Campaigners warn of user data creep

http://news.bbc.co.uk/go/rss/-/1/hi/technology/7985664.stm

Version 0 of 1.

By Darren Waters Technology editor, BBC News website Authorities can seek to have your encrypted data unlocked

Internet service providers (ISPs) are required to store details of user e-mails and net phone calls from Monday as a European Union directive comes into force. Governments say it will protect citizens but civil liberty campaigners are not so sure.

To whom did you send your first e-mail today?

I ask, because from today ISPs inside the EU are legally required to store details of that e-mail for up to a year. And the same goes for any internet phone call you make.

This so-called communications data is now being held on the ISPs' servers just in case the authorities want to come and look at it.

Many ISPs have actually been holding on to this kind of data as a matter of course - to help defeat spam, to monitor and manage their own networks and because governments have asked them to do so voluntarily.

The difference now is that it is a legal requirement.

Not logged

To be clear, the contents of the e-mails are not logged, nor are the contents of any net phone calls. This is about connections between people and organisations.

Governments believe that they can look for patterns in these relationships that would help them flag potentially dangerous individuals or organisations.

Technology makes it very easy to collect, store and process data Jim Killock, Open Rights Group

It is called data mining but some security experts are sceptical about the true benefit of such pattern analysis.

Bruce Schneier, a well-respected security expert, has pointed out that a data pattern indicating "terrorist tendencies" is no substitute for a real investigation.

The UK government has said the data is needed to enable police to identify suspects, find more information about their contacts and to establish relationships between alleged conspirators.

The information can also be used to put suspects in a location at a certain time, potentially supporting or rebutting alibis.

The Home Office has said that communications data was vital in the investigation into Rhys Jones's murder in 2007.

However, a Home Office spokesman told BBC News the Rhys Jones investigation did not relate specifically to e-mails, net phone calls or website visits.

Link suspects

"The reference is around the use of communications data in general," a spokesman said.

The Rhys Jones investigation used telephone records to link two suspects, using data retention powers which were in operation before this latest directive came into play.

For civil liberty groups this latest directive is part of a wider debate about the use and potential misuse of technology.

Details of your e-mail recipients will be recorded

"Technology makes it very easy to collect, store and process data," said Jim Killock, executive director of the Open Rights Group.

"The problem is there is a growing temptation from the security services and police to say we want more, we want to do more and keep more of our data."

He said the problem with traffic pattern analysis was that we became "judged on our past mistakes".

"There is a basic risk we become a mere data trail - that rather than being able to exercise choice we become who we are based on our history."

Mr Killock said the legislation could also have the opposite effect to the one intended by governments.

'More conscious'

Innocent actions may be picked up by an automated scan of the database Isabella Sankey, Liberty

"People who really do want to do obnoxious things will simply hide themselves away - using encryption techniques and anonymisers.

"It will make it harder for the security services that actually monitor the people they think are a risk."

No wonder then that governments are equally targeting the creators of encryption software.

In the UK, authorities can use the Regulation of the Investigatory Powers Act (Ripa) to try to force people to hand over the keys which lock and unlock encrypted data.

The concern for some rights campaigners is that the number of authorities that can now have access to our communications data, and potentially even our encrypted personal data, is widening from the police, to include public bodies such as local authorities.

Liberty has warned that this latest EU directive is just one further step on a road to a centralised database in the UK, which holds data about all our digital interactions.

The fear, as expressed by Liberty, is that this would be held by a third party, not the ISPs, and that access to the data would be controlled by the Ripa legislation.

Isabella Sankey, policy director at Liberty, said: "Once records of all our phone calls, text messages and e-mails are held in one place, there will be fewer checks and balances.

'Fishing expedition'

"Innocent actions may be picked up by an automated scan of the database and the current system will be turned on its head - instead of our communication records being accessed if we are a suspect, we will become a suspect because a computer on a fishing expedition deems it so."

There is also, of course, a cost factor. The UK government is alone in offering to reimburse ISPs the cost of maintaining this database of communications data.

The Home Office has said it will cost £46m over the next eight years to create and maintain.

Liberty has warned that the cost of building the planned centralised database could run into billions of pounds.

However, plans to introduce the database into legislation have continued to be put on the backburner after it failed to appear in the draft Communications Data Bill.

It follows the comments of the UK's Information Commissioner Richard Thomas, who called it a "step too far for the British way of life".