Who's monitoring your email?

Internet service providers will have to retain details of internet communications, including email, under UK law which came into force on Monday.

The Data Retention (EC Directive) Regulations 2009 require service providers to retain details of user internet access, email and internet telephony for 12 months. ISPs must also be able to respond to access requests by law enforcement and other designated authorities.

The details of UK citizens' communications to be retained include which IP address people have been assigned, plus log-in and log-off times; the sender, recipient, date and time of emails; and the caller and recipient of internet telephone calls.

In addition, the regulations state that telecommunications companies must also retain details of all fixed and mobile telephony usage, including the geographical location of the caller.

These regulations supersede the Data Retention (EC Directive) Regulations 2007, which required fixed and mobile telephony data retention, but did not require the retention of internet communications.

Privacy campaigner Simon Davies, director of Privacy International, told silicon.com sister site ZDNet UK on Monday that data preservation, in which ISPs and telcos retain the data of specific suspects rather than of all citizens, would have been "less privacy intrusive and achieves the same objectives".

"It's not necessary to retain all of that data," he said.

Davies noted that retention of data could lead to local authorities using that data in a similar way to their use of the Regulation of Investigatory Powers Act (Ripa). Local government has been criticised by various agencies, including the Home Office, for using the legislation to monitor people putting their bins out, or dog-fouling.

"Once the data is held under this particular regime, you will probably find it will be used for a whole range of other purposes, just as Ripa has been," Davies said. "With data preservation, what would not have occurred is the gross infringement of local authorities using that data to investigate dog-fouling or littering."

Davies added that public trust in government may be eroded if communications data is misused by local authorities.

The Home Office said in a statement on Monday that it does not want to see data retention or Ripa powers "being used to target people for putting their bins out on the wrong day or for dog-fouling offences". However, legitimate actions would include local authorities using data to target "dodgy traders", fly tippers and noisy neighbours, the Home Office said.

Currently, covert surveillance, such as accessing the data retained under the Data Retention (EC Directive) Regulations 2009, can be authorised in local authorities by junior executive officers. The Home Office said it is considering raising the level of authorisation to senior executives, with possible oversight by elected councillors.

Home secretary Jacqui Smith said in December that the Home Office would consult on use of Ripa. This consultation would occur "shortly", the Home Office said.

The Home Office statement added that retention of communications data is necessary as a crime-fighting and anti-terrorist tool. "This data is a vital tool to investigations and intelligence gathering in support of national security and crime," the statement said. "Communications data allows investigators to identify suspects, examine their contacts, establish relationships between conspirators and place them in a specific location at a certain time."

Original article: Internet data-retention law comes into force from ZDNet UK