Skip to content or view screen version

Terrorist bill and the internet .

S A Mathieson | 17.11.2001 01:35

The net's eyes are watching
The new anti-terrorism bill may force internet firms to spy on us. S A Mathieson reports

The net's eyes are watching

The new anti-terrorism bill may force internet firms to spy on us. S A Mathieson reports

Thursday November 15, 2001
The Guardian

Anti-terrorism measures announced this week by the home secretary, David Blunkett, will dramatically increase the amount of information internet service providers can keep on their customers, the Home Office has admitted.
Part 11 of the emergency anti-terrorism, crime and security bill, announced on Tuesday, will allow internet service providers (ISPs) to keep a year's worth of information on their customers' internet activity. Two reasons are given: safeguarding national security, and the prevention and detection of crime.

Most ISPs currently retain such data on emails for, at most, three months. Others delete it immediately, or within days. None of the ISPs interviewed by the Guardian say they store data on general web-browsing against individual accounts.

Yet the Home Office says the bill is likely to allow the collection and storage of detailed information about web-browsing as well as email, subject to a planned voluntary code.

That would be an extension of monitoring likely to outrage civil liberties groups and spark protests from internet industry organisations.

Blunkett's bill would not oblige ISPs to hoard web browsing informa tion - yet. But clause 102 allows the home secretary to force traffic data retention if he feels the voluntary code is failing to work. He would force compulsory retention through a statutory instrument, a relatively easy procedure compared with getting a bill through parliament.

Under the Regulation of Investigatory Powers (RIP) Act, passed last year, police and other state investigators such as the Inland Revenue already have the ability to seize traffic data (see panel). This is effectively self-regulated, as it requires only the say-so of a police superintendent or equivalent rank to gather the data.

Seizures can be justified by minor crimes, tax evasion or health and safety inquiries, despite Mr Blunkett suggesting in an article for Tribune, a leftwing weekly newspaper, that the extensions to ISPs' powers to retain data were only designed to fight terrorism.

Today, applications for content data - listening to someone's phone calls, reading the content of their emails or seeing the pages they download - have to be passed by the home secretary. They are only allowed for serious crime, threats to national security and safeguarding national well-being.

The police see the proposed change as removing an anomaly. Under current data protection laws, personal information must be deleted when it is of no further use to the business. The police can only see traffic data while it exists - and at ISPs, this is not for very long, particularly for websites visited.

Phone companies have a legitimate business reason for keeping traffic data: they use it to calculate customers' bills. BT retains it for seven years for its 28m UK fixed lines.

But ISPs do not charge by the email, and so do not need to keep the information that long. AOL says it retains email traffic data for three months, Freeserve for 90 days. Claranet, an ISP that has campaigned for protection of its customers' data, retains it for just a fortnight, although it is now increasing this in preparation for the proposed laws.

The secretary-general of the Internet Service Providers Association, Nicholas Lansman, says the cost of a year's worth of traffic data retention could soar into the millions for some ISPs, should they choose - or be forced to - take up their proposed new rights.

As for web-browsing, Freeserve says it retains individualised data for its own chatrooms aimed at children, but that it retains only anonymous, aggregated data on its customers' general web-browsing. AOL retains only aggregated data.

Claranet does not keep even this much, and is shocked by the idea of retaining personalised logs. Steve Rawlinson, the company's chief technology officer, says keeping such logs would mean "a complete reorganisation of our network", and could lead to ISPs moving abroad to protect customers' privacy.

"It's extremely intrusive, and I think we would be very unhappy," he says.

The National Criminal Intelligence Service (NCIS), which produces intelligence for UK law enforcement authorities, has been asking for standardisation between phone and internet traffic retention for more than a year.

According to a document written by the NCIS deputy director-general Roger Gaspar in August 2000 (later leaked to the Observer), police forces, Customs and Excise, MI5 and MI6 would like all communications traffic data retained for seven years.

The NCIS now says the leaked document does not represent the organisation's view, but adds that the case for internet traffic data retention has strengthened since September 11.

"In the real world, you have witnesses, forensics, DNA profiling and fingerprints," says the spokesperson. "In the digital world, all you've got is data. If that data is being erased as it's created, you haven't got any equivalent of forensics. Our position is that law enforcement must be provided with a reasonable minimum."

Some think that law enforcement already has access to plenty of data. The RIP Act gives them some of the strongest powers in the industrialised world to tap communications.

Roger Bingham, spokesman for Liberty, the civil rights group, says: "In terms of exceptional circumstances, we can see how it might be reasonable to retain data a little longer, on the basis that police can get information on specific people where there is a clear and reasonable suspicion.

"As a safeguard, we think the police should seek a judicial warrant for reasonable suspicion of terrorist activity."

This is somewhat different to what is proposed - keeping everyone's data, then granting access for minor crimes on the strength of a police-issued warrant. Technically minded MPs, although supportive of the fight against terrorism, have doubts.

Richard Allan, the Liberal Democrat's IT spokesman, says: "I find it very difficult to see what point there is to it, in terms of catching anyone doing anything."

He calls for more work on targeting individuals, pointing out that any serious criminal would use anonymous library or web-café terminals.

And Brian White, a backbench Labour MP who chairs the IT industry-parliament liaison group Eurim, worries that this legislation will not be technically practicable. "I have some concerns that we won't repeat the problems we had with the RIP Act," he says.

The bill's voluntary code puts the onus on ISPs, and the two largest ISPs in the country are not keen to participate. David Melville, company secretary of Freeserve (with 18% of the UK's web-users), says the ISP could extend retention of email traffic data from 90 days to a year, without much technical difficulty.

But that's not the point. "I'm slightly worried that a period of retention beyond 90 days means me knowing a little bit more than I need to know," he says. "I think there's a creeping sense of worry about whether the response is proportional."

Freeserve's traffic goes through UK servers. But all AOL traffic, with 17% of UK subscribers, goes through servers in Virginia.

Caspar Bowden, director of the Foundation for Information Policy Research, an IT think-tank, says this means UK users may be hit by the strict USA Act. "If you're a British subscriber to AOL, your data could be raided by the FBI," he warns.

Bowden says the USA Act, passed late last month, means the US has overtaken the UK in the strength of its abilities to bug the internet. The act allows law enforcement agencies to collect both traffic and content data, and for the data to be passed to nearly any government department.

However, Clare Gilbert, AOL Europe's senior vice-president for public policy and regulatory affairs, says she would be very surprised if the USA Act affected UK users, as AOL knows which country its traffic streams comes from, even if it does all flow through Virginia.

But she says that UK law enforcement authorities have to obtain an international warrant to get access to UK-held AOL accounts. "It's an additional hoop. We make that process as painless as possible," she says.

Gilbert sees little need to extend AOL's retention of email traffic data beyond three months. "We've been working with the police since we established in the UK in 1996.

"Where we're dealing with police who are efficient in their duties, it works," she says. "There's never been an instance where the process in place has not worked. We question the need to force or allow ISPs to keep data for a year - it doesn't really make sense."

Gilbert says an alternative is data preservation: law enforcement authorities express interest in named individuals, and ISPs retain their account data until a warrant is produced. "It's much easier to preserve specific data than randomly keep vast amounts. You're talking about billions and billions of IP addresses over a 12-month period."

Yet this is what UK ISPs will soon to be allowed to do - with the pressure of compulsion if the home secretary decides they don't volunteer enough.

· The bill is published in PDF format at: www.publications.parliament.uk/pa/cm200102/cmbills/049/2002049.htm


S A Mathieson