Within hours of the July 2005 terrorist bombings in London, UK anti-terror forces were on the telephone with telecommunications companies and ISPs, setting up a digital dragnet. Charles Clarke, then home secretary, would later predict records of suspects’ e-mails and phone calls would be a “very important use for intelligence”.
The cyber-sleuthing paid off. Italian police, acting on tips from British authorities, arrested Osman Hussein, a suspect in the failed 21 July bombings. Investigators traced his movements across the continent largely by tracking calls placed on his mobile phone.
Access to such phone, e-mail and fax data, police contend, is crucial in dismantling organised crime gangs and terrorist cells. Under an EU data retention proposal expected to be ratified by each member state this year, police will be granted access to the largest cache of personal communications data ever amassed to fight such crimes.
The EU directive calls for ISPs and telecommunications companies to store all phone, fax, SMS and e-mail traffic data for a period of six months to two years; some countries, such as Italy, are pressing for a four-year commitment.
While law enforcement is heralding this as a huge victory, telecommunications companies and ISPs are bemoaning the hefty costs of investing in data warehouses, retrieval software and the latest data protection initiatives.
The Internet Services Provider Association, or ISPA, estimates the costs of storing the terabytes of extra data and implementing a quick retrieval system will run to £35m in the first year and £9m each subsequent year for a large ISP with 1m-2m customers.
Naturally, the ISPs, who currently keep e-mail traffic data for no more than a week, want to be compensated. The UK government is considering picking up the tab. But in Germany and Italy, the costs, industry observers say, will probably be borne by the companies and their customers.
“Under a ‘preserve everything’ system, it can be incredibly expensive,” says Shelagh Gaskill, head of information law practice at Pinsent Masons in London. “You need enhanced processing power, enhanced storage – storage isn’t free – the dedicated time to make the searches, a software upgrade. Each data request could cost thousands of pounds.”
Some industries such as financial services and law are already required to keep customer information for more than a year. But the volume of data required to be stored under the data retention directive would be unprecedented, telecommunications industry observers say.
Each day, Deutsche Telekom stores 240m lines of customer data corresponding to the time and location of each call.
Currently, that data is stored for no more than 90 days, a Deutsche Telekom spokesman said. Extending the storage period to up to two years will mean Deutsche Telekom having to expand its storage capacity by a factor of 200 per cent, at a minimum, and 800 per cent, at a maximum.
“We have no idea what this will cost us, but only because nobody knows whether we will be required in Germany to preserve the data for six or 24 months. But we know it will cost us something additional,” said Mark Nierwetberg of Deutsche Telekom.
Telecoms companies did win a significant victory during negotiations last year. Originally, the proposed law stipulated that traffic data on dropped phone calls also be stored, a requirement that would have meant significant upgrades to call networks and cost, by one estimate, €200m for each telecommunications company.
In the US
In the US the impetus for the revamp of data protection law is theft. A series of security breaches has spooked Americans, and Congress is demanding companies develop rigorous data protection measures to secure consumers’ social security numbers, birthdates and account details.
Under draft legislation proposed by senators Arlen Specter and Patrick Leahy, companies with databases containing personal information on more than 10,000 US citizens must establish and implement data privacy and security programs and vet third-party contractors hired to process data. If the law passes, analysts expect companies will be scrambling to invest in the latest data encryption measures or develop protocols, such as multiple-party authentication, for granting access to customer information. The aim is to avoid another ChoicePoint incident, in which 145,000 credit card customers had their accounts exposed to an illegitimate business.
“Incidents like this have caused consumers to develop a lack of trust in the people holding their data,” says Gartner analyst John Pescatore. And now companies will have to pay, he contends.
Gartner estimates that for a company with 100,000 customers, investing in heightened data security would cost less than $6 per customer per year. A data breach, however, could cost $90 per customer in system overhauls and auditing expenses.