Government's data retention back-pedal fails to impress

ISPs will have to retain traffic data for less time than originally planned, and access to that data will be more tightly restricted, but the government has still failed to address many concerns.

The government is scaling down its data retention plans in a renewed effort to quell public and industry disquiet, but even the toned-down policy has met a mixed response, with one prominent think-tank already labelling it a "sham".

On Tuesday, the government launched two consultation papers: one addressing data retention, and the other addressing who has access to communications data and how they can access it. It is the first of these -- the consultation paper on a Code of Practice for Voluntary Retention of Communications Data, which is required under the Terrorism Act -- that appears to have drawn the most flak.

Among the paper's concessions to concerns from industry and the public are reduced terms for how long ISPs and communications providers will have to retain data: 12 months maximum for subscriber information and telephony data, compared to the seven years that the government originally called for. Subscriber information includes the telephone number of an individual, their email address, log-in names for dial-up Internet accounts and other data (including the MAC addresses of network cards where held) that can be used to identify users. Telephony data typically covers numbers called, and location of mobile phones when those calls were placed.

Under the draft code of conduct, which is now open to public consultation, SMS and MMS data, along with details of where emails were sent to and received from, would be kept for six months, and details of Web sites visited would be kept for four months.

It is this consultation that has drawn the most ire, with Ian Brown, director of the Foundation for Information Policy Research, calling it "disingenuous". Brown criticised the Home Office for not addressing in the draft the concerns expressed by the information commissioner, by the communications industry or by the parliamentary All Party Internet Group (APIG), which published a critical report earlier this year. Industry had called for the code of practice to be made mandatory, so that ISPs would be protected from legal action under the Human Rights Act and the Data Protection Act when complying with the measures in the code of practice.

Under the new draft code of practice, said Brown, companies will still be breaking the law by retaining data for anti-terrorist purposes and then making it available for access for other purposes, whether they are criminal investigations or civil lawsuits.

Furthermore, he said, the Home Office seems to be avoiding the issue of cost. ISPs say that retaining all the data will cost huge amounts.

"The data retention consultation is a sham," said Brown. "The Home Office has failed to address any of the well-known substantive issues and is merely going through the motions so it can come back with a compulsory scheme." But, he said, the compulsory scheme is also likely to be unlawful and will also be incredibly expensive: "The Home Office needs to drop data retention and start again, perhaps with a targeted preservation scheme such as seems to be successful in the USA."

The consultation on access to communications data under RIPA is a second attempt to regulate who should be able to access communications data: the first, last summer, drew widespread public concern when it became apparent just how many agencies would have access to communications data, and how easily they would have access.

New proposals contained in the revised consultation paper introduce the idea of vetting by the Information Commission of each request to access communications data. Introducing the consultation documents, Bob Ainsworth MP, parliamentary undersecretary of state at the Home Office, said a "double lock" would be applied to make sure that requests are proportional.

Under this idea, access would be restricted by purpose and by type of data. "Agencies would have to satisfy the Information Commission that their systems are suitable, and then they would have to seek prior approval from the Information Commission for access to the data," said Ainsworth. However, he could not say whether the Information Commission would have enough resources to deal with the expected flood of requests.
