EURIM Evidence
APIG Communications Data Inquiry Oral Evidence
European Information Society Group
Wed, 18 December 2002
MR. WHITE: We start with the European Information Society Group -
EURIM. I start by declaring an interest as chair of that Group. EURIM
exists to bring together Parliamentarians, civil servants and the
industry so that issues of IT can be discussed. We have Philip Virgo
with us, who is the Secretary General of EURIM. We were going to hear
from Brian Collins as well but I understand he is delayed.
Philip, do you want to make a statement to start with or go straight into questions?
MR. VIRGO: I think it might be useful if I say something about how
EURIM got involved in this area in the first place. It actually began
in 1995 when Viscount Chelmsford started organising meetings with the
Law Commission on the consequences as electronic commerce started
transitioning from structured electronic data interchange, because
electronic commerce is actually more than a century old, towards the
Internet and the areas where action was needed were a result of that.
That led us to review the IOCA issues and the issues to do with
encryption technologies which were critical for many players. Then we
worked with the Bill team on the Electronic Communications Bill, which
became an Act of Parliament, and the split of that between the sections
on electronic signatures and on interception. Then we worked on the
long consultations with RIPA and, more recently, we have tried to
broaden the debate to cover the issues of e-crime as a whole. The
objective always is to try and bring the players together and find
where there is a consensus, and where there is no consensus what is it
that is at stake and why? So that is where we are coming from.
MR. ALLAN: Philip, you are very heavily involved in what I would
describe as an informal form of pre-legislative scrutiny, in fairness?
MR. VIRGO: Yes.
MR. ALLAN: You try to bring people together at the time legislation
is framed. I know that that is a very strong area of EURIM's work.
One of the key questions which comes up in all technology
legislation is: should it or should it not be technology neutral? I
wonder if you have a view on that, particularly in the context of RIPA
where there does seem to have been an attempt to make the technology
neutral, which appears attractive, but at the same time that seems to
have got us into trouble somewhat in that there is a difference -- I do
not know whether you agree with this -- between asking, for example,
for a log of telephone numbers which have been called by somebody,
which is a practice which has gone on for years, and collecting all of
this other data which an Internet service provider may hold about
traffic and communications by an individual?
MR. VIRGO: The EURIM held view is very firm. The same law should
apply on-line as off-line and we should try and have the law technology
neutral.
There are some oddities with regard to RIPA. Some of the problems
arise from the attempt to try to define what is communications data as
distinct from other types of data, because much of the law which is
knocking around, which gives statutory bodies and others access to
information, applies to all sorts of information. One of the
interesting things is whether it is actually worth trying to
distinguish between communications data and other data that people
claim access to, bearing in mind they are both stored and the meaning
of communications data is itself a moveable feast. The moment you try
and do definitions which rely on some kind of implicit technology
model, then you know that those definitions are doomed, certainly
within ten years and probably within five. It is better to apply the
old test of trying to say, "What, really, is the difference between
this and cable traffic?" or, "What is the difference between this and
Charles II setting up the Royal Mail to intercept the Spanish
Ambassador's letters?" and going for genuinely technology neutral
definitions as opposed to trying to draft the definitions which look as
though they are technology neutral but really depend on a model of
thinking of how, at the moment, the Internet works or rather the
packets on which a sub-set of the Internet works. You have to bear in
mind that the Internet is all of those things for which there are IP
protocols, not just the packet switched part of that, which is what
people normally think of.
MR. ALLAN: In terms of looking at weaknesses within the RIP Act,
some provisions of which have not yet been implemented which suggests
there are some questions which have brought us here today, the
definitions area, or the attempt to define communications data which is
contained within that legislation, you would suggest, is a weak area
that ought to be looked at?
MR. VIRGO: I think so, particularly bearing in mind that it is the
regulation of investigatory powers, and an awful lot of the
investigatory powers knocking around are under other legislation that
gives access to stored data of all types. So why try to do a
distinction between communications data and other data, bearing in mind
that it is only the precise legislation under which you are claiming
the access? What that actually means is: do you have to pay for access?
Do you have to reimburse? And questions like that. An interesting
question is if you should have to reimburse, should you not have to
reimburse under the other legislation? Should not one actually be
trying to make a reality of the regulation of all investigatory powers,
not just that sub-set which was covered by the review of the
Interception of Communications Act?
MR. ALLAN: In other words, RIPA purports to be an all-encompassing
investigatory powers piece of legislation, but the reality is that
there are lots of other pieces of legislation which apply and have a
slightly different regime?
MR. VIRGO: Exactly.
MR. WHITE: One of the things which EURIM says in its evidence is
that dealing with officials, because of the rotation system, means that
you have to keep explaining to different officials what the real world
is like. Is that a fair summation of what you were saying?
MR. VIRGO: Yes. It is not just the Home Office. This is a
long-standing problem of dealings between industry and others in the
Civil Service, the Civil Service rotations. Over the years people have
come up with a lot of different solutions, one is staggered rotation,
another is routines to provide continuity amongst those who have
external liaison responsibilities, and that includes liaising with other
departments, not just industry. Other solutions include external
advisory panels. There are commonly no budgets for this. Rather than
look at this purely within the RIPA angle, and RIPA is a particularly
good case study, where the problems were particularly acute, I think
one would reasonably argue that this is a very good topic for a follow
on to some of the work by the Select Committee on Public Administration
on some of the general problems with policy formation.
MR. WHITE: So you are suggesting it is an issue which the Cabinet
Office and the new Government training body -- I have forgotten what it
is called -- should be looking at?
MR. VIRGO: Absolutely. Given that rotation in the Civil Service is
part of the career progression, how the handovers are handled and how
you ensure continuity, where continuity is needed, does need to be
looked at again because of the problems which are arising in all sorts
of areas where you are dealing with situations which change over time.
For example, the correct interpretation of the brief which you have
inherited from your predecessor, who probably inherited it from his
predecessor, may not be known, because none of the civil servants who
were at the actual meetings and knew what lay behind certain decisions
is any longer involved. It is a problem which is now really acute.
MR. WHITE: Does that apply to central Government or is it an issue for agencies and local government as well?
MR. VIRGO: Where policy responsibility has been devolved -- for
example, where you have agencies with policy responsibility, it may be
less of a problem -- I am thinking here of the Patent Office and
copyright. The Patent Office has continuity -- it is more of a problem,
probably, within the central Civil Service than elsewhere.
MR. ALLAN: Let me pick up on the issue of oversight. With all of
the regimes that potentially could be put in place, one of the key
questions is whether there could be any leakage of sensitive
information to those who should not have it. You have been quite robust
in your evidence. I think it is worth quoting it, for the record. As
representatives of law enforcement are here, perhaps they will want to
have a word with you on the way out. (Laughter)
EURIM says: "Those responsible for security in major international
and financial services users are well aware of incidents in recent
years where those in national security, law enforcement and other
public sector agencies in the US and UK have abused positions of trust
for personal gain. Some agencies are known to have internal processes
that would not be tolerated by any private sector regulator, let alone
a financial services regulator." That is quite a strong statement.
People will be aware of press stories about misuse of the police
national computer and so on, where people have been disciplined for
that. Do you stand by that? Is that a serious concern for you in the
context of retained data?
MR. VIRGO: It is a serious concern. There is also the oddity that
most of the publicity is for those organisations which have better
governance because they have processes for detecting the abuse. So the
bigger issue is those where there is no publicity for abuse because
there is no process for actually detecting abuse.
One of the issues is how do we handle this? One of the tests is
whether an organisation is actually willing, able and enthusiastic
about some kind of external inspection of its processes, because if it
is not, then that may well be because it actually has not got any
processes. The examples we were given some years ago were of major
companies receiving grotty faxes at a branch office purporting to come
from an agency saying they were going to call at some time to inspect
their records because they wanted information about given employees.
But there was nothing on the fax to enable you to check who it was. The
really bad bit was that some of these were actually genuine as opposed
to enquiry agents who were trying it on. Hence, the reason that some of
the big EURIM members have clear-cut routines, any enquiry of that kind
is passed to head office. The head office then inform whoever made the
enquiry of the central point in that agency to which they will pass
information and request reference information to go with it. They do
not respond direct. But that is a labour intensive job, even actually
to validate the request for information, let alone to then provide the
information. There are a lot of issues there. In terms of tangible
recommendation, one might be that any organisation claiming statutory
access to information for law enforcement purposes, should have their
processes subject to inspection. I am not going to say that it should
necessarily be by HM Inspectorate of Constabulary, but we are talking
about the regulation of investigatory powers, so those who claim such
powers should have their processes liable to inspection.
As I said, going back, the published cases usually relate to those
who actually have got processes. The issue is those who have not got
processes at all.
MR. ALLAN: Are you concerned about the fact that, in some
circumstances, this area is over-regulated and so confusingly
regulated? We have received some other evidence which went through the
chain of potential people to whom one could complain. I sat on the
Bill. I cannot exactly remember who they were but there were people
like the Information Commissioner, Surveillance Commissioner, the
Surveillance and Information Commissioner, the Information and
Surveillance Commissioner... You know. It went on and on, especially if
you suspected something and had some reason to believe that some form
of your personal data had been abused. Who you can take your complaint
to is very confusing. Is that an area of concern?
MR. VIRGO: I think one can reasonably ask what is the collective
noun for regulators? There are various of them. One is a cacophony.
Another one is a confusion. Where you have a multitude of regulators
covering the same type of complaint, it is almost the same as having no
regulator at all. It actually makes it very difficult to have effective
regulation.
MR. ALLAN: So you recommend a single point of contact for a complainant?
MR. VIRGO: I think a SPOC for regulators would be an interesting one.
LORD NORTHESK: In this context, do you think the relationship
between RIP and the Data Protection Act works and melts together
properly, and is the Data Protection Act in terms of affording the
public oversight of RIP robust enough?
MR. VIRGO: I think most definitely not. One of the good things
which has happened during the past year or so is that the Information
Commissioner and the Home Office officials are now in regular and
constructive contact in a way that they were not when this legislation
came in.
One of the most worrying of the EURIM meetings was when we
introduced the people who were responsible at the DTI on the lawful
interception of business communications, the people at the Home Office
responsible for RIPA, and the people at the Office of the Information
Commissioner responsible for their guidelines, and discovered that those
currently in post had never previously met. Not only had they not
previously met, they were not aware of what was on each other's
websites. That was a few years ago. Things have moved on, but that
joining up is actually critical to get good workable policies.
MR. WHITE: One of the areas that we will be asking about in a few
minutes, but I would like to hear what you have to say from the
industry background, is that the strategy of the National High-Tech
Crime Unit is to pick trained investigators, and then teach them about
high-tech issues. There seems to be some suggestion that we ought to
get a lot of 'techies' in and they can then become investigators. Do
you have any comment about that?
MR. VIRGO: Yes. There is a lot of comment from industry on this
point. The first thing is to point out that certainly in the City and
in the multi-nationals, many, perhaps the majority of the heads of
security actually have backgrounds in law enforcement or the national
security agencies. They are not techies and they are not amateurs.
Interestingly, the American situation is very different. The kinds
of people who are working at top levels in e-security there are the
kind of people who are on "special" and "reserve" lists. I cannot
remember the exact date, but about 20 years ago, in the UK, when civil
defence was scrapped, so were many of the "special" and "reserve" lists
of the armed forces and the police. When you left the police for a
particular area, your name went on a list. The Americans still have
those kinds of lists. What happens in America when they have a crisis
is that they call in people from industry, and they remind those people
from industry that they are now wearing their reserve hat or their law
enforcement hat, and they are under dual governance. Perhaps the most
famous example one can use, albeit from a slightly different area, is
Rear Admiral Grace Hopper. Grace Hopper actually left the US Navy
immediately after the war, and I cannot remember what her rank was. She
then spent most of her career in the IT industry, but she was a reserve
naval officer. She rose to the rank of Reserve Rear Admiral and was
responsible for all the US Navy's standards activities. So at various
times she was wearing her industry hat or her Navy hat. A more recent
example is from Canada. The Royal Canadian Mounted Police have a
special adviser who is a special constable with rather interesting
powers in Canada. The reverse side of the coin is that the chief
executive of the Canadian Banking Association just happens to be the
former head of the Canadian Security Service. You have people who are
moving between and are switching hats. There are issues of governance
there. In America they have the idea of pulling in the reservists. The
reservist is not Dad's Army, second best. The reservist is a specialist
whose skills are not normally needed in peacetime. He may well be
senior in rank to the regulars he is dealing with and will take charge
because he has skills which are not normally needed, and similarly
these ones who are "specials" have skills in a particular area. They
are not the Friday night punchbag. They are not the threat to police
overtime or would-be vigilante with suspect motives who some think of
in this country when you talk of "specials".
We have to figure out how to go to the American idea of where these
people are under governance, they are trained and they have a dual
function. That is not an easy transition to make.
MR. ALLAN: In a sense, that is accepting the principle that the
public service official or the law enforcement agencies will not ever
be able to recruit all the high-tech stuff they need and, therefore,
they will bring them in in a similar way to that which some academic
institutions have para-academics, who work in industry and have a
teaching role, particularly in IT where the academic institutions find
it difficult to recruit.
MR. VIRGO: Particularly, when you are dealing with skills which are
not normally needed. If you tried to have somebody within the service
with those, the skills might atrophy because they are not normally
practised. It is much better to bring them in when needed, but they do
need to have the governance, the forensic training and the rest of it.
As I say, it is a dual action. It is something which is going to emerge
over time. We cannot recreate what the Americans do from scratch
because we scrapped that approach ourselves 20 years ago. It needs to
be re-built.
MR. WHITE: I am conscious of time. I do have one brief question. On
costs to industry, which is one of the key areas which has come up,
anything is possible in terms of information gathering if you spend
enough money. Clearly, one of the key questions about data retention in
particular is whether the costs to industry are justified by the end
which we are hoping to achieve, namely, to try and detect people. Do you
have confidence in your dealings with industry in the kind of figures
which have been put forward by the industry for the cost which that
incurs, which is very significant?
In your submission, you seem to be suggesting that a data clearing
house is the better option than everybody holding their own data. Is
that based on the costs suggestion?
MR. VIRGO: It is not a data clearing house. It is a clearing house
for the claims to do an investigation. When it comes down to it, the
big concern is if you have to change systems to retain data. That can
be very expensive. If you are retaining data and you are just dumping
it in an archive and then you are going to analyse it, without knowing
what you are going to analyse in advance, that can be incredibly
expensive. The bigger issue is whether you have active co-operation.
Some of the case studies which have been used of recent effective
cooperation do not involve trawling large amounts of data. They involve
using the system of the telco, the mobile operator or the company to go
straight to the communications and the information that you want to get
at. So those issues of cost depend very much on what you are trying to
do and how you are trying to do it. If you are trying to set up general
purpose frameworks, then the figures are quite horrendous. If you are
setting up routines to work in close cooperation with governance to use
existing systems to find out what is there, it can be very much cheaper.
MR. ALLAN: So you argue for data preservation rather than data
retention, trying to preserve what is there, anyway, and use that?
MR. VIRGO: Exactly; but using the existing systems and routines for that.
MR. WHITE: Thank you, Philip. If I was to summarise what you are
saying, it is to make sure that industry and the authorities keep their
lines and levels of communications open?
MR. VIRGO: It is very much a matter of keeping the lines of
communications open and treating this as a cooperative exercise and not
a confrontational matter.
MR. WHITE: Thank you, Philip.
(The witness withdrew)