A European Commission directive will come into force on 15 March 2009 that could require every UK internet service provider to retain a record of every email sent and received by British citizens. The legislation would force ISPs to keep details about the email sender and recipient for at least one year – including all spam. The email content does not need to be stored, but ISPs may choose to do so.
The Home Office insists that the data is vital for intelligence gathering in criminal and terrorist enquiries. However, your data could be requested by up to 500 UK public authorities, including the police, health services, and local councils.
Many ISPs have voluntarily implemented email recording systems and the rules already apply to telephone companies (although those records are kept for the purposes of customer billing). The Government are also considering plans for a single central database that would gather details of every telephone call, text message, email, website visit and all other internet activity.
Human rights groups such as Liberty have expressed concerns about the bill: monitoring every UK citizen on the off-chance of catching a criminal is considered to be a gross invasion of privacy.
The proposals may encounter a number of technical implementation flaws:
- An estimated 210 billion emails are sent per day (the vast majority is spam). UK-only traffic accounts for a small proportion of this total, but the storage implications are massive.
- The UK Government are likely to offer between £25 million and £70 million to pay toward data collection and storage. However, the Government’s record on IT project estimates, security and data loss does not inspire confidence.
- The current proposals only cover email handled by UK ISPs. Criminals can still evade detection using webmail, instant messaging, forums, Facebook, Twitter or any number of non-UK systems that need not adhere to the legislation. The Italian police recently warned that criminals are adopting Skype to avoid wiretaps.
- How will the Government deal with shared or hacked email accounts?
Finally, the system must operate under existing UK laws, including the Data Protection Act. The Government must guarantee data integrity, allow individuals access to data held about them, and handle updates to inaccurate information. This could incur significant staffing costs but the organisation will be unable to charge an individual any more than £10 for the service.
What do you think? Is the UK Government right to track all internet traffic in the interests of national security? Are we dangerously approaching a full-surveillance society?