Snooping laws caught in catch-22

Not even Joseph Heller could have dreamt this one up: two laws break a third, but plugging the hole would be illegal. Meanwhile, ISPs face mounting costs

ISPs want the government to plug a loophole in the law that lets government agencies demand access to customer data -- and which could leave ISPs out of pocket and open to prosecution.

The trouble is, say legal experts, that plugging this loophole would be illegal under human rights legislation.

Ian Walden, head of IT law at Queen Mary College, giving evidence to an inquiry in data retention by the All-Party Parliamentary Internet Group, said the loophole stems from a conflict between two laws: the Anti-Terrorism Crime and Security Act (ATCS), and the Regulation of Investigatory Powers Act (RIPA).

The Anti-Terrorism and Crime Act (ATCS) was rushed through Parliament in the wake of the 11 September terrorist attacks. In what was pitched as a measure to help law enforcement officials track terrorists, the government included a clause in ATCS requiring that all ISPs and other communications service providers retain all records of their customers' emails and Web surfing habits for one year for purposes of national security.

"The Regulation of Investigatory Powers Act lays down where interception is lawful, but it does not control access," said Walden. "While the ATCS in itself is not incompatible with the Human Rights Act, when taken in conjunction with RIPA it is."

Even though the whole point of ATCS is to make sure that data is only retained for purposes of national security, ISPs say that once the data has been retained a large number of people have access to it under a large number of different laws. Complying with these access requests will incur huge costs, they say.

One major area of concern is where defendants in a court case need to access data to aid their defence. Under current legislation, they are allowed access to communications data that has been retained.

When ATCS comes fully into power, ISPs are expecting a large number of requests for data, which will not necessarily be made under RIPA. While RIPA includes provisions for reimbursing ISPs, requests made under the other laws could incur substantial new costs for ISPs.

"You could not rewrite RIPA to say that defendants cannot access data for a trial. This would be a breach of the defendant's right to a fair trial under the Human Rights Act," said Walden. "You just cannot plug that hole. If you try, you simply open another."

In written evidence to the inquiry, the UK ISP Association recommended a solution whereby the government introduce a memorandum of understanding with the agencies that have access to data, committing them to the use of RIPA procedures. However, said ISPA, the Home Office maintains there is no need to resolve the conflict.

Some go further. "We want data access for agencies (other than police) to be repealed," said Clive Feather, Internet expert at Thus. Feather said it is essential that anybody who needs access to the data comes in through the same channel.

"Trading Standards have the power to demand records under Trading Standards Act, and Social Security have powers under the Social Security Act, and the Serious Fraud squad under separate powers," said Feather. "None of them are required to compensate us for costs incurred during access."

Feather said that Thus, along with other ISPs, already retains data for operational purposes -- in case a system fails and they have to restore it -- and they receive requests from various government agencies for this data. But when the relevant part of ATCS comes into power and they are forced to retain a whole year's worth of data, they are expecting a "flood" of requests from numerous agencies under numerous laws, and a corresponding rise in costs.

At Thus, costs are expected to be in the region of £5m, while AOL has estimated its costs at £30m to set up the systems and then a further £30m a year. The government is believed to have estimated the costs for the entire industry at £20m, though its reticence in discussing costs with industry has exasperated the ISP Association.

Who's watching you? Get the latest on spy networks such as Echelon and Carnivore, as well as privacy issues for companies and individuals alike, at ZDNet UK's Privacy News Section.

Have your say instantly, and see what others have said. Go to the ZDNet news forum.

Let the editors know what you think in the Mailroom.