UK ISPs voluntarily preserve internetdata

By EDRi · July 14, 2005

Immediately after the London attacks on 7 July 2005, the National High Tech Crime Unit sent an e-mail to the UK provider association and to the London Internet Exchange asking for voluntary help in preserving traffic data of telephone and internet, but also the contents of e-mails, voice-mails and SMS. Some technicians outside of the UK responded in outrage at this request, comparing the request to asking the Postal Services to photocopy all post and pointed out the technical impossibility of storing tens of millions of e-mails a day.

But the UK ISP world remained extremely silent. Now it turns out the preservation was voluntarily offered by UK ISPA and it also turns out this is not the first time UK ISPs have voluntarily preserved massive amounts of sensitive data on all their customers. After the New York attacks, on 14 September 2001 the UK ISPA already recommended giving in to a preservation request from the Crime Unit. As one anonymous UK ISP remarked in a technical conversation: “they took six months to get back to us, without even mentioning they wanted the data.” After that, the ISP deleted the records, because of the massive amount of necessary hard-disk space.

Telephony and internet providers were asked to store the content of email servers; email server logs; radius or other IP address to user resolution logs; pager, SMS and MMS Messages currently on the network’s platform; content of voicemail platforms; call data records (includes mobile, fixed line, international gateways & VoIP) and subscriber records.

The explanation offered was: “The investigation into this crime will take many months and it is likely that the significance of specific communications data and current stored content will not become immediately apparent and there is a real risk that important evidence could be lost.”

Now that the individual suiciders have been identified within a few days and general investigation is making rapid progress, hopefully the Crime Unit will quickly follow-up on the request and make sure these extremely sensitive data are not stored any longer than necessary for acceptable business purposes.

Unconfirmed rumour has it that Belgian ISPs received a similar request from the UK Crime Unit. It is unlikely they will voluntarily co-operate. Storing the content of communications is in utter violation of EU privacy legislation. Only upon court order may an ISP preserve specified data from individual suspects, if the cybercrime treaty has been implemented. There is no legitimacy in any kind of voluntary preservation, also given the immense privacy and security risks of collecting such massive amounts of data.

In the UK ISPs have been bullied into voluntary data retention measures, in spite of extremely critical comments from the Information Commissioner. In response to a government consultation in 2003 about the government proposal for voluntary retention he said only a statutory obligation would comply with data protection laws, but added “However, the Commissioner is yet to be convinced that there is a need for a communications service provider (CSP) to retain data routinely for the prevention of terrorism, for any longer than the data would be normally retained for its own business purposes.”

When the UK failed to pass a specific data retention law through the normal democratic procedures, it seems they managed to convince ISPs they would risk their reputation if they did not voluntarily collaborate with essentially unlawful retention measures. Their attempt to bully the Brussels institutions into legalising this national practice hopefully meets with louder public resistance.

Net industry urged to co-operate following London bombings (11.07.2005)

Response Information Commissioner (June 2003)….pdf

Summary of other responses to the proposal for voluntary data retention (11.09.2003)