
Transposition of Directive 2006/24/EC

We do live in a marvellous world, don’t we? If anyone was to ask you what the title of this post was all about, you’d almost certainly give them a blank stare.

This is all about what is better known as “The Data Retention Act” which was stipulated by the EC some time ago. This Act has been implemented to assist in the fight against terrorism. Every Communications Provider has to keep logs of phone calls made and received.

I don’t mind this. We do it anyway otherwise we wouldn’t be able to bill our customers and I certainly will help fight the good fight if I can do so (safely).

The first phase was rolled out in 2007 for fixed and mobile telephony. The Internet community was given a further 18 months to implement the same measures for VoIP and emails. The VoIP service provider community is also OK with this for the same reasons given above.

When it comes to emails it is a slightly different story. ISPs have had no reason to keep records of emails sent and received. The service is flat rate (or free) and does not therefore require the information for billing purposes. So implementing the directive is likely to cost money for an ISP.

This Act is now in its consultation phase, which is causing some consternation and confusion in the ISP industry. The Regulations state that costs associated with this ‘may’ be recoverable. No guarantees. A recent briefing by the Home Office also stated that because of these costs they were currently looking at a scenario whereby only the ‘big 6’ ISPs would have to keep the data and that smaller ISPs would only be asked to do so based on an “intelligence led approach”, i.e. you have to keep the information if they suspect one of your customers of being a terrorist.

The suggestion here is that if you are a small ISP you are more likely to have a terrorist as a customer than a big ISP. The baddies will know that they are less likely to be monitored.

This approach also presents other problems. The ISP having to do the monitoring is at a competitive disadvantage to the one not having to do so because of the additional overhead involved.

What’s more, the technical logic is somewhat flawed in respect of email data retention and a savvy terrorist is easily going to bypass the system. Web-based email networks normally allow you to save a draft of an email for sending later. It just takes two terrorists to know the log on details of a Google Mail account. One writes the email and saves it as a draft. The second then logs in to the Gmail account and reads the draft.

The Act is scheduled to become law on 15th March 2009 and it seems that there is a lot of work to be done before it can be sensibly implemented. Timico is playing a leading role here with its involvement in the ISP Association and you can be sure that readers of this blog will be updated on progress.