The National Criminal Intelligence Service wants data records kept
for up to seven years
Demands that the police and intelligence services should have
access to historical records of every telephone call, Internet
communication and e-mail sent in the UK, have unleashed a storm of
protest from businesses.
The proposals are contained in a confidential paper written by
Roger Gaspar, deputy director-general of the National Criminal
Intelligence Service (NCIS). They have the backing of the
Association of Chief Police Officers, Customs & Excise, and the
intelligence services MI5, MI6 and GCHQ.
The paper, which was dated 21 August, rejects self regulation in
favour of new laws that would force communications service
providers (CSPs) to keep records of calls, faxes, e-mail and
Internet traffic for seven years, and to make them available, when
needed, to the police and intelligence agencies.
"Legislation should require every CSP to retain all
communications data originating or terminating in the UK, or routed
through UK networks, including any data that is stored off-shore,"
Gaspar says.
Failure to provide an adequate legislative framework, he adds,
"will result in the early destruction of data and in consequence a
serious impact on law enforcement".
But Internet and telecommunications companies claim those
demands fly in the face of human rights and data protection laws
and could seriously damage the UK's potential for e-commerce. They
fear the proposals will encourage businesses to opt for overseas
internet providers, or avoid the UK altogether.
The paper calls for the Home Office and the Department of Trade
& Industry to work with the communications industry to develop
"a statutory framework for the retention of communications data".
The paper's claims that a data store will make it easier for people
wrongly accused to prove their innocence have been given short
shrift by civil liberties campaigners, but other arguments appear
more convincing.
Gaspar highlights the Omagh bomb investigation as an example of
the need for law enforcement agencies to access historical
telephone records. In this case police were able to use mobile
phone records to establish the location of suspects at the time of
the bombing. Deletion of this sort of data, the report claims,
would seriously damage the ability of agencies to investigate acts
of terrorism.
Similarly organised terrorist groups, drug traffickers, migrant
smugglers, peado-philes, money launderers, race hate groups, and
computer hackers are exploiting the Internet to hide their
activities. Agencies, the report says, need access to Internet
records because they are often the only evidence available of
criminal activities.
The paper calls for communications companies to store traffic
data for seven years either in-house, outsourced to a trusted third
party or delivered to a national government data warehouse.
Although the idea of a government communications data warehouse is
politically contentious, it probably represents the cheapest
solution for the communications industry. NCIS estimates that such
a facility could be set up for only £3m with annual running costs
of £9m - though some experts suggest these figures are a grossly
underestimated.
The proposals come as telecoms and Internet service providers
face increasing regulatory and financial pressure to store data for
shorter periods. Although some telecoms companies retain records
for as long as five years, most retain records for 12 months.
Draft European data protection legislation will add to the
pressure by requiring companies to destroy data once it ceases to
be of commercial value - generally after three months. Internet
service providers routinely delete their records within 24
hours.
NCIS is probably stretching a point with its claim that law
enforcement agencies need access to records for seven years. An
analysis of police requests for telephone records contained in the
report shows that for serious crime, 85% of requests are made
within two years. Only a handful of cases require data up to five
years old.
Yet even storing five years' worth of data could mean
significant extra costs for communications companies. The paper
does not make it clear what proportion of the costs would be
covered by government and what would fall to the communications
companies. What is clear, is that the law enforcement agencies want
to pay as little as possible for access to the data. The report
notes "while all agencies recognise the commercial sense of
charging for special services, some question the moral position of
companies charging for subscriber and billing data".
The chances of any of these proposals becoming law so soon after
the government's controversial Regulation of Investigatory Powers
Act, are slim. But the NCIS paper is a clear indication of where
the law enforcement agencies would like to go.
To see the report click www.cryptome.org/ncis-carnivore.htm
Industry reaction
- "There are real issues in this area which need to be debated
publicly, not behind closed doors. The private nature of much
debate to date means time and effort can all too easily be spent on
impractical proposals," Philip Virgo strategic adviser to the
Insititute for the Management of Information Systems.
- "Apart from the practical difficulties and the costs associated
with this rather silly proposal, it really raises issues of civil
liberties and Big Brother," David Harrington, director general of
the Communications Management Association.
- "I think they will be saying to the communications service
providers, 'you do want to help us, don't you, because legislation
might come in and it might more draconian than you would like'."
Peter Sommer, security expert, London School of
Economics.
- "Clearly ISPs are very concerned about the costs and whether
they will be compensated." Roland Perry, acting chief executive of
the London Internet Exchange.
- " ISPs will realise that it could put the UK out of business as
a traffic hubÉ none of their clients could expect any
confidentiality whatsoever over any records of communications
logged by a UK ISP or telecoms operator." Caspar Bowden, director,
FIPR.
- "It is difficult to see how the proposals would not breach UK
data protection and privacy legislation and the Human Rights Act.
The proposals significantly under-estimate the true costs and
resources in retaining such data - it would be extremely difficult
for companies to comply with such legislation," Vodafone.