EU plans expansion of data retention laws

The European Union is planning to bring in new legislation that will force telcos to retain traffic data for 12 months,...

The European Union is planning to bring in new legislation that will force telcos to retain traffic data for 12 months, ostensibly in a bid to fight terrorism. 

If approved, communication service providers (CSPs), such as Thus and America Online would have to spend millions of pounds a year to store tens of terabytes of information, increasing communications costs. 

The measure aims to harmonise EU members' existing patchwork retention policies, but it has generated great conflict with privacy-protecting organisations. 

Privacy International's report on the proposals show that they require CSPs to store traffic data for 12 months. This goes far beyond simple voice telephone calling records: start time, stop time, caller, destination number, and duration of call. It is the registering of all things that are read, received, searched for, in which places, at which dates, for how long and with varying people.

The EU proposal recognises technology has moved on from the original plain old telephone system. "As much as possible it should take into account technology developments in eg VoIP, broadband," it said. 

The amount of data involved is staggering. An AOL representative said it would require "$40m (£22m) just to set up the system and then around $14m to run it." AOL has 392 million sessions a day on average and sends 597 million e-mails a day . This amounts to around 24Tbytes of data a year.

Thus, in its response to the EU, said, "We have this figure of 36,000 CDs. That's one year's data." That's also about 24Tbytes.

Across all CSPs in the EU the amount of data to be collected per year would run into hundreds of terabytes, all of which would have to be organised and indexed before it could be searched with any effectiveness. The annual costs of this would approach and probably pass £100m across the EU, all of which users would have to pay.

The data is not necessarily collected now. For example, there is no reason for a broadband internet service provider to collect information about website access or duration. But if the proposals come to pass then even search call data would be collected, specifying which search topics were keyed in. Such "traffic data" has clearly moved over into the realm of traffic content which, Privacy International contends, contravenes a specific EU article of law. 

The data is not even reliable. A London Internet Exchange submission said that it, "employs the unreliable UDP protocol for traffic data, so packets may have been dropped on the floor in the face of congestion."

If so the previous user of an internet port will be assumed to be responsible for the new traffic. The Privacy International report asserts that the EU proposals are out of all proportion as just 0.2% of the data is likely to be used at all. 

The big worry is that, should the proposals become law, it would be the thin end of the wedge with governments given an unprecedented level of surveillance over their citizens and nearly all online activities being subject to review. 

One particularly worrying aspect will be VoIP calls. Currently there are significant legal barriers and obstacles to the authorities being allowed to listen in on telephone conversations. However with the different classification given to internet traffic thanks to intense lobbying by the security services and other government bodies, it may soon be the case that a phone conversation held over the Internet could be simply and easily accessed by the government without even the need for a court order. 

And that is likely to impact on a rapidly expanding market with little or no real gain for citizens or the government.

Chris Mellor writes for Techworld

Read more on IT legislation and regulation

Start the conversation

Send me notifications when other members comment.

Please create a username to comment.