Users voice fears over cybertapping

The National Criminal Intelligence Service wants data records kept for up to seven years

Demands that the police and intelligence services should have access to historical records of every telephone call, Internet communication and e-mail sent in the UK have unleashed a storm of protest from businesses.

The proposals are contained in a confidential paper written by Roger Gaspar, deputy director-general of the National Criminal Intelligence Service (NCIS). They have the backing of the Association of Chief Police Officers, Customs & Excise, and the intelligence services MI5, MI6 and GCHQ.

The paper, which was dated 21 August, rejects self-regulation in favour of new laws that would force communications service providers (CSPs) to keep records of calls, faxes, e-mail and Internet traffic for seven years, and to make them available, when needed, to the police and intelligence agencies.

"Legislation should require every CSP to retain all communications data originating or terminating in the UK, or routed through UK networks, including any data that is stored off-shore," Gaspar says.

Failure to provide an adequate legislative framework, he adds, "will result in the early destruction of data and in consequence a serious impact on law enforcement".

But Internet and telecommunications companies claim those demands fly in the face of human rights and data protection laws and could seriously damage the UK's potential for e-commerce. They fear the proposals will encourage businesses to opt for overseas internet providers, or avoid the UK altogether.

The paper calls for the Home Office and the Department of Trade & Industry to work with the communications industry to develop "a statutory framework for the retention of communications data". The paper's claims that a data store will make it easier for people wrongly accused to prove their innocence have been given short shrift by civil liberties campaigners, but other arguments appear more convincing.

Gaspar highlights the Omagh bomb investigation as an example of the need for law enforcement agencies to access historical telephone records. In this case police were able to use mobile phone records to establish the location of suspects at the time of the bombing. Deletion of this sort of data, the report claims, would seriously damage the ability of agencies to investigate acts of terrorism.

Similarly, organised terrorist groups, drug traffickers, migrant smugglers, paedophiles, money launderers, race hate groups, and computer hackers are exploiting the Internet to hide their activities. Agencies, the report says, need access to Internet records because they are often the only evidence available of criminal activities.

The paper calls for communications companies to store traffic data for seven years either in-house, outsourced to a trusted third party or delivered to a national government data warehouse. Although the idea of a government communications data warehouse is politically contentious, it probably represents the cheapest solution for the communications industry. NCIS estimates that such a facility could be set up for only £3m with annual running costs of £9m - though some experts suggest these figures are grossly underestimated.

The proposals come as telecoms and Internet service providers face increasing regulatory and financial pressure to store data for shorter periods. Although some telecoms companies retain records for as long as five years, most retain records for 12 months.

Draft European data protection legislation will add to the pressure by requiring companies to destroy data once it ceases to be of commercial value - generally after three months. Internet service providers routinely delete their records within 24 hours.

NCIS is probably stretching a point with its claim that law enforcement agencies need access to records for seven years. An analysis of police requests for telephone records contained in the report shows that for serious crime, 85% of requests are made within two years. Only a handful of cases require data up to five years old.

Yet even storing five years' worth of data could mean significant extra costs for communications companies. The paper does not make it clear what proportion of the costs would be covered by government and what would fall to the communications companies. What is clear is that the law enforcement agencies want to pay as little as possible for access to the data. The report notes "while all agencies recognise the commercial sense of charging for special services, some question the moral position of companies charging for subscriber and billing data".

The chances of any of these proposals becoming law so soon after the government's controversial Regulation of Investigatory Powers Act are slim. But the NCIS paper is a clear indication of where the law enforcement agencies would like to go.

Industry reaction

  • "There are real issues in this area which need to be debated publicly, not behind closed doors. The private nature of much debate to date means time and effort can all too easily be spent on impractical proposals," Philip Virgo, strategic adviser to the Institute for the Management of Information Systems.

  • "Apart from the practical difficulties and the costs associated with this rather silly proposal, it really raises issues of civil liberties and Big Brother," David Harrington, director general of the Communications Management Association.

  • "I think they will be saying to the communications service providers, 'you do want to help us, don't you, because legislation might come in and it might be more draconian than you would like'." Peter Sommer, security expert, London School of Economics.

  • "Clearly ISPs are very concerned about the costs and whether they will be compensated." Roland Perry, acting chief executive of the London Internet Exchange.

  • "ISPs will realise that it could put the UK out of business as a traffic hub… none of their clients could expect any confidentiality whatsoever over any records of communications logged by a UK ISP or telecoms operator." Caspar Bowden, director, FIPR.

  • "It is difficult to see how the proposals would not breach UK data protection and privacy legislation and the Human Rights Act. The proposals significantly under-estimate the true costs and resources in retaining such data - it would be extremely difficult for companies to comply with such legislation," Vodafone.
