ISPs face data interception deadline
 http://news.zdnet.co.uk/story/0,,t269-s2118894,00.html
17:03 Wednesday 10th July 2002
Matt Loney

From 1 August, ISPs in the UK will be required to be able to intercept your data. Yet the Home Office has failed to explain how they will be reimbursed. And the rules mean that criminals will easily be able to avoid interception

ISPs across the UK will have to start intercepting and storing electronic communications including emails, faxes and Web surfing data from 1 August, but there still appear to be glaring loopholes in the legislation.

Not only has the Home Office still failed to tell ISPs how they will be compensated for maintaining their interception capabilities, but the measures, which the government said were introduced to combat terrorism and organised crime, only apply to large ISPs. Any criminal organisation wishing to avoid interception simply has to find an ISP that has fewer than 10,000 customers.

The interception capability is mandated by the Regulation of Investigatory Powers Act (RIPA), which was introduced to give police and other law enforcement authorities the same powers to intercept digital communications as they already possess to intercept telephone calls and letters. On 1 August, the RIP (Maintenance of Interception Capability) Order 2002 is due to come into force.

Several classes of communications service providers are exempt from the regulations: those which do not intend to supply services to more than 10,000 people in the UK, and financial institutions such as banking, insurance and investment houses.

Not every big ISP will have to provide an interception capability from day one, but if they are told by police or other law enforcement officers that an interception has been authorised, they have one working day to provide a mechanism to do so. Furthermore, they must ensure that the intercepted data is transmitted in real time to the person who applied for the warrant

Each service provider must be able to simultaneously intercept the communications of up to 1 in every 10,000 people who use its service.

But with only weeks to go, ISPs say they have still not been told how they will be reimbursed for the cost of intercepting communications data. A spokesperson for the ISP Association said, "We have not been provided too much detail (on costs). There are still a lot of issues that have to be resolved."

Part of the problem, said the spokesman, is that the new regulations are also intertwined with the Anti-Terrorism, Crime and Security Act 2001, which says that ISPs and telcos have to store communications data.

"They are producing a code of practice that lays out types of data that should be retained and how long it should be retained for," said the spokesman.

The trouble, is, he said, that for ISPs to install all the capabilities will cost a lot of money: "Dealing with the two laws will have a big impact on cost and the Government has to provide guidance." Costs will come from storage, staff time, new management processes, setup and running costs, said the spokesman, and will vary because each ISP is likely to have a different method of intercepting and storing the data and managing access.

A Home Office spokesperson said, "arrangements will be put in place to ensure they (ISPs) will receive fair refunds for costs incurred," but could not provide details.

Claire Walker, a solicitor with city law firm Olswang, who specialises in e-commerce, said part of the problem is that the Home Office does not have a technical perspective. "They tend to say to ISPs, 'tell us what is involved,' and then the ISPs say, 'no, you tell us exactly what you want first and then we'll tell you what is involved,'" said Walker. "It is likely that individual ISPs will reach individual agreements with the Home Office on reimbursement."

Tim Snape, who chairs the law enforcement group ISPA, told ZDNet UK earlier this year that the costs of intercepting could, in combination with the costs of logging data, be crippling. "The actual data acquisition costs could be low," he said, "but the costs for data retention, processing, hand-over, billing, management and regulatory compliance will all be very high."

Although RIPA has a provision for ISPs to recover their costs, said Snape at the time, this does not mean profit. "We don't want to be seen profiting from crime, so we have asked for just cost recovery," he said. "But because this means there will be a requirement to demonstrate costs, there will be a requirement to audit so the process of cost recovery will incur its own costs."

Sources close to the negotiations say it has been suggested to the Home Office that the compensation to industry should merely cover the storage costs.