The government's controversial communications surveillance laws, passed last month, will have a powerful impact on internet service providers and their UK customers, but companies are unclear on how to follow the laws.
The Lords passed an extension to the Regulation of Investigatory Powers Act (RIPA) 2000, and gave the government more time to work on the Anti-Terrorism, Crime and Security (ATCS) Act, first proposed after the September 2001 terrorist attacks in New York.
Under the RIPA extension, a broad swathe of UK government bodies including local councils, will now be able to demand access to citizens' communications data, such as who they called or e-mailed, and when.
The ATCS Act aims to make sure that data is available from ISPs. Under a voluntary code, ISPs will be asked to retain data on consumers' internet and telephone activities, and to make sure the data is searchable.
If the government finds that the voluntary code is not working, it will then be able to make data retention compulsory for all ISPs.
After an outcry when the extensions to RIPA and the introduction of the ATCS Act were first proposed in 2001, the government backed down and re-entered consultation with privacy campaigners and the companies involved.
While ISPs and privacy groups generally agree that the latest laws are an improvement on those first proposed in 2001, they said there still are serious problems that need to be ironed out.
Data retention will, inevitably, cost ISPs money for storage and administration, said Beatrice Rogers, a senior program manager for Intellect, an industry body representing the UK's information technology, communication and electronics businesses.
That could push up prices, or force ISPs out of business, she added.
While many ISPs already keep data for billing purposes, they are now being asked to hold it for longer and to make sure that it can be searched for relevant data.
Telephone subscriber and call information should be kept for 12 months, e-mail and ISP subscriber data should be held for six months, and web activity information for four days, said Matt Brook, Home Office spokesman.
It is not clear how the government will reimburse ISPs for the costs they incur, and the burden on small ISPs could be enormous, Rogers said.
The government has said that it will provide funding, but no figure has yet been set for the next financial year, Brook said.
ISPs claim they have been left in the dark since the law was passed.
"We were invited to Portcullis House a year ago and asked for input, and the consensus of the industry was that we were happy to do it," said Adrian Snell, business development manager of London ISP Atlas Internet.
"As far as we're aware it was brought into effect two weeks ago, but we've had no official notification of it, or of how to recover costs, costs which could easily become quite sizable," he said.
Atlas has received few requests for information in the past, but that is expected to rise now that more people are allowed to ask for information.
The infrastructure needed to store and retrieve data could be two or three times bigger than our entire operation, Snell said. "The government is supposed to be putting money aside to help ISPs out with that, but we can't make plans until we know how much that is."
The legal ramifications of giving out customer data are still not clear, either, Rogers said.
"The industry is very supportive of law enforcement, it's been doing it on a daily basis, helping out the police, and it will continue to do so. But [companies] want certainty on procedure as well as any fiscal reimbursement from government," she said.
The Act could also put companies in a difficult position, since it could conflict with the Human Rights Act 1998 (HRA) and the Data Protection Act 1998 (DPA), which put limits on how personal data can be collected and used.
In many respects, the industry would prefer a compulsory plan, because it would relieve them of the possibility of being sued by customers who did not consider that their data should have been released under the terms of the HRA, Rogers said.
An ISP signing the voluntary agreement is also putting itself at a competitive disadvantage compared with non-signatories if users prefer more privacy.
"The general opinion is that not enough will sign up to the voluntary scheme, and so it will have to go compulsory," she said.
Intellect would have preferred a data preservation scheme, where data is kept on specific individuals where the police decide there is a good reason for doing so, rather than collecting data on everyone, Rogers said.
Privacy campaigners also have continuing concerns. Richard Clayton of pressure group Foundation for Information Policy and Research (FIPR) said that while the rules governing access have been tightened, opening up powers to more people, including local authorities, there could still be problems with data being misused.
"The government says the local authorities are acting as police, in terms of things like trading standards, but a policeman would be able to get a more efficient solution. And people trust the police - how many people trust their local council?" he said.
The Act is not clear enough about what information can be given to whom, Clayton said. While it does categorise subscriber data, with different people allowed to access different levels of information, the definition is loose and can be interpreted in different ways.
A compulsory scheme will not solve all of the ISPs problems, either, Clayton added.
"You'll just get people going offshore. For example, AOL will just take its fingers out of the UK - its systems don't determine whether a user is in the UK or Germany, or handle different laws, so it will just move. It's not as easy as it sounds," he said. The ISPs left in the UK will still face conflicts between the different data laws, he added.
Intellect, and the companies it represents, would have preferred that the legislation return to the drawing board.
"But we will continue to work with the government to ensure that a reasonable schedule is put in place and that there's a true understanding of the implications," Intellect's Rogers said.
Gillian Law writes for IDG News Service