UK ISPs are poised to ignore a Home Office voluntary code of practice addressing retention of Internet data unless big changes are made to the wording.
The code of practice lays out the obligations of ISPs under the Anti-Terrorism, Crime and Security Act, which was rushed through parliament in the wake of the 11 September terrorist attacks. It obliges ISPs to retain communications data for law enforcement purposes, but, a year since the first draft was released, the Home Office has failed to explain how ISPs will be reimbursed for retaining the data, or how they can comply with the code without breaking numerous other laws.
The proposals have already been knocked back by European data protection commissioners.
In a letter to the ISP Association's members, ISPA general secretary Nicholas Lansman said he could not "recommend to members that they voluntarily comply with the proposed code of practice." According to the letter, which was seen and first reported by The Guardian, the industry had not been convinced that extending the length of time companies hold on to customer logs was necessary for the fight against terrorism and serious crime.
An ISPA spokesman confirmed the contents of the letter to ZDNet UK, but played down the significance, saying that it merely restates a position that ISPA has held for "many months". Furthermore, he said, if the ISP community refuses to abide by the voluntary code of practice then it will be forced upon them. "The government has said that if after a year the voluntary code of practice is seen, in the eyes of the home secretary, not to have worked then they will make it mandatory and so communications service providers will not have any option. It will be law," said the spokesman.
Nevertheless, ISPs say they still have many concerns about the code of practice, not least of which is the worry that by complying with it, ISPs may be forced to break other laws. "The ACTS law and code of practice has to be reconciled with the Regulation of Investigatory Powers Act (RIPA), the Data Protection Act, the Human Rights Act, and the Police and Criminal Intelligence Act. ISPs need to know their legal position," said the spokesman. It's a concern that the ISP community and others have been voicing to the Home Office for more than a year now -- with no response.
ISPA is not alone in voicing such concerns. Shortly after the first draft was published last year, a joint parliamentary committee warned it was likely to break European human rights legislation. The House of Lords and House of Commons Joint Committee on Human Rights said the code appeared to be incompatible with the European Convention on Human Rights (ECHR), and said safeguards are needed to prevent the government from compiling a stockpile of communications data on innocent citizens.
"We consider that measures should be put in place to ensure that the Code of Practice and any directions are compatible with the right to respect for private and family life, home and correspondence under Article 8 of the ECHR, and that those measures should be specified, so far as practicable, on the face of the legislation," the Committee concluded.
Even if the legal issues are sorted out, the costs of implementing the measures are likely to be high. "There is the initial set up," said the ISPA spokesman. "Then there are costs associated with management processes, storage and storage management, human resources, and then ISPs will also have to deal with requests from the data subjects themselves. There are so many problems that need to be resolved."
The spokesman said that ISPs are keen to work with law enforcement, but the Home Office must reply to the concerns of industry. "We need to know what the terms of the cost recovery process will be. We want to help, but law enforcement is not our job so we shouldn't have to pay for it."