Government on 'snooping' code collision course

A government code to force internet service providers to retain people's email and web browsing data as part of anti-terrorism legislation has come under renewed attack with ISPs threatening not to comply over cost and privacy concerns.

Compliance with the code, which is part of the Anti-Terrorism, Crime and Security Act (ATCSA), will oblige communications service providers (CPSs) – ISPs, telcos and others – to keep records of communications from their users, including names, addresses and the time and date of the communication, to give the government a hand when investigating matters of national security. The code also doubles the amount of time companies will have to keep such records for, raising the time limit from six months to a year.

But the Internet Service Providers Association (ISPA) has such grave concerns about the cost of compliance and data protection laws that it is advising all its members to not comply with the code. An ISPA spokesperson told silicon.com that while ISPs are happy to assist the government, "law enforcement is not an ISP's job, so why should they have to pay for it?" ISPA also has legal concerns about the code, which it believes may contravene existing legislation.

It's a stance that has a struck a cord with ISP Earthnet, which has publicly declared that it won't be following the voluntary code, saying that it is concerned that the Act isn't compliant with compliant with data protection principles and human rights standards.

If CSPs do not go along with the voluntary data retention code the government has warned it will look to make compliance compulsory. With increased storage costs, as well as the costs of putting in place the relevant security and business processes to make such data retention work, it looks like UK companies will be landed with a hefty bill for the privilege of doing the government's policing for it.

While larger ISPs may be able to absorb some of the cost themselves, Beatrice Rogers of technology and communications trade body Intellect said that due to the harsh economic conditions, the Act would put an undue strain on British business' budgets, describing companies as "not well-endowed for non-business critical projects".

Fundamentally that means consumers forking out for it, said Rogers. "Someone has to pay, and costs will be passed on to customers. [The Act] isn't good for business, it isn't good for customers and it isn't good for UK plc," she said.

It is an expense ISPs may find hard to bear. Zen, a UK ISP supplying broadband to business customers, is more than happy to comply with the Act – if only someone would give them an idea about how to go about it and a few bob to go with it. James Blessing, technical development at Zen, told silicon.com: "We're more than happy to comply...we have a responsibility to our customers and the public in general".

But he said the government's approach to keeping ISPs informed about their obligations had left service providers confused and the issue of financing was still to be resolved. Zen has estimated the cost of compliance to be around £500,000 which would take a hefty chunk out of the £4m the government has put aside to give all UK ISPs a gentle push in the right direction.

Blessing said that without money from the government, ISPs simply won't be able to fund compliance with the code. The only ISPs likely to be able to absorb the costs without outside funding would be those with substantial profits already behind them and without government help ISP will have to look at alternative means of funding and risk the possibility of pushing up the prices to its consumers, he said.

A Home Office spokesman told silicon.com that the £4m available to help ISPs was a set figure for the year, but more funds would be made available in the future. He added that the Home Office was "keen to ensure that ISPs have what they need" but the matter of how the funding pie would be carved up was a matter of negotiation between ISPs and the Home Office itself.

Another problem lies ahead with ISPs providing Wi-Fi. The question of how individuals with their own domestic hotspots, for example, should treat the regulations is a thorny one – most providers would lack the technology to track the number and identity of those using the hotspot, while even MPs themselves admit the guidelines are lagging behind the pace of technology.