UK Follows EU Directive: ISPs Must Keep User Data for a Year

LONDON, England -- The British government has followed through on a European Union directive that Internet service providers are to maintain user data records for up to a year's time. 

Going into effect Monday, ISPs must now keep records of e-mail details, Internet calls and website visits of their customers, which will be accessible to police and other law enforcement organizations as well as any other public body with a proper warrant.

The directive was proposed nearly four years ago, following terrorist bombings in London during the summer of 2005. Then-British Home Secretary Charles Clarke was a proponent for the new rule and said at the time, "Modern criminality crosses borders and seeks to exploit digital technology. The measure is an important step in delivering the right to citizens across the EU to live in peace and free from the negative impact of terrorism and serious crime."

The EU has said the record-keeping directive is not related to anti-piracy or plans to battle file-sharing, though some opponents have claimed otherwise.

Many ISPs and telecom firms are refusing to take part in the directive, which requires the storing of communication between two individuals, reports ITProPortal.

An EU directive is already in place that calls for telecoms to keep telephone records for a year.

The UK Home Office said in a statement: "Communications data is the where and when of communication and plays a vital part in a wide range of criminal investigations, and prevention of terrorists attacks as well as contributing to public safety more generally."

The government agency said implementation brings the UK in line with Euro counterparts and added, "Access to communications data is governed by the Regulation of Investigatory Powers Act 2000, which ensures that effective safeguards are in place, and that the data can only be accessed when it is necessary and proportionate to do so."

VNUNet reports some ISP and tech service representatives see the rule as very problematic, such as Neil Cook of message security firm Cloudmark.

"Quite clearly this new legislation opens up a whole can of worms for the ISPs when it comes to potential security implications," Cook said. "Considering the sheer volume of high-profile security breaches hitting the headlines in the UK, the protection and storage of data is of paramount importance to an organization."

The British government states the data will enable law enforcement bodies to identify suspects, possibly terror networks, and conspirators, all through "data mining."

According to the BBC global security experts wonder how effective the directive will really be in combating terrorism, suggesting there is "no substitute for a real investigation," while civil liberties groups are questioning the directive and what it means for privacy and free speech.

"Technology makes it very easy to collect, store and process data," said Jim Killock, executive director of the Open Rights Group, whose website currently claims, "Data retention endangers democracy."

"The problem is there is a growing temptation from the security services and police to say we want more, we want to do more and keep more of our data," Killock told the BBC. "There is a basic risk when we become a mere data trail -- that rather than being able to exercise choice we become who we are based on our history."

The human right group Liberty's policy director, Isabella Sankey, suggested that innocent actions may be picked up by an automated scan of an ISP database and someone will be investigated on a "just because" basis.

"Once records of all our phone calls, text messages and e-mails are held in one place, there will be fewer checks and balances," she said.

Yet those who want to "hide," will find a way, she added.

"People who really do want to do obnoxious things will simply hide themselves away -- using encryption techniques and anonymizers," Sankey said. "It will make it harder for the security services that actually monitor the people they think are a risk."

To that effect, the UK government is also going after creators of encryption software through the Regulation of the Investigatory Powers Act.

The biggest concern is the creation of a centralized database throughout the UK, as civil rights group globally wonder if it will happen next in their nation.