ISPs and Government still deadlocked on data retention

Internet service providers (ISPs) in the UK are still waiting for government clarification on seven key points of legislation...

Internet service providers (ISPs) in the UK are still waiting for government clarification on seven key points of legislation requiring them to retain records of their customers' communications for use by law enforcement agencies investigating terrorism and serious crime.

The Anti-Terrorism Crime and Security (ATCS) Act, which became law last December, asks ISPs to voluntarily retain details of customers' communications for long periods to help law enforcement agencies with their investigations, in accordance with a code of practice still to be agreed on by industry and government.

ISPA secretary general Nicholas Lansman wrote to Home Office officials last month to inform them that ISPA members remained unconvinced that retaining the data is necessary for the fight against terrorism and serious crime.

"We are waiting for clarification of seven points," said ISPA communications officer Brian Ahearne yesterday. "We cannot recommend a voluntary code of practice the terms of which have not been codified."

There is as yet no sign from the Government as to whether these answers will be forthcoming.

"There is no specific time scale" for the negotiations, a Home Office spokesman said, but "We understand the concerns that have been raised and intend to work with the industry to address them."

Both parties denied a report in the online edition of The Guardian newspaper yesterday suggesting that negotiations with the Home Office had apparently collapsed.

"I wouldn't say that was the case," the Home Office spokesman said. "We want to make sure we can get agreement on this."

Ahearne confirmed that all was not over yet. "Negotiations are still going on," he said.

The ISPA is happy to work with law enforcement on any request that is reasonable, proportional and enforceable under UK law, he added. "We need decisions from the Government because they haven't given us the information that's needed."

One matter needing clarification is how the ATCS Act relates to other laws covering similar matters.

An earlier law, the 1998 Data Protection Act, requires that ISPs retain customer data no longer than is necessary to bill for the activities and limits their powers to disclose the data.

Other laws, however, can already require an ISP to reveal confidential customer information. Under the 2000 Regulation of Investigatory Powers (RIP) Act, certain agencies can get access to data such as billing information retained by the ISP. A warrant issued under the Police and Criminal Evidence (PACE) Act can also be used to obtain confidential information held by an ISP.

Where the ATCS Act differs is that it seeks to extend the period for which ISPs keep the information, obliging them to store data they do not otherwise need to run their businesses.

"The whole process is a big cost," Ahearne said, referring to the expense ISPs face in building and managing the additional storage capacity.

"It could have an unfair effect on the UK industry. What about companies whose servers are based abroad?" he said.

Read more on IT risk management