IT Managers support regulation of investigatory powers but not data retention
“We very much support the regulation of investigatory powers but have three concerns: the bodies and powers left out, the authentication routines and the risk/reward ratio of data retention” Philip Virgo, Strategic Advisor to IMIS, the Institute for the Management of Information Systems at Scrambling for Safety 7, organised by Privacy International and the Foundation for Information Policy Research, co-sponsored by IMIS and Microsoft.
The “Industry” perspective on the issues was provided by Beatrice Rogers (Intellect) for suppliers and Philip Virgo (IMIS) for users.
The text for Philip Virgo’s opening comments was:
IMIS is the professional body for the management of information systems. Information systems managers and their systems administrators are the individuals in industry most likely to receive the orders to give access to the information in their systems.
That includes the systems of the banks, insurance companies, universities and so on, who may or may not be communications services providers, depending on which lawyer you speak to - but who are certainly covered by the legacy powers of many departments and agencies to access unspecified information.
We therefore thoroughly support the need to regulate investigatory powers. Our concern is that RIPA does not yet do all the regulation that is necessary. However it is a great step forward.
That said, we have three major concerns:
The first is with the investigatory powers left out of the regime
Second is the need for it to be both practical and easy to check the authority of someone claiming access to data
Third is the cost, practicality and desirability of retaining data beyond the time it is needed for direct business purposes
To put these into practical context:
What should one of our members do when he receives a fax or e-mail saying that some-one purporting to be from the Department of Administrative Affairs wants information on an employer or customer or their e-mails or phone calls?
One of the high street banks, which regularly receives such requests to branches all over the country, instructs that these then be routed to a Group Security who employ four staff, full time, reading such requests, giving them reference numbers and then asking for the request to be confirmed with the addition of the local contact details to be quoted when the information is passed to the agreed central contact point for that department or agency.
At that point three quarters of the requests vanish.
How many were from “enquiry agents” looking for husbands and wives or from stalkers researching victims?
How many were from fraudsters seeking back-up information for identity theft?
How many were from temporary staff who did not understand the system?
What our members who work in this area do know, is that unless they can contact a single point of contact, the equivalent of Whitehall 1212, to check the authority and identity of the person making the request, they may well have compromised the security and safety of the individual concerned, let alone that of the organisation.
IMIS is an international professional body and over half our members are overseas. I would therefore also like to remind you of one of the most chilling examples of the consequences of failing to have adequate authorisation checks and of retaining data after the time it was needed for operational purposes.
Around 25 years ago, well before most law enforcement agencies got round to appreciating the value of communications data for intelligence led policing, one of the Columbian drug cartels used the call records of the local telco to identify everyone who called or was called by the local US Drug Enforcement Agency liaison officer. They located the safe houses and informer network. They then killed them.
Retained data is vulnerable data.
To recap, we very much support the regulation of investigatory powers but have three concerns:
In answer to questions Philip Virgo said that:
- the routines being tested for authorising the information request issued by traditional law enforcement were among the best such routines he had ever seen reviewed - that was one of the reasons IMIS was so supportive of what was now happening with RIPA. The reservations of IMIS members and their employers are to do with retaining data beyond the period for which it is being actively used, maintained and protected.
- there was a major training and information task not just for law enforcement but for industry, both trade associations and professional bodies, in providing guidance on what to do when an access request was received, including how to work with law enforcement once a request was known to be genuine.