Privacy and IT security experts have reacted with horror to reported government plans that would see UK citizens' internet and telephony usage details stored in a massive centralised database.
As details begin to emerge about the Communications Data Bill, included in very detail-light form in last week's draft Queen's Speech, the Home Office on Tuesday declined to deny reports suggesting it wanted such a database. Initial interpretations of the draft bill had internet service providers (ISPs), rather than the government, holding such data, but it now appears that Home Office officials may want their own database.
To come into line with the requirements of the European Data Retention Directive, introduced in 2006, UK communications providers have, for some time, had to retain telephony data — who the subscriber is; who he or she was calling or texting; when the communication took place, and so on — for a minimum period of one year. The government held off on applying the same requirements to internet-usage data, and it is that data that is particularly affected by the new Communications Data Bill, set to come into force by the end of March 2009.
At first appearances, the bill requires certain data — logon and logoff information, how long the user was online for, who was emailed and when, and the user's IP address — to be held by ISPs for six months, with users' basic subscriber data to be held for at least one year. This sort of data is retained by many ISPs for their own internal purposes, and many ISPs already voluntarily hold the data to make available to law-enforcement officials, the intelligence community and the taxman.
"I've worked at a number of ISPs and this is day-to-day activity anyway," said Gareth Niblett, head of information security at the Kingston-upon-Hull-based ISP KCom. Niblett pointed out that the Home Office intended to pay ISPs back for any costs they might incur in keeping such data longer than they had in the past, a situation he described as "certainly better than in Ireland or other places where there is no financial support for delivering and operating such a platform".
However, a spokesperson for the ISP Association (ISPA) told ZDNet.co.uk on Monday that the association was still "looking to find out what's meant" by certain phrases in the draft legislation, particularly the part referring to a need to "modify the procedures for acquiring communications data and to allow this data to be retained".
On Tuesday, an article in The Times provided a possible interpretation of this phrase, claiming Home Office officials wanted to establish a centralised database for telephony and internet usage information under the auspices of...
...the government itself — a very different proposition from simply asking ISPs and telecoms companies to hang onto the data for longer than they had previously.
Asked by ZDNet.co.uk on Tuesday if this really was the case, a Home Office spokesperson said: "Ministers have made no decisions on whether a central database will be in that draft bill. Full details of the draft bill will be published later this year."
The Information Commissioner's Office was quick to respond to the prospect of yet another large centralised database of citizens' personal data. "If the intention is to bring all mobile and internet records together under one system, this would give us serious concerns and may well be a step too far," said Jonathan Bamford, the assistant information commissioner. "We are not aware of any justification for the state to hold every UK citizen's phone and internet records. We have real doubts that such a measure can be justified, or is proportionate or desirable."
Bamford called for a public debate on the issue, and for safeguards to "ensure that the data is only used for the proper purpose of detecting crime".
"We have warned before that we are sleepwalking into a surveillance society," he continued. "Holding large collections of data is always risky; the more data that is collected and stored, the bigger the problem when the data is lost, traded or stolen. Defeating crime and terrorism is of the utmost importance, but we are not aware of any pressing need to justify the government itself holding this sort of data."
Data-protection companies also weighed into the debate. "Whilst these plans are a positive step towards tackling terrorism and protecting its citizens, the UK government will need to prove its ability to keep data secure if these proposals are to achieve widespread support," said Brian Spector, general manager of Workshare's content protection group. "Since losing the details of over 25 million child benefit claimants last November, the government has failed to effectively address the issue of data security."
"The project will be expensive, risk failure (as with all large projects) [and] could threaten civil liberties," said Chris Dean, director of the independent IT consultancy DMW Group. "The UK needs to decide whether or not this is a reasonable price to pay for protection from terrorists. If it is decided that we should proceed, the government must make sure it gets the project right first time or this will be much worse than losing child-benefit records. A simple technical design flaw could easily bring a government down."