What do you think about communications data collection and storage?

[David Biggins]

> -----Original Message-----
> From: ukcrypto-admin@chiark.greenend.org.uk [mailto:ukcrypto-
> admin@chiark.greenend.org.uk] On Behalf Of ken
> Sent: 28 April 2009 15:16
> To: ukcrypto@chiark.greenend.org.uk
> Subject: Re: What do you think about communications data collection
and
> storage?
>=20
> But who is a small communications provider anyway?  Is the
> university I work for a communications provider?  If not why
> not?  We can and do provide email and other forms of messaging
> to people all over the world, some of them distance learners who
> never set foot in our buildings or even the UK.=20

That's kind of the same issue I face.  I run a couple of web & mail
services for my clients.

And since the mail accepts SMTP input,  it clearly is providing a
communications service for any member of the public who feels like
sending in a message to a specific email address, which gets past the
spam filters.

The fact that such messages would normally be caught by the sender's ISP
is probably irrelevant,  so I'm left with the assumption that every SMTP
server in the world is potentially a device allowing (at least a
limited) communication facility to anyone who wishes to address it
(directly or through a proxy with a VPN on the client side).

And of course if any of my clients have the ability to add email
addresses not directly under my control (they mostly do, in fact) then I
suppose I am definitely providing a public communications service.

And of course the website logs...  =20

Now let's say that the regulations do apply.   How much data would I be
required to hold?  What percentage of my total disk space is it
reasonable to expect me to dedicate to holding logs?

Most small server hosting packages offer an off-server FTP backup
service.  This is an extra cost, and is usually less than half the total
disk space of the base server.  Am I obliged to use this resource to
maintain backup copies of the logs?  What penalties do I face if my
server fails and I do not have logs backed up?

Am I required to keep logs that show communications attempts that I
reject as being spam?

If I am the subject to a DDOS attack that generates huge log files, how
much of that clear evidence of a criminal action am I to be obliged to
hold?

I had the interesting experience (fortunately on an internal server, not
a live one) of having a mail program go berserk last week.  It ran up
100GByte of meaningless log files until the partition was fill, with the
usual couple of megabytes of "real" log buried inside.  If this happened
on a live system, to what extent would I have the legal discretion to
delete those log files before the crashed the entire system?

If I need to increase the number of hosted servers because the disk
space provided by the company from which I lease does not offer hard
disk upgrades in a server to cope with the extra data, that will of
course involve me in the cost of buying additional licences for the
various software I deploy;  to what extent will the government accept
responsibility for these costs if it rules that I am a communications
provider?

Government's fondness (for obvious reasons as you say) for dealing with
big companies, and building the regulations around them, ignores the
significant extent to which very small companies and sole traders
contribute to the country's economy.   Landing us with regulation of
this kind could do a great deal of harm;  yet I can clearly understand
that excluding us would rapidly render the entire system valueless.  =20

I'm assuming that an understanding of this is behind the Home Office's
fondness for Phorm - only by putting DPI at all initial access points to
the internet or at crucial key nodes can they actually make their
desired snooping work.

In the meantime, they have to maintain the public pressure that allows
them to continue,  so until Phorm effectively prove out DPI for them,
the government is stuck with having to create a public view of "we must
DO something" to which of course Sir Humphrey can continue "this is
something, therefore we must do it".

D.