UK cops: Give us ONE journo's phone records. Vodafone: Take the WHOLE damn database!
Telco spaffed info on 1,700 staffers, watchdog says
Blundering Vodafone leaked the phone records of 1,760 Brit journalists and their colleagues to London's Met Police, a UK watchdog confirmed on Tuesday.
The cops had used surveillance laws to demand information on one particular journo's calls.
But after realizing Vodafone had handed over records on hundreds of journalists, the capital's plod used the files to create a list of everyone called by the hacks over a three-year period, it's reported.
Not only does it mark an intrusion into press freedom, it also highlights the dangers of telecoms companies holding onto logs of people's communications.
The journalists in question worked for News UK, publisher of The Sun and The Times, which on Tuesday night revealed that Scotland Yard had obtained hundreds of staffers' outgoing-call records from Vodafone – which provides the Rupert Murdoch-run publisher's comms.
According to The Times, in October last year, the Met had used RIPA powers to demand the call records of a journalist at The Sun amid an investigation into hacks allegedly paying public officials for confidential information.
In response, Vodafone handed over the records of 1,757 people at News UK. The Times said individuals exposed included "journalists, lawyers, secretarial staff and senior executives covering the years 2005-07."
In March this year, the information from Vodafone was bunged on CDs by police staff, who only then noticed there was a lot of extra data. The records were then used to create a spreadsheet of the staffers' contacts, it's claimed.
Three months later, the plod informed the UK's Interception of Communications Commissioner's Office (IOCCO) of Vodafone's cockup. The commissioner's office then told News UK of the blunder. The police say they've given copies of the leaked information back to Vodafone.
Voda and the Met did not respond to The Register's requests for comment late on Tuesday, UK time. However, Vodafone told The Times the call records were part of a "corrupted dataset", and it had urged the cops to delete the leaked information.
“We wrote to the Met to express our grave concern that the police continued to retain the data released to them in error and made it clear to them that any assumption that meaningful conclusions could be drawn from any aspect of the corrupted dataset was highly questionable,” a Vodafone spokesman said.
A Met spokesman, meanwhile, told The Times:
“We recognised the sensitivity of the excess data provided and ensured it was retained securely, until it was returned to Vodafone. The Metropolitan Police consulted with the Interception of Communications Commissioner’s Office, and the Information Commissioner on how this error should best be managed.
“The Met agreed that it would only use the material for a policing purpose, when in the interests of justice to do so, and where people were already charged and facing criminal proceedings.”
The IOCCO, which is supposed to oversee the police's use of surveillance powers, confirmed Vodafone had indeed wrongfully disclosed more data than the police had asked for, but concluded the telco had not done so on purpose.
"The Metropolitan Police Service (MPS) has been undertaking an investigation (Operation Elveden) into the unlawful payment of money to public officials by journalists in exchange for confidential information. The investigation has identified and charged a number of persons, including public officials and journalists, with criminal offences relating to misconduct in a public office and conspiracy to do the same.
"During the course of the investigation the MPS used their powers under the [Regulation of Investigatory Powers Act] to require Vodafone to disclose data that included the outgoing calls from a mobile telephone which was used by a journalist who was a subject of investigation.
"When Vodafone responded to the legal requirement from the MPS it disclosed data in excess of that required. The data disclosed contained both excess data on the requested mobile telephone (i.e. a larger time span than that required by the MPS), and, in addition, wrongly disclosed data on a very significant number of other telephones which were part of the same corporate account relating to News UK."
"We reminded the MPS of their obligations under the Criminal Procedure and Investigations Act (CPIA) 1996 to record and retain any information that comes into their possession which is relevant to a criminal investigation," the watchdog added, referring to the reported stowing of the data on CD.
"We informed News UK of their ability to seek redress through the Investigatory Powers Tribunal and provided them with sufficient details of the error should they wish to do so."
The IOCCO asked the plod to explain their actions in more detail, and to prevent any remaining copies of the data from being accessed by anyone not working on Operation Elveden.
Mike Darcey, chief executive of News UK, added in the pages of The Times: “A senior Vodafone executive has personally apologised to me for what he insists was ‘human error’. Vodafone accepts that the data was ‘wrongly disclosed’ and that our trust and confidence in them have been badly damaged.
"They also recognise that the mobile phone records of journalists – and lawyers – contain privileged information and we have made clear to them that we regard this as a very serious issue. I am personally appalled that this could happen and have relayed this in the strongest terms when speaking with Vodafone.” ®