Privacy International/FIPR Scrambling for Safety 7, 22 October 2003

Beatrice Rogers, Senior Programme Manager, Intellect

 

Data retention is an issue where Government is forcing Industry to become an arm of the state.

 

The ICT industry continues to uphold its role as a good corporate citizen and supports legitimate law enforcement. However, Government is requiring companies to hand over information for purposes it was not meant for, placing Industry in a compromising position between compliance and abusing customer trust, and inhibiting Industry's productivity and its role within society as a money generator. Industry is a private commercial entity and does not exist to implement public policy.

 

The Home Office is taking forward data retention as part of the "emergency powers" first set out in the Anti Terrorism Crime and Security Act two years ago. In developing its position, Intellect considered the following questions:

 

- What is the correct balance between national and public security, privacy, and measures taken to protect them?

- What are the roles, liability and responsibility of government and the private sector in securing this balance?

- Why does Industry exist? What is its purpose?

 

This act is part of a really worrying strain of policy development where Industry is forced to be the implementer – risk, liability and costs are pushed straight onto Industry by a Government which is looking for private industry to do its policing for it. In the context of today’s environment, the implementation of this act smacks of political opportunism, where Government requires Industry to hold the greatest pools of data, on the greatest number of people, for the widest possible usages; where data collected for national security and terrorism prevention is used to track tax evasion.

 

Intellect always welcomes the opportunity to participate in open consultation and to share Industry expertise with Government. We commend the positive changes to the original proposals for RIPA & ATCSA and value the increasing effort by the Home Office to be inclusive of Industry in its approach. Therefore, it is disappointing that Government, despite consulting with Industry, continues to ignore our fundamental concerns. So for the remainder of my time I will be addressing the following subjects:

 

- Legal concerns

- Technology & Implementation

- Value of data

- Consequences

 

Firstly, Legal concerns: There is a lack of certainty that data retention and access will always be compatible with Data Protection and Human Rights legislation. The Home Office has not provided firm evidence that if such incompatibility occurs, liability for breaches of the Data Protection Act (DPA) and Human Rights Act (HRA) will not rest with Industry.

 

If Communication Service Providers (CSPs) are required to retain data for national security on a voluntary basis, this opens them up to legal liability, with the possibility of customers suing. This presents obvious legal risk. However, even more harmful would be the effect on the relationship with our customer base. Brand and reputation would be damaged; customers would no longer trust the company. The consequences would impact consumer trust and confidence in new technologies.

 

The Home Office has made moves to verbally reassure Industry of its indemnity in terms of the legal uncertainty around the Human Rights Act, Data Protection Act, Regulation of Investigatory Powers and Anti Terrorism Crime and Security Act. But what is the true value of this offer? There has been no firm commitment for indemnity and Industry must ask the question “has the Secretary of State got the power to offer indemnity?”. There is no precedent that we are aware of. This commitment needs to be clear on paper.

 

Intellect believes that, in order for this legislation to be truly effective, the Home Office needs to look at the root of the problem and create a harmonious legislative regime, rather than offering Industry symptomatic solutions – such as the verbal reassurance given to underwrite CSPs for any civil litigation in terms of funding and costs. Although monetary loss would be a primary concern, we hope that Government recognises that the damage to brand and consumer trust and confidence arising from such litigation could be irredeemable.

 

 

Secondly, Technical and Implementation issues: The technical and implementation issues appear to have been sidelined, not fully understood or taken into account. It is as though the Home Office has refused to look at the issue as a whole.

 

Although companies that comply with the Code need not retain additional communications data beyond what they already keep for business purposes, the data must be retained often for longer periods of time, and in a manner that allows for law enforcement access. If you wish to access data held under the Anti Terrorism Crime and Security Act, it must be catalogued, searchable and retrievable. This does not only have implications for software and integration, but also for hardware & storage media. The technical challenge includes maintenance of legacy systems, interrogating large amounts of data, ensuring sufficient computing power, future proofing. It is impossible to extrapolate what Public Authority and law enforcement demand will be and businesses are held in a state of uncertainty, unable to plan for costs. The difference in technical requirements for a system dealing with 50 requests a month and 1000 requests a week is significant.

 

The Home Office has stated that “The government is prepared to contribute to communication service providers’ reasonable costs” and the ATCSA makes it the duty of the Secretary of State to ensure that an appropriate contribution is made to CSPs in respect of costs incurred.

 

The systems needed will also create major business process change projects. Costs will be incurred not only for the storage and retention of data, retrieval systems etc, but also from the cost of business process re-engineering, training, increased load on systems (including security), policy development and so on.

 

It appears that Government has not taken into account practical timescales needed to comply with the act or its impact on business. The timescales have been set up solely for the process of legislation, not for the rollout of systems and business implementation. The systems are unlikely to be top of the agenda for many businesses and it can be assumed that without the relevant business case, Boards will be reluctant to sign off the projects.

 

There is no direct return on investment for companies and the ICT industry is not currently well endowed with capital for non-business critical projects. To enforce compliance would negatively affect ongoing business concerns; diverting resources from investment in business development, innovation and improving customer service. Government is pushing the UK to improve productivity, competitiveness and to become a global competitor in the knowledge driven economy; this will seriously inhibit Industry in achieving that aim.

 

 

Thirdly, Value of data: Likely expenditure to comply with the Code of Practice is not justified by the end product of such retention.

 

Data is not a panacea to crime prevention and anti terrorism; indeed business acknowledges that without management skills, communication and good processes, data is almost useless.

 

Industry has not been persuaded of the value of the data towards its intended purpose. There has been no business case presented, although the Home Office has committed to demonstrate one. Industry believes that authorities are not fully exploiting data already available. There has been no evidence of an assessment or qualification for these specific lengths of time or types of data. There is no evidence to show that the system of data retention will allow agencies to retrieve and interrogate the data necessary for investigations in an effective and timely manner.

 

Intellect recognises that the Home Office has moved forward from early proposals and is now requesting that only information that is part of the business plan is to be retained. However, definitions of data to be stored are still not clear enough. The current information given is open to interpretation - to the extent that every packet containing IP addresses could have to be stored. There is also not enough clarity on why retention of such data is necessary for law enforcement purposes. It appears a blanket approach has been taken which is neither cost effective for Government or Industry nor sympathetic to the privacy needs and concerns of citizens.

 

 

Finally, a look at the Consequences - Data retention requirements outlined in the consultation paper threaten consumer confidence and the take up of e-services, are technologically challenging and excessively expensive.

 

Privacy is a very sensitive subject within today’s societies and, within British culture specifically, is of great importance. The data retention regime as set out in the Statutory Instruments raises troubling privacy concerns for citizens – our customers. The vast amounts of data required to be stored indiscriminately present risks to individuals’ privacy, by providing increased opportunities for misuse or improper disclosure of sensitive information.

 

Consumers are increasingly concerned with what data is stored and for what purposes. If their concerns are not addressed it could threaten consumer confidence in electronic services. Indeed it could be projected that the proposals within the consultation will impair the growth of the eMarket and inhibit the take up of eGovernment.

 

Since 2001 the USA has had increasingly tough national security agreements for incoming communications service providers, to the point where the investment becomes very expensive – making some companies consider whether the return on investment is worthwhile. Do we wish to prevent inward investment and limit customer choice in the UK? Businesses have cut costs and streamlined processes almost to the point where it is impossible to cut back any further. Any cost burden placed upon business will have to be paid for – someone will have to pay – and it will be passed on to consumers. This is not good for business, it is not good for customers, it is not good for UK plc.

 

There is a risk that applying the Code could lead to a distortion of trade in the UK market. If larger players are forced into compliance and applying measures that are not applicable to smaller players, it will affect the market and competition in favour of the smaller players. Conversely, if all CSPs have to comply, the costs and resources needed to comply with the Code may be unduly burdensome on smaller players, causing damage to businesses.

 

Many Intellect members view applying a data retention regime on UK companies as a direct blow to the competitiveness of UK-based companies within the global market. The Code states “However, if data relating to a service provided in the UK are stored in a foreign jurisdiction it may be subject to conflicting legal requirements prohibiting the retention of data in accordance with this Code. In such cases, it is accepted that it may not be possible to adhere to the terms of this Code in respect of that communications data”. This could possibly result in an offshore “black-market” in service providers – as with the use of offshore services for gambling, or money laundering. This would place UK CSPs at a clear business disadvantage.

 

This might also create a two-tier system where criminals and threats to national security would use alternative service providers to try and avoid the capture of data – e.g. using Internet Cafes and services held outside of UK jurisdiction – pushing crime further out of the reach of investigation.

 

To sum up

 

- This legislation places undue burden, cost, and liability on industry – preventing competitiveness. This goes against reassurances made to industry in 2001 that the ATCSA would not place cost or technical burden on industry to the point of inhibiting competitiveness.

- No business case has been put forward by Government to Industry in terms of return on investment and value of data retention.

- There is a high risk of negative impact on customers - in terms of cost, increased privacy concerns among citizens and a drop in trust and confidence in electronic services.

- Policy created without a true understanding of regulatory impact has the potential to seriously damage the UK’s competitiveness and impede UK plc in its drive to become a knowledge driven economy.