ISPs, telcos and police voice fears over data retention cost

The data retention directive contains some serious flaws but the most serious is that it does not make clear who will pay for it, experts say

European legislation on data retention which is in soon to become law in Britain contains some serious flaws, according to technical and legal experts.

The data retention directive that the UK, Ireland and Sweden pushed into EU law last month would make it a requirement for telecommunications companies and ISPs to save information about customers' phone calls and electronic communications for up to two years.

However, the directive has been criticised for not putting the question of who pays the cost of retaining data into law, instead relying on informal negotiations between individual ISPs, telcos and the Home Office.

"No mention is made of costs. The directive says 'Article 10 — Costs. Deleted'," said Internet expert Clive Feather, speaking at the Internet Service Providers Association (ISPA) Annual Parliamentary Advisory Forum in Westminster.

Italian ISP Tiscali also believes this is a serious issue if the law is to work. "There is a concern that the directive makes no provision for reimbursement to ISPs for extended data retention," said Emeric Miszti, Security and AUP Officer at Tiscali. "Data retention is not simply about disk drives. The development, management, and security costs must be taken into account." .

This is a view shared by the police who will be expected to pay part of the cost.

"There should be recognition of the cost of data retrieval, and also the cost of the mechanism and process of data retention," said Jim Gamble, Deputy Director General, National Crime Squad. "We pay a portion of the cost of recovery, and believe industry should have reasonable recompense."

Feather also raised other concerns about the wording of the directive says that it still "contains nonsense".

"It includes provision for the retention of the date and time for 'log in' and 'log off' an Internet email service, but most email programs connect to the email server every five minutes. The directive doesn't ask for the time mail is sent and received. It doesn't ask for the sender of received emails," said Feather.

The directive also does not specify exactly what an Internet service provider is, said Feather, leaving companies and organisations from universities to Internet cafes in a legal limbo.

Feather also reckons that the legislation is not keeping up-to-date with current developments and pointed to the omission in the legislation of emerging technology such as Internet telephony and instant messaging.

Tiscali's Miszti said he was concerned that the security of emerging technology had not been given sufficient consideration: "With more unsecured Wi-Fi networks and Internet cafes, there are more opportunities for crime that are not targeted by the directive. Why should criminals sign up for an ADSL account when they know they're being monitored?"

A concern for ISPs is that this legislation will open the door for more far reaching legislation that will force them to retain entire data communications, including data packets. "It's not as bad as we feared. Not every single data packet has to be retained — yet," said Feather.

Questions were also raised about the human rights implications of storing large amounts of communications data.

The Earl of Erroll, President of the E-business Regulatory Alliance, an organisation that examines legal and regulatory issues in Brussels and Westminster, asked: "Is the directive necessary, legal, and balanced? Will it protect citizens from unnecessary access to confidential information?"

The Home Secretary, Charles Clarke, gave an assurance that human rights legislation would be conformed to.