Legislation Relating to Data Retention in the UK

The following laws in the UK Relate to data retention


ISP Data Retention (US)

A survey by Wired Magazine was conducted in 2007 to find out about the privacy policies of the top ISPs. Out of the 8 largest ISPs asked the 10 question survey in the US only 4 responded: AOL, AT&T, Cox and Qwest. Comcast, EarthLink, Verizon and Time Warner didn’t respond to the survey at all.

IP Retention

Cox’s IP Log retention times is: six months.

AOL IP log retention time is: “limited period of time,”

AT&T IP log retention time si  “within industry standards.”

URL Retention

The question of “how long are the URLs” retained was asked of the companies. The URLs contain a lot of detail about an individuals habits: What they read, buy, and like how often, and how much.  w

AOL, AT&T and Cox all statd that they do not the URLs at all. Qwest avoided the question.

ISPs Opinion on Data Retention

Qwest said that the market should decide how long data is kept

Cox stated it was “studying the issue” of data retention

AOL stated it isis working with the industry and Congress.

A&T stated it is  “ready to work with all parties.”

In the UK the data retention laws of ISPs are currently governed by the Retention of communications data under part 11: Anti-Terrorism, Crime & Security Act 2001

Data Retention and Interception

Data Retention

(More detailed information on these retention times is available here)

In December 2001, the Parliament approved the Anti-terrorism Crime and Security Act 200 (ATCS)

This law allows the Home Secretary to issue a code of practice for the voluntary retention of communications data by communications providers” for the purpose of protecting national security or preventing or detecting crime that relates to national security.

It only applies to data that is already being held by the Communication Service Providers (e.g ISP/telecomms) for business purposes. The Code of Practice was first approved in December 2003

The government has since proposed modifying the ATCS and RIPA to make data retention mandatory and expanding its use to include serious crimes, not just terrorism offenses.

A leaked submission by the police and intelligence services to the Home Office in 2000 proposed a seven-year data retention policy, however this has not been followed up and the current voluntary times remain.

Despite the government constantly pushing data retention times, and increasing surveillance and interception, to stop the ever present threat of terrorism, the reality is that the data will almost certainly be used for reasons other than prevention and detection of terrorism.

An opinion commissioned by the Information Commissioner’s Office (ICO) found that the access to information retained under the act for non-national security purposes would violate human rights and would be unlawful.

Who has access to this data?

Despite this the government had fully intended to allow a whole host of government agencies to access the data, from local police to the  local council. And in June 2002, the Home Office stated that the list of government agencies allowed under RIPA to access communications data was being extended to over 1,000 different government departments including local authorities, health, environmental, trade departments and many other public authorities.

The ICO stated that “I clearly cannot carry out meaningful oversight of so many bodies without assistance“, following this and the pubic outcry of so many people accessing so much information the then Home Secretary (David Blunkett) withdrew the order. Though the governments intentions and mindset were clear. Monitor everyone and give access to even the smallest council.

Data Retention Times

The code provides for the following retention time periods:

  • SMS, EMS and MMS: Data retention period 6 months.
  • Email: Data retention period 6 months
  • ISP Logs: Data retention period 6 months
  • Web Activity Logs: Data Retention period 4 day

More detailed information on these retention times is available here.

Interception of Communications

Before the ATCS 2001 Act was created the government created RIPA, Regulation of Investigatory Powers Act, which covers a variety of aspects including encryption and interception of communications. Section 12 of RIPA makes it an obligation of CSP (Communication Service Providers) to maintain an ability to intercept traffic” and “content” of communications, which then allows the govermenment to monitor communications as and when needed, or the in the case of Echelon, all of the time.

An explanation of the terms “traffic” and “content” in relation to RIPA are available on other posts on this site.

RIPA is often in the news for its repeated misuse by councils, from covertly following families, to ensure they go to the right school, to setting up cameras and covert surveillance to monitor dog fouling.

Data Retention: Anti-Terrorism, Crime and Security Act

Currently the home office has put in place a voluntary code of practice for ISP and telecommunication service providers relating to the retention of data this is comes under the “Retention of communications data under part 11: Anti-Terrorism, Crime & Security Act 2001

The code provides for the following retention time periods:

  • SMS, EMS and MMS: Data retention period 6 months.
  • Email: Data retention period 6 months
  • ISP: Data retention period 6 months
  • Web Activity Logs: Data Retention period 4 days

The following data is required to be stored for the retention times mentioned above:

SMS, EMS and MMS: Calling number, IMEI – Called number, IMEI – Date and time of sending – Delivery receipt – if available – Location data when messages sent and received, in form of lat/long reference.

Email: Log-on (authentication user name, date and time of log-in/log-off, IP address logged-in from) – sent email (authentication user name, from/to/cc email addresses, date and time sent) – received email (authentication user name, from/to email addresses, date and time received)

ISP: Log-on (authentication user name, date and time of log-in/log-off, IP address assigned, Dial-up: CLI and number dialed, Always-on: ADSL end point/MAC address (If available)

Web Activity Logs: Proxy server logs (date/time, IP address used, URL’s visited, services)

The code is quite clear that information stored should on be “Communications Data” only and exclude content of communication.

The Web browsing information to be retained should only be to the extent that only the host machine or domain name is disclosed.

The example the Home Office gives is that if the URL visited was http://www.homeoffice.gov.uk/kbsearch?qt=ripa+traffic=data

then only the domain “www.homeoffice.gov.uk” is to be stored . The reason is that the:

within a communication, data identifying http://www.homeoffice.gov.uk would be traffic data, whereas data identifying would be content and not subject to retention.

Traffic Data – RIPA

“Traffic” data, for the purposes of data interception and retention is defined in RIPA:

(i) any data identifying, or purporting to identify, any person, apparatus or location to or from which the communication is or may be transmitted.

(ii) any data identifying or selecting, or purporting to identify or select, apparatus through which, or by means of which, the communication is or may be transmitted.

(iii) any data comprising signals for the actuation of apparatus used for the purposes of a telecommunication system for effecting (in whole or in part) the transmission of any communication.

(iv) any data identifying the data or other data as data comprised in or attached to a particular communication, but that expression includes data identifying a computer file or computer program access to which is obtained, or which is run, by means of the communication to the extent only that the file or program is identified by reference to the apparatus in which it is stored.

Data Retention: Google

Google is to cut the length of time it holds users’ personal search data.

The move comes in response to a data protection group that wrote to the firm questioning its privacy policies. The European advisory body, called Article 29, said Google’s current data retention practices could be breaking European privacy laws.

The search giant has said it will now keep personally identifiable search data for 18 months rather than the previous period of 18 to 24 months.