Out-Law News 2 min. read
11 Mar 2003, 12:00 am
Insiders have suggested that the voluntary Code will be rejected by industry and that a mandatory Code will follow. However, the retention periods proposed in today's document – just four days for web site logs – are less onerous than many observers had feared.
This is one of two Home Office consultations out today. See below for a link to our story on the other consultation, regarding access to data.
The Anti-Terrorism, Crime & Security Act of 2001 was rushed through Parliament in the wake of September 11th. It extends some powers introduced in the controversial Regulation of Investigatory Powers Act of 2000 – better known as RIPA.
The legislation does not oblige telcos and ISPs to retain data. However, it is worded such that if the industry doesn't accept a voluntary code of practice, the Government can make the retention requirement mandatory. And the views expressed within the industry have suggested that a voluntary Code will be rejected.
This view is not just to do with the obvious technical and financial burden: it is largely because of the difficulty in balancing the requirements of a voluntary Code with obligations provided in legislation. And this concern, it seems, may persist notwithstanding today's publication.
The Foundation for Information Policy Research (FIPR), a non-profit think-tank for IT policy, argues that the new 28-page consultation document, published today, is a "sham". The FIPR argues:
"The Home Office have not addressed the concerns expressed by the Information Commissioner, the communications industry or indeed by the parliamentary All-Party Internet Group (APIG), who published a critical report earlier this year."
"Companies will be breaking the law by retaining data for anti-terrorist purposes and then making it available for access for other purposes, whether they be criminal investigations or for civil lawsuits."
The Home Office document invites views on whether the approach being taken is appropriate considering the threat to national security and data protection legislation, its likely effect on industry – including cost, and whether new legislation is needed.
It proposes that subscriber information – including name, date of birth, billing address and credit card details - be held by telcos and ISPs for 12 months. So-called "telephony data" – being the numbers called, dates and times of call and location data, should also be held for 12 months. For text messages, similar data will be retained, but only for 6 months. The content of the text message will not – since content data is not part of the communications data.
E-mail and ISP data should be stored for six months. This data includes log-on name, dates, times, IP address details and e-mail addresses involved in communications. Again, no content data must be retained – so the contents of the e-mail communications are hidden.
Perhaps the biggest surprise is the proposal that web activity logs – which include IP addresses used, URLs visited and date/time details – need only be held for four days.
The proposal also states that for instant messaging, the log-on/off time data, if available, should be retained for a period relative to the service provided – which seems rather ambiguous.
The periods stated are significantly less than had been anticipated. A blanket 12-month retention period was the period most widely expected.
Comments should be sent to the Home Office by 3rd June 2003, to [email protected]