The seven-year itch

How would you and your clients feel if your firm’s entire e-mail traffic data for the last seven years was held in a digital vault to the order of MI5? Or if the police had online access to records of every e-mail user and internet site your firm had dealt with in the last twelve months?

The ‘Observer’ of December 2000 carried a report that GCHQ, MI5 , NCIS, and ACPO favoured new legislation requiring ISPs and e-commerce companies that provide messaging services (a) to retain all their e-mail and internet traffic data for seven years and (b) perhaps more significantly, the building of a government-run national data-warehouse in which to keep the most recent year of data available online.

The Government at the time dismissed this issue. There have been more recent restatements of that position. Patricia Hewitt, Labour’s Minister for small business and e-commerce, went online with The Guardian newspaper on Friday May 11 2001 to discuss the election, Labour’s campaign, and the role of the internet. She was asked  -  “The police (NCIS and ACPO) are still pressing for a new law to compel ISPs to log the addresses of all e-mails sent and received, websites browsed, newsgroups perused, for ALL their customers indiscriminately, for up to 7 years (or 3 or 5 depending on the audience). Will Labour enact such a law in its next term?” The answer given was an unequivocal “No”.

So much for the Government’s position, however Britain is also part of a Euro-group of six countries [Belgium, Germany, France, Netherlands, Spain and the UK] that lent support to a recent European Council of Ministers ‘Conclusion’ (“ENFOPOL 23”) dated 30th March 2001. ENFOPOL 23 has again raised the spectre of a draconian data retention regime that will indeed force relevant businesses to retain traffic data for up to seven years and also provide unlimited access to that data, to law enforcement agencies. That has enormous consequences for solicitors, both as businesses in their own right who make regular use of ISPs often for client-confidential matters, and as advisers of businesses affected by the proposals.

Consider the comments of Caspar Bowden, director of internet think-tank FIPR www.fipr.org/rip#media, who has said: “These proposals would allow fishing expeditions into the online activity, browsing habits, and Internet associations of every citizen in the EU for up to seven years - without any warrant or court order. The Government has repeatedly denied supporting these quasi-totalitarian measures, but it turns out they have been secretly lobbying at European level all along. This is sheer duplicity”.

Strong stuff indeed, so what is the fuss about? First you need to grasp the distinction between interception (access to content) and traffic-data (who or what talking to whom). Traffic data can still be extremely sensitive. Powerful data-mining software already exists. For an example unconnected with any issue raised in this article, see http://www.xanalys.com/intelligence_tools/products/watson_fs.html. Once access is granted to traffic data under The Regulation of Investigatory Powers Act 2000 Part I Chapter.2 http://www.hmso.gov.uk/acts/acts2000/00023—c.htm#22,  without the need for judicial or executive approval, there are no hard and fast statutory rules on the exploitation, accumulation, and retention by police or intelligence agencies. Not even the requirement that the data be gathered in relation to ‘serious’ crime: any alleged crime will do.

In January 1995 the EU adopted euphemistically titled “Requirements” for interception agreed with the FBI no less. In September 1998 an attempt to extend by reinterpreting these “Requirements” to cover the internet and satellite phones was shelved because of a public outcry (ENFOPOL 98). EU member states began amending their national laws on interception. However last year it seems that two proposals from the European Commission on personal data protection and privacy and “combating computer-related crime” were perceived as threatening to undermine the demands of the law enforcement agencies for access to all telecommunications data. The group of six countries is understood to have led the opposition to the erasure of traffic data that is presently required under current community law. [Only “understood” because Council discussions are not made publicly available – yet].

The current UK legal position under the Telecoms Data Protection Directive - http://www.dti.gov.uk/eurobrief/4_ebr_7.htm bolstered by the Data Protection Act 1998 is a requirement to destroy or anonymise personal data once its purpose is spent. The position argued for by ENFOPOL 23 seems to be a requirement to retain, from which it is a short step to specifying the types of log that must be kept. The justification for such blanket retention of data is the familiar refrain that it will facilitate the detection of crime. There are technical arguments against this position. For example, if the police are trying to trace a hacker who has defaced a web server by a buffer overload attack it is common to find the log has not recorded the level of detail that would be required to identify the origin of the attack – further, that required level of detail would be totally infeasible to keep for hours let alone longer periods. Or take the case of tracking someone who uses hotmail to send death threats. Here the only possibility of tracing is via IP numbers [allocated to each computer on the internet], an exercise involving terabytes of data. It may be physically impossible to store and/ or cost effectively to access such information, even for short periods let alone for seven years. Lastly, most hackers will have used perfectly legitimate ‘Secure Shell’ encryption software to hop between hosts, making tracing virtually impossible.

The most fundamental objection is to the proposition advanced by law enforcement agencies that all cyberspace is somehow public space, where citizens should have no greater expectation of privacy than a street monitored by CCTV cameras. If this reasoning is accepted all internet traffic data is up for grabs, as a hedge against potential criminal investigations into every citizen’s affairs.

The offending draft Council Conclusions (ENFOPOL 23, 30.3.01) says:

1. The obligation for operators to erase and make traffic data anonymous “seriously obstructs” criminal investigations;
2. It is of the “utmost importance” that “access” be “guaranteed” for criminal investigations;
3. It calls on the European Commission to: (a) take immediate action to ensure that law enforcement agencies now and “in the future” get access in order to “investigate crimes where electronic communications systems are or have been used” (b) the action should be “a review of the provisions that oblige operators to erase traffic data or to make them anonymous”

Bear in mind that a cornerstone of the OIC code of Conduct was the right of autonomy of an employee and that one of the OIC proposals was the technical ability of an employee, in furtherance of that right, to “expunge” data. So virtually in less time than it has taken the ink to dry on RIP, Lawful Business Regs, and the OIC’s draft code, the Council aided and abetted by the ‘Group of Six’ apparently – will have to tear up existing EU laws on data protection and privacy, to enable the retention of traffic data for the investigation of “crime” however minor. And any future legislation or regulation must recognise the primacy of the retention of data principle. All the protections for personal freedom and privacy put in place through international data protection rules and privacy Directives would be dealt a mortal blow if such legislation were enacted.

These unwelcome and oppressive provisions were scheduled for adoption at the next meeting of the EU Justice and Home Affairs Council on 28-29 May, though the latest position (at time of writing) is that they are going to be dropped from agenda: whether this is due to adverse industry reaction and hostile comment or just embarrassment is not clear. The key date however is 27th June when adoption of the “Conclusions”, if agreement can be reached on the text, has been pencilled in for the meeting of the Telecommunications Council – at the same meeting where the Council will adopt a “common position” on the new data protection and privacy Directive.

The Statewatch.org website that monitors this sort of legislative issue claims that it was denied access to Council minutes on grounds that it “could impede the efficiency of ongoing deliberations” – an approach which if true is hardly transparent!

The Electronic Commerce Committee of the Law Society of Scotland feels that the executive must clarify its stance on the preservation of personal traffic data. The Profession has to know where the interests of both its members and clients lie in the matter. The Committee has brought forward its next meeting to 14th June, in advance of the Telecoms Council meeting, and we will let the profession know what representations it has made in the next edition of the Journal. However, if the claims are correct and the policy is adopted by the EU, then the oft-repeated aspiration that “Britain will be the best place in the world to do e-business by 2002” will sound even more hollow.

Paul Motion is a partner with Ledingham Chalmers, Edinburgh and Convener of the Society’s Electronic Commerce Committee