Anti-terrorism laws threaten Internet users' peace of mind

Emergency anti-terrorism laws risk damaging consumer confidence in e-commerce. Bill Goodwin reports


Businesses are reacting with growing concern as the Government begins work on sweeping new anti-terrorism laws in the wake of the 11 September tragedy.

The Emergency Anti-terrorism Bill, which will come into force by the end of next month, will give the police new powers to access records of e-mails, Web traffic and telephone calls.

The bill is designed to make it easier for law enforcement agencies to gather intelligence about the terrorists behind the New York attacks.

Although little of the detail has been made public, there are fears that the new legislation is being thrown together too quickly, and with little consultation, and that the result will be a law that has serious implications for e-commerce, but does little to combat terrorism.

The Confederation of British Industry (CBI) has already warned that the emergency powers legislation risks damaging consumers' confidence in e-commerce, and risks slowing down the commercial exploitation of the Internet in the UK.

Telephone companies and Internet service providers (ISPs) are concerned about the high costs of storing and retrieving data, if they are requested to do so by the law enforcement agencies.

But the implications could be far wider: large businesses with their own private data and voice networks, and e-commerce trading sites that collect details of their customers, could also fall under the new laws, observers believe.

Some of the UK's leading businesses added their voices to these fears at some hastily arranged meetings held this week by the CBI, the Alliance for Electronic Businesses, E-centre and the political lobby group Eurim.

Ian Walden, vice-chairman of the Alliance for Electronic Business's legal advisory group, and a consultant with law firm Baker and McKenzie, summed up the mood among the large telephone companies, software companies and law firms represented.

"The Government response is a knee-jerk reaction and not properly considered in terms of the need for this data, the burdens placed on the communications industry and the potential impact on individuals' rights of privacy. I would encourage the Government to engage in a serious dialogue with the various interested parties before proceeding further," he said.

Part of the problem is that the civil servants involved in drafting the emergency powers legislation appear to have little understanding of the technical implications of their proposals.

The officials responsible for drafting the Regulation of Investigatory Powers Act, who understood the issues, have been moved on to other duties.

Pressure for data retention has been building up from the law enforcement agencies for some time. Last year, a leaked report from the National Criminal Intelligence Service (NCIS) urged the Government to require ISPs and telcos to store e-mail and telephone traffic for up to seven years.

At the time, Government officials said they had no such intention. But the US terror attacks have placed ministers under pressure to reconsider.

Meanwhile, President Bush has reportedly written to the Belgian prime minister, urging Europe to change telecommunications laws to allow call data held by phone and Internet companies to be held for use in criminal investigations.

The UK's proposals, outlined to a closed group of telephone companies and major ISPs on 24 October, are less Draconian than some had feared.

The Home Office has made it clear that any system of data retention will be voluntary, and regulated through a code of practice that will be drawn up after consultation with industry.

But businesses fear that a voluntary system is an inevitable precursor to compulsory data retention. They argue that there is little value in the law enforcement agencies having access to data from some ISPs and telcos but not others.

Some of the delegates to the meetings this week have suggested that civil servants are setting up a voluntary system in the knowledge that it will fail so that they can press the case for a compulsory system later on.

"The $64,000 question is whether, when the bill is published, there will be a reserve power to make this compulsory," said Caspar Bowden, director of the Foundation for Information Policy Research.

According to one telephone operator, a voluntary system will be the worst of all worlds. "We are going to be upsetting customers and we are going to be seen as the stool-pigeon for law enforcement."

With so little detail available about the Government's plans, it is impossible to calculate the financial impact on telephone companies and ISPs. Storing the data could be the least of their problems. Managing it, data retrieval, and any legal liability if the data proves inaccurate, could be far more expensive.

As one operator commented, "We would have the liability for storing data and we would have the expense of data subject access. That could be a massive expense. We have no assurances that there will be compensation."

Alarmingly, some Home Office officials favour abandoning the right of subject access altogether - one of the key principles of data protection and an important safeguard against inaccuracies and abuse of the investigatory process.

The biggest unanswered question is whether the mass storage of telephone and e-mail traffic will actually help law enforcement agencies in the fight against terrorism. Fighting terrorism requires rapid access to focused intelligence, but data retention will generate data in such large volumes that many fear it will be impossible to analyse it quickly, if at all.

"The people doing the policy work are not aware of the sheer scale of data they are talking about because they have not had experience of the private sector.

"What they are trying to do is probably not possible: it takes too long," said Philip Virgo, director general of Eurim.

Your chance to shape anti-terrorism legislation

The IT lobby group Eurim believes that the Government's proposals to require telephone and Internet companies, and possibly e-commerce businesses, to keep databases of their customers' e-mail and phone call activities will prove little help in the fight against terrorism. The group is drawing on its expertise in using IT to fight crime in the finance industry and the public sector to suggest a better solution to the Home Office.

"We need to enlist the skills and co-operation of the heads of security in the city and multinationals who have been analysing large volumes of traffic and transactions for years. Many of these not only have the skills the Government lacks, but the motivation, because they have lost colleagues in New York," said Eurim director general Philip Virgo.

Computer Weekly is helping Eurim to collect views from IT professionals, with a view to offering the Government a better alternative to data retention. Your answers to the following questions will be used to brief ministers and civil servants. Eurim will also pass your comments to the Home Affairs Select Committee, which is carrying out a rapid review of the emergency powers legislation.

  • How would you set about trying to identify people quickly who are using your network for something they should not?

  • How do you think your business should be asked to work with law enforcement agencies in a terrorist situation?

  • How do you think your organisation should work with law enforcement agencies in a peace-time situation, for example for fighting drugs and everyday crime?

Send your responses and any other thoughts, by 14 November, to Chris Sundt, Eurim's e-crime rapporteur: [email protected]
