If you search for news articles about the European Union Data Retention Directive 2006/24/EC, you will, unfortunately, find several articles, even from the computer and telecommunications technical press, which claim that the new mandatory requirement to store Communications Traffic Data logfiles for 12 months came into force yesterday, something which is not strictly accurate in the United Kingdom.
This Mandatory Data Retention applies regardless of whether an Internet Service Provider or Telecommunications Company has any business need for this data any more, i.e. data which would therefore have been destroyed or anonymised under the Principles of Data Protection under the Data Protection Act. This data is not data identified as being useful for a particular targeted criminal investigation, but is mass surveillance snooping on the vast majority of the 450 million innocent people in the European Union.
The first part of this EU Directive, regarding landline telephones and mobile phones, has already been in force in the UK since October 2007.
Remember that none of the "serious crime" or "terrorism" cases which were trotted out in support of this Data Retention policy actually involved any investigations which needed out of date communications traffic data as old as 12 months. The Soham murders investigation and the tracking of the July 2005 failed terrorist bomber who fled from London to Italy all used current Communications Traffic Data no more than a few days old or even in "real time", which would not yet have been deleted by the telcos in the normal course of their business anyway.
Like many other EU countries, the UK cried off from implementing the Internet aspects of the Directive for a further 18 months, which, based on the date on which the original Directive was passed, crudely puts the start date for the new scheme as the 15th March 2009, i.e. yesterday, a Sunday - see the Official Journal of the European Union:
DIRECTIVE 2006/24/EC OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 15 March 2006 on the retention of data generated or processed in connection with the provision of publicly available electronic communications services or of public communications networks and amending Directive 2002/58/EC (.pdf)
However, the new Regulations do not appear to come into force in the UK for another 3 weeks, i.e. Monday 6th April 2009 - why the delay? They have had at least 18 months to prepare for this date:
See the Draft Statutory Instrument, which will presumably be rubber stamped, without debate and without amendment, by being "laid" before the House of Commons and the House of Lords, sometime soon.
Coming into force 6th April 2009
Obligation to retain communications data
(5) No data revealing the content of a communication is to be retained in pursuance of these Regulations.
4.--(1) It is the duty of a public communications provider to retain the communications data specified in the following provisions of the Schedule to these Regulations--
PART 3 INTERNET ACCESS, INTERNET E-MAIL OR INTERNET TELEPHONY
Data necessary to trace and identify the source of a communication
11.--(1) The user ID allocated.
(2) The user ID and telephone number allocated to the communication entering the public telephone network.
(3) The name and address of the subscriber or registered user to whom an Internet Protocol (IP) address, user ID or telephone number was allocated at the time of the communication.
Data necessary to identify the destination of a communication
12.--(1) In the case of internet telephony, the user ID or telephone number of the intended recipient of the call.
(2) In the case of internet e-mail or internet telephony, the name and address of the subscriber or registered user and the user ID of the intended recipient of the communication.
Data necessary to identify the date, time and duration of a communication
13.--(1) In the case of internet access--
(a) The date and time of the log-in to and log-off from the internet access service, based on a specified time zone,
(b) The IP address, whether dynamic or static, allocated by the internet access service provider to the communication, and
(c) The user ID of the subscriber or registered user of the internet access service.
(2) In the case of internet e-mail or internet telephony, the date and time of the log-in to and log-off from the internet e-mail or internet telephony service, based on a specified time zone.
Data necessary to identify the type of communication
14. In the case of internet e-mail or internet telephony, the internet service used.
Data necessary to identify users' communication equipment (or what purports to be their equipment)
15.--(1) In the case of dial-up access, the calling telephone number.
(2) In any other case, the digital subscriber line (DSL) or other end point of the originator of the communication.
We have criticised the vagueness of terms like "internet e-mail" or "internet telephony" before.
Which protocols and which data fields will be specifically logged by an ISP?
See our comments on the public consultation document, which we submitted formally to the Home Office.
We were not the only people who demanded greater specific detail of exactly what is and what is not to be retained and snooped on, but the Home Office, in their official response to the public consultation back in February, made the incredible and arrogant claim that:
10. Some respondents suggested that more technical detail should be provided within the draft Regulations. However, the Government's experience of working with public communications providers under the ATCSA voluntary code of practice and the first phase implementation of the DRD suggests that it is unhelpful to provide a high level of technical detail in the legislation as terms that might be meaningful to one business area, may be completely inappropriate for another or may already be given meaning within other legislation.
To whom, precisely, is specific technical detail "unhelpful"? Not to the industry, and not to the public.
It is the Home Office's job to state clearly and precisely what technical details are required and which ones are exempt from the regulations.
Unless and until they do state in detail what exactly is, and what is not, to be logged and retained, all their "cost estimates" in the Impact Assessment are fiction.
This response from the Government is not acceptable.
The "European Union" aspect of this is a bit misleading as well, since it was not Malta or Poland or Luxembourg etc. which forced this through the EU bureaucracy and the European Parliament, but the disgraced Home Secretary Charles Clarke, when the UK was last in charge of the rotating presidency of the Council of Europe i.e. a prime example of "policy laundering".
We have had almost identical law on the statute book since the Anti Terrorism Crime and Security Act 2001 Part 11 Retention of Communications Data, which set up a "voluntary" data retention scheme, with the ability to convert it into a mandatory one at any time - the Home Office just never succeeded in properly agreeing the exact details and the financial compensation with the telcos and ISPs.
This EU Mandatory Data Retention is not the same as the Home Office's evil plans for snaffling all such Communications Data logfiles into a centralised, secret database, something which they appear to be trying to bolt on to the existing Interception Modernisation Programme plans for new equipment etc. for GCHQ - i.e. the recipe for yet another Government IT project cost and delivery overrun in the making.
Such a database would then allow them to evade even the weak scrutiny by the Interception of Communications Commissioner, Rt. Hon. Sir Paul Kennedy (who only has the power to audit a small sample of the requests made to Communications Services Providers by the list of intelligence agencies, police forces, Whitehall Departments, quangos and Local Government Councils), and to evade any of the restraints on excessive snooping and on speculative mass data trawling through innocent people's data which the existing system of having to pay for each request imposes, something which attracts external financial and budgetary scrutiny by senior management of the financial audit trail.
None of this has yet been spelled out in any detail, in spite of the promise of a Communications Data Bill in the Queen's Speech in November 2008 (delayed) or a public consultation in January 2009 (delayed), promised by Home Secretary Jacqui Smith, back last October.