and the information from that tap routed on another phone line
to the surveillance operative.
The interception of telephone traffic has become more sophisticated
in recent years. Forty years ago each telephone tap had to be
monitored by an operative placed at each telephone exchange the
call was routed through. Today, because all major exchanges are
digital, the telephone traffic can be monitored by a computer.
Instead of requiring manual connections, telephone taps can be
set up by changing the route your telephone calls take. The call
can then be copied, and the copy routed to the agency that monitors
phone calls for the state. Other features, such as ‘caller
ID’ (where the number of the person calling is sent down
the line and displayed), make it easier for the source of telephone
calls to be discovered instantly.
The ability of digital exchanges to produce itemised bills for
customers is also an indication of the level of information that
can be produced for surveillance operatives. In many states,
the use of this ‘communications information’, rather
than the content of the telephone call itself, is not controlled
under the same stringent legal procedures. This means that surveillance
agencies are able to use billing data from phone companies, and
any other organisation that keeps itemised information about
your life, with far fewer controls than if they used direct tapping
of your communications. Although this information does not contain
the content of a particular action or communication, by merging
information from a number of people’s billing records it
is possible to determine relationships and habits between individuals
that can disclose equally valuable information.
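The merging of billing records described above can be shown with a short added example (not part of the original handbook). The rows, telephone numbers and function names are constructed for illustration; no call content is used, only who dialled whom and when.

```python
from collections import Counter, defaultdict
from datetime import datetime

# Constructed itemised-billing rows (no call content):
# (subscriber, number dialled, start time, duration in seconds)
BILLING = [
    ("555-0101", "555-0199", "2003-03-03 18:01", 240),
    ("555-0102", "555-0199", "2003-03-03 18:10", 180),
    ("555-0103", "555-0199", "2003-03-03 18:22", 300),
    ("555-0101", "555-0199", "2003-03-10 18:05", 200),
    ("555-0102", "555-0199", "2003-03-10 18:15", 210),
    ("555-0101", "555-0150", "2003-03-05 09:30", 60),
    ("555-0103", "555-0102", "2003-03-06 12:00", 90),
    ("555-0104", "555-0170", "2003-03-07 14:00", 30),
]

DAYS = ["Mon", "Tue", "Wed", "Thu", "Fri", "Sat", "Sun"]


def common_contacts(rows, min_subscribers=2):
    """Numbers dialled by several different subscribers: a shared contact."""
    callers = defaultdict(set)
    for subscriber, dialled, _start, _secs in rows:
        callers[dialled].add(subscriber)
    return {number: sorted(who) for number, who in callers.items()
            if len(who) >= min_subscribers}


def habits(rows, subscriber):
    """Count one subscriber's calls per (weekday, hour) slot to expose routines."""
    slots = Counter()
    for who, _dialled, start, _secs in rows:
        if who == subscriber:
            t = datetime.strptime(start, "%Y-%m-%d %H:%M")
            slots[(DAYS[t.weekday()], t.hour)] += 1
    return slots


def groups(rows):
    """Connected components of the merged call graph, largest first."""
    links = defaultdict(set)
    for subscriber, dialled, _start, _secs in rows:
        links[subscriber].add(dialled)
        links[dialled].add(subscriber)
    seen, found = set(), []
    for start in sorted(links):
        if start in seen:
            continue
        stack, members = [start], set()
        while stack:                      # depth-first walk of one component
            number = stack.pop()
            if number in members:
                continue
            members.add(number)
            stack.extend(links[number] - members)
        seen |= members
        found.append(sorted(members))
    return sorted(found, key=len, reverse=True)


if __name__ == "__main__":
    print("shared contacts:", common_contacts(BILLING))
    print("routine of 555-0101:", habits(BILLING, "555-0101").most_common(1))
    print("groups:", groups(BILLING))
```

Three subscribers who never appear together in any single bill are tied to one shared number, a weekly Monday-evening routine emerges, and the unrelated pair of numbers falls into a separate group.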
The media image of phone tapping is that of a surveillance operative
with a bank of reel-to-reel tape recorders. These, like the telephone
systems, have been replaced by digital systems. The latest telephone
surveillance systems sort the faxes from the telephone calls
from the computer data (and store the faxes/computer data for
later investigation). They also listen for keywords within the
telephone conversation, or the presence of a certain person’s
voice on the line, and flag that particular call for analysis
by a human operative. This increases the number of telephone
taps that may be run by a single surveillance operative, making
it easier to tap more lines.
The interception of Internet traffic is technically more problematic.
Unless the interception can be fixed at the point where the person
accesses the internet (their phone line or network connection),
it is not possible to gather the information sent or received
by one individual. This is because the communication is split
into small ‘packets’ of data, and these may be routed
by different communications channels. For this reason monitoring
the Internet has preoccupied a number of states for the last
decade. Their answer is, in short, to monitor everything and
compile the ‘communications data’ gathered from this
process for later use.
Tracing ‘Net usage involves the lowest level of Internet
identification – IP addresses. Most internet systems, such
as email servers, log additional data. Most email servers log
the ‘header’ information of the emails they relay:
at a minimum, which address the email has come from, which address
it is going to, and the date and time. This provides an even
shorter route to finding the source, as an email address can
be associated with a user account directly. From the service
provider’s records, this then translates to a real identity.
This identity may be uncovered simply by searching on-line for
the user’s real name. Even if the source address of the
email is forged or ‘spoofed’, the email server will
still log the IP address of the machine it was sent from – so
it can still be tracked back.
It is also possible to track people’s physical location
using wireless communication devices such as mobile phones or
wireless computer networks. Mobile phones stay in constant communication
(unless switched off) with their network’s nearest base
station. Knowing the location of this base station gives a rough
geographical location. But it is also possible for the telephone
system operator to gather data from other base stations to track
the phone’s position.
As well as recording which base station the phone is near to,
most phone systems record a ‘signal to noise ratio’ (SNR) – a
measure of how strong the signal from the phone is – for
the signal to adjacent base stations. By getting the SNR from
base stations near to the phone (which can be done in near real
time with the co-operation of the telephone operator) it is
possible to estimate the position of the phone between the stations
quite accurately. The more base stations there are, and the closer
together they are, the more accurately the position of the phone
can be determined. In rural areas base stations may be 5km or
10km apart. In urban areas, separation may only be a few kilometres,
and much less in built-up cities. This means that a person’s
position can easily be determined to within a few tens of metres
in an urban area, or slightly more in a rural area.
The new ‘Third Generation’ (3G) mobile phones have
a smaller separation distance between base stations. It is also
proposed that 3G phones will use tracking routinely as part of
the operation of the system, not only to find a person’s
location, but also to identify the location of phone numbers
(public services, advertising information, etc.) for users. This
will mean that more information about a person’s location
at a specific date and time will be routinely generated and passed
on to others. How states handle the security and privacy of this
information will determine whether the 3G mobile phone will become
a liability to personal privacy over the next few years. If communications
and privacy regulators seek to protect this information as they
do with other personal data, only official uses of this information
will be possible. But if the data is poorly controlled, the collection
or disclosure of this information could be used as a means of
invading private life. It could also leave a person open to various
types of fraud or crime because those directing the individual
will know where the person is located.
In the future, as access from devices such as digital telephones
and TVs, or 3G mobile phones becomes more widespread, accounts
will be authenticated as belonging to a single person who owns
that device. This trend for user authentication is at the forefront
of many IT developments because it will enable the greater use
of pay-per-use or subscription services on-line. It is enabled
by systems such as Microsoft’s ‘.Net’ (‘dot-Net’)
standard, which aim to build secure user authentication into
networked systems. This uses a unique on-line ‘passport’,
held by a verification server, to verify the identity of the
individual as part of on-line transactions. But at the same time,
it provides traceability, and a consequent reduction in anonymity,
in a way similar to the way credit card transactions can be easily
traced to a particular card holder.
Computers, and information systems in general, present various
opportunities for surveillance. This is because they are technical
systems that operate largely beyond the understanding of their
user. An emerging new field is ‘spyware’ – computer
software that is intended to collect information about a person’s
use of information systems. In addition, companies that specialise
in ‘computer security’ systems are producing software
applications that are able to interrogate a computer and retrieve
information, passwords, and even deleted files.
Many computer systems routinely log information when they are
used. Other programs, such as web browsers or word processors,
log information relating to the use of the program, the files
looked at, and the identity of those accessing or modifying files.
These logs can be extracted if someone has access to the computer,
and are a critical source of information in the field of ‘computer
The development of computer software that is specifically intended
to spy on computer users represents a serious risk to privacy.
Even where logging facilities do not exist on a computer, logging
programs can be installed to monitor specific uses of the computer.
These can collect information on the keys that are typed by the
user, or the email or Internet addresses that are contacted.
The program then stores the information for later retrieval,
or the information could be emailed out covertly when users check
their email. An example of this type of software is the US Federal
Bureau of Investigation’s (FBI) ‘Magic Lantern’ program.2
This was designed to find its way into certain computer systems
and send back details about the content of the computer, account
passwords and encryption keys. Controversy was aroused when the
FBI attempted to conclude an agreement with anti-virus system
writers to make sure their anti-virus programs ignored the Magic Lantern
program when it had installed itself on someone’s computer.
One routine means of collecting information as part of the surveillance
process is collecting people’s rubbish. Important information
is routinely thrown away by many people. For users of information
systems, what is thrown away may also disclose information about
security procedures, and even large quantities of sensitive data.
For example, throwing away old floppy disks or CDs, even if they
do not appear to work, can disclose important information to
those with the ability to read corrupted or damaged storage media.
Whilst people may fear high-tech electronic surveillance, often
what betrays information the most is human nature: mistakes,
forgetfulness, or unintended disclosure. Indirect surveillance
techniques, which study the information we generate as part
of our everyday activities, are good at picking these up.
The significant process within indirect surveillance is the finding
of audit trails or documentation trails. Before the widespread
use of data processing this was a cumbersome business as paper
had to be shuffled. Today, with so much information being digitised,
and even sold in bulk by governments and corporations, the process
has become far simpler. For this reason, indirect surveillance
that concentrates on the use of digital information has become
known as ‘dataveillance’.
To organise any information you must
have an index or ‘key’.
The key which everyone possesses is their name. But this key
is not unique. Other people within a large town, and almost certainly
within a country, will share that name. For this reason it is
necessary to qualify the ‘name’ key with other identifiers,
for example, an address, national identity or social security
number, or credit card number. By increasing the number of additional
key values that we group together we increase the likelihood
that the surveillance subject, and only the surveillance subject,
will be identified.
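The effect of qualifying the ‘name’ key with further identifiers can be measured, as in this added example (not part of the original handbook). The records and the choice of town, postcode and birth year as qualifying keys are constructed assumptions; the measure used, the smallest group size k, is the one privacy engineers call k-anonymity.

```python
from collections import Counter

# Constructed sample records (not real people): a name plus three qualifying keys.
RECORDS = [
    {"name": "J. Smith", "town": "Leeds", "postcode": "LS1", "birth_year": 1970},
    {"name": "J. Smith", "town": "Leeds", "postcode": "LS1", "birth_year": 1982},
    {"name": "J. Smith", "town": "Leeds", "postcode": "LS6", "birth_year": 1970},
    {"name": "J. Smith", "town": "York",  "postcode": "YO1", "birth_year": 1970},
    {"name": "A. Khan",  "town": "Leeds", "postcode": "LS1", "birth_year": 1970},
    {"name": "A. Khan",  "town": "Leeds", "postcode": "LS1", "birth_year": 1970},
    {"name": "M. Jones", "town": "York",  "postcode": "YO1", "birth_year": 1982},
    {"name": "M. Jones", "town": "York",  "postcode": "YO1", "birth_year": 1990},
]


def group_sizes(records, keys):
    """Count how many records share each combination of the given key fields."""
    return Counter(tuple(r[k] for k in keys) for r in records)


def k_anonymity(records, keys):
    """Smallest group size; k == 1 means at least one record is singled out."""
    return min(group_sizes(records, keys).values())


def unique_fraction(records, keys):
    """Fraction of records that are the only member of their key combination."""
    sizes = group_sizes(records, keys)
    alone = sum(1 for r in records if sizes[tuple(r[k] for k in keys)] == 1)
    return alone / len(records)


def uniqueness_by_key_count(records, ordered_keys):
    """Add one key at a time and report (keys used, k, fraction unique)."""
    report = []
    for n in range(1, len(ordered_keys) + 1):
        keys = ordered_keys[:n]
        report.append((tuple(keys),
                       k_anonymity(records, keys),
                       unique_fraction(records, keys)))
    return report


if __name__ == "__main__":
    order = ["name", "town", "postcode", "birth_year"]
    for keys, k, frac in uniqueness_by_key_count(RECORDS, order):
        print(f"{' + '.join(keys):45s} k={k}  unique={frac:.0%}")
```

On this sample the name alone identifies nobody, while all four keys together single out six of the eight records.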
The state, via its security organisations or the police, is able
to officially access large quantities of digital information.
This can be done via state agencies, such as tax or social security
agencies, or by the use of legal powers to obtain information
from organisations that hold data about you, such as phone companies
or banks. Depending on the nature of the ‘offence’ that
you are being investigated for, the police and other agencies
may also have access to legal powers to intercept direct communications
and even enter a building to obtain additional information to
enhance their analysis.
What this process produces is a ‘data profile’ – a
set of information that relates to a person and describes his/her
life, work, acquaintances, personal preferences and personal
habits. More usefully, by merging information or ‘data
matching’, using the information on more than one subject,
it is possible to ‘map’ the interaction of a number
of people. This may disclose further useful information, such
as how an organisation relates to its supporters. Combining information
that gives geographic data, such as the locations of purchases,
or mobile phone tracking data, it is also possible to show patterns
of collective activity, such as meetings, or travel to a particular
23.3. Managing the impacts of surveillance
For information-based surveillance techniques to work well there
are certain pre-requisites:
• Information must be logged and stored, or routed in such
a way as to make it available to those carrying out surveillance.
• Any encryption or technical encoding/compression must
be susceptible to circumvention by those carrying out surveillance.
• Information must be identifiable with a unique, personalised
key, or machine addresses, so the information may be tracked
back to the people involved.
• For reliability, the surveillance process must work within
the operation framework of the system supporting it so that it
cannot be avoided or circumvented by the user.
When evaluating the surveillance potential of legislative proposals,
or of technological innovations, we can use these three conditions
as a guide. Conversely, any system that achieves the opposite
of these conditions will lessen the impacts of surveillance.
For example, the greatest damage to civil liberties would be
the ‘cashless society’, where every transaction had
to be paid for with a credit or debit card. This is because cash,
except for the larger value bank notes, is an anonymous form
of payment. But in the cashless society, every payment made would
be open to scrutiny. Likewise, if everyone across the globe would
have a unique on-line identity that, like a passport or bank
account, required verification before use, all anonymity on the ‘Net
would be lost. What enables privacy and anonymity generally on
the Internet is that a person need not prove their identity in
order to gain access to the network. They need only produce a
user name and password that satisfies access to a particular
These examples may seem extreme, but in the virtual world there
are already well-advanced projects to implement such systems
on-line. The next generation of Microsoft operating systems will
begin to implement ‘trusted computing platform’ controls.
These protect intellectual property rights by monitoring the
status of information on a system, and what is being done to
it. However, the unique identifiers that will have to be applied
to all files, based upon the registration of the software that
generated them, will mean that information may be easily traced
to its source.3
Also, the development of on-line e-commerce systems
around the ‘dot Net’ model, where people use an on-line
identity to verify access to sites or for payments (in place
of a credit card number or password), means that the ability
to track activity on-line will be enhanced.
The extension of intellectual property controls generally has
a negative impact on privacy and security. It is more difficult
to verify that the programs you use do not contain unknown data
logging systems or ‘back doors’ that give access
to password protected or encrypted data. If someone attempts
to reverse-engineer the program in order to reveal such flaws,
they could be prosecuted for damage to the developer’s
There are many applications in use on the ‘Net today that
contain some form of user monitoring and reporting facility.4
Some of these involve the use of the program ‘spyware’.
Others are used as a means of targeting the user with adverts – ‘adware’.
Program developers include these systems, particularly adware
features, as a means of obtaining extra revenue from the use
of their applications. Many widely used programs, such as Real
Player, AOL Instant Messaging and Kazaa, contain these systems.
Unless you install the program on your system, most of these
spyware and adware programs use the ‘cookies’ facility
in the web browser to store data on your computer, to enable
tracking of your activities on-line. ‘Cookies’ enable
a web site to store information about your use or preferences
on the site so that the server can personalise your access to
the site when you next return. But they also allow tracking of
an individual’s on-line activity, and thus can be used
as a unique identifier available to web advertising agencies
and others to follow you on-line. For this reason they are being
restricted and controlled informally (the W3C Consortium’s ‘Platform
for Privacy Preferences’ system), or formally (the recent
proposals by the European Union to legislate against the use
The alternative is of course, where possible, to use free software
on computer systems. The fact that the computer source code is
open means that it is far harder to hide ‘spyware’ within
the code of a computer program. Those concerned with the impact
of surveillance on their use of information systems should seek
to change their patterns of use to make surveillance more difficult.5
However, increasingly the ‘intelligent appliances’ that
we use, such as mobile phones or personal organisers, have their
software sealed inside. So using open source alternatives to
proprietary systems can only work up to a point. But wise use
of these appliances, such as consciously switching off your mobile
phone before going to sensitive meetings, can minimise the surveillance
potential of these devices.
23.4. Data Retention
Electronic networks, be they the wires that make up national
telephone networks, or the network of networks that is called
the ‘internet’, are becoming the main means by which
society works. Over the last 10 years various governments around
the globe have taken the view that the ability to monitor, and perhaps
police the use of electronic networks is a key part of keeping
order within the new information society. The problem with monitoring
networks is the volume of data involved.
It is not possible to just jack-in to the network and monitor
everything that is sent. Or rather, it is technically possible,
but not physically, practically or economically viable. For this
reason, states are addressing the problem by seeking to ensure
that certain types of communications data be ‘retained’ by
the providers of network services. This data can then be accessed
by the state.
To begin, we need to understand a little about the workings of
the network itself. When you make a phone call, you dial the
number of the receiving station, and you are connected. This
is because your number, and the number you are calling, are unique,
and can be easily identified by the equipment that makes the
network function. A route is then set up between these two points
for the communication to flow along. The internet applies this
same principle, albeit with a little more complexity. The diagram
on the right shows a number of computers linked to the internet.
The internet has no fixed structure. Packets of data can be routed
randomly. For this reason we can only show it as an amorphous
mass to which computers connect at specific nodes.
Most individuals and small organisations connect to the ‘Net
via a ‘network connectivity provider’. This could
be your local telephone company, your place of work, or a private
Internet service provider. This provides you with access to the
network via a local phone number. It also, although most people
do not realise it, connects you via the local telephone exchange
to the internet as part of the ‘domain’ of your service
provider. Like your own name and telephone number, this provides
you with a unique identity on the internet. Not everyone can
have a address
– there are not enough to go around. Instead you will be allocated
a number on the machine that logs you onto the Internet. This machine
then relays the information between you and the internet.
Now that your computer has the IP number of the service you require,
you make direct contact to that server via the Internet. Nearly
all internet services – web, email, chat, file transfer – log
the IP address of the communications they receive. This means
that if someone can access the log data for a particular server,
they are able to create a list of who accessed that server and
when. The first stage of finding who accessed that server is
to track back the IP address of the packet. This will take them
to the server that logged you onto the internet. This may be
your service provider’s server, or it may be another server
that your service provider uses to provide local network access.
Either way, there will be a log there that indicates the identity
of the user account that logged onto the network with that IP
address at that time. Using the local network identity, or the
user account identity, it is then possible to match a user’s
real name to their login account. If this account was at a cybercafé or
university, if someone paid for the session using some sort of
credit or debit card, it may also be possible to trace the person
from the payment details attached to that period of usage. For
further confirmation, the billing information kept by the phone
company will also confirm that at that time and date that a person
used the phone to connect to the Internet.
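The trace-back described above, and the pre-requisites listed in section 23.3 (data must be logged and stored, and must carry a unique key), can be seen together in this added example, which is not part of the original handbook. The log formats, account names, addresses and function names are constructed assumptions; it shows the lookup succeeding on a full server log, becoming ambiguous when the server stores only a masked address and the day, and failing once the login log has passed its retention period.

```python
import ipaddress
from datetime import datetime, timedelta

FMT = "%Y-%m-%d %H:%M"

# Constructed service-provider login log: (account, assigned IP, login, logout).
SESSIONS = [
    ("acct-alice", "192.0.2.17",   "2003-05-01 19:02", "2003-05-01 19:40"),
    ("acct-bob",   "192.0.2.17",   "2003-05-01 20:05", "2003-05-01 21:10"),
    ("acct-carol", "192.0.2.93",   "2003-05-01 19:10", "2003-05-01 20:30"),
    ("acct-dave",  "198.51.100.4", "2003-05-01 19:00", "2003-05-01 19:30"),
]
# Constructed web-server log entry: (time, client IP, path requested).
HIT = ("2003-05-01 19:25", "192.0.2.17", "/contact.html")


def parse(stamp):
    return datetime.strptime(stamp, FMT)


def accounts_for(network, start, end, sessions):
    """Accounts that held an address inside `network` at some point in [start, end]."""
    net = ipaddress.ip_network(network)
    matches = set()
    for account, ip, login, logout in sessions:
        in_net = ipaddress.ip_address(ip) in net
        overlaps = parse(login) <= end and parse(logout) >= start
        if in_net and overlaps:
            matches.add(account)
    return sorted(matches)


def trace(hit, sessions):
    """Full log entry: the exact address and minute give a point lookup."""
    when, ip, _path = hit
    moment = parse(when)
    return accounts_for(ip + "/32", moment, moment, sessions)


def minimise(hit, prefix=24):
    """What a minimising server stores: masked address and calendar day only."""
    when, ip, path = hit
    net = ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
    return (parse(when).strftime("%Y-%m-%d"), str(net), path)


def trace_minimised(entry, sessions):
    """Same lookup from a minimised entry: every account in that network that day."""
    day, network, _path = entry
    start = datetime.strptime(day, "%Y-%m-%d")
    return accounts_for(network, start, start + timedelta(days=1), sessions)


def purge(sessions, now, keep_days):
    """Drop login records whose session ended before the retention cut-off."""
    cutoff = parse(now) - timedelta(days=keep_days)
    return [s for s in sessions if parse(s[3]) >= cutoff]


if __name__ == "__main__":
    print("full log      ->", trace(HIT, SESSIONS))
    print("minimised log ->", trace_minimised(minimise(HIT), SESSIONS))
    expired = purge(SESSIONS, "2003-06-15 00:00", keep_days=30)
    print("after purge   ->", trace(HIT, expired))
```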
Even before the September 11th terrorist attacks, many states
were drafting or introducing laws that enabled technological
surveillance to take place within new digital information systems.
For example, in the USA the Communications and Law Enforcement
Act 1995 requires that manufacturers of telecommunications equipment
get approval, to ensure they comply with tapping or surveillance
requirements, before a new product is sold. Many of these new
laws relate to the information or ‘communications data’ that
digital systems generate. It is claimed that these systems do
not represent the development of a ‘Big Brother’ state
because access was not being granted to the content of communications.
This misrepresents the impact of these new surveillance systems.
The automated nature of these systems means that far more people
can be monitored than was previously possible with human-based
Mandating data retention
Most communications network operators would not wish to keep
large quantities of data about the operation of their systems.
In some countries, such as European Union states, it creates
legal liabilities because of data protection laws. In general,
keeping this information is a time consuming, resource hungry
and costly operation. For this reason some states are now legislating
to make data retention a legal obligation of the operators of
Keeping logs on a server costs money. It uses up some of the
server’s processing capacity and disk space. If the logs
have to be kept for a period of time, it will also be necessary
to back-up these logs to some sort of storage media and store
them securely for that period. To date, one of the principal
obstacles to implementing the retention of log data has not been
civil liberties, but cost. Internet service providers have been
concerned that proposals to monitor network traffic would place
high costs upon their businesses.
The other problem for governments has been how to handle this
data. The traffic data produced by the telephone system is huge,
including millions of numbers, each logging many outgoing calls
every day. This may be dwarfed by the potential data harvest
from electronic networks, including logs from internet service
providers, email servers, web servers, and other sources such
as the log information provided via the data retention systems
of other states. For example, the Cybercrime Convention defines ‘traffic
• a code indicating a network, equipment or individual number
or account, or similar identifying designator, transmitted to or
from any designated point in the chain of communication;
• information on the time, date, size, and duration of a communication;
• in any mode of transmission (including but not limited to
mobile transmissions), any information indicating the physical
location to or from which a communication is transmitted.
On top of this, other data streams are likely to be added. For
example, in the USA, it is proposed that the ‘Total Information
Awareness’ (TIA) programme (recently renamed the ‘Terrorist
Information Awareness’ programme) will add data from sources
such as public lending libraries, credit card transactions, ATM
withdrawals or even seat reservations on aircraft in order to
try and link geographical references to communications traffic.
The problem is that none of this data can be isolated to concentrate
on a few individuals. Unless the state instructs a service provider
to specifically tap the connection of a particular person, the
data retained by a server operator must be collected for all
users. That is a lot of data to store. The fact that people other
than the principal targets of surveillance are included increases
the probability that their privacy may be damaged as part of
the retention and processing of communications data.
The UK was one of the first countries in the world to require
the widespread monitoring of all network traffic. In the UK,
the retention of log data by the government was under discussion
in the mid-1990s. Initially, discussion within the police and
security services assumed that it would be possible to limit
monitoring to a few individuals. But when that was clearly not
possible, the proposals were soon expanded to allow for the tapping
of all network traffic. This was originally conceived as a ‘black
box’ working inside every internet service provider’s
machine. The proposals were later modified, taking advantage
of the fact that most service providers are connected directly
to one of the large telecommunications networks. For this reason,
the proposals now target ‘upstream providers’, and
the larger internet services, in order to reduce the number of
locations that will have to log all traffic data.
The law that required the disclosure of traffic data in the
UK, The Regulation of Investigatory Powers (RIP) Act 2000, was
enacted almost a year before the attack on the Twin Towers and
the launch of the ‘war on terrorism’. However, there
were some gaps in this law. It required logs to be turned over,
but did not explicitly require that they be kept. For this reason
the proposals were updated in The Anti-Terrorism, Crime and Security
Act 2001. In addition to requiring the operators of electronic
networks to set up ‘interception capabilities’ on
request, the RIP Act also sets up a ‘technical advisory
body’ to advise the government. Its job is to assess the
current technical capabilities for the collection of data, and
the interception of communications, and to look for means to
implement these as part of interception requests that government
may issue to individual network operators. But recent difficulties
have made its future uncertain.
Due to its pioneering steps in trying to develop data retention
nationally, the UK has been one of the lead states in developing
international systems for data retention.6 The key agreement
to date has been the Council of Europe’s Cybercrime Convention.7
The Cybercrime Convention requires that states take measures
to preserve the data produced by electronic systems, such as
telephone networks and the internet. States can then make requests
to other signatories of the Cybercrime Convention to access data
relating to the activities of certain individuals or groups resident
in that state.
Other states are also seeking to develop their own systems to
intercept and process communications information, as well as
information from other sources. Perhaps the most high-profile
of these at the moment is the proposal for a ‘Total Information
Awareness’ (TIA) system in the USA.8
The original proposal in the USA, at the end of the 1990s, was a smaller
system called ‘Carnivore’.9
This would have monitored the communications of certain ‘suspect’ individuals,
groups or web sites. There was much debate over the legitimacy
and legality of the Carnivore system. Following the September
11th 2001 attacks, the legal basis for mass surveillance has
changed, which is why the TIA system is able to
do much more.
In many states in the developed world,10 after the September 11th
attacks, new legislation that broadened the surveillance powers
of the state was introduced, using the attacks to silence dissent
about the impact of these powers. These kinds of sweeping surveillance
systems are not perfect. This means that errors in the analysis
provided by these systems are likely to crop up on a regular
basis, leading to the potential for serious miscarriages of justice
to take place.
What these new powers have introduced is a means whereby the
state is able to conduct detailed indirect surveillance of the
entire population. The problem is that the systems that enable
this, and more importantly the information they rely on, are
imperfect. Errors in the analysis of the data provided by these
systems can lead to serious miscarriages of justice.
The first anti-Carnivore campaigns simply called for email users
to include key words, such as terrorist, bomb, explosive, White
House, etc., in their emails, so as to confuse and clog up the
classifying programs used in the Carnivore project. Later they
became more explicitly political and attempted to influence the
“If we want to defeat Carnivore, we need to attack on all
fronts. Any of the following steps could take you as little as
one minute each to complete, and they will all make a big difference
in the strength of our message. If you are able, spend a little
extra time writing some comments of your own to send out to the
various people below. If not, use our ready-made letters, and make
a big difference in under 10 minutes!
1. Tell a friend about this site
2. Contact the President and Congress
3. Send a Letter to the Editor
4. Contact John Ashcroft
5. Check Your ISP”
Source: http://stopcarnivore.org/how_to_stop_carnivore.htm
Problems with data retention
There are many ways in which data can be collected from diverse sources, and
then used to create data profiles. This process is also described as ‘data
matching’, because it requires the sources of information to be matched
around a common set of indexes or ‘keys’. This has the potential
to create spurious results from matching different data sources that may
lead to serious breaches of civil liberties.
One of the basic assumptions regarding electronic networks is that they are
synchronised, and all log transaction data use a common date and time.
This is often not the case. In the USA recently, as computer data has become
an important investigative tool, there have been some miscarriages of
justice due to inconsistencies in log data. In one case three young women were
wrongly arrested and charged with murder, and spent three weeks in custody.11
The evidence for the charge was that they had been photographed on an ATM machine’s
video camera using the cash card of the murder victim.
Time is becoming an increasingly problematic issue within the operation
of global electronic networks. Whilst there is a general ‘Universal Time
Constant’ in use, there is no international agreement on the precise
setting of the clocks that control the global electronic networks. The
networks operated by different countries, or by different corporations,
may be set to slightly different times. The greatest problem is that many
electronic systems do not use one central time reference. They have to
be manually updated, and this, due to the human element, does not reliably
take place. This in turn results in the sort of error that occurred with
the ATM video evidence in the murder investigation described above.
Another problem with collecting traffic data is that the same types of data
may not be collected consistently. Errors may be introduced due to inconsistencies
in the classifications of certain goods or services, or because of language
differences. This can lead to the inclusion of erroneous information as part
of data profiles.
Further problems may arise due to errors in the data matching software
that excludes some information, or wrongly includes it. As the logging
of data is not considered to be a ‘mission critical’ part of the operation
of electronic networks, the logging of data may be subject to errors that do
not show up in other parts of the system’s operation. In order to
take into account the differences in data collection standards the systems
developed for data matching may build-in some flexibility in their interpretation
of data. This in turn may increase the likelihood that false positives
will be produced as part of the process.
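The two failure modes described above, unsynchronised clocks and over-flexible matching, can be shown with a short example that is added here and is not part of the original text. The records, the names and the camera offset of 12 minutes 20 seconds are constructed for illustration and are not taken from the case cited.

```python
from datetime import datetime, timedelta

# Constructed sample data (not from any real case).
# The bank host stamps the withdrawal; the ATM camera stamps frames with its own clock.
TRANSACTIONS = [{"card": "victim-card", "time": datetime(2003, 1, 10, 21, 14, 30)}]
CAMERA_FRAMES = [
    {"person": "A", "time": datetime(2003, 1, 10, 21, 2, 10)},
    {"person": "B", "time": datetime(2003, 1, 10, 21, 14, 40)},
    {"person": "C", "time": datetime(2003, 1, 10, 21, 27, 5)},
]
# Assumption: the camera clock was later measured to run 12 min 20 s slow.
MEASURED_OFFSET = timedelta(minutes=-12, seconds=-20)  # camera minus reference


def match(txn_time, frames, camera_offset=timedelta(0),
          tolerance=timedelta(seconds=60)):
    """Persons whose frame time, corrected for the camera's clock offset,
    falls within `tolerance` of the transaction time."""
    hits = []
    for frame in frames:
        corrected = frame["time"] - camera_offset
        if abs(corrected - txn_time) <= tolerance:
            hits.append(frame["person"])
    return hits


def assess(txn_time, frames, max_skew, tolerance=timedelta(seconds=60)):
    """Offset unknown but bounded by +/- max_skew: every frame inside the
    widened window is a candidate, so report whether the match is unique."""
    candidates = match(txn_time, frames, tolerance=tolerance + max_skew)
    if not candidates:
        return "none", candidates
    return ("unique" if len(candidates) == 1 else "ambiguous"), candidates


if __name__ == "__main__":
    txn = TRANSACTIONS[0]["time"]
    # Treating both clocks as synchronised picks the wrong person.
    print("naive join:       ", match(txn, CAMERA_FRAMES))
    # Applying the measured offset picks the person actually at the machine.
    print("offset corrected: ", match(txn, CAMERA_FRAMES, MEASURED_OFFSET))
    # Building in 'flexibility' instead of measuring the offset matches everyone.
    print("widened tolerance:", assess(txn, CAMERA_FRAMES, timedelta(minutes=15)))
```

The naive join confidently names one person, and only the widened window reveals that the timestamps alone cannot support that conclusion.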
Perhaps the greatest challenge to the use of the data collected from monitoring
networks is identity theft. At the basic level, an identity could be forged,
or a user account or telephone line hacked into, in order to use the service
without disclosing the true identity of the user. At a more complex level,
if people can obtain sufficient information about an individual, they may
be able to steal that person’s electronic identity outright. This
practice is already widespread as part of credit card fraud. As networked
systems increasingly use individual electronic identities, rather than
a user account, to validate access, identity theft may create a new level
of abuse. Rather than just defrauding banks and credit card companies,
identity theft in the future may be a means of avoiding the interlinked
web of monitored networks that data retention is creating.
The problems of false identities, or identity theft, have significant implications
for the effectiveness of new surveillance systems. In particular, they
strike at the heart of the justification for developing these systems.
The groups with the capacity to undertake identity theft are organised
criminals and terrorists – precisely
the groups these systems are meant to detect. So, in practice, these systems
are only fully effective against one particular group in society
– the general public.
If we look a few years ahead, when networking becomes more personalised, tampering
with a person’s identity may become a major hazard to personal privacy
and civil liberties. Locational data from wireless devices, if poorly protected,
could be used to target individuals for crime and aid in the execution of a crime,
as well as to undertake fraud or identity theft in a way that is far harder to trace.
The problem with the systems being deployed today is that they are keyed to record
data about an individual, or an individual’s access, thereby making fraud
or identity theft easier to operate. The alternative, using anonymous systems
of authentication, is not welcomed by financial institutions and governments
because they do not allow the tracking or auditing of an individual person’s
activity from the log of communications data. Anonymous systems of authentication – for
example use-once credit card numbers issued by some card companies for use on-line – would
make it far harder to obtain sufficient personal identifiers to impersonate
or abuse electronic identities on-line.
1 See Chapter XIII, The Art of War, by Sun Tzu. This can be found at many locations on the Internet if you conduct a search for the title and the author's name. Or try http://www.chinapage.com/sunzi-e.html
Reasons why we should oppose dataveillance (summary)
1. People collect, or process information for a purpose. It is the intention of those who collect personal information, or who trade or database it, to create profiles of individuals. Individual users may not necessarily give consent to the use of their personal information for that purpose.
2. The sale of personal information is, for many Internet companies, a major income stream within the operation of Internet services.
3. The suppression of encryption may mean that those who break the law will encrypt anyway.
4. Information gathered in the process of technological surveillance is often not as good or as accurate as the old-fashioned human-based surveillance, carried out close to the subject. Often the information will be inaccurate, or out of the context in which it was gathered, and so may be interpreted wrongly.
5. Types of surveillance that do not involve intrusion into the privacy of communication do not always need judicial control.
6. If the data is poorly controlled, the collection or disclosure of this information could be used as a means of invading a person's private life. It could also leave a person open to various types of fraud or crime because those directing the individual will know where the person is, or is not located.
7. 'Cookies' allow tracking of an individual's on-line activity, and so are useful as a unique identifier available to web advertising agencies and others to follow you online.
8. The fact that people other than the principal targets of surveillance are being included increases the probability that their privacy may be damaged as part of the retention and processing of communications data.
9. Problems with the accuracy of data collected:
- Data collected from different sources has the potential to create spurious results from the matching process, which may lead to serious breaches of civil liberties if the results are acted upon by law enforcement agencies.
- The same types of data may not be collected consistently, which can lead to the inclusion of erroneous information as part of data profiles.
- The networks operated by different countries, or by different corporations, may be set to slightly different times, which may lead to erroneous conclusions about persons' whereabouts at a certain time.
- Another problem with collecting traffic data is that errors may be introduced due to inconsistencies in the classifications of certain goods or services, or because of errors introduced by language differences. This can lead to the inclusion of erroneous information as part of data profiles.
10. Perhaps the greatest challenge to the use of the data collected from monitoring networks is identity theft. Rather than just defrauding banks and credit card companies, identity theft in the future may be a means of avoiding the interlinked web of monitored networks that data retention is creating.
11. The groups who have the capability to routinely undertake identity theft are organised criminals and terrorists - precisely the groups who these systems are meant to detect. So, in practice, these systems are only fully effective against one particular group in the society - the general public.
2 FBI Confirms 'Magic Lantern' Project Exists, Reuters, 12th December 2001.
3 http://www.asp.net, http://www.passport.net/, http://alive.znep.com/~marcs/passport/
4 There are good reports on spyware/adware available online from ZDNet (http://www.zdnet.com/zdnn/stories/news/0,4586,2678941,00.html) and from BBC Online (http://news.bbc.co.uk/1/hi/in_depth/sci_tech/2000/dot_life/2487651.stm); also: http://www.cexx.org/adware.htm, http://www.doxdesk.com/parasite/
5 For more detailed briefings on counter-surveillance and information security see the Association for Progressive Communications' Participating with Safety briefings at http://secdocs.net/manual/lp-sec/ These outline the improvements that can be made to computers and working practices to improve security and reduce the effectiveness of surveillance.
6 For a recent review of the UK's influence on European developments see UK Pushes Boundaries of Citizen Surveillance, The Guardian, 12th June 2002 - http://www.guardian.co.uk/netprivacy/article/0,2763,736011,00.html
7 See http://conventions.coe.int/Treaty/EN/WhatYouWant.asp?NT=185&CM=1
8 See the archive kept by the Electronic Frontier Foundation for a digest of available information on TIA systems - http://www.eff.org/Privacy/TIA/
9 The FBI revealed its work on the Carnivore programme in a presentation to Congress in April 2002 - see
10 For example, see UK Pushes Boundaries of Citizen Surveillance (Guardian, June 12th 2002). For other more detailed reports go to the Electronic Privacy Information Centre, http://www.epic.org/, and Privacy International, http://www.privacyinternational.org/
11 See http://www.washingtonpost.com/wp-dyn/articles/A19633-2003Jun21.html