Emergency anti-terrorism laws risk damaging consumer confidence in
e-commerce. Bill Goodwin reports
Businesses are reacting with growing concern as the Government
begins work on sweeping new anti-terrorism laws in the wake of the
11 September tragedy.
The Emergency Anti-terrorism Bill, which will come into force by
the end of next month, will give the police new powers to access
records of e-mails, Web traffic and telephone calls.
The bill is designed to make it easier for law enforcement agencies
to gather intelligence about the terrorists behind the New York
attacks.
Although little of the detail has been made public, there are fears
that the new legislation is being thrown together too quickly, and
with little consultation, and that the result will be a law that
has serious implications for e-commerce, but does little to combat
terrorism.
The Confederation of British Industry (CBI) has already warned that
the emergency powers legislation risks damaging consumers'
confidence in e-commerce, and risk slowing down the commercial
exploitation of the Internet in the UK.
Telephone companies and Internet service providers (ISPs) are
concerned about the high costs of storing and retrieving data, if
they are requested to do so by the law enforcement agencies.
But the implications could be far wider: large businesses with
their own private data and voice networks, and e-commerce trading
sites that collect details of their customers, could also fall
under the new laws, observers believe.
Some of the UK's leading businesses added their voices to these
fears at some hastily arranged meetings held this week by the CBI,
the Alliance for Electronic Businesses, E-centre and the political
lobby group Eurim.
Ian Walden, vice-chairman of the Alliance for Electronic Business's
legal advisory group, and a consultant with law firm Baker and
McKenzie, summed up the mood among the large telephone companies,
software companies and law firms represented.
"The Government response is a knee-jerk reaction and not properly
considered in terms of the need for this data, the burdens placed
on the communications industry and the potential impact on
individuals' rights of privacy. I would encourage the Government to
engage in a serious dialogue with the various interested parties
before proceeding further," he said.
Part of the problem is that the civil servants involved in drafting
the emergency powers legislation appear to have little
understanding of the technical implications of their proposals.
The officials responsible for drafting the Regulation of
Investigatory Powers Act, who understood the issues, have been
moved on to other duties.
Pressure for data retention has been building up from the law
enforcement agencies for some time. Last year, a leaked report from
the National Criminal Intelligence Service (NCIS), urged the
government to require ISPs and telcos to store e-mail and telephone
traffic for up to seven years.
At the time, Government officials said they had no such intention.
But the US terror attacks have placed ministers under pressure to
reconsider.
Meanwhile, President Bush has reportedly written to the Belgian
prime minister, urging Europe to change telecommunications laws to
allow call data held by phone and Internet companies to be held for
use in criminal investigations.
The UK's proposals, outlined to a closed group of telephone
companies and major ISPs on 24 October, are less Draconian than
some had feared.
The Home Office has made it clear that any system of data retention
will be voluntary, and regulated through a code of practice that
will be drawn up after consultation with industry.
But businesses fear that a voluntary system is an inevitable
pre-cursor to compulsory data retention. They argue that there is
little value in the law enforcement agencies having access to data
from some ISPs and telcos but not others.
Some of the delegates to the meetings this week have suggested that
civil servants are setting up a voluntary system in the knowledge
that it will fail so that they can press the case for a compulsory
system later on.
"The $64,000 question is whether, when the bill is published, there
will be a reserve power to make this compulsory," said Caspar
Bowden, director of the Foundation for Information Policy
Research.
According to one telephone operator, a voluntary system will be the
worst of all worlds. "We are going to be upsetting customers and we
are going to be seen as the stool-pigeon for law
enforcement."
With so little detail available about the Government's plans, it is
impossible to calculate the financial impact on telephone companies
and ISPs. Storing the data could be the least of their problems.
Managing it, data retrieval, and any legal liability if the data
proves inaccurate, could be far more expensive.
As one operator commented, "We would have the liability for storing
data and we would have the expense of data subject access. That
could be a massive expense. We have no assurances that there will
be compensation."
Alarmingly, some Home Office officials favour abandoning the right
of subject access altogether - one of the key principles of data
protection and an important safeguard against inaccuracies and
abuse of the investigatory process.
The biggest unanswered question is whether the mass storage of
telephone and e-mail traffic will actually help law enforcement
agencies in the fight against terrorism. Fighting terrorism
requires rapid access to focused intelligence, but data retention
will generate data in such large volumes that many fear it will be
impossible to analyse it quickly, if
at all.
"The people doing the policy work are not aware of the sheer scale
of data they are talking about because they have not had experience
of the private sector .
"What they are trying to do is probably not possible: it takes too
long," said Philip Virgo, director general of Eurim.
Your chance to shape anti-terrorism legislation
The IT lobby group Eurim believes that the Government's proposals
to require telephone and Internet companies, and possibly
e-commerce businesses, to keep databases of their customers' e-mail
and phone call activities will prove little help in the fight
against terrorism. The group is drawing on its expertise in using
IT to fight crime in the finance industry and the public sector to
suggest a better solution to the Home Office.
"We need to enlist the skills and co-operation of the heads of
security in the city and multinationals who have been analysing
large volumes of traffic and transactions for years. Many of these
not only have the the skills the Government lacks, but the
motivation, because they have lost colleagues in New York, " said
Eurim director general Philip Virgo.
Computer Weekly is helping Eurim to collect views from IT
professionals, with a view to offering the Government a better
alternative to data retention. Your answers to the following
questions will be used to brief ministers and civil servants. Eurim
will also pass your comments to the Home Affairs Select Committee,
which is carrying out a rapid review of the emergency powers
legislation.
- How would you set about trying to identify people quickly who
are using your network for something they should not ?
- How do you think your business should be asked to work with law
enforcement agencies in a terrorist situation?
- How do you think your organisation should work with law
enforcement agencies in a peace-time situation, for example for
fighting drugs and everyday crime?
Send your responses and any other thoughts, by 14 November, to
Chris Sundt, Eurim's e-crime rapporteur: csecrime@netcomuk.co.uk