Select Committee on Home Affairs Appendices to the Minutes of Evidence


APPENDIX 4

Memorandum submitted by BT

Introduction

  The Home Secretary's announcement on 15 October of a legislative package to combat terrorism said that there would be "measures to enable communication service providers to retain data generated in the course of their business, namely the records of calls made and other data—not the content. Government will work with the industry on a Code of Practice to take this forward."

  The Home Office has been consulting with industry and civil liberties groups about the proposed Code but nothing has been published yet. BT is, of course, supportive of measures that will increase security, but we are anxious to ensure that whatever legislation is introduced is (a) effective, (b) proportionate, (c) does not conflict with other obligations, and (d) does not expose those who will have to implement the new requirements to liabilities over which they have no control. BT is grateful for the opportunity to submit this short paper to examine these issues.

Expected Proposals

  We understand that there may be a requirement to retain communications data for a period of, perhaps, twelve months. The data concerned would cover internet as well as telephony communications. It would need to be made available to law enforcement agencies, but not necessarily just in connection with terrorism. The Communications Service Provider (CSP) collecting the information would not be entitled to use information collected for this purpose for its own purposes, unless it is entitled to do so already under Data Protection rules. The likelihood is that the requirement will be expressed in terms of a voluntary Code of Practice rather than as a mandatory requirement, so that CSPs "may" store data rather than being legally obliged to do so.

Issues arising

  Our main concern is that a voluntary Code is unlikely to deliver the security that the Government is seeking, because:

    —  not all CSPs will follow it;

    —  customers who might be intending to use communications systems for terrorist purposes could very easily switch to non-complying CSPs;

    —  there would be inconsistency even between complying CSPs, let alone between complying and non-complying CSPs, since different CSPs hold different types of data for different purposes.

  There may be real technical issues arising depending on what information is required and for what periods, particularly going into the future as CSPs increasingly move from traditional switched telephony networks to Internet Protocol networks.

  It needs to be understood that the integrity of information concerning internet calls is much less robust than that associated with voice calls. Data retrieval is a difficult process and its accuracy cannot be guaranteed, because of the nature of internet calls, where there is 'dynamic' allocation of addresses (ie for the duration of the call), where encryption is used, where data transmissions may pass through several time zones, networks, servers etc all of which are 'timed' independently.

  As a general rule, there are significant costs savings for billing for IP services, where the trend is towards flat rate pricing rather than per-occasion charging. The data requirements for billing purposes are much reduced in this scenario.

  On the other hand, the volume of traffic data associated with internet calling is many times higher than that arising from voice calls, so a requirement to store such information would involve considerable expense.

  In any event, there will be additional costs for data collection and storage for those CSPs that comply and these should be recoverable from government.

  Even with reimbursement, data retention will move the CSP away from being a commercial entity towards being a public authority resource.

  Data retention could run counter to other legislation (eg Data protection rules, Human Rights Act) and, if so, those who have to execute the requirements must be protected from any liability under other legal measures, either personally or corporately.

  There are concerns that the data involved will not be 'ring-fenced' for dealing only with terrorism issues but may also be available to any public authority permitted to request communications data under the Regulation of Investigatory Powers Act. We are opposed to any extension of the power of Law Enforcement Agencies being achieved via the back door afforded by the need for Anti-Terrorism legislation. Apart from procedural propriety issues there are serious commercial risks associated with the inevitable increase in requests for data, and public confidence risks if requests become too numerous or poorly targeted.

Proposal

  To be most effective we believe that the legislation should be proportionate, non-discriminatory, justified and targeted in accordance with UK and EU law. We know that the EU is currently considering data retention in the context of revised Data Protection rules, but these discussions will not be finalised in the timescale envisaged for the Anti-Terrorism legislation.

  A mandatory requirement on all CSPs would make the legislation more effective by overcoming the problems of migration from one CSP to another diluting the effectiveness of the legislation.

  It would also ensure fairness as between CSPs.

  Mandatory regulations would bring clarity to the question of which organisations were covered, for what types of information, who was entitled to request the information and for what purposes. They would provide protection for those properly executing them from any liability under other legal measures, either personally or corporately.

  This would raise public confidence both that action was being taken to deal with potential terrorist activity and that appropriate safeguards were in place to protect legitimate personal privacy.

  Mandatory regulations could be made very flexible to allow for speedy amendment in the light of developing terrorist threats. The model of Food Safety regulations could be followed.

  Contrary to some suggestions, we believe that mandatory regulations would have a longer shelf life than a voluntary code, precisely because they carry the force of law but can be amended quickly. A Code would, inevitably, fall into disrepute over time and be followed less carefully and by fewer organisations.

November 2001


 
previous page contents next page

House of Commons home page Parliament home page House of Lords home page search page enquiries index

© Parliamentary copyright 2001
Prepared 19 November 2001