Feeds

UK snoop system had 1,000 COCKUPS - including 2 duff cuffs

Whoops, sorry. Spied on you and locked you up by accident

Beginner's guide to SSL certificates

Police, security services and other public bodies bungled nearly 1,000 requests for citizens' communications data in a year, a new report has revealed.

Communication service providers (CSPs, which include ISPs and telcos) were also blamed for some of the cock-ups: the study for 2011 found that two people were wrongly arrested as a result of typos on information interceptions.

"Unfortunately in two separate cases where a CSP disclosed the incorrect data, the mistakes were not realised and action was taken by the police forces on the data received," said Interception Communications Commissioner Sir Paul Kennedy, the report's author.

He continued: "Regrettably, these errors had very significant consequences for two members of the public who were wrongly detained / accused of crimes as a result of the errors."

Kennedy noted that in those instances, which both have investigations underway, it was the same unnamed CSP at fault and not the public authority that had requested the data.

The snooping-on-the-snoopers commissioner added that after being initially unhappy with the CSP's explanations about what went wrong, the company had since introduced "sensible measures" that - it is hoped - should prevent similar errors in the future.

However, while it was decided that a CSP was responsible for the two worst cases of communications data request errors last year, the commissioner's report actually showed that public authorities were largely to blame for admin cock-ups resulting in the wrong British citizens being spied on.

Sir Paul's report was published as parliamentarians scrutinised Home Secretary Theresa May's drafted internet surveillance law, aka the Communications Data Bill.

Requests in numbers

In 2011, a total of 494,078 requests were made by public authorities including local councils, the UK Border Agency, the police and spooks, during which time 895 errors were reported to Sir Paul's office.

He said that approximately 80 per cent of those failures to submit the correct information had been down to public authorities, while CSPs were to blame for the remaining 20 per cent of communications data request errors.

The same report also highlighted the incompetence of two local councils for acquiring communications data by relying on "approval" from an individual who lacked the necessary authority to grant such access.

"In total 52 requests were made by these two local authorities and regrettably this data was therefore not acquired in accordance with the law," Sir Paul said.

"It was also shocking to find that the same person had acted as the applicant, SPoC [single point of contact] and DP [designated person] in one of those local authorities," he said. "Not only does this represent non-compliance with the Code of Practice, it also means that the requests had a complete lack of scrutiny in the individual local authority as they were effectively self-authorised."

He added that there had been two instances in which local councils had requested traffic data from CSPs, even though they are restricted from doing so under the The Regulation of Investigatory Powers Act (RIPA).

The commissioner's inspectors also uncovered one incident where a local authority had acquired communications data that did not meet the "necessity criteria" under RIPA.

Sir Paul explained that the "application related to an allegation that a parent living outside the catchment area of a school provided an address within the catchment area in order to secure a school place."

However, communications data was requested without the council in question specifying any criminal offences to justify the probe.

The commissioner said that "communications data must only be acquired for the purpose of preventing or detecting crime and where there is an intention to gather evidence for use in legal proceedings".

Just last week, Paul Bettison of the Local Government Association - who appeared before MPs and peers scrutinising the Home Office's draft communications law - dismissed accusations that local authority officials had abused their RIPA powers and said he wanted to "dispel the myths that we've been frivolous in the past".

During that same confab, it was revealed that public bodies including councils could yet - via secondary legislation - be granted access to communications data under May's proposed new law.

The Home Secretary had offered a tiny concession to Lib Dem opponents of her bill earlier this year, by proclaiming that councils and other public bodies would be excluded from such access requests, even though the vast majority of applications to spy on British citizens comes from spooks and the police.

On Friday, Prime Minister David Cameron said in a ministerial statement responding to the commissioner's report:

There have, regrettably, been breaches and errors in the use of these powers. While these have been few in number relative to the overall number of applications, the government is not complacent; the causes of these breaches and errors will need to be addressed.

Sir Paul's report can be viewed here [PDF]. ®

Security for virtualized datacentres

More from The Register

next story
WHY did Sunday Mirror stoop to slurping selfies for smut sting?
Tabloid splashes, MP resigns - but there's a BIG copyright issue here
Spies, avert eyes! Tim Berners-Lee demands a UK digital bill of rights
Lobbies tetchy MPs 'to end indiscriminate online surveillance'
How the FLAC do I tell MP3s from lossless audio?
Can you hear the difference? Can anyone?
Google hits back at 'Dear Rupert' over search dominance claims
Choc Factory sniffs: 'We're not pirate-lovers - also, you publish The Sun'
While you queued for an iPhone 6, Apple's Cook sold shares worth $35m
Right before the stock took a 3.8% dive amid bent and broken mobe drama
Inequality increasing? BOLLOCKS! You heard me: 'Screw the 1%'
There's morality and then there's economics ...
prev story

Whitepapers

Providing a secure and efficient Helpdesk
A single remote control platform for user support is be key to providing an efficient helpdesk. Retain full control over the way in which screen and keystroke data is transmitted.
Intelligent flash storage arrays
Tegile Intelligent Storage Arrays with IntelliFlash helps IT boost storage utilization and effciency while delivering unmatched storage savings and performance.
Beginner's guide to SSL certificates
De-mystify the technology involved and give you the information you need to make the best decision when considering your online security options.
Security for virtualized datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.
Secure remote control for conventional and virtual desktops
Balancing user privacy and privileged access, in accordance with compliance frameworks and legislation. Evaluating any potential remote control choice.