British ISPs Required to Store E-Mail Data for a Year

April 07, 2009 11:59 AM
by Denis Cummings
An EU directive that requires ISPs to store e-mail data has sparked outrage over Internet privacy.

E-Mail Data to Be Saved for a Year

Under an EU directive taking effect Monday, Internet service providers in the United Kingdom are required to store data from user e-mails for 12 months. The Directive 2006/24/EC, created in the wake of the 2005 London bombings, is intended to help European governments investigate crimes and prevent terrorist attacks.

Part of the directive, which calls for phone companies to store cellular phone call data for 12 months, has already been implemented. For both phone calls and e-mails, “information about ‘who sent what to whom’ must be stored but not the content of those messages,” according to The Daily Telegraph. The information will be accessible to authorities through warrants.

“Access to communications data is governed by Regulation of Investigatory Powers Act which ensures that effective safeguards are in place and that the data can only be accessed when it is necessary and proportionate to do so,” explained a Home Office spokesman.

Many EU countries have implemented all or part of the directive, though Sweden has chosen to ignore it. It is facing a court challenge in Germany. In Britain it has sparked outrage from ISPs, taxpayer groups—who are upset that taxpayer money will fund the creation of information databases—and privacy groups, who claim that it is something reminiscent of George Orwell’s Big Brother.

“Inch by inch, the Government’s plans to map and monitor everyone’s communications are creeping into place,” said Phil Booth, national coordinator of privacy group NO2ID. “Today it’s retention of data, soon it’ll be a giant database to suck it all up. And unless we speak out and stop this, what used to be private—details of your relationships and personal interests—will end up in the ever-widening control of the stalker state.”

Qwidget is loading...

Analysis: Storing data from Web site visits and social networking sites

There have been conflicting reports over whether Britain ISPs are required to store information on Web site visits. Many sources, including The Daily Telegraph and The Independent, are reporting that ISPs are required to track visits but the BBC stated in a Monday article, “In an earlier version of this story we incorrectly stated that ISPs would be storing details of website visits. This is not the case.”

Regardless of whether ISPs must begin storing Web site visits on Monday, it appears that the British government is intent on expanding the scope of the directive. Last month it was revealed that the government is planning to begin monitoring social networking Web sites such as Facebook and MySpace, which are not covered under the directive.

“Security services fear that this is a loophole that terrorists and criminals could exploit,” writes The Times of London. Predictably, the news drew concerns over Internet privacy. “Will membership of Facebook groups or people listing ‘suspicious’ interests be caught in their dragnet?” asked the Liberal Democrats Home Affairs spokesman.

Related Topic: Phorm

In another controversy over Internet security, many British privacy advocates are calling for a boycott of Phorm, an online advertising company that has created technology allowing ISPs to track their users’ online activities. Several British telecommunications giants are interested in employing Phorm’s “behavioral targeted advertising” technology, however Google—which is launching its own behavioral tracking service—and several other companies may boycott it.

On March 31, the EU Consumer Affairs Commissioner Meglena Kuneva issued a warning to ISPs to protect their users’ privacy from services such as Phorm that use data of their online activities for commercial use.

“The current work on privacy has concentrated on eliminating personally identifiable information such as name or IP addresses from the public domain,” she said. “Consumer policy needs to go beyond that and address the fact that users have a profile and can be commercially targeted based on that profile, even if no one knows their actual name.”

Reference: Directive 2006/24/EC and Internet Security Guide


Most Recent Beyond The Headlines