Records Access

Communication Records Access

The United States PATRIOT Act permits ISPs to hand over any transactional data to law enforcement without court order or subpoena. Data can include not only “the name, address, local and long distance telephone toll billing records, telephone number or other subscriber number or identity, and length of service of a subscriber” but also session times and durations, types of services used, communication device address information (e.g. IP addresses), payment method and bank account and credit card numbers. [1]

The 2008 amendments to FISA also allow the Attorney General and Director of National Intelligence to direct any electronic communication service provider immediately to ‘provide the Government with all information, facilities and assistance necessary to accomplish acquisition.’ This development has led to numerous media stories of US intelligence agencies ‘piggybacking’ their own monitoring devices on privately operated networks by installing the devices on a permanent basis.[2]

Provisions covering the CSE in Canada’s ATA stipulate the organization is broadly empowered to ‘acquire information from the global information infrastructure for the purpose of providing foreign intelligence through means including interception of communications of foreign targets abroad, and to ensure the security of electronic information and government computer networks’.

This intelligence is to be acquired for the purpose of providing foreign intelligence, in accordance with Government of Canada intelligence priorities; to provide advice, guidance and services to help ensure the protection of electronic information and of information infrastructures of importance to the Government of Canada; and to provide technical and operational assistance to federal law enforcement and security agencies in the performance of their lawful duties.[3]

Data retention provisions following passage of RIPA in the UK also provide British authorities with broad access to communications records. These provisions allow any public authority designated by the Home Secretary to access “communications data” without a warrant.

Accessible data includes subscriber information, records of calls made and received, e-mails sent and received, websites accessed, the location of mobile phones, identity information relating to a person, apparatus or location (e.g. calling line identity and mobile phone cell site location details), and data identifying or selecting apparatus (e.g. routing information).

Communications data can be accessed for the following purposes under s.22(2) RIPA:

  • in the interests of national security;
  • for the purpose of preventing or detecting crime or of preventing disorder;
  • in the interests of the economic well-being of the United Kingdom;
  • in the interests of public safety;
  • for the purpose of protecting public health;
  • for the purpose of assessing or collecting any tax, duty, levy or other imposition, contribution or charge payable to a government department;
  • for the purpose, in an emergency, of preventing death or injury or any damage to a person’s physical or mental health, or of mitigating any injury or damage to a person’s physical or mental health.[4]

In 2005-2006, there were over 439,000 requests for communications data. According to the Home Office, most of the requests were for address information. There has been considerable controversy about who has access to communications data.

Again, following trends in the UK, French authorities have made transactional data widely accessible for investigatory purposes. The LSQ sets retention for up to one year for the purpose of prevention, investigation, detection and prosecution of criminal offences.

The data should not reveal the content of communication, be it e-mail content or the content of the visited web site. The penalty for non-compliant ISPs is one year in jail and a fine of 75,000 euros.

The AFA (French association of ISPs) has published a document evaluating the requests for data that they have received from the judicial authorities, and it is stated in this public document that they received approximately 500 requests monthly.

French provisions on data retention and disclosure may be extended. A draft version published in April 2007 would require webmasters, hosting companies, fixed and mobile telephony operators and Internet service providers to retain all information on Internet users and telephone subscribers and to deliver it to the police or the State at a simple request, and would even require retaining the passwords supplied when subscribing to a telephone service or an Internet account or payment details such as amount, date or type.

The draft text also proposes that data retained by ISPs and hosting companies and obtained by the police can be kept by the latter for a period of three years in the automatic processing systems provided by the Ministry of Interior and the Ministry of Defence.

As mentioned above, the LEN provides for additional data retention requirements in telecommunications, namely stipulation of personally identifying information (including name, address, and log data) that must be collected on users by all operators of electronic networks. The LEN also requires all persons wishing to post content on the Internet to identify themselves, either to the public, by publishing their name and address on their website (in the case of a business), or to their host provider (in the case of a private individual).

In both the UK and France, these data retention provisions for telecommunications providers have since been supplemented by an EU directive on data retention for law enforcement and national security purposes. This requires communications companies throughout Europe to retain and make available traffic data “for the purpose of the investigation, detection and prosecution of serious crime, as defined by each Member State in its national law” for periods up to two years.

Only Germany, Denmark, Italy and Ireland implemented the Directive at an early stage. In some cases, they require retention for 24 months. However, the European Commission wrote formally to 19 EU member states about their failure to meet the deadline for implementing the directive. This approach has been sharply resisted in both the US and Canada.

Source: Jennifer Stoddart, Privacy Commissioner of Canada

Access to Electronic Records

Electronic records in the format requested

When a request for access to a record is made under the Acts, the government organization will ordinarily provide a paper copy of the record, or give the requester the opportunity to view the original. Where the request is for an electronic record, there may be a variety of ways that the request can be fulfilled, depending on what the requester wants and the capabilities of the technology in use by the institution.

Where the information is stored in a video or audio tape, the organization could provide a copy of the tape, if such is the request, or give the requester the opportunity to listen to or view the tape. Ordinarily, to provide a copy of an audio or video tape is neither time-consuming, nor unduly expensive.

With the increasing use of various forms of information technology, it is often practical to provide access to an electronic record in the format requested. Thus, an institution may hold requested information in a database that is accessible by means of a commercially available software package. The requester could ask that the information be copied to a disk or diskette. A request of this kind neither entails difficult procedures nor a lot of time and should be responded to routinely.

Government organizations should modify their software

Electronic records may not exist in paper form. A record could be data or text assembled in a particular way through the use of a software program. A discrete record or file may not exist, but could be created with the assistance of software or technical knowledge available to the government organization.

The Acts and regulations recognize the obligation of government organizations to create electronic records when requested, except where to do so would unreasonably interfere with the operations of the government organization. That obligation would be satisfied through the use of the appropriate hardware and software to create the document.

Such a scenario would arise where a government database held “raw data” or statistics, and the government organization had a computer software program that allowed the data to be manipulated in a variety of ways for its purposes. A request could be made for the data to be assembled in a way not anticipated by the organization. How should the organization respond?

The spirit and purpose of much records legislation is to make government information available to the public. To keep to these principles, the organization should modify the software program as may be appropriate, provided that to do so would not unreasonably interfere with the organization’s operations. Information technology has developed to the extent that relatively little time and effort is often required to make such modifications. A fee for such a service would be applicable pursuant to the schedule set out in the regulations to the Acts.

Less problematic are requests for access to video or audio tapes, microfilm, and microfiche. More challenging is a request for access to a record on-line, that is, where the institution has, for example, created a database comprising discrete pieces of information, and the requester would like to have direct access to that database through his home or work computer.

Some government organizations are placing certain files on the Internet, thereby allowing individuals to access that information if they have a modem attached to their home computer. This development is still in its infancy, but potentially could lead to direct on-line access to government information.

Source: based on a paper by Ontario’s Privacy and Information Commissioner

Resources

See Also

  • Telecommunications
  • Privacy

Notes

  1. See USA PATRIOT Act (U.S. H.R. 3162, Public Law 107-56), Title II, Sec. 212. The Act also allows for the disclosure of electronic communications to law enforcement, as companies that operate a “protected computer” can allow authorities to intercept communications routed through the machine, bypassing warrant requirements, under USA PATRIOT Act (U.S. H.R. 3162, Public Law 107-56), Title II, Sec. 217. For expanded subpoenas issued to Internet Service Providers, see USA PATRIOT Act (U.S. H.R. 3162, Public Law 107-56), Title II, Sec. 210.
  2. Once authorized under the Act, the Attorney General and Director of National Intelligence may direct any electronic communication service provider immediately to ‘provide the Government with all information, facilities and assistance necessary to accomplish the acquisition’; see H.R. 3773: FISA Amendments Act of 2008, sec. 702(h)(1)(A).
  3. These activities shall not be directed at Canadians or any person in Canada; and shall be subject to measures to protect the privacy of Canadians in the use and retention of intercepted information. See section 273.64 of the National Defence Act.
  4. Access to data related to the use of communications service may be self-authorised by a wide range of government bodies under Part I Chapter 2. In June 2002, the Home Office announced that the list of government agencies allowed under RIPA to access communications data was being extended to more than 1,000 different government departments including local authorities, health, environmental, trade departments and many other public authorities.
