APPENDIX 4
Memorandum submitted by BT
Introduction
The Home Secretary's announcement on 15 October
of a legislative package to combat terrorism said that there would
be "measures to enable communication service providers to
retain data generated in the course of their business, namely
the records of calls made and other data - not the content.
Government will work with the industry on a Code of Practice to
take this forward."
The Home Office has been consulting with industry
and civil liberties groups about the proposed Code but nothing
has been published yet. BT is, of course, supportive of measures
that will increase security, but we are anxious to ensure that
whatever legislation is introduced is (a) effective, (b) proportionate,
(c) does not conflict with other obligations, and (d) does not
expose those who will have to implement the new requirements to
liabilities over which they have no control. BT is grateful for
the opportunity to submit this short paper to examine these issues.
Expected Proposals
We understand that there may be a requirement
to retain communications data for a period of, perhaps, twelve
months. The data concerned would cover internet as well as telephony
communications. It would need to be made available to law enforcement
agencies, but not necessarily just in connection with terrorism.
The Communications Service Provider (CSP) collecting the information
would not be entitled to use information collected for this purpose
for its own purposes, unless it is entitled to do so already under
Data Protection rules. The likelihood is that the requirement
will be expressed in terms of a voluntary Code of Practice rather
than as a mandatory requirement, so that CSPs "may"
store data rather than being legally obliged to do so.
Issues arising
Our main concern is that a voluntary Code is
unlikely to deliver the security that the Government is seeking,
because:
- not all CSPs will follow it;
- customers who might be intending to use communications systems for terrorist purposes could very easily switch to non-complying CSPs;
- there would be inconsistency even between complying CSPs, let alone between complying and non-complying CSPs, since different CSPs hold different types of data for different purposes.
There may be real technical issues arising depending
on what information is required and for what periods, particularly
going into the future as CSPs increasingly move from traditional
switched telephony networks to Internet Protocol networks.
It needs to be understood that the integrity
of information concerning internet calls is much less robust than
that associated with voice calls. Data retrieval is a difficult
process and its accuracy cannot be guaranteed, because of the
nature of internet calls, where there is 'dynamic' allocation
of addresses (ie for the duration of the call), where encryption
is used, and where data transmissions may pass through several time
zones, networks, servers etc, all of which are 'timed' independently.
As a general rule, there are significant cost
savings for billing for IP services, where the trend is towards
flat rate pricing rather than per-occasion charging. The data
requirements for billing purposes are much reduced in this scenario.
On the other hand, the volume of traffic data
associated with internet calling is many times higher than that
arising from voice calls, so a requirement to store such information
would involve considerable expense.
In any event, there will be additional costs
for data collection and storage for those CSPs that comply and
these should be recoverable from government.
Even with reimbursement, data retention will
move the CSP away from being a commercial entity towards being
a public authority resource.
Data retention could run counter to other legislation
(eg Data protection rules, Human Rights Act) and, if so, those
who have to execute the requirements must be protected from any
liability under other legal measures, either personally or corporately.
There are concerns that the data involved will
not be 'ring-fenced' for dealing only with terrorism issues but
may also be available to any public authority permitted to request
communications data under the Regulation of Investigatory Powers
Act. We are opposed to any extension of the power of Law Enforcement
Agencies being achieved via the back door afforded by the need
for Anti-Terrorism legislation. Apart from procedural propriety
issues there are serious commercial risks associated with the
inevitable increase in requests for data, and public confidence
risks if requests become too numerous or poorly targeted.
Proposal
To be most effective we believe that the legislation
should be proportionate, non-discriminatory, justified and targeted
in accordance with UK and EU law. We know that the EU is currently
considering data retention in the context of revised Data Protection
rules, but these discussions will not be finalised in the timescale
envisaged for the Anti-Terrorism legislation.
A mandatory requirement on all CSPs would make
the legislation more effective by overcoming the problems of migration
from one CSP to another diluting the effectiveness of the legislation.
It would also ensure fairness as between CSPs.
Mandatory regulations would bring clarity to
the question of which organisations were covered, for what types
of information, who was entitled to request the information and
for what purposes. They would provide protection for those properly
executing them from any liability under other legal measures,
either personally or corporately.
This would raise public confidence both that
action was being taken to deal with potential terrorist activity
and that appropriate safeguards were in place to protect legitimate
personal privacy.
Mandatory regulations could be made very flexible
to allow for speedy amendment in the light of developing terrorist
threats. The model of Food Safety regulations could be followed.
Contrary to some suggestions, we believe that
mandatory regulations would have a longer shelf life than a voluntary
code, precisely because they carry the force of law but can be
amended quickly. A Code would, inevitably, fall into disrepute
over time and be followed less carefully and by fewer organisations.
November 2001