ISPs spell out true cost of data retention

AOL alone would need 36,000 CDs a year to store all the data that the government is demanding, and the cost far exceeds the numbers that have been banded around Westminster

ISPs say the true cost of storing individuals' communications data as required by the Anti-Terrorism, Crime and Security Act (ATCS) that was rushed through parliament in 2001, will cost far in excess of the £20m estimated by the Government.

Giving evidence at the All Party Parliamentary Group (APIG) public inquiry on Wednesday, AOL's director of public policy Camille de Stempel, said it would cost about £30m just to set up the systems for AOL alone, and the same again in running costs.

Many ISPs already retain some communications data for various purposes, but the government is keen to make them extend the length of time it is retained to at least one year. Communications data means IP addresses of Web sites that people visit, and addresses of emails; it is distinct from content, although many in the industry believe it is just as invasive.

Although the government has been criticised for failing to show how ISPs would be reimbursed for the cost of retaining communications data, it is believed by many to be considering a figure in the region of £20m a year for the entire industry. This would, say ISPs, be totally inadequate.

For AOL, retaining communications data for one year would add an enormous cost, said de Stempel. "There are huge amounts of data involved. AOL has 329m user sessions a day, and its customers send 597m emails, and we're just one ISP." De Stempel said that to save all communications data on its UK customers for just one day would require 100 CDs. "If you multiply that (for a year) it will have an enormous impact on our business."

Further costs would be incurred because an ISP could not simply hand a whole year's worth of CDs (36,000 in the case of AOL) over to police or other law enforcement agency when a request was made because, they say, this would be an offence under Regulation of Investigatory Powers Act (RIPA). RIPA says that any requests for communications data has to be proportional. "We'd have to search for a particular piece of data," said de Stempel.

Clive Feather, an Internet expert at ISP Thus who also gave evidence, said AOL's figure of 36,000 CDs was if anything an underestimate of the scale of the problem. "This is raw data. If ISPs are retaining data so it can be searched later then it has to be organised and indexed," said Feather. "And this would all have to be paid for."

Feather said he had no idea where the government's estimate of £20m for the whole industry came from. "The cost would be £5m to £6m for us alone," he added. Like many other ISPs, Thus stores communications data for a couple of days in case something goes wrong and it has to restore its systems. "If we store too much, the machine fills up at 3.00am and we have to drag the engineer out of bed to fix it", said Feather. "If we were keeping data for one year we would need to build a dedicated system and have very good security because suddenly we'd have a lot of data that would be very attractive to criminals. This would be a major computing project, and a very expensive one."

Costs are likely to be exacerbated by the large number of government agencies that have access to the data once it is retained, say ISPs. Even if the government creates a reimbursement mechanism for data accessed under RIPA, many government agencies such as the Benefits Agency, the Department for Work and Pensions (formerly the Department of Social Security, and the Serious Fraud Squad can demand access to retained data under other laws. The government has not said how costs incurred by agencies using other laws would be reimbursed.

In written evidence to the inquiry, the UK's ISP Association (ISPA), expressed concern that there are no plans to address this problem and repeal existing powers that are reserved by some public authorities to order disclosure of data. Part 1 Chapter 2 of RIPA, and the associated code of practice and cost recovery mechanisms should be implemented as a matter of priority, said ISPA. "This will make the authorities named on the face of the Act fully compliant with the applicable data disclosure provisions."

Furthermore, said ISPA, the government should introduce a memorandum of understanding between these authorities and government to commit them to the use of RIPA procedures over any existing powers they may have under other statutes.

Who's watching you? Get the latest on spy networks such as Echelon and Carnivore, as well as privacy issues for companies and individuals alike, at ZDNet UK's Privacy News Section.

Have your say instantly, and see what others have said. Go to the ZDNet news forum.

Let the editors know what you think in the Mailroom.