Internet Data Retention Measure Sparks Growing Privacy Concerns
Storage of Internet and VoIP traffic data in the U.K. will be mandatory as of March, under plans announced Tuesday by the Home Office. It’s seeking feedback on a proposal to extend existing traffic data-holding rules relating to fixed and mobile telephony to Internet access, e-mail and IP telephony, as the EU Data Retention Directive requires. As with earlier data retention debates, the issue continues to spark privacy concerns.
Sign up for a free preview to unlock the rest of this article
Communications Daily is required reading for senior executives at top telecom corporations, law firms, lobbying organizations, associations and government agencies (including the FCC). Join them today!
The U.K. adopted the EU directive’s telephony portions in the 2007 Data Retention (EC Directive) Regulations, but put off action on Internet-related provisions until March 2009. That area is “a more complex issue involving much larger volumes of data and a considerably broader set of stakeholders within the industry,” said the Home Office consultation document. The new regulation replaces the 2007 version.
The measure applies to communications data generated or processed in the U.K. by public communications providers, including unsuccessful call attempts that, in the case of Internet data, are logged in Britain. It forbids retaining content, but requires storage of data needed to: (1) Trace and identify a communication’s source, such as an allocated user ID or an Internet Protocol address. (2) Identify a communication’s destination, such as a recipient’s user ID. (3) Identify a communication’s date, time and duration.
The regulation requires retention of data that identify the Internet service used and the user’s communications equipment, such as the phone number for dial-up access or a communication originator’s digital subscriber line. Data must be held for 12 months from the instance in question, and be kept secure. The Information Commissioner’s Office must monitor the security of stored data.
Conflict centers on covering communications services providers’ costs to comply with the EU directive. That measure doesn’t require reimbursement, but the Home Office said national law on retention of Internet-related data requires the U.K. to ensure “appropriate contributions” toward provider costs.
Most EU countries say they won’t reimburse providers, but to avoid unsettling the market the U.K. will continue to do so for additional data retention and retrieval costs, the Home Office said. It wants to ensure that the same data aren’t stored by several providers.
Super-Snooping?
The U.K. Internet Services Providers’ Association will comment on the proposal after polling members, a spokesman said. Privacy advocates slammed the government for using the “war on terror” to allow nearly unfettered surveillance of Britons. “This started off with a bill that was sold as being about terrorism,” said Cambridge University Security Engineering Professor Ross Anderson. “Now they want traffic data to be more widely used by all sorts of state sector investigators, even local councils investigating people for such heinous crimes as dog fouling,” he said.
Stored data will be available to all bodies licensed under the Regulation of Investigatory Powers Act, said Open Rights Group Executive Director Becky Hogge. Data can be used to investigate Britons for crimes and civil offenses unrelated to terror or serious organized crime, she said. Opposition parties tag the proposed powers a “snooper’s charter” and they have a point, she said.
The Home Office seems to be eyeing centralization of records held by telecommunications companies, Hogge said. The Guardian reported this week that the database would allow police and other authorities to access stored information directly without having to request it from the individual company holding it.
The Home Office expects to publish a data communications bill this fall, a spokesman told us. It will overlap slightly with the proposal in the consultation but will cover only use of communications data within the U.K., not shared between EU countries, he said. Its content hasn’t been finalized, despite press reports, he said. Asked about the possibility of a central database of retained traffic data, he said The Guardian is “putting two and two together and getting five.”
But Britain’s privacy watchdog warned in May that if the government intends to bring all mobile and Internet records together in one system, “this would give us serious concerns and may well be a step too far.” The office sees no justification for the state to hold every U.K. citizen’s phone and Internet records, said Assistant Information Commissioner Jonathan Bamford. Besides, he said, the more data collected, the bigger the risks of it being lost, stolen or traded.
The ICO statement “shows that this is not just being invented by the press,” Hogge said. Comments on the Internet data retention proposal are due Oct. 31 -- commsdata@homeoffice.gsi.gov.uk.