EURIM Evidence

APIG Communications Data Inquiry Oral Evidence
MR. WHITE: We start with the European Information Society Group – EURIM. I start by declaring an interest as chair of that Group. EURIM exists to bring together Parliamentarians, civil servants and the industry so that issues of IT can be discussed. We have Philip Virgo with us, who is the Secretary General of EURIM. We were going to hear from Brian Collins as well but I understand he is delayed.

Philip, do you want to make a statement to start with or go straight into questions?

MR. VIRGO: I think it might be useful if I say something about how EURIM got involved in this area in the first place. It actually began in 1995 when Viscount Chelmsford started organising meetings with the Law Commission on the consequences as electronic commerce started transitioning from structured electronic data interchange, because electronic commerce is actually more than a century old, towards the Internet and the areas where action was needed were a result of that.

That led us to review the IOCA issues and the issues to do with encryption technologies which were critical for many players. Then we worked with the Bill team on the Electronic Communications Bill, which became an Act of Parliament, and the split of that between the sections on electronic signatures and on interception. Then we worked on the long consultations with RIPA and, more recently, we have tried to broaden the debate to cover the issues of e-crime as a whole. The objective always is to try and bring the players together and find where there is a consensus, and where there is no consensus what is it that is at stake and why? So that is where we are coming from.

MR. ALLAN: Philip, you are very heavily involved in what I would describe as an informal form of pre-legislative scrutiny, in fairness?

MR. VIRGO: Yes.

MR. ALLAN: You try to bring people together at the time legislation is framed. I know that that is a very strong area of EURIM’s work.

One of the key questions which comes up in all technology legislation is: should it or should it not be technology neutral? I wonder if you have a view on that, particularly in the context of RIPA where there does seem to have been an attempt to make the technology neutral, which appears attractive, but at the same time that seems to have got us into trouble somewhat in that there is a difference — I do not know whether you agree with this — between asking, for example, for a log of telephone numbers which have been called by somebody, which is a practice which has gone on for years, and collecting all of this other data which an Internet service provider may hold about traffic and communications by an individual?

MR. VIRGO: The EURIM held view is very firm. The same law should apply on-line as off-line and we should try and have the law technology neutral.

There are some oddities with regard to RIPA. Some of the problems arise from the attempt to try to define what is communications data as distinct from other types of data, because much of the law which is knocking around, which gives statutory bodies and others access to information, applies to all sorts of information. One of the interesting things is whether it is actually worth trying to distinguish between communications data and other data that people claim access to, bearing in mind they are both stored and the meaning of communications data is itself a moveable feast. The moment you try and do definitions which rely on some kind of implicit technology model, then you know that those definitions are doomed, certainly within ten years and probably within five. It is better to apply the old test of trying to say, “What, really, is the difference between this and cable traffic?” or, “What is the difference between this and Charles II setting up the Royal Mail to intercept the Spanish Ambassador’s letters?” and going for genuinely technology neutral definitions as opposed to trying to draft the definitions which look as though they are technology neutral but really depend on a model of thinking of how, at the moment, the Internet works or rather the packets on which a sub-set of the Internet works. You have to bear in mind that the Internet is all of those things for which there are IP protocols, not just the packet switched part of that, which is what people normally think of.

MR. ALLAN: In terms of looking at weaknesses within the RIP Act, some provisions of which have not yet been implemented, which suggests there are some questions which have brought us here today, the definitions area, or the attempt to define communications data which is contained within that legislation, you would suggest, is a weak area that ought to be looked at?

MR. VIRGO: I think so, particularly bearing in mind that it is the regulation of investigatory powers, and an awful lot of the investigatory powers knocking around are under other legislation that gives access to stored data of all types. So why try to do a distinction between communications data and other data, bearing in mind that it is only the precise legislation under which you are claiming the access? What that actually means is: do you have to pay for access? Do you have to reimburse? And questions like that. An interesting question is if you should have to reimburse, should you not have to reimburse under the other legislation? Should not one actually be trying to make a reality of the regulation of all investigatory powers, not just that sub-set which was covered by the review of the Interception of Communications Act?

MR. ALLAN: In other words, RIPA purports to be an all-encompassing investigatory powers piece of legislation, but the reality is that there are lots of other pieces of legislation which apply and have a slightly different regime?

MR. VIRGO: Exactly.

MR. WHITE: One of the things which EURIM says in its evidence is that dealing with officials, because of the rotation system, means that you have to keep explaining to different officials what the real world is like. Is that a fair summation of what you were saying?

MR. VIRGO: Yes. It is not just the Home Office. This is a long-standing problem of dealings between industry and others in the Civil Service, the Civil Service rotations. Over the years people have come up with a lot of different solutions, one is staggered rotation, another is routines to provide continuity amongst those who have external liaison responsibilities, and that includes liaising with other departments, not just industry. Other solutions include external advisory panels. There are commonly no budgets for this. Rather than look at this purely within the RIPA angle, and RIPA is a particularly good case study, where the problems were particularly acute, I think one would reasonably argue that this is a very good topic for a follow on to some of the work by the Select Committee on Public Administration on some of the general problems with policy formation.

MR. WHITE: So you are suggesting it is an issue which the Cabinet Office and the new Government training body — I have forgotten what it is called — should be looking at?

MR. VIRGO: Absolutely. Given that rotation in the Civil Service is part of the career progression, how the handovers are handled and how you ensure continuity, where continuity is needed, does need to be looked at again because of the problems which are arising in all sorts of areas where you are dealing with situations which change over time. For example, the correct interpretation of the brief which you have inherited from your predecessor, who probably inherited it from his predecessor, may not be known — because none of the civil servants who were at the actual meetings and knew what lay behind certain decisions is any longer involved. It is a problem which is now really acute.

MR. WHITE: Does that apply to central Government or is it an issue for agencies and local government as well?

MR. VIRGO: Where policy responsibility has been devolved — for example, where you have agencies with policy responsibility, it may be less of a problem — I am thinking here of the Patent Office and copyright. The Patent Office has continuity — it is more of a problem, probably, within the central Civil Service than elsewhere.

MR. ALLAN: Let me pick up on the issue of oversight. With all of the regimes that potentially could be put in place, one of the key questions is whether there could be any leakage of sensitive information to those who should not have it. You have been quite robust in your evidence. I think it is worth quoting it, for the record. As representatives of law enforcement are here, perhaps they will want to have a word with you on the way out. (Laughter)

EURIM says: “Those responsible for security in major international and financial services users are well aware of incidents in recent years where those in national security, law enforcement and other public sector agencies in the US and UK have abused positions of trust for personal gain. Some agencies are known to have internal processes that would not be tolerated by any private sector regulator, let alone a financial services regulator.” That is quite a strong statement. People will be aware of press stories about misuse of the police national computer and so on, where people have been disciplined for that. Do you stand by that? Is that a serious concern for you in the context of retained data?

MR. VIRGO: It is a serious concern. There is also the oddity that most of the publicity is for those organisations which have better governance because they have processes for detecting the abuse. So the bigger issue is those where there is no publicity for abuse because there is no process for actually detecting abuse.

One of the issues is how do we handle this? One of the tests is whether an organisation is actually willing, able and enthusiastic about some kind of external inspection of its processes, because if it is not, then that may well be because it actually has not got any processes. The examples we were given some years ago were of major companies receiving grotty faxes at a branch office purporting to come from an agency saying they were going to call at some time to inspect their records because they wanted information about given employees. But there was nothing on the fax to enable you to check who it was. The really bad bit was that some of these were actually genuine as opposed to enquiry agents who were trying it on. Hence the reason that some of the big EURIM members have clear-cut routines: any enquiry of that kind is passed to head office. The head office then informs whoever made the enquiry of the central point in that agency to which they will pass information and requests reference information to go with it. They do not respond direct. But that is a labour intensive job, even actually to validate the request for information, let alone to then provide the information. There are a lot of issues there. In terms of tangible recommendation, one might be that any organisation claiming statutory access to information for law enforcement purposes should have their processes subject to inspection. I am not going to say that it should necessarily be by HM Inspectorate of Constabulary, but we are talking about the regulation of investigatory powers, so those who claim such powers should have their processes liable to inspection.

As I said, going back, the published cases usually relate to those who actually have got processes. The issue is those who have not got processes at all.

MR. ALLAN: Are you concerned about the fact that, in some circumstances, this area is over-regulated and so confusingly regulated? We have received some other evidence which went through the chain of potential people to whom one could complain. I sat on the Bill. I cannot exactly remember who they were but there were people like the Information Commissioner, Surveillance Commissioner, the Surveillance and Information Commissioner, the Information and Surveillance Commissioner… You know. It went on and on, especially if you suspected something and had some reason to believe that some form of your personal data had been abused. Who you can take your complaint to is very confusing. Is that an area of concern?

MR. VIRGO: I think one can reasonably ask what is the collective noun for regulators? There are various of them. One is a cacophony. Another one is a confusion. Where you have a multitude of regulators covering the same type of complaint, it is almost the same as having no regulator at all. It actually makes it very difficult to have effective regulation.

MR. ALLAN: So you recommend a single point of contact for a complainant?

MR. VIRGO: I think a SPOC for regulators would be an interesting one.

LORD NORTHESK: In this context, do you think the relationship between RIP and the Data Protection Act works and melds together properly, and is the Data Protection Act, in terms of affording the public oversight of RIP, robust enough?

MR. VIRGO: I think most definitely not. One of the good things which has happened during the past year or so is that the Information Commissioner and the Home Office officials are now in regular and constructive contact in a way that they were not when this legislation came in.

One of the most worrying of the EURIM meetings was when we introduced the people who were responsible at the DTI for the lawful interception of business communications, the people at the Home Office responsible for RIPA, and the people at the Office of the Information Commissioner responsible for their guidelines, and discovered that those currently in post had never previously met. Not only had they not previously met, they were not aware of what was on each other’s websites. That was a few years ago. Things have moved on, but that joining up is actually critical to get good workable policies.

MR. WHITE: One of the areas that we will be asking about in a few minutes, but I would like to hear what you have to say from the industry background, is that the strategy of the National High-Tech Crime Unit is to pick trained investigators, and then teach them about high-tech issues. There seems to be some suggestion that we ought to get a lot of ‘techies’ in and they can then become investigators. Do you have any comment about that?

MR. VIRGO: Yes. There is a lot of comment from industry on this point. The first thing is to point out that certainly in the City and in the multi-nationals, many, perhaps the majority of the heads of security actually have backgrounds in law enforcement or the national security agencies. They are not techies and they are not amateurs.

Interestingly, the American situation is very different. The kinds of people who are working at top levels in e-security there are the kind of people who are on “special” and “reserve” lists. I cannot remember the exact date, but about 20 years ago, in the UK, when civil defence was scrapped, so were many of the “special” and “reserve” lists of the armed forces and the police. When you left the police for a particular area, your name went on a list. The Americans still have those kinds of lists. What happens in America when they have a crisis is that they call in people from industry, and they remind those people from industry that they are now wearing their reserve hat or their law enforcement hat, and they are under dual governance. Perhaps the most famous example one can use, albeit from a slightly different area, is Rear Admiral Grace Hopper. Grace Hopper actually left the US Navy immediately after the war, and I cannot remember what her rank was. She then spent most of her career in the IT industry, but she was a reserve naval officer. She rose to the rank of Reserve Rear Admiral and was responsible for all the US Navy’s standards activities. So at various times she was wearing her industry hat or her Navy hat. A more recent example is from Canada. The Royal Canadian Mounted Police have a special adviser who is a special constable with rather interesting powers in Canada. The reverse side of the coin is that the chief executive of the Canadian Banking Association just happens to be the former head of the Canadian Security Service. You have people who are moving between and are switching hats. There are issues of governance there. In America they have the idea of pulling in the reservists. The reservist is not Dad’s Army, second best. The reservist is a specialist whose skills are not normally needed in peacetime. He may well be senior in rank to the regulars he is dealing with and will take charge because he has skills which are not normally needed, and similarly those who are “specials” have skills in a particular area. They are not the Friday night punchbag. They are not the threat to police overtime or would-be vigilante with suspect motives who some think of in this country when you talk of “specials”.

We have to figure out how to go to the American idea of where these people are under governance, they are trained and they have a dual function. That is not an easy transition to make.

MR. ALLAN: In a sense, that is accepting the principle that the public service official or the law enforcement agencies will not ever be able to recruit all the high-tech staff they need and, therefore, they will bring them in in a similar way to that in which some academic institutions have para-academics, who work in industry and have a teaching role, particularly in IT where the academic institutions find it difficult to recruit.

MR. VIRGO: Particularly, when you are dealing with skills which are not normally needed. If you tried to have somebody within the service with those, the skills might atrophy because they are not normally practised. It is much better to bring them in when needed, but they do need to have the governance, the forensic training and the rest of it. As I say, it is a dual action. It is something which is going to emerge over time. We cannot recreate what the Americans do from scratch because we scrapped that approach ourselves 20 years ago. It needs to be re-built.

MR. WHITE: I am conscious of time. I do have one brief question. On costs to industry, which is one of the key areas which has come up, anything is possible in terms of information gathering if you spend enough money. Clearly, one of the key questions about data retention in particular is whether the costs to industry are justified by the end which they are hoping to achieve, namely, to try and detect people. Do you have confidence, in your dealings with industry, in the kind of figures which have been put forward by the industry for the cost which that incurs, which is very significant?

In your submission, you seem to be suggesting that a data clearing house is the better option than everybody holding their own data. Is that based on the costs suggestion?

MR. VIRGO: It is not a data clearing house. It is a clearing house for the claims to do an investigation. When it comes down to it, the big concern is if you have to change systems to retain data. That can be very expensive. If you are retaining data and you are just dumping it in an archive and then you are going to analyse it, without knowing what you are going to analyse in advance, that can be incredibly expensive. The bigger issue is whether you have active co-operation. Some of the case studies which have been used of recent effective cooperation do not involve trawling large amounts of data. They involve using the system of the telco, the mobile operator or the company to go straight to the communications and the information that you want to get at. So those issues of cost depend very much on what you are trying to do and how you are trying to do it. If you are trying to set up general purpose frameworks, then the figures are quite horrendous. If you are setting up routines to work in close cooperation with governance to use existing systems to find out what is there, it can be very much cheaper.

MR. ALLAN: So you argue for data preservation rather than data retention, trying to preserve what is there, anyway, and use that?

MR. VIRGO: Exactly; but using the existing systems and routines for that.

MR. WHITE: Thank you, Philip. If I was to summarise what you are saying, it is to make sure that industry and the authorities keep their lines and levels of communications open?

MR. VIRGO: It is very much a matter of keeping the lines of communications open and treating this as a cooperative exercise and not a confrontational matter.

MR. WHITE: Thank you, Philip.