Data retention plans draw further criticism

Privacy fears over directive that will allow organisations to view emails, texts and web use

EU countries are affected by the retention of private data directive

Last week’s consultation paper on communications data retention from the Home Office drew criticism over the number of government and public sector bodies that will have access to data on email, texting and web use.

But while MPs and other interested parties express discomfort over the fact that the data is being retained, the challenge of ensuring the data is stored securely will be a big problem for telcos, mobile providers and ISPs.

The consultation paper is based on a directive which originated at the European parliament on 15 March 2006 “on the retention of data generated or processed in connection with the provision of publicly available electronic communications services or of public communications networks”.

The term communications data, as used in the directive and draft regulations, does not refer to the content of communications. It covers who is communicating with whom, when and where they are communicating, and what type of communication it is.

A key part of the EU directive concerns system separation. “In particular, the systems for storage of data for public order purposes should be logically separated from the systems used for business purposes,” it says.

This requirement might lie at the heart of the £50m in extra costs that the Home Office paper identified and for which the taxpayer will foot the bill.

A spokesman for the Internet Service Providers Association (ISPA) said it would respond directly to the consultation paper before the October deadline. He said the ISPA did not know how the Home Office had arrived at the figure of £50m, but that it was a case of “the more the better for our members”.

A Home Office spokeswoman told Computing that the cost calculation was based on the roughest estimate of about 40 terabytes of data being collected and that its preferred option was to fund a maximum of £30m in capital cost for storage and pay £60m in running costs.

John Bantleman, chief executive at archive storage specialists Clearpace, said: “The requirement of 12 months’ retention will be extended to three, then five years because that is how these things go. The industry will say it is intrusive and expensive and that the cost of compliance will add to the cost of providing services.”

Information commissioner Richard Thomas believes the database would be a step too far. He said: “I entirely agree that before major new databases are launched, careful consideration must be given to the impact on individuals’ liberties and on society as a whole. Sadly, there have been too many developments where there has not been sufficient openness, transparency or public debate.”

EC security directorate’s data retention guidelines

Purpose specification: The data should only be retained for specific purposes. Therefore, the term “serious crime” should be clearly defined and delineated. Any further processing should be ruled out or limited stringently on the basis of specific safeguards.

Access limitation: The data should only be available to specifically designated law enforcement authorities where necessary for the investigation, detection, and prosecution of the offences referred to in the Directive. A list of such authorities should be made public. Any retrieval of the data should be recorded and the records made available to the supervisory authority/ies to ensure effective supervision.

Data minimisation: The data to be retained should be kept to a minimum, and any changes to that list should be subject to a strict necessity test.

No data mining: Investigation, detection and prosecution of the offences should not entail large-scale data mining based on retained data, in respect of the travel and communication patterns of people unsuspected by law enforcement authorities.