« Introducing The Open Rights Group | Main | BBCi: UK digital rights group sets up »

September 08, 2005

Clarke fails to understand his own data retention proposal

Charles Clarke manages to misunderstand his own EU data retention proposal and thinks we have too many rights anyway.

From Sky News:

[Charles Clarke] told Euro MPs at the parliament in Strasbourg: "Of course criminals and terrorists use modern technology - the internet and mobile communications - to plan and carry out their activities.

"We can only effectively contest them if we know what they are communicating. Without that knowledge we are fighting them with both hands tied behind our backs."

The data retention draft framework would require telecos and ISPs to retain traffic data - traffic about where you were when you made a call, and who you called, for example - not the actual phone call itself. Even if this legislation makes it on to the EU books, Clarke still won't be able to listen to your mobile phone conversations, although I suspect he'd really like to.

As for human rights, well, Clarke seems to think we don't really need them:

He stressed that a rethink of the [European] Convention [on Human Rights] - which prevents terror suspects being deported to countries where they may face persecution - will be central to the EU's response to the bombings.

He also made a dig at the reluctance of Euro MPs to agree access to information technology used by terrorists because of fears of breaching human rights.

He warned: "This European Parliament, as well as national parliaments, needs to face up to the fact that the legal framework within which we currently operate makes the collection and use of this intelligence very difficult, and in some cases impossible."

The legal framework which protects citizens from undue harassment, invasion of privacy and loss off free speech? That framework? I rather liked it, myself.

The BBC, meanwhile, tells us that according to the Home Office, data retention won't really cost all that much, honest guv:

A Home Office dossier published on Wednesday - entitled Liberty and Security: Striking the Right Balance - hits back at industry fears the cost of retention would be excessive.

It says that a government-funded project by a mobile phone company to keep data for 12 months had cost £875,999 (1,291m euros).

I'd like to see independent and comprehensive studies completed for a number of telecos and ISPs before I believed that this isn't going to put smaller ISPs out of business and increase our phone bills.


you can find the UK Presidency paper at http://www.edri.org/docs/UKpresidencypaper.pdf

You might find this article I wrote for the Times interesting:-
Terror law change could cost small firms
The Government's plans to make all internet service providers record the details of every e-mail sent and received will add to the cost of maintaining a website, writes Benjamin Cohen

In the wake of the terror attacks on London, the Government has received renewed support in Brussels for regulations allowing the retention of e-mails and mobile telephone records.

Under the proposals, mobile operators and owners of e-mail servers will have to store the sender and receiver’s details together with the time of the calls/messages for upwards of a year. There will not be the requirement for service providers to retain the actual content of messages.

The Government claims that the retention of these details will help it track down those involved in planning terrorist activities.

The plans are unlikely to cause a huge amount of controversy from human rights groups because the actual content of messages will not be stored, so, in theory, it would be no different from the records that BT and other phone companies keep for billing purposes.

And because there are only five mobile network operators in the UK (T-Mobile, O2, Orange, Vodafone and 3) the logistics of keeping phone records should not be too difficult.

However, it is a different matter when it comes to e-mail. There are thousands of Internet Service Providers (ISPs) and website hosting companies in the UK, with upwards of 10,000 in the EU as a whole.

They vary in size from telecom giants like Cable & Wireless to one man and his dog operations such as ServerStream (who host my website). There are also hundreds of thousands of web servers owned and operated by small businesses across the EU.

While BT, Wanadoo and Tiscali could, despite the considerable costs, store the necessary data and be able to retrieve it easily, it might not be so straightforward for the thousands of small businesses that could also be hit if the Government decides to implement the legislaiton across the board.

My website, for example, has its own "e-mail server", which could make my company, in effect, a service provider, because the server is used to provide e-mail addresses for members of staff.

I would be required to retain a copy of the details of every e-mail sent to and from my company. Thousands of other small businesses would be in a similar position.

At present, I cannot find any reasonably priced software that automatically performs this task. Assuming that the software was available, it would still take considerable resources to apply and would undoubtedly add to the cost of maintaining a website. These costs would ultimately be passed on to consumers.

Meanwhile, the value of the measures are also questionable. Any terrorist with a degree of technical knowledge could delete messages or choose to disable the storage software. Alternatively, they could easily decide not to record the details in the first place.

It is simply not feasible for the police to inspect every server to ensure that it is recording data; it is not even possible to prove that particular message details are not being stored. Also, terrorists could simply decide to base their e-mail server outside of the EU where the legislation would not be in force.

An alternative to this flawed scheme is the establishment of an internet regulator, ideally linked to a global regulatory system that in addition to protecting consumers and businesses could also be used for anti-terrorism intelligence gathering.

By intercepting messages during the transit between servers, the intelligence community would be able to gain the information that they say they require. But I have always imagined that they did that anyway.

He also appears to misunderstand the nature of the European Convention on Human Rights, which was not created by the EU, and therefore it's difficult to conceive how it could be altered by any of the EU's bodies, whether European Parliament, Commission or Council.

ben - the UK presidency wants to exclude smaller/irrelevant service providers from the proposal to stop things like your example taking place. the legislative process on this proposal has already been extremely drawn out and will continue to be so.

part of the reason why reimbursement is such an issue is because of the legal basis of the council's proposal - due to it being a pillar 3 (ie intergovernmental / JHA) agreement it is legally awkward (read impossible) for them to mandate reimbursement by govts because this puts it into the area of pillar 1, i.e. the Commission's prerogative which would mean the bill would have to go thru the EP where it is likely to be voted down.
all extremely complicated :)

John -

The impression I'm getting from folk closer to the current EU process is that the Pillar 3 folk are going to "defer" to the Pillar 1 process, and allow for the first step to go through the Commission and EP. (EDRI has both the Commission and Council proposals on their site)

This is an intriguing strategy - an attempt to allay the MEP's irritation that they are being bypassed. That said, I hope that that is not *all* the MEPs are angry about: that their reticence to accept data retention is also due to their worries about the serious civil liberties implications.

You say that keeping traffic data for 12 months is unwanted and costly. I agree, but it is a matter of public record (that is on various versions of my CV) that as a contractor I was involved in the production of an interim solution to do *just that* using spare SAN storage capacity at the headquarters of a mobile telecoms company. This was described to me by my customers as a legally mandated task in 2003.

Just to add that the information observed being collected in 2003 excluded geographic data below the country and network level.

danny - i guess you mean co-decision? the only problem with that is that it will take ~2yrs for it to pass thru the legislative process and the council does not want to have to wait that long. however, if they proceed with their own framework decision they are more than likely to get taken to the ECJ which is also likely to take 18months-2yrs so it is fairly likely they will have to go thru codecision. the only worry there again (for the JHA types) is that it might either get shot down in parliament or they are going to end up with a REACH-esque scenario with 800 amendments to seperate bits of the proposal and they lose a lot of control!
personally, i think most of the MEPs are engaged with this as more of a power play between institutions than any concern for our civil liberties :)

One of the points I'd like to research on the mobile phone data side is how much data is currently being kept, for how long, and for what use. I think we need to take this as an opportunity to find out what's happening to our data. I've heard anecdotally that BT keeps data for 6 years, and I'd like to know on what basis they feel it necessary to keep data that long.

I think this is a good chance to ask some very awkward questions!

suw http://www.thefourthplace.net/b2e/ seems to have some good analysis

commission proposal coming 21 september


Since you expressed an interest in the technical side, I thought I'd try and dig up some further information. In particular, I thought I'd try and find data format specifications so that we can see the plethora of facts stored on a per call basis.

Now, I know that T-Mobile marks its format specs "Confidential" (since I've used them) and expect other operators do the same, but Cisco and GSM World are publishing documents regarding there products and areas of interest.

TAP Specs:

TAP is a feed put together by an industry group that works a bit like a clearing house forwarding call data around between operators all over the world. They publish some documents behind a lengthy licence which I haven't read or agreed to so I don't know what kind of documents are pulished at the link above.

This is usually post-pay data (or mixed post/pre pay) and there is a separate protocol for pre-pay where the fee for the call has to be authorised across borders in realtime. These two protocols are of obvious relevence to the European context. Both of the these, but especially TAP, could provide a central collection point for greedy GCHQ analysts and probably already serve that function (I'm speculating).

IP Telephony

Cisco have published some field definitions for the data produced by their equipment here:


I imagine their equipment will be subject to the proposed regulations in some contexts and deserve some attention but the GSM stuff is the really interesting bit.

Above all, I'd be most interested in getting hold of IP CDR format information captured for 3G and GPRS services. I seem to recall that this was to include IP address and Port numbers for all IP traffic, transport protocol flags (UDP, TCP etc) and URL information for Http traffic. If I'm recalling that correctly then this is in the data produced for billing and it would be well within the scope of some of the rhetoric, though there are exceptions later in the proposal.

Perhaps Suw can exert some charm with the fraud and revenue assurance people at the the major operators? Don't forget the virtual operators too.

Sorry, I know very little about the PSTN system or BT. I certainly didn't know they kept data for 6 years!

Post a comment