An all-party parliamentary inquiry has recommended that the government drop its plans to make ISPs indiscriminately keep records of every email sent or received, and every Web site visited, by UK citizens.
In a hard-hitting report, the All-party Parliamentary Internet Group (APIG), said the data retention powers, contained in the Anti-Terrorism, Crime and Security (ATCS) Act, should be scrapped. Neither a voluntary nor a mandatory data retention scheme would work, said the inquiry.
The plan was to keep what is called communications data -- email addresses and the IP addresses of Web sites that people visit, information about the origin and destination of requests and messages. It is distinguished from content in the same way that a dialled telephone number is distinguished from a recording of the actual call. However, many in the industry believe communications data is just as invasive as the content because it can reveal a great deal about an individual.
A voluntary scheme, under which ISPs would choose to adhere to a code of practice on data retention, could leave them open to prosecution, said the inquiry. The problem is that under ATCS communications data would only be retained for national security related purposes but laws such as the Regulation of Investigatory Powers Act (RIPA) include measures that let a wide range of government bodies access that data for reasons not related to national security, raising conflicts with the Human Rights Act.
Meanwhile a mandatory scheme would, while protecting ISPs from prosecution under the Human Rights Act, be like "insisting that every office in the country ensure that they have a 'visitors book' and a camera in every room," said the report. In this analogy, the book and the videotapes would have to be safely retained on the off-chance that an investigator turn up and ask for the records from 12 months earlier. "Of course we can appreciate that such as scheme would be occasionally useful to the police in solving an ancient crime, but we don't believe this usefulness would be so great that the imposition on businesses would be reasonable."
The report should come as little surprise to the Home Office, which admitted in December that it had "got data retention a little bit wrong" and was "now back to square one." However, the report goes further than saying it is merely a UK problem, and recommends that the government "urgently enter into Europe-wide discussions to dismantle data retention regimes and to ensure that data preservation becomes EU policy."
Data preservation is different from data retention because it tends to deal with specific bits of communications data. It is typically targeted at a certain individual and is therefore considered more proportional than data retention. A typical routine is for police to request an ISP to keep a particular piece of data that would otherwise be deleted after a couple of days.