Who will pay price for EU data-retention plans?

EU rules covering ISP transaction records raise privacy, as well as financial, issues, reports Manek Dubash
Written by Manek Dubash, Contributor

EU rules obliging ISPs to store transaction data for two years could have significant cost and privacy implications, reports Manek Dubash.

People have never been more aware of incursions into their privacy than they are today. From the growth of CCTV cameras on Britain's streets, to the numerous accounts of mislaid personal data or hacks into central databases, the security of our personal information is a growing concern.

Now there is a measure on the statute books that helps cement the government's surveillance capabilities: the EU's Data Retention Directive (DRD), which the government must implement.

The directive mandates ISPs to keep records for two years of every transaction that passes through their hands. The directive's purpose is not to force ISPs to retain data — the Regulation of Investigatory Powers Act 2000 (Ripa) kick-started that process in 2000 — but to harmonise the retention period across the EU.

Note that ISPs must retain not content but connections: the fact you sent me an email, or I called you, for example, rather than the actual email or recording of a call.

No big deal?
So what does the directive mean for ISPs, and how much will it cost them to comply — and does it mean your broadband bills will go up? We contacted a number of ISPs and, while all said their customers' privacy was important, they confirmed they would be abiding by the law of the land. Most also said that the directive was no big deal, as much of this information is kept by ISPs anyway, for billing purposes.

A spokesman for Virgin Media said: "DRD is not a fundamental change in what's already done. All this data is kept as standard by ISPs — DRD just mandates a time period by which that data must be kept.

"We are discussing implementation with the Home Office. It's early on in the process."

The spokesman was unable to give a timescale for implementation of the directive, but added: "We understand the needs of law enforcement, but as a consumer-centric ISP our consumer privacy is critical. Our approach is to find the right balance between the two positions."

Crunching the numbers
Among the issues Virgin Media will be discussing with the Home Office is the cost of implementing the directive, which the ISP said it expected to be borne by the government.

BT, the UK's largest ISP, said: "This is a complex topic and we look forward to studying the detail of the government's proposals and responding in due course. We will, of course, continue to adhere to whatever rules and regulations apply to us." A spokesman added that BT was still reading the directive and that it would respond to the government rather than issue a press statement.

Be Broadband, now part of O2 and a leading local-loop unbundler, said: "We are serious about protecting our customers' privacy and information. At the same time, we have a duty in law to assist the police and others in the fight against serious crime and terrorism. We expect that other ISPs take a similar position."

One vendor of technology to the ISP community said there were other issues at stake. Duncan Pauley, chief technology officer of CopperEye, a vendor of ISP-grade indexing technology, said ISPs needed to invest in technology which allowed them to be more accurate and precise about what information they released, and which could index the information faster to comply with the DRD.

Pauley said costs to ISPs of compliance could vary enormously, depending on the size of the ISP and the route it took to resolve the issue. He added that part of the equation is that ISPs will end up with bigger databases and that issue would have to be managed.

Privacy-rights campaign group No2ID took a different approach. The campaign's press officer Michael Parker said: "[Home secretary] Jacqui Smith proposed to build a huge database containing all information about everyone, but it's very difficult to build. So with some fanfare the Home Office eventually said that, having listened, it would drop that idea.

"But all it's done is drop the idea of a central repository. Instead the ISPs will do it for them, and the cost passes on to you."

'Quite a cross to bear'
Parker said ISPs have to keep "a huge amount" of information about users already, but they now have a legal duty to do so. "ISPs have to keep databases, and they still need to be managed. The responsibility that all this involves means they have quite a cross to bear," he added.

The rationale for the directive is that it helps protect against terrorism. However, according to Parker, there is evidence that the directive is part of a wider move to increase the surveillance powers of central governments across Europe.

Today, under Ripa, government agencies need to ask ISPs for any data before they can use it. Parker said this procedure will no longer apply: "Under the Interception Modernisation Programme — a future upgrade to Ripa — there's no requirement to establish a need for surveillance. This is still going on but it's all frightfully vague, very thin in detail and large of proposition."

Bigger than ID cards
According to one press report: "The scope of the project — classified top secret — is said by officials to be so vast that it will dwarf the estimated £5bn ministers have set aside for the identity cards programme."

No-one we contacted saw the directive as anything other than cementing existing practices into a legal framework. However, campaigners such as StateWatch argue that more surveillance is on its way. For example, the campaign describes the EU's Future Group as "pursuing unfettered powers to access and gather masses of personal data on the everyday life of everyone — on the grounds that we can all be safe and secure from perceived 'threats'".

From the practical point of view of cost, the directive may not result in increased broadband charges. However, it seems highly likely that, in addition to the privacy issues, the increasing cost of government-mandated surveillance will be borne by the customer.
