Privacy campaigners claim it is the realisation of a Big Brother state, while some law enforcers insist it is a necessary response to the growing global threat of terrorism. For telecommunications groups and internet services providers, though, the prospect of Europe-wide laws requiring them to retain, and hand over, electronic communications data is a potential headache and extra cost burden.
A European directive is in preparation that will require the providers of publicly available communications services to retain details of fixed-line, mobile phone and e-mail communications for at least six months, and possibly up to two years. It is a requirement that even the US has not imposed in its war on terror.
Last-minute concessions in the highly charged European political process of securing agreement on the principles of data retention have meant the directive is unlikely to be as restrictive as many have feared. Reinhard Schu, an e-commerce lawyer at Morrison & Foerster, the law firm, says: “Traditional fixed-line and mobile operators have got out of this with just a black eye. But internet service providers [ISPs] will face a substantial burden.”
He warns that there are many grey areas in the proposed law that could cause confusion.
Storage of communications data so that law-enforcement agencies can access it as part of their investigations into terrorism and other serious crimes has been a bone of contention between some European governments and industry for years. The UK had identified securing a deal on data retention as a priority during its six-month presidency of the European Union last year and in December the European parliament finally approved proposals after lengthy shuttle diplomacy between London, Brussels and Strasbourg.
Some countries, such as the UK and Spain, already make substantial use of internet and phone records in serious criminal inquiries. Others, including Germany and Finland, have been less enthusiastic because of concerns over the costs and the impact on existing data-protection laws.
The directive will require storage of data necessary to trace the identity, source, destination, routing, date and time, location and device used in a communication, including failed calls. That means information such as callers’ identities, names of subscribers, mobile-phone location cells, and the sender and receiver of e-mails. It does not mean the content of a call or e-mail, or specific web pages accessed by individuals.
A six-month minimum storage requirement in the law should pose little problem for phone operators, who already keep such data for billing purposes. However, an extension of up to two years might be more problematic.
In the UK, a voluntary code of practice already requires communications groups to store some data for up to a year, and the government has reimbursed costs on an ad-hoc basis. For example, O2, the mobile phone operator, recently secured an £875,000 ($1.5m) deal to cover the cost of providing a system capable of retrieving specific information for law-enforcement agencies. The UK’s Home Office says it remains committed to meeting providers’ “reasonable costs”, and to working “with industry, not against it”.
However, the directive will leave the issue of cost reimbursement to member states’ discretion, and some countries – including Germany – have said no money will be made available.
An executive at one UK-based leading mobile phone operator claims the directive is an attempt to export UK policing standards across Europe. “We are getting data requests every day from police in this country but very, very few from overseas authorities. Why should everyone incur costs if the police are never going to go to them? If they never use traffic records in Germany, what is the point in preserving them?”
For ISPs, the issues are more complex as they tend to bill according to a flat rate or capacity used, rather than by individual communications, so many systems are not geared up to retaining such detailed traffic data.
Mr Schu says it is “much less clear how the directive will apply to ISPs and what the cost implications are”. He suggests the law might jeopardise some free web mail services offered by ISPs. “Suddenly, they have the cost and responsibility to make sure data is retained accurately, completely and securely. They may just stop providing free web mail.”
Data retention will require systems that not only store data but also allow it to be easily and quickly sought and retrieved and then kept secure. That requires not just hardware but trained staff. Mr Schu adds: “You can’t just stick a hard drive in a safe somewhere.”
It is unclear how quickly data will need to be made available, but Mr Schu says companies will have to be able to provide it within “hours rather than days, and certainly not weeks”.
AOL, the ISP, has estimated that a year’s worth of data, as required under the UK’s voluntary retention code, could be stored on 36,000 compact discs.
The Internet Service Providers’ Association, an industry group, says a mandatory law might provide some clarity as existing arrangements raise concerns over breaches of human rights or data-protection laws. But: “It is not a cheap option. The money will have to come from somewhere.”
The ISPA is cautious over the prospect of cost recovery, particularly since there is no formal, transparent cost-recovery scheme operating for the UK’s voluntary code, which was introduced by an act of parliament about four years ago.
Some basic questions remain, particularly over internet telephony. Some in the industry say it is unclear how networks based on new and emerging technologies will be treated by the directive, how voice-over-internet-protocol (VoIP) phone services such as Skype will be affected or how peer-to-peer internet phone services with no obvious provider will be covered.
They also question whether the definition of e-mail communications will encompass instant messaging, internet chat services and even multiplayer games.
In addition, there are suggestions that the directive will ask for the wrong things, such as the dates and times of log-in and log-off of e-mail services rather than the exact time each e-mail was actually sent, opened or responded to.
The directive is expected to emerge this spring, although doubt remains as officials in some countries are understood to have challenged the European Commission’s right to publish such a directive on the grounds that security issues are outside its remit.
Privacy campaigners say the directive will be a fundamental shift in individuals’ rights. Gus Hosein, of Privacy International and a visiting fellow at the London School of Economics, says: “Everything you do in the new age will be registered, maintained and logged, and it doesn’t end here. Eventually the law will require people to register their identity before they communicate.”
He is convinced that the requirement to store huge amounts of data will inevitably lead to it being lost, misused or falling into the wrong hands. “We are going to find people using this information when they have no business getting it.”
Hotels and web cafés may also be hit
Hotels, internet cafés and universities could be forced to track records of calls and e-mails under the European directive on data retention, according to lawyers.
Some say a new law could impose obligations on organisations that would not consider themselves to be communication service providers.
For example, a hotel might be required to keep records of calls made from each room and of the guest in residence at the time, as the fixed-line telecoms company would know only that a certain call came from the hotel but not from which room.
An internet café with publicly available terminals, academic institutions and even public authorities that provide wireless access in certain areas could all be caught by the directive.
Such details are likely to be decided by the way each member state chooses to implement the directive into national law.
The UK Home Office has said it is aware of the “does it mean me?” issue, and is exploring the scope for putting certain organisations “on notice” when it implements the directive as a way of removing uncertainty.
The directive is due to be implemented by about October 2007 for fixed and mobile telephony, and by about April 2009 for internet data.