Government e-comms tracking plans are 'confused and ill thought through'

The Home Office's plans for requiring internet service providers (ISPs) to store all communications data are "confused" and "ill thought through", according to information systems expert Peter Sommer.

The Home Office's plans for requiring internet service providers (ISPs) to store all communications data are "confused" and "ill thought through", according to information systems expert Peter Sommer.

Sommer, a professor in the Information Systems Integrity Group at the London School of Economics, says the proposals under the Interception Modernisation Programme would be expensive and technically difficult for ISPs.

The Internet Service Providers Association (ISPA), which represents companies such as Google and BT, says in a consultation document sent to the government that it is unhappy with the plans.

Sommer says that until now it has been relatively clear what constitutes communications data and what is content. Communications data might include the fact that X sent an e-mail to Y, while the content is what X wrote. Content cannot be stored or accessed without a warrant.

Clear definitions needed

But the proliferation of new types of communication such as social networking blurs this boundary, and the existing definitions in the Regulation of Investigatory Powers Act (RIPA) are "not very helpful", he says.

The ISPA says, "One of the difficulties in responding to the consultation is the absence of a consistent definition of which services are likely to be included. A further challenge of definition is determining what within a communication application constitutes communications data and, as such, would need to be retained, as opposed to data that would need to be collected through lawful intercept."

ISPs will not just be required to store the data, but perform analysis of it so the content data is not saved. They will also store it in a way that allows fast access so police can get the information they need quickly in serious crime cases.

"The concern of the ISPs is that they are being asked to commit to something for which the technology does not exist. They don't know how costly it will be because it's not a single purchase," Sommer says.

New website protocols are being developed all the time for services such as web-based e-mail, he says. The technology that moves through these pages and finds the relevant communications data would have to be constantly updated as these new protocols come out. A similar problem would arise if a new social networking site gained in popularity quickly, as Twitter did. ISPs will need technology that can search a data stream quickly, but that can also be easily and quickly reconfigured.

Massive storage volumes

A further problem is the sheer volume of data that must be stored. Social networking sites are now the fourth most popular online activity, and the ISPA says, "As more and more users communicate through social networking, ISPs are concerned about the volume of data they would need to retain."

Sommer says the RIPA needs to be overhauled to accommodate the new types of data. "Rather than tinkering around with the act, the government needs to go back to the fundamentals, look at the risks and the threats and what powers are needed. I have no idea what road it will go down, but it does seem to me to be fairly confused and ill-thought through."

From a technical point of view, Sommer says a centralised database of communications data would be the most straightforward answer. But this option was dropped by the government because of privacy concerns.

"To get an appropriate balance between the technical and legal aspects, you need people who understand both technology and the law, [and they] can be difficult to find," he says.

The ISPA says, "This proposal is clearly an attempt to extend the capability of what happens in the offline world insofar as it would create a capability to track relationships and interactions between individuals in multiple contexts and across multiple online environments where they meet. There is no offline equivalent of this capability - e.g. a requirement on the Royal Mail to retain copies of information on the face of envelopes originating from and delivered to certain addresses in the UK."

Picture: Rex Features

Read more on IT legislation and regulation