ISPs, telcos and police voice fears over data retention cost

Summary: The data retention directive contains some serious flaws but the most serious is that it does not make clear who will pay for it, experts say


European legislation on data retention, which is soon to become law in Britain, contains some serious flaws, according to technical and legal experts.

The data retention directive that the UK, Ireland and Sweden pushed into EU law last month would make it a requirement for telecommunications companies and ISPs to save information about customers' phone calls and electronic communications for up to two years.

However, the directive has been criticised for not putting the question of who pays the cost of retaining data into law, instead relying on informal negotiations between individual ISPs, telcos and the Home Office.

"No mention is made of costs. The directive says 'Article 10 — Costs. Deleted'," said Internet expert Clive Feather, speaking at the Internet Service Providers Association (ISPA) Annual Parliamentary Advisory Forum in Westminster.

Italian ISP Tiscali also believes this is a serious issue if the law is to work. "There is a concern that the directive makes no provision for reimbursement to ISPs for extended data retention," said Emeric Miszti, Security and AUP Officer at Tiscali. "Data retention is not simply about disk drives. The development, management, and security costs must be taken into account."

This is a view shared by the police, who will be expected to pay part of the cost.

"There should be recognition of the cost of data retrieval, and also the cost of the mechanism and process of data retention," said Jim Gamble, Deputy Director General, National Crime Squad. "We pay a portion of the cost of recovery, and believe industry should have reasonable recompense."

Feather also raised other concerns about the wording of the directive, saying that it still "contains nonsense".

"It includes provision for the retention of the date and time for 'log in' and 'log off' an Internet email service, but most email programs connect to the email server every five minutes. The directive doesn't ask for the time mail is sent and received. It doesn't ask for the sender of received emails," said Feather.

The directive also does not specify exactly what an Internet service provider is, said Feather, leaving companies and organisations from universities to Internet cafes in a legal limbo.

Feather also reckons that the legislation is not keeping up to date with current developments, and pointed to its omission of emerging technology such as Internet telephony and instant messaging.

Tiscali's Miszti said he was concerned that the security of emerging technology had not been given sufficient consideration: "With more unsecured Wi-Fi networks and Internet cafes, there are more opportunities for crime that are not targeted by the directive. Why should criminals sign up for an ADSL account when they know they're being monitored?"

A concern for ISPs is that this legislation will open the door for more far-reaching legislation that will force them to retain entire data communications, including data packets. "It's not as bad as we feared. Not every single data packet has to be retained — yet," said Feather.

Questions were also raised about the human rights implications of storing large amounts of communications data.

The Earl of Erroll, President of the E-business Regulatory Alliance, an organisation that examines legal and regulatory issues in Brussels and Westminster, asked: "Is the directive necessary, legal, and balanced? Will it protect citizens from unnecessary access to confidential information?"

The Home Secretary, Charles Clarke, gave an assurance that human rights legislation would be conformed to.


Tom Espiner

About Tom Espiner

Tom is a technology reporter for ZDNet.com. He covers the security beat, writing about everything from hacking and cybercrime to threats and mitigation. He also focuses on open source and emerging technologies, all the while trying to cut through greenwash.


Talkback

3 comments
  • I was very interested to see your article on compliance:
    anonymous
  • It takes me days to go through ex-employees' emails to find and forward important stuff. That is with only a few well ordered messages. Who is going to pay for anyone to sort and sift through this data? Us the taxpayer again. It is the same as the backup principles. If the data is unusable there is no point in keeping it.
    anonymous
  • The data retention directive is badly designed and has many ambiguities in it. If this cannot be rectified into a simple yet effective directive before it is to be incorporated into UK law, then it is up to our Home Office (??) experts to prove that they can act responsibly and sensibly and ensure that the British laws do not include the anomalies, ambiguities and errors of Brussels.
    Although it appears that the cost of retaining the data will be initially borne by ISPs, this should be costed by ISPs and an appropriate charge, sufficient only to cover costs, be made to the accessing body, be it police (shouldn't be) or our security and defence services.
    anonymous