Open Source and information security mailing list archives
 
From: jc at farm9.com (Jeremiah Cornelius)
Subject: Data Retention Legislation in Violation of EU Human Rights Laws

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

UK 'snoopers charter' claimed to break EU law
By John Lettice
Posted: 15/10/2003 at 22:02 GMT

The data retention regimes in operation or preparation in at least ten
European states are unlawful, and breach the European Convention on Human
Rights, according to a legal opinion released today. According to the
opinion, commissioned by Privacy International from law firm Covington &
Burling, the European Commission's framework directive on the retention of
communications data is in itself unlawful, which means that any state in the
process of actually implementing it may have to think again.

In the UK, this could add another chapter to the tortuous and - so far -
unfortunate history of the 'snooper's charter', which is currently before
Parliament as a series of Statutory Instruments. Although a little watered
down from its previous version, this still requires widespread retention of
data as regards web sites visited, email addresses, phone calls and mobile
phone location data, and still gives numerous public authorities access to
that data.

According to the opinion, it's precisely this scattergun approach that
breaches the Convention on Human Rights:

"Article 8 of the European Convention on Human Rights (ECHR) guarantees every
individual the right to respect for his or her private life, subject only to
narrow exceptions where government action is imperative. The Framework
Decision and national laws similar to it would interfere with this right, by
requiring the accumulation of large amounts of information bearing on
individuals' private activities. This interference with the privacy rights of
every user of European-based communications services cannot be justified
under the limited exceptions envisaged by Article 8 because it is neither
consistent with the rule of law nor necessary in a democratic society.

"The indiscriminate collection of traffic data offends a core principle of
 the rule of law: that citizens should have notice of the circumstances in
 which the State may conduct surveillance, so that they can regulate their
 behaviour to avoid unwanted intrusions. Moreover, the data retention
 requirement would be so extensive as to be out of all proportion to the law
 enforcement objectives served. Under the case law of the European Court of
 Human Rights, such a disproportionate interference in the private lives of
 individuals cannot be said to be necessary in a democratic society."

Privacy International is to pursue test cases in at least two EU countries
where mandatory data retention is already in place, and has also lodged a
complaint with the UK Information Commissioner, alleging that the
government's regulations and voluntary code on retention breach at least
three core principles of the Data Protection Act. Blanket retention of data,
it argues, breaches the principle of proportionality, and flouts the
specificity principle, while "the existence of a voluntary code for
communications providers takes no account of the consent principle." PI has
also lodged an Open Government request for disclosure of the government's
legal advice relating to the regulations currently before Parliament.

PI director Simon Davies commented that the government was forcing "unwilling
companies to be complicit in an unprecedented and disproportionate
surveillance regime", and called on communications providers to "support
their customers' rights by ignoring the government's proposals." Which would
be fun - any takers?

Davies told The Register that the first test case is likely to be brought in
Denmark. The second has yet to be determined, but as legislation is well
advanced in several other cases, this may be an influential factor.

There will be a debate on the legal opinion at the LSE on 22nd October,
details and registration here.
- - --
Jeremiah Cornelius, CISSP
farm9 Information Security
email: jc@...m9.com
Phone: 510.835.3276
mobile: 415.235.7689

"Be cheerful while you are alive"
- - --Phathotep, 24th Century B.C.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (GNU/Linux)

iD8DBQE/jdtDJi2cv3XsiSARAm6nAKDvflsjS+YlTlsxmzyM86GAp+aQ+ACbBO5F
T+aNwsIT3Cbkk/ssTu+NdnY=
=DyCS
-----END PGP SIGNATURE-----

