Confusion continues over U.K. data retention laws

The U.K. government passed controversial communications surveillance laws last month, after a close-run debate in the House of Lords. These new laws will have a powerful impact on Internet service providers (ISPs) and their U.K. customers. However, companies are not clear on how the law must be followed, ISPs and industry bodies say.

The Lords passed an extension to the Regulation of Investigatory Powers Act (RIPA) 2000, and gave the government more time to work on the Anti-Terrorism, Crime and Security (ATCS) Act, first proposed after the September 2001 terrorist attacks in New York.

Under the RIPA extension a broad swathe of U.K. government bodies, including local councils, will now be able to demand access to citizens’ communications data, such as who they called or e-mailed, and when. The ATCS Act aims to make sure that data is available from ISPs. Under a voluntary code, ISPs will be asked to retain data on consumers’ Internet and telephone activities, and to make sure the data is searchable.

If the government finds that the voluntary code is not working, it will then be able to make data retention compulsory for all ISPs.

After an outcry when the extensions to RIPA and the introduction of the ATCS Act were first proposed in 2001, the U.K. government backed down and re-entered consultation with privacy campaigners and the companies involved. While ISPs and privacy groups generally agree that the latest laws are an improvement on those first proposed in 2001, there still are serious problems that need to be ironed out, they say.

Data retention will inevitably cost ISPs money for storage and administration, said Beatrice Rogers, a senior program manager for Intellect, an industry body representing the U.K.’s information technology, communication and electronics businesses. That could push up prices, or force ISPs out of business, she said.

While many ISPs already keep data for billing purposes, they are now being asked to hold it for longer and to make sure that it can be searched for relevant data. Telephone subscriber and call information should be kept for 12 months, e-mail and ISP subscriber data should be held for six months, and Web activity information for four days, Matt Brook, a spokesman for the U.K. Home Office, said.

It is not clear how the U.K. government will reimburse ISPs for the costs they incur, and the burden on small ISPs could potentially be enormous, Rogers said. The government has said that it will provide funding, but no figure has yet been set for the next financial year, Brook said.

ISPs say they have been left in the dark since the law was passed. “We were invited to Portcullis House (a recently built U.K. parliament building) a year ago and asked for input, and the consensus of the industry was that we were happy to do it,” Adrian Snell, business development manager of London ISP Atlas Internet Ltd., said.

“As far as we’re aware it was brought into effect two weeks ago, but we’ve had no official notification of it, or of how to recover costs, costs which could easily become quite sizable,” he said.

Atlas has received few requests for information in the past, “probably 10 in the past five years,” but expects that to rise now that more people are allowed to ask for information, Snell said.

The infrastructure needed to store and retrieve data “could be two or three times bigger than our entire operation. The government is supposed to be putting money aside to help ISPs out with that, but we can’t make plans until we know how much that is,” Snell said.

The legal ramifications of giving out customer data are still not clear, either, Rogers said. “The industry is very supportive of law enforcement, it’s been doing it on a daily basis, helping out the police, and it will continue to do so. But (companies) want certainty on procedure as well as any fiscal reimbursement from government,” she said.

The Act could also put companies in a difficult position, since it potentially conflicts with the Human Rights Act 1998 (HRA) and the Data Protection Act 1998 (DPA), which put limits on how personal data can be collected and used, Rogers said.

In many respects, the industry would prefer a compulsory plan, because it would relieve them of the possibility of being sued by customers who did not consider that their data should have been released under the terms of the HRA, Rogers said. An ISP signing the voluntary agreement is also putting itself at a competitive disadvantage compared to non-signatories, if users prefer more privacy. “The general opinion is that not enough will sign up to the voluntary scheme, and so it will have to go compulsory,” she said.

“It doesn’t work if it’s voluntary. If one ISP decides not to do it, all the crooks just go there,” Snell said. Intellect would have preferred a data preservation scheme, where data is kept on specific individuals where the police decide there is a good reason for doing so, rather than collecting data on everyone, Rogers said.

Privacy campaigners also have continuing concerns. Richard Clayton of U.K. pressure group Foundation for Information Policy and Research (FIPR) said that while the rules governing access have been tightened, opening up powers to more people, including local authorities, could still lead to problems with data being misused.

“The government says the local authorities are acting as police, in terms of things like trading standards, but a policeman would be able to get a more efficient solution. And people trust the police – how many people trust their local council?” he said.

The Act is not clear enough about what information can be given to whom, Clayton said. While it does categorize subscriber data, with different people allowed to access different levels of information, the definitions are loose and can be interpreted in different ways, he said.

A compulsory scheme won’t solve all of the ISPs’ problems, either, Clayton said. “You’ll just get people going offshore. For example, America Online Inc. (AOL) will just take its fingers out of the U.K. – its systems don’t determine whether a user is in the U.K. or Germany, or handle different laws, so it will just move. It’s not as easy as it sounds,” he said. The ISPs left in the U.K. will still face conflicts between the different data laws, he said.

Intellect, and the companies it represents, would have preferred that the legislation return to the drawing board, Rogers said. “But we will continue to work with the government to ensure that a reasonable schedule is put in place and that there’s a true understanding of the implications,” she said.