The government's controversial communications
surveillance laws, passed last month, will have a powerful impact
on internet service providers and their UK customers, but companies
are unclear on how to follow the laws.
The Lords passed an extension to the Regulation of Investigatory
Powers Act (RIPA) 2000, and gave the government more time to work
on the Anti-Terrorism, Crime and Security (ATCS) Act, first
proposed after the September 2001 terrorist attacks in New
York.
Under the RIPA extension, a broad swathe of UK government bodies
including local councils, will now be able to demand access to
citizens' communications data, such as who they called or e-mailed,
and when.
The ATCS Act aims to make sure that data is available from ISPs.
Under a voluntary code, ISPs will be asked to retain data on
consumers' internet and telephone activities, and to make sure the
data is searchable.
If the government finds that the voluntary code is not working,
it will then be able to make data retention compulsory for all
ISPs.
After an outcry when the extensions to RIPA and the introduction
of the ATCS Act were first proposed in 2001, the government backed
down and re-entered consultation with privacy campaigners and the
companies involved.
While ISPs and privacy groups generally agree that the latest
laws are an improvement on those first proposed in 2001, they said
there still are serious problems that need to be ironed out.
Data retention will, inevitably, cost ISPs money for storage and
administration, said Beatrice Rogers, a senior program manager for
Intellect, an industry body representing the UK's information
technology, communication and electronics businesses.
That could push up prices, or force ISPs out of business, she
added.
While many ISPs already keep data for billing purposes, they are
now being asked to hold it for longer and to make sure that it can
be searched for relevant data.
Telephone subscriber and call information should be kept for 12
months, e-mail and ISP subscriber data should be held for six
months, and web activity information for four days, said Matt
Brook, Home Office spokesman.
It is not clear how the government will reimburse ISPs for the
costs they incur, and the burden on small ISPs could be enormous,
Rogers said.
The government has said that it will provide funding, but no
figure has yet been set for the next financial year, Brook
said.
ISPs claim they have been left in the dark since the law was
passed.
"We were invited to Portcullis House a year ago and asked for
input, and the consensus of the industry was that we were happy to
do it," said Adrian Snell, business development manager of London
ISP Atlas Internet.
"As far as we're aware it was brought into effect two weeks ago,
but we've had no official notification of it, or of how to recover
costs, costs which could easily become quite sizable," he said.
Atlas has received few requests for information in the past, but
that is expected to rise now that more people are allowed to ask
for information.
The infrastructure needed to store and retrieve data could be
two or three times bigger than our entire operation, Snell
said. "The government is supposed to be putting money aside to help
ISPs out with that, but we can't make plans until we know how much
that is."
The legal ramifications of giving out customer data are still
not clear, either, Rogers said.
"The industry is very supportive of law enforcement, it's been
doing it on a daily basis, helping out the police, and it will
continue to do so. But [companies] want certainty on procedure as
well as any fiscal reimbursement from government," she said.
The Act could also put companies in a difficult position, since
it could conflict with the Human Rights Act 1998 (HRA) and the Data
Protection Act 1998 (DPA), which put limits on how personal data
can be collected and used.
In many respects, the industry would prefer a compulsory plan,
because it would relieve them of the possibility of being sued by
customers who did not consider that their data should have been
released under the terms of the HRA, Rogers said.
An ISP signing the voluntary agreement is also putting itself at
a competitive disadvantage compared with non-signatories if users
prefer more privacy.
"The general opinion is that not enough will sign up to the
voluntary scheme, and so it will have to go compulsory," she
said.
Intellect would have preferred a data preservation scheme, where
data is kept on specific individuals where the police decide there
is a good reason for doing so, rather than collecting data on
everyone, Rogers said.
Privacy campaigners also have continuing concerns. Richard
Clayton of pressure group Foundation for Information Policy and
Research (FIPR) said that while the rules governing access have
been tightened, opening up powers to more people, including local
authorities, there could still be problems with data being
misused.
"The government says the local authorities are acting as police,
in terms of things like trading standards, but a policeman would be
able to get a more efficient solution. And people trust the police
- how many people trust their local council?" he said.
The Act is not clear enough about what information can be given
to whom, Clayton said. While it does categorise subscriber data,
with different people allowed to access different levels of
information, the definition is loose and can be interpreted in
different ways.
A compulsory scheme will not solve all of the ISPs problems,
either, Clayton added.
"You'll just get people going offshore. For example, AOL will
just take its fingers out of the UK - its systems don't determine
whether a user is in the UK or Germany, or handle different laws,
so it will just move. It's not as easy as it sounds," he said. The
ISPs left in the UK will still face conflicts between the different
data laws, he added.
Intellect, and the companies it represents, would have preferred
that the legislation return to the drawing board.
"But we will continue to work with the government to ensure that
a reasonable schedule is put in place and that there's a true
understanding of the implications," Intellect's Rogers said.
Gillian Law writes for IDG News Service