Code to curb terrorism resisted by ISPs

Should plans to retain e-mail data be voluntary or mandatory? Raffi Varoujian weighs up the pros and cons

Internet Service Providers (ISPs) are refusing to sign up to Home Office plans for a voluntary code of practice in relation to the retention of e-mail data, to which law enforcement agencies would have access under the Anti-Terrorism, Crime and Security Act 2001 (ATCSA).

The Act was hastily passed in December 2001 as a direct response to the 11 September 2001 terrorism attacks in the US, and is designed to protect the 'rights and freedoms' of British citizens.

Of particular concern to both ISPs and Europe's data protection commissioners is part 11 of the Act, which would place the onus on communications providers to retain data about their customers.

This, say ISPs, may breach European law and conflict with existing UK legislation on data protection and privacy.

'Communications data' under ATCSA mirrors the definition of 'traffic data' under the Regulation of Investigatory Powers Act 2000 (RIPA) - that is, data collected in the normal course of business by all communications service providers.

These might include everything from call and location records for mobile telephone users to what Web sites an individual has visited, what they have downloaded, whom they have e-mailed it to, where and when.

It does not include the content of a telephone call or an e-mail.

Currently, ISPs are obliged to erase this data once it is no longer required for commercial purposes such as billing.

The government argues that this 'has a severe impact on criminal investigations', whereas civil libertarians have criticised this stance on the grounds that transmission data alone is sufficient for a profile to be created of a person's life.

At the time of its enactment, the RIPA was much criticised for the extent to which it allowed the government to intercept communications.

But the ATCSA appears to have further strengthened these powers.

While the requirement for ISPs to retain data under the code is intended to be voluntary, the Home Office retains the right under the Act to impose mandatory provisions where the voluntary provisions are considered unsatisfactory.

In its July annual report, the Information Commission raised concerns over the increase of law enforcement agency access to personal electronic information, noting that there had been: 'A noticeable shift in the balance between respect for an individual's private life and the needs of society to protect itself against such criminal actions.

Although this shift has occurred in the name of terrorism, the measures deployed often go much further into areas of general criminality.'

Those opposed to the code are concerned about the potential increase in government access to personal data about their customers which such a code could bring about.

They are also worried that communications data retained by ISPs for national security purposes could be accessed in relation to any of the law enforcement activities covered by the RIPA, for example, in the interests of the detection of crime, public safety, or tax assessment or collection.

Meanwhile, the government argues that this broad scope is necessary as 'crime funds and fuels terrorism'.

However, this latter argument has holes in it and certainly does not sit comfortably alongside the right to privacy enshrined in the Human Rights Act 1998.

Civil libertarians had hoped that the European Parliament would vote against data retention in May last year.

Instead, Euro MPs voted in favour of giving governments broader powers to monitor Internet, telephone and e-mail traffic.

Moreover, the parliament amended the Directive on Protection of Telecommunications Data and Information to oblige member states which have not yet implemented data interception legislation to do so, lending further weight to the UK government's resistance to watering down the legislation.

At present, the government is calling for communications providers to retain data for at least 12 months.

Failure to abide by mandatory provisions, if voluntary provisions were considered inadequate, would leave them open to prosecution.

However, the cost to communications providers in creating the additional capacity required to store such data would be huge.

Earlier this year, Roland Perry, the director of public policy for the London Internet Exchange (Linx), reportedly put the overall annual cost of ISP and telecommunications company compliance with the ATCSA code in the UK at about 40 million.

This includes set-up and procurement costs, as well as costs for network redesign, but it does not include costs associated with the right of access under the Data Protection Act 1998 (DPA) for subjects, nor requests for access by state bodies.

Quite how this figure is to be fully recovered is uncertain.

An additional issue is the fact that retained data would also include 'personal data' as defined by the DPA.

This requires that data is processed fairly and lawfully and kept for no longer than necessary.

At present, if a customer closes a dial-up account, the ISP must delete their records within a reasonable period of time.

However, under the proposed code the ISP would be expected to keep such data for a minimum period (at least 12 months has been suggested).

This creates a clear conflict between the ATCSA and the DPA, which the Home Office has so far failed to address.

It is possible that the DPA may be subordinate to the interests of national security, though statutory guidance has not been issued.

Otherwise, an ISP could potentially face a significant sanction for breach of the DPA if, in order to comply with ATCSA, it retained data for longer than is necessary under the 1998 Act.

With so many points of law still unclear, it is no wonder that the ISPA - the trade association representing the UK's ISPs - has highlighted several issues which it wants to see resolved before it recommends adoption of the proposed code to members.

The same view is not held by Home Office minister Beverley Hughes, who has accused them of 'reopening debates already settled by Parliament'.

The European Union's position was also criticised recently by the European data protection commissioners who revealed that they had had 'grave doubts as to the legitimacy and legality'.

The commissioners also stated that: 'Where traffic data is to be retained in specific cases, there must be a demonstrable need, the period of retention must be as short as possible and the practice must be clearly regulated by law.'

This statement by the commissioners is bound to place pressure on the UK government to consider its position carefully and to bring the matter in the UK to resolution.

It may mean that less stringent measures are initially imposed, and also adds weight to the argument of maintaining a voluntary as opposed to a mandatory code.

Finally, it is worth considering how effective the measures are likely to be - recent terrorist attacks have shown that it is possible to evade surveillance and the use of a stolen or unregistered mobile telephone seems an obvious step for someone wanting to avoid leaving a trail.

MPs are reported to be holding a public inquiry covering the Internet, data retention and the effect on ISPs some time this month.

However, it appears as though the ATCSA was a knee-jerk reaction to a perceived threat and has not been properly thought through.

The conflicting issues of privacy, data protection and national security must be resolved before a workable code of conduct can be negotiated between the government and communications providers.

Raffi Varoujian is a solicitor in the IT and e-commerce group of City law firm Field Fisher Waterhouse