
PMs and the law



  • RMweb Gold

I have just posted this message on Templot Club forum. It is for Andy and Warners to decide policy for RMweb, but these concerns seem to me to be equally relevant here.

______________   

 

"Today there is new emergency UK legislation announced in regard to private electronic communications and record-keeping by service providers. This usually refers to email and telephone records, but it seems to me that it must equally apply to private messages on web forums such as Templot Club.

Currently anyone anywhere in the world can join Templot Club anonymously and send private messages between them via Templot Club. As the owner of Templot Club there is little I can do to prevent this -- I check new registrations against known spammer lists but I can't check whether new members are criminals or terrorists.

As the owner of Templot Club it seems that the laws requiring the keeping of records, responding to requests for such records, and warrants to divulge message contents must apply to me.

I really do not want such legal obligations. Templot Club is intended to provide a forum for discussion about my software, not a means of private international communication. A forum requires all communication to take place in public.

Accordingly I'm minded to remove the PM capability from Templot Club. If members need to contact each other privately there are other means such as email, text or telephone, or even writing a letter. :)

If necessary I can act as an intermediary in providing email address contact details to members by email.

regards,

Martin.
"

 

 http://85a.co.uk/forum/view_topic.php?id=2486&forum_id=1

 


As usual, our politicians, aided by their spooks, are making a mess of things they don't know much about, but it seems to me that the new emergency law will be directed at "phone companies and ISPs", thus if I were running a forum with a PM system, I would not regard such a PM system to be within the new law's scope.

 

Let's not forget that this is another round of Cameron's political fight with the EU. What Merkel does in response to the ECJ ruling will be more important.


In principle I don't have any problem with the practical elements of the legislation with respect to RMweb. The content of PMs between members and records of times and dates of messages is recorded within the database. There's nothing sinister about that but it's necessary for the facility to function. It's also necessary to be able to access that information if a member were to report that they'd received an abusive message, spam or other unwelcome solicitations so that appropriate action can be taken if necessary. We had to install such safeguards some time back as there was a concern that the facility could have been used for 'grooming' of a junior member. Thankfully there wasn't anything that was such but at least we were able to satisfy ourselves that the system wasn't being abused.

 

And if someone were using the PM facility of RMweb to mastermind terrorist activities and GCHQ needed that info I wouldn't have a problem; I don't really think the PM system used on a railway modelling forum is where the government's real interest lies.


  • RMweb Gold

And if someone were using the PM facility of RMweb to mastermind terrorist activities and GCHQ needed that info I wouldn't have a problem; I don't really think the PM system used on a railway modelling forum is where the government's real interest lies.

 

Hi Andy,

 

If I were criminally minded it occurs to me that the PM system on a web forum about model trains or flower arranging might be an excellent place to hide my tracks. But I can't help thinking that if GCHQ really needed access to the RMweb database they wouldn't have any difficulty. :)

 

As a professional board owner with financial implications you no doubt have a different perspective from my own, and you are obviously willing to accept the legal obligations. For example when making backups of the database, preserving records, clearing cached data, controlling who has access, etc. But as a hobby owner of a hobby forum I just don't want to have to consider such matters or accept such legal obligations. I think there are probably many other board owners in a similar position.

 

regards,

 

Martin.


  • RMweb Gold

thus if I were running a forum with a PM system, I would not regard such a PM system to be within the new law's scope.

 

Hi MP,

 

Unfortunately it would not be you who gets to decide that.

 

Martin.


Hi MP,

 

Unfortunately it would not be you who gets to decide that.

 

Martin.

  

Quite so, and I should have added something to the effect that "at least, not until case law or future legal judgement indicate otherwise". That said, whether PM systems are within the future law's scope or not, Andy has indicated PMs are 'on the system', so would be available should the powers that be ever want to inspect them, i.e. however the law is phrased, Andy is compliant in respect of extant PMs. I take your point about not feeling obliged, as an amateur board owner, to keep 'everything', but then we, as individual members, can always delete PMs (if only to clear needed space in the PM system), so ancient PMs get washed away with history one way or another.

 

Not worth worrying about in my view. NSA and GCHQ will continue to vacuum up terabytes of data each day whatever the law says. It's not our role to solve dubious personal agendas of politicians.


What we know about it all is just skimming the surface. We are only told about the stuff that makes the courts. It's far more than that. I can only surmise but I suspect that many a potential terrorist has hopped back to where his tribe originally came from after getting a rather obvious feeling he was being watched. It's not convictions or publicity that is in the frame, it's STOPPING suicide bombers. We haven't come across this kind of threat before. Bin Laden killed as many Americans as the Japanese at Pearl Harbor. A few email intercepts may well have stopped it all. Freedom to live is more important than a scan of our trivial messaging.


As the owner of Templot Club it seems that the laws requiring the keeping of records, responding to requests for such records, and warrants to divulge message contents must apply to me.

I really do not want such legal obligations. Templot Club is intended to provide a forum for discussion about my software, not a means of private international communication. A forum requires all communication to take place in public.

 

Accordingly I'm minded to remove the PM capability from Templot Club. If members need to contact each other privately there are other means such as email, text or telephone, or even writing a letter.

 

The PMs are held in the same database as the forum posts so in terms of the obligation to retain the records you are already compliant (I'm assuming the database is regularly backed up by your hosting provider, if it isn't you need to sort this out today!)

 

The other issue is the data requests. It's somewhat of a grey area but my reading is that any request would be made to the service provider, not to you as the publisher.

 

One thing I would suggest (if you haven't done it already) is to make sure that the forum T&Cs make it clear that the PMs are private only in the sense that they are not published for all to see, and that they will be retained permanently and available for the forum owner and administrators to inspect at any time, and also available to the courts in the very unlikely event that a warrant is issued.

 

In short - keep calm and carry on! :)


One thing I would suggest (if you haven't done it already) is to make sure that the forum T&Cs make it clear that the PMs are private only in the sense that they are not published for all to see, and that they will be retained permanently and available for the forum owner and administrators to inspect at any time, and also available to the courts in the very unlikely event that a warrant is issued.

 

Even if the new law does apply to the PMs of a forum, I understand it would require retention of metadata only for a 12-month period.


Any crook or terrorist worth his name will simply use an offshore provider for such activities. Encrypted VPN to and from an overseas server. The only UK footprint will be the IP address of the VPN gateway. Trolling through UK based ISP, telecom, and forum messages will be nothing more than a make work exercise for the spooks to justify their existence.


  • RMweb Gold

I take your point about not feeling obliged, as an amateur board owner, to keep 'everything', but then we, as individual members, can always delete PMs (if only to clear needed space in the PM system), so ancient PMs get washed away with history one way or another.

 

This is exactly my point. I may be required to keep a record of such deletions. And any edits. It's not as simple as it may appear. We can disregard the politics but not the law of the land.

 

Martin.


  • RMweb Gold

You would be surprised how limited the knowledge of some of those involved in policing this type of thing is. I have to be careful what I say but not too many years ago I acted as an unofficial technical advisor to UK anti-terrorist law enforcers where not a single member of the forensic analysis group had ever seen Linux.


  • RMweb Gold

The PMs are held in the same database as the forum posts so in terms of the obligation to retain the records you are already compliant (I'm assuming the database is regularly backed up by your hosting provider, if it isn't you need to sort this out today!)

 

The other issue is the data requests. It's somewhat of a grey area but my reading is that any request would be made to the service provider, not to you as the publisher.

 

The reality of whether anyone would actually use the PM system on my forum for nefarious purposes isn't really the issue. It strikes me as extremely unlikely.

 

The issue is the legal obligations to which as web site and forum owner I may be subject. For example if someone deletes (or edits) a PM it disappears from the database. At present there is then no record of it ever existing to which I have access, other than in the rolling daily and weekly backups if the content appeared for more than 24 hours. It may be legally necessary to record every such deletion as it occurs.

 

Not all members are in the UK, and nor is the hosting. The hosting provider (Jim Hale) in Columbus Ohio, the data centre (cera.net in Columbus), overseas members' own ISPs and the network servers in between do keep detailed logs, but probably not for 12 months and it's far from clear whether they are all subject to UK law. But I know I am. :(

 

I don't know the answer to such questions, but what I do know is that I don't want such hassle. :)

 

regards,

 

Martin.


  • RMweb Premium

Whilst I am not in a position to know the ins and outs of what the law may or may not mean, or how it affects PMs, if the legislation is needed to catch and prosecute people like child abusers it seems worthwhile to me.

 

From No. 10's website:- (bold bits highlighted by me)

 

But this capability is under threat. The European Courts recently struck down their legal underpinning for companies to hold on to information for 12 months, which is vital for our security and intelligence agencies to conduct their investigations.

Without a clear legal basis in UK law, and unless they retain it for business need, companies will soon stop providing this data on the regulated, authorisation basis that they have done for many years and may even start deleting data which is essential for law enforcement and national security. The government therefore plans to introduce a simple piece of fast track legislation to restore the legal basis for companies to hold this data - it will take due account of the recommendations the ECJ made in its judgment.

Were these powers lost, it would be harder or impossible to effectively investigate a range of crimes, including:

  • murder – those who conspired to assist the killers of Rhys Jones were caught using evidence from mobile phones, which proved they were associating at certain key times and places
  • sexual exploitation – the men who groomed young girls in Rochdale were prosecuted, in part, using mobile phone call evidence which showed their association with each other and contact with victims
  • drugs – a gang operating in Merseyside, Lancashire, Glasgow and South Wales in 2011 was found with 30kg of drugs and £37,000. Mobile phone call and text evidence was used to determine the gang’s hierarchy and identify key individuals. This resulted in the arrest of two gang members not otherwise identified using normal surveillance techniques
  • doorstep fraud – a gang who conned an 85-year-old were prosecuted using evidence that they had called the victims repeatedly from their mobile phone
  • locating vulnerable people – mobile phone location data was used to direct a search by Mountain Rescue and locate an elderly man with medical conditions, who had gone missing following a hospital appointment.

Although it is difficult to be definitive about the impact of not requiring companies to retain this data, a major recent Europol investigation into online child sexual exploitation (known as Operation Rescue) gives an indication of what the impact would be:

Of 371 suspects identified in the UK, 240 cases were investigated and 121 arrests or convictions were possible. One man was sentenced in March 2010 to 6 years’ imprisonment for sexual abuse of 2 minors after police discovered more than 60,000 indecent images on his computer.

In contrast, of 377 suspects identified in Germany, which has no such data retention arrangements, only 7 could be investigated and no arrests were made.


 

"Today there is new emergency UK legislation announced in regard to private electronic communications and record-keeping by service providers. This usually refers to email and telephone records, but it seems to me that it must equally apply to private messages on web forums such as Templot Club.

 

Martin.

 

Technically not quite true. This knee-jerk legislation is a proposal from the Cabinet Office. Although it is likely to go through unopposed as it is supported by most MPs it is being driven, yet again, by an EU court ruling that has dismissed previous law. The proposed legislation is "not as freely enabling as current legislation" (for example current dismissed legislation allowed councils to access this information). The proposal is merely to over-rule the EU court - we can still do this by passing laws in our parliament, thankfully.

 

Therefore there has been no change in the status of the previous legislation. Once this "law" is passed early next week the permitted authorities will still be able to collect (or insist on ISPs to collect) this information. It will not mean more access to private data or a Big Brother trawling through all our emails to Aunty May or Cousin Pete. It will not mean any person in Cheltenham or Langley checking on our eBay purchases or our interest in a model of a GWR pannier or photo collection of stations/track or infrastructure.

 

Do people really think that there are so many "agents" that they can be bothered monitoring such things? Come on, credit the boys and girls in the back room with a little more intelligence.

 

This does not impact individual website or owners of them - it applies to the ISP and telecom providers. The data that will be searched has more to do with what "terrorist" sites were visited by whom and a telephone call made to numbers. Searches are based on intelligence and not a trawl of every email / web post on the planet for the occurrence of the word "president" and "bomb" in the same sentence. That is just TV/Film fiction - even Cheltenham cannot afford such computational power!


For example if someone deletes (or edits) a PM it disappears from the database. At present there is then no record of it ever existing to which I have access, other than in the rolling daily and weekly backups if the content appeared for more than 24 hours. It may be legally necessary to record every such deletion as it occurs.

 

Rolling daily and weekly backups are industry standard for servers, and should therefore be sufficient for compliance with UK regulation under the principle of Reasonable Endeavours. My business is very tightly regulated and I'm happy that this backup scheme is sufficient for compliance :)


  • RMweb Gold

Martin. Technically not quite true.

 

What isn't quite true? I said there has been an announcement today, and there has been such.

 

I know it doesn't change the existing law, but it has still prompted me to consider the implications. The issue of whether it makes sense or who is or isn't monitoring what, is not my present concern.

 

My concern in this topic is the legal obligation to which I am subject as the owner of a web site which allows anonymous members to send private messages to each other.

 

It's noticeable that whenever I start a topic on RMweb someone invariably veers it off-topic. In this case it happened with the very first reply. :/

 

Martin.


It's an interesting point you have raised Martin and one anybody contemplating any sort of forum should consider - how might my facilities be used that are not the way I intended them to be.  I think most people can be quite naive when starting a web site, blog or forum that everybody who will join will be like minded and most are, it's spotting those who intend to use your site/blog/forum for their own purposes that is the challenge.

 

I think you are very right to consider the implications and it is very much your choice how much freedom to do stuff people have on your site/blog/forum.  At the end of the day, you don't want to have to explain yourself to the authorities because of the actions of somebody else on your site/blog/forum.


  • RMweb Gold

Martin

 

I think you might have the wrong end of the stick here.  The emergency legislation is a replacement for the ECJ's striking down of the Data Retention Directive which was specifically aimed at "communication service providers" and was squarely aimed at telcos (traditional or internet based eg VoIP etc) providing "publicly available electronic communications services or of public communications networks". 

 

The requirements were only about metadata and not content.

 

You can see the details here: http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=OJ:L:2006:105:0054:0063:EN:PDF

 

Mike


  • RMweb Gold

Martin

 

I think you might have the wrong end of the stick here.

 

Hi Mike,

 

I hope so, but I can't be sure. I don't want to be the one chosen for a test case. As far as I can see at present I am providing via my web site a "publicly available electronic communications service" in your words. Social networking sites offering similar services are being specifically mentioned in relation to the new legislation, although admittedly they are running their own servers.

 

The PM function on Templot Club is provided as part of the forum software. If it were not, I doubt that I would have bothered to install or provide such a service. Since anyone on the planet can send a private message to anyone else via email, texting, phone call, social networks, skype, written letter, fax, telex, etc., the need for me to provide an additional service is just not there. And I would think the same applies to many web forums, where the prime purpose is shared communication in public, not private.

 

So while the legal framework remains a grey area, even if a very pale grey, I'm still minded to remove the PM function. It is not sufficiently essential to be retained while any doubt remains. If after someone else's test case it is declared beyond doubt that web site owners are not subject to such legislation, I may reinstate it.

 

regards,

 

Martin.


As a layman, I know little of such things but it doesn't bother me a bit that my comments or whereabouts are recorded for posterity. In this land of personal paranoia, any surveillance is useful considering the amount of crime, especially gun and drug related, that exists. PMs are not exactly the method of choice for professional crooks or terrorists but they are useful to enable normal minded forum users a means of personal communication other than a direct email.

 

Brian.


Archived

This topic is now archived and is closed to further replies.

