ZDNet UK 26/10/2001: "Home Office admits data retention plans"
Caspar Bowden
cb at fipr.org
Sat, 27 Oct 2001 17:35:51 +0100
> Roland Perry
..
> Time to read: http://www.iupf.org.uk/privacy-bcp.html sections 7 & 8.
>
> >Currently, ISPs are not permitted to keep more than the minimum data
> >required for billing purposes
>
> There are other legitimate business purposes.
The only allowable ones are in S.9(3) SI 2093 of 1999
http://www.hmso.gov.uk/si/si1999/19992093.htm#6
"(a) the management of billing or traffic;
(b) customer enquiries;
(c) the prevention or detection of fraud, and
(d) the marketing of any telecommunications services provided by the
relevant person."
> >-- which is, normally, the IP address of
> >the user and how long they are logged on for.
And why is that NECESSARY and for how long is that NECESSARY (test in
S.9.2 of 2093)
> >It might also include the IP address they are logged on to, and, for
> >security purposes, data such as the Radius security server log.
Why does that need to be identifiable ? Put it this way, how often do
ISPs in real life refer to that data in relation to some customer
service issue. Could ISPs conduct business without it, or without
holding it for very long ?
> See BCP.
BTW - Is it still true do you think that (BCP S.8 ) "Most ISPs will
usually log nothing whatsoever about any actions or data passed during
an individual Internet session". I know of one very large ISP that keeps
individual records of customer web browsing indefinitely. They do this
in case they one day figure out a way to datamine it - in other words it
is a resource held because of its speculative value. Does that fall
within Best Practice ?
> >The concern is ... enable him (Blunkett) to simply
> >put forward a resolution at a later date which might extend
> >the current voluntary proposals.
>
> As all primary legislation these days is there simply to
> provide enabling powers for later secondary legislation, then
> that scenario is inevitably the case.
No, it's not inevitable, the alternative is either not to do it at all,
or to draft primary limitations on what kind of traffic and comms data,
as RIP ineptly defines or redefined, may be compelled to be retained or
not.
> >The extension could be literally anything, said an expert on
...
> RIPA, under which disclosures have to be made (remember, the
> new legislation doesn't make disclosure any easier) already
> includes all conceivable data types.
Yes but the Code covering the Anti-Terrorism stuff (if there is to be a
separate code) can later move the goalposts on what data is being
retained. Unless it is retained, power to access is moot.
> > And it could call for the voluntary code to be
> >made compulsory."
>
> It would be a World First, and many people would be very unhappy :-(
But ISTR Home Office briefing comics talking about Netherlands and other
European countries who are already compelled to retain (in theory) with
or without formal derogation from Tel DP Directive 97.
--
Caspar Bowden    www.fipr.org
Director, Foundation for Information Policy Research
Tel: +44(0)20 7354 2333