Internet data-retention law comes into force

Internet data-retention law comes into force

Summary: From Monday, internet service providers will be obliged to retain details of internet communications, including email, for 12 months

SHARE:
TOPICS: Networking
1

Internet service providers will have to retain details of internet communications, including email, under UK law which came into force on Monday.

The Data Retention (EC Directive) Regulations 2009 require service providers to retain details of user internet access, email and internet telephony for 12 months. ISPs must also be able to respond to access requests by law enforcement and other designated authorities.

The details of UK citizens' communications to be retained include which IP address people have been assigned, plus log-in and log-off times; the sender, recipient, date and time of emails; and the caller and recipient of internet telephone calls.

In addition, the regulations state that telecommunications companies must also retain details of all fixed and mobile telephony usage, including the geographical location of the caller.

These regulations supercede the Data Retention (EC Directive) Regulations 2007, which required fixed and mobile telephony data retention, but did not require the retention of internet communications.

Privacy campaigner Simon Davies, director of Privacy International, told ZDNet UK on Monday that data preservation, in which ISPs and telcos retain the data of specific suspects rather than of all citizens, would have been "less privacy intrusive and achieves the same objectives".

"It's not necessary to retain all of that data," he said.

Davies noted that retention of data could lead to local authorities using that data in a similar way to their use of the Regulation of Investigatory Powers Act (RIPA). Local government has been criticised by various agencies, including the Home Office, for using the legislation to monitor people putting their bins out, or dog-fouling.

"Once the data is held under this particular regime, you will probably find it will be used for a whole range of other purposes, just as RIPA has been," Davies said. "With data preservation, what would not have occurred is the gross infringement of local authorities using that data to investigate dog-fouling or littering."

Davies added that public trust in government may be eroded if communications data is misused by local authorities.

The Home Office said in a statement on Monday that it does not want to see data retention or RIPA powers "being used to target people for putting their bins out in the wrong day or for dog-fouling offences". However, legitimate actions would include local authorities using data to target "dodgy traders", fly tippers and noisy neighbours, the Home Office said.

Currently, covert surveillance, such as accessing the data retained under the Data Retention (EC Directive) Regulations 2009, can be authorised in local authorities by junior executive officers. The Home Office said it is considering raising the level of authorisation to senior executives, with possible oversight by elected councillors.

Home secretary Jacqui Smith said in December that the Home Office would consult on use of RIPA. This consultation would occur "shortly", the Home Office said.

The HomeOffice statement added that retention of communications data was necessary as a crime-fighting and anti-terrorist tool. "This data is a vital tool to investigations and intelligence gathering in support of national security and crime," the statement said. "Communications data allows investigators to identify suspects, examine their contacts, establish relationships between conspirators and place them in a specific location at a certain time."

Topic: Networking

Tom Espiner

About Tom Espiner

Tom is a technology reporter for ZDNet.com. He covers the security beat, writing about everything from hacking and cybercrime to threats and mitigation. He also focuses on open source and emerging technologies, all the while trying to cut through greenwash.

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Talkback

1 comment
Log in or register to join the discussion
  • This story has been updated

    Many thanks to Arjan van Bentem for querying whether ISPs must retain websites visited. Arjan, you are quite right -- it is IP adresses assigned to named subscribers, and log-on and log-off times, which ISPs must now retain by law. The government is considering proposing logging which websites users have visited, as part of the Interception Modernisation Programme (IMP). The government is expected to launch the IMP consultation paper in the week of 20 April.
    Tom Espiner