G8 and ILETS discussed problems of "data retention and implications of data protection legislation" in 1999

Both the G8 countries technical group on high-tec crime and the International Law Enforcement Seminar (ILETS) raised the issue of data retention and the problems created by data protection and privacy laws in the EU in 1999. The two reports below emphasise the influence of secret, unaccountable, meetings of officials including those on the EU's Working Party on Police Cooperation. As the ILETS's minutes say:

"Recommendations emanating from the seminar can be put to their respective governments"

ILETS annual meeting 1999

The annual meeting of ILETS in Saint Cyr au Mont dOr, France in November 1999 has as its topic title: "Reconciling data protection and privacy requirements in the 21st century". The European Commission representatives the two EU directives in force: the 1995 Directive on data protection and the 1997 Directive on personal data and privacy in the telecommunications sector - the latter with the remark:

"which orders the operators to erase or to make anonymous historic data upon the termination of a call"

On the issue of "Data retention and implications of data protection legislation" the meeting agreed that: "All delegations to consider options for improving the retention of data by Communications Service Providers".

The ILETS meeting was clearly sensitive to public and media attention. The minutes state that "ILETS must control its documents" and that in future it would not formally submit them to the EU Working Party on Police Cooperation (though, of course, all officials on the working party will have copies). A "chapeau" ("hat") would be created for their "governments for publication".

The media should be told that "ILETS is not a formal group, and therefore has no formal membership" and:

"ILETS does not rely upon a resolution or directive of any international organisation or group of countries for its existence. Attendance at ILETS is by invitation only"

but if questions are asked for example by "national parliaments" such "exposure" should be notified to all members. Later they say: "it was stressed that ILETS must not become political".

Full-text ILETS `99: draft report  (Word 97) with thanks to cryptome.org

Background to ILETS

ILETS (International Law Enforcement Telecommunications Seminar). ILETS was initiated by the FBI in 1993. The founding members were Australia, Canada, Hong Kong, United States and the United Kingdom plus Norway, Denmark, France, Germany, Netherlands, Spain and Sweden. Representatives from both law enforcement agencies and national security agencies attend.

One of the main issue discussed through ILETS are the International User Requirements (IUR) first put forward by the FBI in 1992 were adopted by the EU on 17 January 1995. These "Requirements" were put out, in the name of the FBI and the Council of the European Union, for other countries to sign up to in November 1996. An attempt in 1998 to update the IURs in the EU ("ENFOPOL 98") to cover mobile, satellite phones and the internet use was put on hold because of adverse public reaction.

ILETS works directly with the Standards Technical Committee (STC) and its semi-public side is organised through the renamed "Policy and Legal Advisory Group" (PLAG).

ILETS meets annually and provides in-between an informal contact network for participants. It has held the following meetings:

1993 Quantico, Virginia, USA

Attended by: Australia, Canada, Hong Kong, Norway United States, Denmark, France, Germany, Netherlands, Spain, Sweden, United Kingdom.

1994 Bonn, Germany

Australia, Canada, Hong Kong, Norway, United States, Austria, Belgium, Denmark, Finland, France, Germany, Greece, Ireland, Luxembourg, Netherlands, Portugal, Spain, Sweden, United Kingdom.

1995 Canberra, Australia

Australia, Canada, Hong Kong, New Zealand, Norway, United States, Belgium, France, Germany, Greece, Ireland, Italy, Netherlands, Spain, Sweden, United Kingdom.

1997 Dublin, Ireland

Australia, Canada, Hong Kong, New Zealand, Norway, United States, Austria, Belgium, Denmark, Finland, France, Germany, Ireland, Italy, Luxembourg, Netherlands, Portugal, Spain, Sweden, United Kingdom

1998 Ottawa, Canada

Not known

1999 Saint Cyr au Mont d'Or, France

Not known, but the European Commission was represented. Japan, Switzerland and Czech Republic applied to become members.

Source of meetings: Duncan Campbell's report

G8 Subgroup on High-Tec Crime

While ILETS works on technical matters (and their policy implications) a much more high-powered driving force on the global interception of telecommunications is the "Lyon Group" and especially its "High-tech Crime Subgroup of G8 Senior Experts' Group on Transnational Organised Crime."

The G8 Senior Experts' Group on Transnational Organised Crime came out of the G8 Prime Ministers meeting on 27 June 1996 in Lyon, France. The first "G" Prime Ministers' Summit was held in Rambouillet, France in 1975 comprised of US, France, UK, Germany, Italy and Japan. Canada joined in 1976 (making G7) and in 1977, at the London Summit, the European Community joined its membership. The European Community's delegation is made up of a EU Presidency representative (currently Finland), the head of the European Commission (Romano Prodi, who previously attended as part of the Italian delegation) plus the Commissioner for external affairs (Chris Patten). Since 1994 Russia attended its meetings and became a full member at the Birmingham Summit in 1998, making up G8.

Sub-Group on High-Tec Crime

The "problems" for the G8/P8 states were broadly defined at the 1998 Birmingham Summit under the UK Presidency as:

"The main obstacle facing a G8 achievement of any goals set out in Birmingham appears to be the barrier of red tape obstructing law enforcement agencies from cooperating across national jurisdictions. The G8 will need to address the inconsistencies between justice systems from one member country to another if the
problem of international crime is to be dealt with effectively."

The key phrases here are "red tape" (procedures, control and accountability) and "inconsistencies between justice systems" (data protection and legal restrictions). In this context the Minutes of the G8 Subgroup on High-Tec Crime held in Paris on 18-21 May 1999 set out a whole agenda influencing the EU-FBI plan.

The first issue the Minutes cover is the "Preservation of Traffic data" covering "historical traffic data" and the
"collection of future data". The Minutes state that:

"Delegations agreed that privacy legislation (e.g. implementing the 1995 and 1997 EU Data Protection Directives), national laws implementing the Directives, and market forces are among the significant obstacles to law enforcement's ability to obtain historical data for use in criminal investigations. (Disclosure of that traffic to foreign investigators is also complicated by these and other impediments). Privacy directives, to the extent they require the deletion of connection information, can effectively erase the trail of connections that might otherwise
identify the source of criminal activity."

It goes say that a further impediment is "anonymous free Internet services.. contribute to the absence of useful traffic data." Two solutions are suggested for this "problem". The meeting of G8 Justice and Interior Ministers in Moscow on 19-20 October adopted "Principles on Transborder access to stored computer data" defined simply as covering "law enforcement agents employed by law enforcement agencies.. investigating criminal matters".

The "Principles" say "each State" will ensure that data is preserved, "particularly data held by third parties such as
service providers" for the purpose of seeking:

"access, search, copying, seizure or disclosure, and ensure that preservation is possible even if necessary only to assist another State."

The second "problem" with "historical data" is that there is no obligation for service and internet providers to keep data of their users messages etc. The 1997 EU Directive on Telecommunications Sector Data Protection allows service providers to keep traffic data for billing disputes but this is rarely used as users are not billed by individual connection.

Some countries allow traffic data to be preserved to guard against subscriber fraud but the Minutes observe there are no provisions for "infrastructure protection" or "other suspected illegal activity". The Sub-Group's view is that G8 should prepare "G8 Recommendations on Data Preservation" and that at national level the EU Directive should "either mandate or allow ISPs to retain particularly critical categories of traffic data for minimum time periods."

As to "future traffic data" ("real-time connection information", as it is happening) a number of delegations
reported that national laws "imposed heightened limitations" on the "ability of law enforcement" to obtain future traffic data and "share it with foreign law enforcement". Several countries treated "future traffic data" as "interception" which "involves more stringent prerequisites and may only be available for certain offences". Moreover, although national laws may permit the "capture of future traffic data for domestic purposes, its
laws may not permit it to do so solely for the benefit of a foreign state". The Sub-Groups solutions to this "problem"
include treating "future traffic data" on the same basis as "historical data" to avoid being defined as interception and
amending Mutual Legal Assistance Agreements (MLAA's) and national laws to allow interception on behalf of foreign states and agencies.

It also suggests that "important investigative techniques" could be used: "for the benefit of a foreign government and in the absence of a criminal offence or serious criminal offence, in the conduit country". This perhaps fits in with the
"hypothetical intrusion exercise" the Sub-Groups agencies are testing their investigative techniques on - this suggests an interventionist, pro-active approach which could "interfere" with telecommunications.

The "Principles on Transborder Access", agreed in Moscow, also covered instances where there was a formal request for access to data (under MLAA's) and "Transborder access to stored data not requiring legal assistance" - this latter aspect covers accessing "publicly available (open source) data" and:

"accessing, searching, copying, or seizing data stored in a computer system located in another State, if acting in accordance with the lawful and voluntary consent of a person who has the lawful authority to disclose to it that data."

In effect, US or UK security agencies could gain access to data where authorised to do so by a US or UK multinational operating in the surveilled country.

Sources: Statewatch bulletin; P8 - Senior Experts Group Recommendations: "To combat Transnational Organised Crime" (Paris, 12 April 1996); Summit Performance Assessments by Issue: G8 1998 Birmingham: Crime.

back to S.O.S.Europe

© Statewatch ISSN 1756-851X.Material may be used providing the source is acknowledged. Statewatch does not have a corporate view, nor does it seek to create one, the views expressed are those of the author. Statewatch is not responsible for the content of external websites and inclusion of a link does not constitute an endorsement.