Costs to rise despite data law retreat

Government's double climbdown over data retention and e-mail snooping laws still leaves users facing higher bills as suppliers...

Government's double climbdown over data retention and e-mail snooping laws still leaves users facing higher bills as suppliers look to pass on costs

Police and intelligence agencies have softened demands that organisations should keep records of telephone and Internet communications for more than 12 months, as required by the Government's anti-terrorism laws.

The climbdown, from initial demands that communications companies keep records of customers' phone, Web and e-mail transactions for up to seven years, follows concerns raised by phone and Internet companies about the technical difficulties, and increased costs, which could be passed on to business customers.

The data retention laws contained in the Anti-Terrorism Crime and Security Act and the Regulation of Investigatory Powers Act provoked a backlash among MPs, business groups and civil liberties groups.

In a separate development, home secretary David Blunkett was forced this week to postpone indefinitely plans to give snooping powers to a raft of government agencies after a storm of protest from MPs and members of the House of Lords.

Although geared to phone and Internet use, in practice the anti-terrorism laws will enable government agencies to force any business with its own private phone network, Web server or e-mail service to store records of communications traffic for retrieval on demand.

A voluntary anti-terrorism code of practice, currently being negotiated between communication service providers and the Home Office, is now expected to specify retention periods of months rather than years. It will tailor retention times according to the type of data being stored.

"There is an understanding by law enforcement agencies that some categories of data will only be retained for a short time. That is a step forward. There was a time when we wanted all traffic to be retained for years," said detective chief superindentent Len Hynds, head of the High-Tech Crime Unit.

The reversal, which follows a secret report from the National Criminal Intelligence Service to the Home Office two years ago calling for all data to be held for seven years, represents a growing recognition by the police of the costs and technical difficulties involved.

Communications company Energis told Home Office officials at a meeting last year that the costs of storing all of the data carried across its network, including 1.2 billion Web addresses a day, would approach £25m a year.

"The Home Office is being much more realistic. They are on a steep learning curve now. Since meeting the industry they have come to understand what information will assist them, rather than a blanket 'we want to retain all information'," said Carl Gibsons, director at Energis.

Despite the climbdown, organisations could still face significant bills for retrieving stored data in response to requests from government agencies, which will be given powers to issue warrants for data for a variety of reasons, not limited to terrorism.

"It is not the cost of storage, it is the cost of retrieval. If the requests from law enforcement increase dramatically, we have to put more people on retrieving data," said Energis.

The London Internet Exchange said a data retention time of less than a year would not affect its estimates of the cost of the measures, which put the bill at £40m a year for UK telephone and Internet service providers.

Read more on IT risk management