British? Online? Concerned about privacy? Danny O'Brien's compiled an excellent (and witty) guide to who can request what information from your ISP, now online on the STAND site:
To avoid this, the police and the ISPs (and indeed the phone companies and post office) use a form called a S29(3). Here is an example form (it's called a 28(3) there. Long, dull story.).
The S29(3) is one of those documents that you'll find either incredibly disturbing, or strangely reassuring. It's pretty good at ensuring that both sides cover their arses while understanding that they're about to do something fairly serious and potentially damaging to both sides. On the other hand, it shows ISPs and the police in a tacit arrangement to share customer data. (for a more detailed and sympathetic look at how ISPs handle this, have a peek at the London INternet eXchanges' Best Current Practice on User Privacy. It has a reasonably full description of the procedures, as well as much advice on how users can still preserve their privacy).
As we've said, ISP's don't have to respond to S29(3)s. If they don't, there's a good chance that the police will get Very Irritated, and may mutter something about Obstructing Justice. If they're serious, they could then go out an get a court order anyway. Police caught like this have been known to get warrants to seize whole racks of ISP servers, so from the point of view of the ISP, this is to be avoided. Most ISPs play along – but they have been known to say no if the police request is insanely disproportionate.
(via Oblomovka)
