Return to Cyberspace Law Seminar 2003 Main Web Page www.uiowa.edu/~cyberlaw/cls03
 
 

In response to the threat posed by the growing use of the Internet as a conduit for criminal activity, the United Kingdom has pursued legislation to assist law enforcement personnel in gaining access to internet service provider (ISP) users' activity logs.

Legislation to combat Internet crimes must balance effective enforcement mechanisms with individual privacy rights, and all without unduly hindering the development of the Internet.  The existing U.K. legal framework fails to achieve this balance.  Current legislative provisions authorizing access to ISP-controlled user data are extensive, and curtail users' privacy rights as well as British ISP economic competitiveness.  Moreover, legislation imposing data retention obligations on ISPs is likely to prove costly and ineffective.

UK legislation should focus on allowing ISPs to preserve data for a limited time, granting law enforcement access to user data on a case-by-case basis, as has proved successful in the U.S.  Such a proposal will be less costly and more protective of privacy, while providing law enforcement with effective tools to bring Internet criminals to justice.

Part I of this paper discusses the nature and extent of Internet crimes and the particular difficulties they present for law enforcement personnel in the U.K.  Part II focuses on current U.K. law regulating investigations of Internet crimes.  Part III compares and contrasts the current U.K. data retention proposals with the data preservation approach favored by the ISP industry and currently used in the U.S.  Part IV concludes by summarizing the main arguments in favor of using the data prevention model in the U.K., and offers suggestions for implementing that approach.

Internet crime includes traditional crimes that utilize the Internet, as well as crimes specific to the Internet context.1  Of particular concern are Internet attacks on information systems.2  Such attacks can disrupt essential services such as hospital care or government, and can seriously harm personal or economic interests.3  Attacks against information systems have become increasingly evident with the explosion of the Internet for personal, organizational and business use.  Statistics are few and unreliable, owing to the difficulties posed by non-reporting and undetected offenses.  The statistics that are available make clear the need for urgent measures to address computer-related crime in order to maintain the confidence and security essential to the success of the Internet.4

Internet crimes can be committed from anywhere in the world, creating procedural and substantive legal difficulties for law enforcement personnel (LEP) attempting to bring perpetrators to justice.5  Thus, in order to effectively combat Internet crime, cooperation with LEP in other jurisdictions is required.

However, before foreign LEP assistance is given, conduct must generally be recognized as a crime in the assisting country.  Recognizing these difficulties, international organizations have attempted to standardize national definitions of Internet crimes, as well as the procedural legal standards applicable to Internet crime investigations.  The Council of Europe has been at the forefront of these efforts.6  Its recommendations have shaped both European Union and U.K. law regarding Internet crime.

In keeping with the recommendations contained in the Council of Europe's 2001 Convention on Cybercrime7, the European Union has recently proposed a Directive aimed at standardizing Member State (MS) criminal law regarding attacks against information systems.8  These attacks may consist of unauthorized access to information systems (hacking), disruption of information systems (denial of service attacks or "DoS"), execution of malicious software (viruses), interception of communications ("sniffing") and malicious representation ("spoofing").9  The directive requires Member States to criminalize these activities,10 granting broad jurisdiction to States to pursue parties engaged in Internet crimes.11  The proposal also mandates that States establish 24/7 information exchange offices to ensure cooperation of law enforcement personnel (LEP) across the E.U.

The Computer Misuse Act of 1990 provides the basis for U.K. law regarding the Internet crimes set forth in the proposed E.U. Directive.12  Although the Act has been around for more than a decade, only a handful of criminals have been successfully prosecuted under the Act.  This is astoundingly low given the large number of both reported and unreported attacks, as well as the speed at which such attacks are increasing.13  The gross disparity between the high number of Internet-related crimes and the small amount of successful prosecutions is nevertheless understandable, as the Internet presents unique difficulties for the evidence gathering capabilities of LEPs.

Evidence of an Internet crime sufficient to support a prosecution is difficult to obtain for a number of reasons.  Difficulties arise in ensuring that Internet evidence is accurate, reliable, and relevant.  Because data transmitted over the Internet is in digital form, there is no loss of quality from one copy to another, making it difficult to ensure that data has not been tampered with.14  Since Internet data is transmitted virtually instantaneously, if LEP do not have the ability to record and store transmission activity the period in which to identify criminal activity is practically non-existent.  This makes it nearly impossible to authenticate the time and content of Internet crimes.15  In addition, the form in which evidence exists may change in the process of collecting it from a computer, raising questions as to whether the evidence is accurately represented.

Computers not only record and produce evidence, but they create it as well, internally processing data independent of specific individual commands.16  Because most evidence of Internet crimes exist in technical computer terminology or code, demonstrative evidence and expert testimony is needed in order to "connect the dots" for a jury.17  Attempts to show that such demonstrative evidence accurately describes the data are particularly susceptible to challenge by defense counsel.
In order to obtain a conviction, LEP generally must establish a continuous chain of evidence linking the perpetrator to the crime.  In the Internet context this is especially difficult.  Internet evidence is likely to arise from numerous computers, networks or ISPs.  Some of these sources may lack recorded data.  All lack specific means of identifying the perpetrator as the one who initiated the criminal activity.18

These are just a few of the properties of the Internet that raise difficult evidentiary questions regarding accuracy, reliability and relevancy.  Without access to pertinent information regarding a suspect's Internet communications, criminals will continue to wreak havoc in cyberspace without fear of prosecution.  To prevent that unfavorable result, the U.K. has enacted laws to ensure that LEPs have access to the necessary communications data.

U.K. law enforcement personnel seeking to investigate a suspected Internet crime must comply with laws regulating both their access to communications data and the preservation of privacy rights.  U.K. LEP can intercept anticipated illicit communications or search stored data for evidence of criminal activity.  The rules regarding interception and search of Internet data are broad.  However, strict privacy laws have prohibited ISPs from retaining the user transmission data that is often crucial to LEP investigations.

New E.U. legislation erodes this existing privacy law obstacle and allows the U.K. to impose data retention obligations on ISPs in order to aid essential criminal investigations.

The legal framework for ISP data retention is provided by two acts: The Regulation of Investigatory Powers Act 2000 (RIPA) and the Anti-Terrorism, Crime and Security Act 2001 (ATCSA).  The provisions of both Acts must comply with the extensive privacy obligations enshrined in Article 8 of the European Convention on Human Rights (ECHR),19 implemented in the U.K. by the Human Rights Act 1998 (HRA).20  Retention of data must be "proportional" to comply with E.U. data protection obligations incorporated into U.K. law by the Data Protection Act 1998 (DPA).21

A.  The Regulation of Investigatory Powers Act 2000 (RIPA)

Access to communications data in the U.K. is governed by RIPA, commonly known as the "snooping bill."22  RIPA creates a new tort of "unlawful interception", making it a crime for any person not duly authorized under the Act to intercept communications traveling over any public or private telecommunications system.23  Authorities may intercept communications over the Internet if they obtain the consent of at least one of the parties to the communication.24  Under the definitions contained in the act, any Internet-connected PC could be seen as a part of the public telecommunications system, thereby making any Internet user a potential spy.  Any party with whom a user is communicating could authorize LEP to intercept their exchanges.25  RIPA sets forth certain procedural safeguards to restrain authorities from unreasonably exercising search and interception privileges.  Warrants must be obtained before interceptions or searches can be carried out, and such intrusions are limited to the minimum amount necessary to achieve their authorized purpose.26
§ 12 of RIPA deals with interception capabilities of telecommunications providers, and is of particular concern to ISPs.  Under §12, the Secretary of State (SoS) can require ISPs to maintain technical capabilities sufficient to allow LEPs to intercept communications and other data passing through their systems.27  If necessary, the SoS will issue specific instructions to each ISP to tailor their level of interception capability to the scope of their operations.  § 24 provides that the SoS shall ensure that ISPs are compensated for the costs they incur in establishing the interception capabilities required under RIPA.28

Exactly how much it will cost ISPs to develop and maintain the capabilities RIPA requires is a subject of considerable debate.  Original U.K. government reports placed the costs of compliance in the $32 million range, and that amount has since been allocated to pay for compliance through 2004.29  The assertion that this figure accurately represents compliance costs has been greatly disputed by the ISP industry, which has estimated the costs to be as high as £4.6 billion over five years.30

Much of the dispute as to overall costs of the RIPA program stems from uncertainty regarding exactly what the government is promising to pay for.  The initial cost to ISPs of developing or acquiring sufficient technical means to intercept and monitor data are going to be a considerably lower than if continuing operating costs are included in the reimbursement proposal.  For now, the government is vague regarding the extent of its financial commitments to ISPs for additional business costs imposed on them by RIPA.31  To the extent that government reimbursement falls short of actual costs, British ISPs will find themselves at a competitive disadvantage to ISPs outside RIPA's scope.32

Even with the costly interception capabilities imposed on ISPs, RIPA's provisions are unlikely to be effective in combating Internet crime.  This is because any criminal seeking to escape the watchful eye of LEP can simply choose to access the Internet through an ISP with less than 10,000 U.K. customers.  Under RIPA, such small-scale ISPs are not required to maintain interception or monitoring capabilities.33  This glaring loophole, intended to minimize the financial and regulatory burden on burgeoning small enterprises, allows small ISPs to serve as safe-havens for Internet criminals.

B) U.K. Privacy Obligations

Once large ISPs have acquired the technical surveillance capabilities mandated by RIPA, they are under a legal obligation to ensure that user data is not "processed" or accessed in an improper manner.34  E.U. legal requirements regarding privacy and data protection are an outgrowth of the obligations enshrined in the European Convention on Human Rights.35  Article 8 of the ECHR establishes a right to privacy in home life and correspondence, as well as a general prohibition on the interception of communications.36  Other important rights that must be upheld according to the ECHR include the right to a fair trial, a presumption of innocence37, and the right to liberty and security.38

The Human Rights Act of 1998 incorporates the ECHR provisions into the national law of Great Britain.39  Under § 4 of the HRA, any legislation deemed incompatible with the provisions of the ECHR is invalid.  The HRA grants a right to legal proceedings to those parties seeking to enforce its provisions.40  The HRA provides grounds upon which to mount legal challenges to the validity of RIPA's interception requirements either on their face or as applied to a specific investigation.  RIPA is most likely to face legal challenges regarding searches or interceptions of "related communications data."
RIPA § 20 defines the "related communications data" that may be intercepted pursuant to a warrant under § 5.41 Virtually any reasonable connection between data located on different computers could justify making a third party's data subject to search under § 20.  Such wide search powers are understandably cause for concern.

Because of the "packet switching" technology utilized to send information over the Internet, each segment of an intercepted transmission contains information allowing the recipient computer to identify both the sender and the content of the communication.42  Modern interception technology can capture both the source43 and the content of Internet communications.  Given the broad definition of "related communications data" contained in RIPA, the "http string"44 associated with a given ISP user's communication (giving both the source and content of a communication - site visited, pages viewed, etc.) can easily be accessed by LEP.45  While authorities promise that content information is excluded from the definition of traffic data and will not be used in investigations46, such a claim is understandably viewed with skepticism.  Independent oversight currently does not exist, making it difficult to believe that LEP presented with potentially relevant content information contained in an "http string" (or "click stream" as it is also known), will simply choose to look the other way.

C) E.U. Data Protection Law

For ISPs, providing access to the far reaching personal information about their users that RIPA allows may be seen as a breach of their obligations not only under E.U. and U.K. privacy law, but data protection law as well.  ISPs granting access to information beyond the extent required by LEP, or to parties that are not LEPs47, may be in breach of data protection law.  E.U. Directives 95/46/EC, 97/66/EC and 2002/55/EC spell out the standards that ISPs must observe when handling user data.  These laws grant data subjects broad rights over how their information can be used.

Directive 95/46/EC governs the protection of individuals with regard to the general processing of personal data.  It gives individuals a great deal of control over the processing and movement of their personal data.  The Directive requires Member States (MS) to protect the fundamental rights and freedoms of individuals, in particular their right to privacy with respect to the processing of personal data.48  Individuals must give their consent (via opt in provisions) before an ISP or other third party can process their data49, and they have the right to object to processing except where prohibited by law.50  Access to user data in the absence of consent is allowed only in very limited situations set forth in Article 13.

Article 13 of the Directive allows MS to adopt legislative measures to obtain user data without consent in the event access to such data is necessary to safeguard public security or to assist in criminal investigations.51  Liability for breaches of a user's right to data privacy rests with the ISP as the "data controller", unless applicable national legal exemptions (i.e., compliance with art. 13 measures) provide them a defense to the breach.  A user's suit for breach of privacy is a troubling proposition for ISPs, who would presumably assist LEP in their investigations absent the threat of breach of privacy liability.

Directive 97/66/EC addresses the processing of personal data and the protection of privacy in the telecommunications sector.  It requires telecommunications providers (ISPs) to ensure confidentiality and prohibit storage or interception of communications except under the same limited exceptions contained in article 13 of Directive 95/46/EC.52  The Directive contains prohibitions on the retention of data that are especially problematic for LEP attempting to combat Internet crime.  Article 6 requires ISPs to erase traffic and billing data upon the termination of user communications unless the data is kept for the purpose of billing a subscriber.  Data retained for billing purposes may only be kept until the end of the billing period.  As the ISP industry has moved to a standard "flat rate" pricing structure, ISPs have no justification under 97/66/EC to retain the user communications data that are essential to LEP investigations.

Recognizing the obstacles strict privacy protection imposes on efforts to combat Internet crime, Directive 2002/58/EC on privacy and electronic communications overrides some of the provisions of 97/66/EC as they apply to ISPs.53  The Directive requires that location data other than traffic data must be made anonymous in order to be processed.54  It also contains exceptions to the protection of user data privacy similar to those in article 13(1) of 95/46/EC, but allows MS to adopt legislative measures providing for the retention of data for a period justified on article 13(1) grounds.55  This derogation from previous data protection law clears the way for the adoption of U.K. legislation permitting ISPs to engage in blanket data retention.

D)  Data Retention under the ATSCA

The Anti-Terrorism, Crime and Security Act 2001 legalizes data retention by ISPs in the U.K.56  ATCSA states that the Secretary of State shall issue a voluntary code of practice for ISPs under which ISPs will retain user communications data for a period of one year.57  If the voluntary provisions are ineffective, mandatory rules could be forthcoming.58  Failure to comply with the code of practice does not of itself render an ISP liable to any criminal or civil proceedings.59  The specific requirements of individual ISPs will be determined after consultations with the SoS.60

The lack of transparency inherent in the consultation process concerns some in the ISP industry who worry that certain ISPs will be given favorable treatment. The SoS is authorized to pay compensation to ISPs for their efforts to comply with the code of practice to the extent he sees fit.61  This wide discretion may allow some ISPs to get a larger portion of the reimbursement pie than their actual additional costs entitle them to.

Because ATCSA places ISPs under no legal obligation to comply with the code of practice, any ISP who voluntarily retains data may be breaking data protection law in addition to the HRA.  The data protection obligations set forth by the E.U. Directives find their U.K. legal expression in the provisions of the Data Protection Act 1998 (DPA).62  Under DPA, any communications data referencing individuals must be protected from disclosure to unauthorized parties.  DPA allows ISPs to grant data access to LEP in order to assist crime-fighting efforts.  Regardless of their good-faith intentions to assist LEP, ISPs retain the legal obligation to protect the privacy of their users.63  Access to user data must be appropriate, necessary, and proportionate to the purposes of the inquiry.64  Where a sufficient case has not been made to the ISP and access is granted, the ISP may be liable for a breach of privacy.65

Beyond merely preventing British ISPs from selling personnel information about their users, the DPA obligations require that parties wishing to obtain access to user data without the user's consent must first obtain a warrant.66  While the RIPA warrant provisions can force an ISP to allow LEP to intercept communications across their network,67 they cannot compel an ISP to maintain stored data on all the traffic attributable to an individual ISP user.  A mandatory data retention scheme under ATCSA would protect ISPs from prosecution under the HRA and DPA for retaining user data being held for national security or other permissible purposes.68  However, a mandatory scheme continues to raise the same financial and individual privacy concerns associated with a voluntary system of data retention.69

Whether voluntary or mandatory, a system of data retention will impose large financial costs on ISPs seeking to meet the government's desired standards.  Considerable uncertainty exists as to whether the funds set aside by the government to assist ISPs in meeting data retention costs will adequately compensate the ISPs for their expenses.  To the extent ISPs are left holding the bill, the data retention measures act as a barrier to the ISP market, forcing ISPs to locate activity elsewhere.  Neither RIPA nor ATCSA provide guidance as to how stored data will be evaluated, or whether LEPs or ISPs will bear the labor costs associated with data filing.  The task of sifting through huge stores of data to uncover information relevant to the prosecution of an Internet crime will be an expensive and time-consuming endeavor.

The general snooping powers conferred by RIPA raise serious doubts regarding their compatibility with established privacy rights.  The lack of clear standards and safeguards restricting abuse of the investigatory process will lead to public distrust of the Internet as a safe medium of communication, information gathering and expression.  Faced with extensive difficulties in implementing what LEPs see as a necessary tool in combating Internet crime, it is essential to look at practices other than data retention that can assist Internet criminal investigations while minimizing associated problems.  A policy of data preservation pursuant to LEP requests provides the necessary balance.

Data preservation differs from data retention in that instead of gathering information on every data transmission linked to an ISP user, data preservation is targeted at specific persons, data, and time periods.70  Limiting LEP access to data on a case-by-case basis provides LEP with less sensitive user information, making LEP abuse of data less likely.  Because data preservation requests are undertaken pursuant to investigations of specific offenses, their intrusions into personal privacy rights are more proportional, creating less cause for concern.  While the fulfillment of data preservation requests imposes costs on ISPs, the costs are well below those associated with implementing blanket data retention measures.

Many LEP see data prevention as a useful approach, but flawed in comparison to data retention.  This is because while data preservation can assist investigations into the activities of someone already under suspicion, it cannot aid in the investigation of a person not currently suspected of criminal activity - such as involvement with a terrorist organization.  Some argue that the inability of data prevention to identify emerging threats from unfamiliar parties makes it a poor policy tool to combat the grave threat posed by sophisticated terrorist groups trained to minimize their traceability.

While it is true that data retention may be more effective at combating crime on the Internet, the added effectiveness is minimal and the associated financial and privacy costs are high.  The likelihood of an LEP being able to identify threats such as a terrorist attack out of the vast stores of Internet user data retained by ISPs, absent an initial lead, is practically zero.  Even if LEPs were monitoring the content information of transmissions (which the government has denied it would do under a data retention system), sophisticated terrorist organizations could simply use techniques such as "steganography"71, or make use of anonymous accounts on ISPs outside the reach of U.K. courts.  Under a data preservation system, once LEP had a lead worth following up on they could make a request to an ISP to preserve data for a limited time while they investigate the quality of their information.  This practice is likely to have far lower associated costs, while being virtually identical in its crime-fighting effectiveness.

Data preservation in the U.S. under the Patriot Act, and the U.K. experience with ISP data preservation requests immediately following September 11, 2001, illustrate that data preservation can be carried out effectively without unreasonable cost to business and personal privacy interests.72  Following the terrorist attacks of 9/11, LEP in the U.S. and U.K. requested ISPs to preserve traffic data.  This approach was viewed as entirely satisfactory by both LEP and the Information Commissioner charged with overseeing U.K. data privacy.73  In the U.S., where laws do not forbid ISPs from retaining data, data preservation by ISPs has been used extensively to assist LEP investigations without greatly compromising important privacy interests.74

Data preservation requests are initiated when LEP present warrants to ISPs that communicate the need to preserve data because of an investigation.75  The warrant procedure acts as an important due process safeguard to ensure data access requests do not unreasonably impinge on individual privacy rights.  The Council of Europe in its Convention on Cybercrime has endorsed the data preservation approach utilized in the U.S. as one consistent with important privacy interests.76  This support reinforces the view held by many government, LEP, and ISP industry leaders that data preservation requests can be effective in combating Internet crime without the problems associated with a data retention regime.

The ISP industry strongly favors allowing data preservation, and believes that such an approach offers many advantages.  Both ISPs and LEPs view mandatory data destruction laws as the greatest obstacle to Internet crime investigations.  By preserving data according to their own needs and capabilities, ISPs help to ensure societal benefits in excess of those gained by assisting LEP in Internet crime investigations.  By using stored network traffic data to analyze the needs of their systems, ISPs promote network security and protect against fraud.  These efforts benefit public safety and help ensure the confidentiality and integrity of personal data across telecommunications systems that are vital to the growth of the Internet.
While abandoning data destruction requirements is a necessary step to effectively fight Internet crime, imposing data retention obligations in place of data destruction ones will create more problems than it will solve.  Requiring ISPs to retain user data logs will add significant operating costs to ISPs, resulting in decreased user services and higher prices.  Broad scale data retention will result in massive duplication of efforts, as Internet traffic data passing through numerous ISPs will have to be retained by all of them.  The use of clever encryption technology, steganography, and other secure communication techniques to evade detection will render nearly all stored data useless absent specific clues as to what to look for.  In addition, individuals fearful of ISPs amassing stores of data on their personal habits and interests may shun the Internet, stunting its growth.

As ISPs pursue measures to insulate themselves from Internet attacks, they are investing in measures such as more sophisticated intrusion detection systems that will allow for better data preservation.  The adoption of this software by ISPs is quickened by falling prices and greater ISP recognition of rising security threats.  It is these factors, not mandatory data retention requirements, that best allow the rapid growth of stored data necessary to fight Internet crime.77

Internet crime is a serious threat to the safety and security of Internet communications as well as to society at large.  Current U.K. privacy and data protection law requiring the immediate destruction of ISP user data that is not kept for billing purposes is a significant obstacle to LEP efforts to fight Internet crime.  The current solutions contemplated under U.K. legislation - either voluntary data retention under a non-binding industry code of practice or, failing that, a mandatory data retention regime - impose high costs on U.K. business and society.  Data retention obligations entail massive financial costs on ISPs operating in the U.K., and create serious concerns about the protection of personal privacy rights.  The added benefits of a data retention system are minimal, as authorities are unlikely to have either the necessary personnel or technical ability to identify Internet criminals absent a prior cause for suspicion.

Requiring ISPs to delete data in order to protect individual privacy is a disproportionate response in light of the severe threats posed by criminal activity on the Internet.  The adoption by ISPs of more sophisticated technical barriers can help prevent the damaging effects associated with Internet attacks on information systems.  Because technology and business needs change rapidly in the high-tech industry, legislative mandates for data retention measures are a poor solution.  Allowing ISPs to preserve data on their systems for a period of time, while allowing for more extended data preservation pursuant to an ongoing investigation, is an approach that is both financially practicable and more protective of individual privacy interests.  Therefore, the U.K. should abandon its current data retention plans in favor of a system allowing ISPs to preserve data according to their needs and resources for up to one year, with initial access to the data granted to authorities on the basis of a warrant.

In order to preserve privacy interests regarding LEP access to content info contained in user traffic data such as "http strings", such data should be held and access to it authorized by an impartial committee or organ of the judicial branch.78  Where authorities direct ISPs to preserve data for a period longer than one year, or in excess of regular ISP practice due to ongoing events such as investigations or a trial, compensation for added ISP preservation costs should be provided by the government.  The funds for such a program should be assessed and administered according to established criteria, while respecting the ISP interests in keeping secret their intrusion detection and storage methods.

Data preservation has been, and currently is, the most appropriate approach to fighting Internet crime while simultaneously seeking to uphold recognized privacy rights.  In adopting a data preservation approach, the U.K. would be following in the path chosen by both the Council of Europe and the United States of America, two respected leaders in efforts to combat Internet crime.  A data preservation approach is the correct way to balance the interests of ISPs, individual ISP users, and law enforcement personnel seeking to maintain a safe and secure society in the Internet age.

1 An example of a traditional crime as "Internet crime" is a threat transmitted via email, or using the Internet as an aid to evading customs law via smuggling, counterfeiting, etc.  An example specific to the Internet context is the crime of "hacking."  Hacking can be thought of as using the Internet to gain unauthorized access to personal or organizational data.

2"Information system" is a broad term meant to include virtually any connection between an electronic communication network and their connected systems.  This could include a personal computer, mobile phone, company intranets, extranets, networks, servers and other Internet infrastructure.  Proposal for a Council Framework Decision on Attacks Against Information Systems, COM/2002/0173 final - CNS 2002/0086, O.J. 2002 C 203E/109, August 27, 2002

3 Personal interests might include a desire to keep certain information private, such as group affiliation or personal contacts.  Unwanted access to such information will at least cause embarrassment, at worst, serious physical harm.  Economic interests threatened by unauthorized access include personal or organizational financial records or transaction data that might be exploited for commercial gain or used to inflict financial losses.

4 Proposal, supra note 2.  See also The Cybercrime Survey 2001, www.cbi.org.uk; European Economic Crime Survey 2001, www.pwcglobal.com; Computer Crime and Security Survey, www.gocsi.com.

5 As long as someone has a mechanism capable of connecting to the Internet (via a PC, mobile phone, network terminal, etc.) and a portal through which to gain Internet access (such as an ISP), they have the potential to commit Internet related crimes regardless of their physical location.  This is so because the Internet itself is not a tangible medium, but rather a network of interconnected systems.  On the nature of the Internet, see Lawrence Lessig, The Law of the Horse: What Cyberlaw Might Teach, 113 Harv. L. Rev. 501, December 1999.

6 Recommendation No. R 89(9) on Computer Related Crime, Council of Europe, Strasbourg, 1989.  Recommendation No. R 95(13) Concerning Problems of Criminal Procedural Law Connected to Information Technology and Explanatory Memorandum, Council of Europe, Strasbourg, 1995.  Convention on Cybercrime, Council of Europe, Budapest, November 2001, available at http://conventions.coe.int/Treaty/en/Treaties/Html/185.htm (March 25, 2003).  By approximating national law regarding Internet crimes, international policing efforts will not be hampered by the "dual criminality" requirement.  This refers to the necessity of conduct being a crime in both countries before mutual assistance in criminal investigations is assured.

7 Id.

8 Proposal, supra note 2.

9 Id., Explanatory Memoranda, Introduction 1.1

10 Id., articles 3, 4, 5.

11 Id., art. 11.

12 UK ST 1990 c 18.  The UK laws regarding offences involving the use of a computer are contained in §§ 1, 2 and 3 of the Act.

13Indira Carr and Katherine S. Williams, Cyber-Crime and the Council of Europe: Reflections on a Draft Convention, Int. T.L.R. 2001, 7(4), at 95.  See also Cybercrime Survey 2001, supra note 4.

14 Peter Sommer, Downloads, Logs and Captures: Evidence From Cyberspace, C.T.L.R. 2002, 8(2), 33-42, *35

15 Id.

16 Id.

17 Id.

18 For instance, DNA testing, fingerprinting, photographic evidence, or other tangible means to link the specific individual with the crime.  A suspect can easily claim that someone else had merely misappropriated his or her Internet identity - password, account, etc.  In order to prove beyond a reasonable doubt that the suspect is the guilty party, extraneous corroborative evidence will likely be essential.  This can come in the form of witness testimony about conversations, or content contained in  Internet transactions or communications that could only be attributable to the suspect.

19 European Convention for the Protection of Human Rights and Fundamental Freedoms (hereinafter ECHR), Nov. 4, 1950, art. 8, 213 U.N.T.S. 221.  Article 8(2) of the ECHR permits an interference with individuals right to privacy if it is necessary in the interests of national security and the prevention and detection of crime.

20 UK ST 1998 c 42.

21 UK ST 1998 c 29.  Proportionality depends on assessing a number of factors, including
1) Degree of intrusion into an individual's private life;
2) Strength of the public policy justification;
3) Adequacy of the safeguards to prevent abuse.

22 UK ST 2000 c 23.  "Communications data" under RIPA includes:
? Traffic data - information identifying who the ISP user contacted, when they contacted them and     the location of both parties.
? Service data - identifies the services used and for what duration.
? Subscriber data - information identifying the user of the service, and giving contact information such as their name, address and phone number.
"Communications data" under RIPA does not include the content of any ISP user's communication.  See  Home Office Consultation Paper on a Code of Practice for Voluntary Retention of Communications Data, March 11, 2003, at 6, available at http://www.homeoffice.gov.uk/oicd/antiterrorism/vol_retention.pdf (March 24, 2003).

23 Id., § 1.

24 Id., § 3.

25 Donald Ramsbottom, Regulation of Investigatory Powers Act - Updating or Snoopers Charter, C.T.L.R. 2000, 6(8), 205-208, *205.

26 UK ST 2000 c 23, § 15.  § 15 contains a number of general safeguards, including the "minimum that is necessary" restriction (§ 15 (2)) and a requirement to destroy data as soon as there are no longer grounds for retaining it (§ 15 (3)).  Of concern to some is the fact that those parties authorized to obtain a warrant under RIPA are not limited to traditional LEPs, but include a wide range of offices including the Commissioners of Customs and Excise (§ 6 (2)).

27 Ramsbottom, supra note 25, at 205-6.  See also UK ST 2000 c 23, § 22.

28 UK ST 2000 c 23, § 24.

29 Paul Stevens, RIPA Demands Push up ISP Costs, ZDnet UK Tech Update (July 9, 2002), available at http://techupdate.zdnet.co.uk/story/0,,t481-s2118813,00.html (March 26, 2003).  The U.K. government has allocated £20 million to pay for ISP compliance costs.

30 Ramsbottom, supra note 25, at 206.

31Matt Loney, ISPs Face Data Interception Deadline, ZDnet UK Tech Update (July 10, 2002), available at http://news.zdnet.co.uk/story/0,,t269-s2118894,00.html (March 26, 2003).

32 The definition of telecommunications service providers covered by RIPA is contained in § 2 of the Act.  UK ST 2000 c 23, § 2.  The Regulation of Investigatory Powers (Maintenance of Interception Capability) Order 2002 sets forth the scope of ISP coverage under RIPA, granting exceptions to coverage for those ISPs that do not serve more than 10,000 users in the U.K.  See The Regulation of Investigatory Powers (Maintenance of Interception Capability) Order 2002, Statutory Instrument 2002 No. 1931, August 1, 2002, at 2(3), available at http://www.hmso.gov.uk/si/si2002/20021931.htm (March 28, 2003).

33 Id.

34 Under E.U. law, "data processing" is a far-reaching term.  Regarding the processing of personal data, it means "any operation or set of operations which is performed upon personal data, whether or not by automatic means, such as collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction."  Directive 95/46/EC, O.J. L281/31/1995, article 2(b) (24 October 1995).

35 Article 8 of the ECHR, supra note 19.

36 The general prohibition on the interception of communications does not bar law enforcement personnel from intercepting communications in furtherance of a criminal investigation, but does bar broad-scale surveillance of parties not under investigation. Malone v. UK, 7 E.H.R.R. 14 (1984).

37 ECHR art. 6(2), Saunders v. U.K, 23 E.H.R.R. 31 (1996).

38 ECHR art 5.

39 UK ST 1998 c 42, paragraph 1.

40 Id., § 7.  Complaints under § 7 of the HRA will be handled by an Investigatory Powers Tribunal under Part IV of RIPA.  RIPA Part IV also sets out the role of the Interception of Communications Commissioner.  This person will be charged with the task of reviewing the work of the Secretary of State and to conduct oversight of all those involved with the interception of communications under Part I of RIPA.  The commissioner is to ensure that the safeguards contained in the Interception of Communications Code of Practice (pursuant to §71 of RIPA) are upheld.  See Interception of Communications Code of Practice, § 6, available at http://www.homeoffice.gov.uk/ripa/ioccop.htm (March 29, 2003).  Many critics worry that the task is simply too great to be entrusted to a commissioner, and that review will be less than adequate to protect fundamental privacy interests.

41 "Related communications data" means so much of any communications data as-
(a) is obtained by, or in connection with, the interception; and
(b) relates to the communication or to the sender or recipient, or intended recipient, of the communication;
See § 20 of RIPA, supra note 22.

42 For more information on "packet switching" and the nature of Internet communications, see Lessig, supra note 5.

43 Each terminal connected to the Internet has a unique Internet protocol address (IP address) identifying that computer as the source or recipient of a given communication.  IP address information is essential to LEP seeking to identify the perpetrator of an Internet crime.

44 "Http string" refers to the information contained in an Internet communication that is traditionally displayed in a box in a web browser.  The http string information allows a user to identify the party with whom they are communicating.  Hypertext transfer protocol (http) is the code that serves as the communications language between machines connected to the Internet.

45 Ramsbottom, supra note 25, at 206.

46 § 21 of RIPA, supra note 22.  See also Home Office Consultation Paper, supra note 22, at 6.

47 § 6 of RIPA allows for a broad range of parties to obtain a warrant.  See RIPA, supra note 26.

48 Article 1(1) of Directive 95/46/EC, supra note 34.

49 Id., art. 7.

50 Id., art. 14.

51 Id., art 13(1).

52 Directive 97/66/EC, O.J. L 24/1/1998, articles 5, 14 (15 December 1997).

53 Directive 2002/58/EC, O.J. L. 201/37/2002 (12 July 2002).

54 Id., article 9.  This is understood to mean that where content information is attached to communications data, that information must be made anonymous.  For a definition of "traffic data" under U.K. law, see UK ST 2000 c 23, supra note 22.

55 Id., article 15(1).  Article 13(1) of Directive 95/46/EC exemptions and restrictions include:
(a) national security
(b) defense
(c) public security
(d) the prevention, investigation, detection and prosecution of criminal offences, or of breaches of ethics for regulated professions
....
(g)   the protection of the data subject or the rights and freedoms of others.

56 UK ST 2001 c 24 Pt 11.

57 Id., §§ 103, 104.  The current draft of the Code of Practice for Voluntary Retention of Communications Data is awaiting comment, and is available online at http://www.homeoffice.gov.uk/oicd/antiterrorism/vol_retention.pdf (March 30, 2003).

58 Id., § 104.

59 Id.

60 Id., § 102.

61 Id., § 106.

62 UK ST 1998 c 29.

63 Id., § 29(1), (3).

64 Communication From the Commission to the Council, The European Parliament, the Economic and Social Committee and the Committee of the Regions, Creating a Safer Information Society by Improving the Security of Information Infrastructures and Combating Computer-related Crime, COM/2000/0890 final, para. 5.2 (26 January 2001).  Access to data under DPA must comply with the 8 Data Protection Principles set forth in the E.U. Directives.  Under the Data Protection Act, personal data must be:
1) fairly and lawfully processed
2) processed for limited purposes
3) adequate, relevant and not excessive
4) accurate
5) not kept longer than necessary
6) processed in accordance with the data subject's rights
7) kept secure
8) not transferred to countries outside the EEA without adequate protection
See Crime Reduction Toolkits: The Data Protection Act 1998, available at http://www.crimereduction.gov.uk/toolkits/ui040504.htm (March 28, 2003).

65 Sufficient grounds would be those within the exceptions contained in article 13 of Directive 95/46/EC.  See supra note 55.  One significant concern for ISPs is that because RIPA § 6(2) allows parties that are not traditionally associated with article 13 interests (such as national security) to gain access to user data, such broad group access may be seen to not be proportional, and thus violate ECHR article 8 rights of privacy. ISPs face difficulties in knowing exactly which authorized parties to deal with during an investigation.  Releasing user data to a party that is not authorized, or in excess of approved authorization, could subject ISPs to a suit for breach of privacy.  For this reason, ISPs believe that "single points of contact" offices are needed to ensure efficiency and encourage the development of personnel trained in Internet crime procedures.  For a well articulated criticism of the data retention scheme, see All Party Internet Group (APIG), Communications Data: Report of an Inquiry by the All Party Internet Group , January 2003, at 20-22, available at http://www.apig.org.uk/ (March 30, 2003).

66 Part I ch. II of RIPA imposes a legal obligation on ISPs to assist LEP in investigations of Internet crime when a warrant has been obtained, and injunctions may issue requiring ISPs to cooperate.  § 22 (4), (8) of RIPA, supra note 22.

67 RIPA, supra note 22, § 12(7).

68 This is so because in retaining data the ISPs would be acting pursuant to a statutory measure enacted according to a purpose acceptable under article 13 of Directive 95/46/EC, and DPA § 29(1).

69 APIG, supra note 65, at 26.

70 Id., at 27.  "Data preservation relates to the holding of specific data at the request of the agencies on a case-by-case basis as such data is created.  Data retention, is the blanket routine keeping of an identified set of data for a specific period in event of a subsequent need for access."  Home Office Consultation Paper, supra note 22, at 15.

71 This refers to the practice of embedding criminal messages in otherwise innocent communications.

72 APIG, supra note 65, at 27-30.

73 Id., at 28.  The Information Commissioner is charged with ensuring that the provisions of the DPA are adhered to.

74 Mark Richard, United States Department of Justice, Criminal Division, Prepared Statement of the United States of America, Presented at EU Forum on Cybercrime, Brussels, 27 November 2001, available at http://www.cybercrime.gov/intl/MMR_Nov01_Forum.doc (March 30, 2003).

75Id.

76 Convention on Cybercrime, supra note 6, at § 2,Titles 2-4.  Safeguards for personal privacy under the Convention are set forth in article 15.

77 Where data retention obligations are imposed, an ISP must devote resources to that activity beyond its usual requirements.  These added costs could actually harm LEP crime-fighting efforts.  While more data may be kept, there are no guarantees that ISPs will be able to afford the added personnel necessary to go about the task of ordering and filtering the data.  This swamping of data retention personnel could lead to criminal activity passing unnoticed that may have otherwise been detected under previous data storage practices.

78 This approach is used in Germany, where police only have access to material deemed relevant by the judiciary.  Indira Carr and Katherine S. Williams, Council of Europe on the Harmonisation of Criminal Procedural Laws Relating to Information Technology (Recommendation No. R95(13)) - Some Comments, J.B.L. 1998, Sep, 468-484, at 475.