There is some opposition to this move, but given the country’s predilection for treating everyone as a subject of surveillance, it is hard to see this not happening.
"Social-networking sites such as MySpace or Bebo are not covered by the directive," said Vernon Coaker, speaking at a meeting of the House of Commons Fourth Delegated Legislation Committee. "That is one reason why the government (is) looking at what we should do about the Intercept(ion) Modernisation Programme, because there are certain aspects of communications which are not covered by the directive."
Under the EU Data Retention Directive, from March 15, 2009, all U.K. ISPs are required to store customer traffic data for a year. The Interception Modernisation Programme, or IMP, is a government proposal, introduced last year, for legislation to use mass monitoring of traffic data as an antiterrorism tool.
The IMP has two objectives: that the government use deep packet inspection to monitor the Web communications of all U.K. citizens [and subsequently monitor those who maintain correspondence with U.K. citizens]; and that all of the traffic data relating to those communications be stored in a centralized government database. The problem is that social networking sites aren’t covered by the directive.
The U.K. government has previously said communications interception is "vital" and has hinted that social-networking sites may be put under surveillance. And responding to a question from Liberal Democrat Parliament member Tom Brake, Coaker said all traffic data on social-networking sites and through instant-messaging services may be harvested and stored.
"The honorable member for Carshalton and Wallington will also know the controversy that currently surrounds the Intercept(ion) Modernisation Programme," Coaker said. "I look forward to his support when we present (IMP) proposals, which may include requiring the retention of data on Facebook, Bebo, MySpace, and all other similar sites."
Deep-packet inspection, the second strand of the IMP, involves intercepting and examining the contents of all data packets that flow over a network. In Monday's meeting, Coaker said the government still intends to have a consultation on whether to inspect and then store all Internet traffic data in a centralized government database.
"What is the point of having a consultation if, as the honorable gentleman implies, the government (has) already made up (its) mind to have a central database?" Coaker asked. "We have not made up our mind. We have said we will consult on a variety of options."
Opposition to the government's IMP proposal has been fierce. Cambridge University computer security expert Richard Clayton told ZDNet UK on Wednesday that the government proposal to monitor social-networking traffic was "extremely intrusive."
"The question is whether it's necessary or proportionate, and the short answer is no, it doesn't look that way," said Clayton. "If the government wants to make us safer, having a few more police on the electronic beat would be a good idea."
Clayton said the problem for the government is that the Data Retention Directive applies only to data held by Internet service providers, but that a large number of people don't use ISPs' systems to communicate, instead using online services such as Web mail and social-networking sites. Servers may be located in different jurisdictions, Clayton said, and data retention times may be short.
"The government wants to collect all of this data on everybody, just in case," Clayton said. "Suppose you use (an e-mail service based in Pakistan), and you blow up the Houses of Parliament. The government would have to persuade the Pakistani authorities to turn over the logs, which may then turn out only to have been retained for three days."
However, Clayton believes that the cost of harvesting this information, which would involve all U.K. Internet infrastructure providers and ISPs having "black boxes" to monitor data, would be prohibitively expensive. Clayton said taxpayers' money would be better spent on the police, who could target investigations to those they suspect of criminal activity, rather than on performing blanket surveillance of everybody.
"To deploy deep-packet inspection equipment isn't cheap--the word 'billion' is appropriate," Clayton said. "It took the Home Office the best part of a year to find 3 million pounds for the Police e-Crime Unit. That's what is wrong with this picture."
Web inventor Sir Tim Berners-Lee also opposes the use of deep-packet inspection to inspect people's data. Berners-Lee told ZDNet UK last week that the Internet should not be "snooped" upon.
"If (third parties) are using the data for political ends or commercial interest, there we have to draw the line," Berners-Lee said. "There's a gap between running a successful Internet service and looking inside data packets."
Sources: Tom Espiner of ZDNet UK and The Inquisitr
Police and security experts will be able to request access to the information to help combat terrorism and cyber crime, but only with a court order. Nonetheless, the move has sparked serious concerns from privacy groups, IT security firms and legal experts.
Susan Hall, an ICT and media partner at law firm Cobbetts LLP, maintained that such a database is "the antithesis of what the whole internet is about".
"There have been regular and well known cases when the police criminals' record database has illegally been accessed by 'insiders', using it to vet employees and do favours for friends," she said.
The directive has provoked criticism from EU member states over the cost of the operation, which is estimated at £46m over an eight-year period, as well as fears of privacy violation.
"Given the numerous data breaches of late, it is hardly surprising that concern has been raised over these proposals," said Jamie Cowper, director of EMEA marketing at security firm PGP Corporation.
"With public confidence about data security at an all time low, it is absolutely essential that ISPs take their obligations seriously. If privacy violation is to be avoided, and the huge cost of this operation is to be justified, the security of the public's data must be watertight.
"If the EU plans to roll out similar legislation to other sectors, they are going to have to demonstrate to the public that every step is being taken to defend their data. If not, it is fair to say that we are just one data breach away from a major public backlash."
Hall went on to ask: "The government is trying to impose liabilities on service providers, and for what? The theoretical possibility that it will stop terrorists?
"People applying for access to the database will, on the basis of what we've already seen happen with the Regulation of Investigatory Powers Act, use a slippery slope argument: first arguing for using the information for sex offenders and other serious criminals, but ultimately using it to worry about parking tickets or whether children are entitled to be enrolled in the school they've applied to, as in the recent Poole Council case."
Hall also believes that these measures will have little discernable impact on the fight against terrorism, as the criminals involved will just find ways of bypassing the checks by using other people's unsecured Wi-Fi connections, hotspots or pay-as-you-go 3G modems.
"It is also very interesting to note that the European Court of Human Rights ruled in January that a similarly sweeping DNA database, which contained genetic samples from thousands of citizens who had not been convicted of any crime, violated privacy rights," she said.
"Looking at the comments made in this recent case, the ISP database will run the UK government foul of the European Convention on Human Rights, and on this basis alone should be reconsidered."
Thus far, ISPs that have attempted to stop these laws being implemented, such as in Ireland and Slovakia, have been unsuccessful.
Read as well: Children on DNA database are “suspects for life”
Official figures show that, since the DNA database was created, 1.07 million profiles of children have been added. This is nearly a quarter of the 4.4 million profiles on the database. Anyone who comes into contact with the police, as an offender or a witness, can have a DNA sample taken for the database. Ministers and the police say the database is a vital tool in solving crimes, and has helped detectives crack major cases including murder and rape.
DIRECTIVE 2006/24/EC OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 15 March 2006 on the retention of data generated or processed in connection with the provision of publicly available electronic communications services or of public communications networks and amending Directive 2002/58/EC (.pdf)
Extracts from the above document
Obligation to retain communications data
(5) No data revealing the content of a communication is to be retained in pursuance of these Regulations.
4.--(1) It is the duty of a public communications provider to retain the communications data specified in the following provisions of the Schedule to these Regulations--
PART 3 INTERNET ACCESS, INTERNET E-MAIL OR INTERNET TELEPHONY
Data necessary to trace and identify the source of a communication
11.--(1) The user ID allocated.
(2) The user ID and telephone number allocated to the communication entering the public telephone network.
(3) The name and address of the subscriber or registered user to whom an Internet Protocol (IP) address, user ID or telephone number was allocated at the time of the communication.
Data necessary to identify the destination of a communication
12.--(1) In the case of internet telephony, the user ID or telephone number of the intended recipient of the call.
(2) In the case of internet e-mail or internet telephony, the name and address of the subscriber or registered user and the user ID of the intended recipient of the communication.
Data necessary to identify the date, time and duration of a communication
13.--(1) In the case of internet access--
(a) The date and time of the log-in to and log-off from the internet access service, based on a specified time zone,
(b) The IP address, whether dynamic or static, allocated by the internet access service provider to the communication, and
(c) The user ID of the subscriber or registered user of the internet access service.
(2) In the case of internet e-mail or internet telephony, the date and time of the log-in to and log-off from the internet e-mail or internet telephony service, based on a specified time zone.
Data necessary to identify the type of communication
14. In the case of internet e-mail or internet telephony, the internet service used.
Data necessary to identify users' communication equipment (or what purports to be their equipment)
15.--(1) In the case of dial-up access, the calling telephone number.
(2) In any other case, the digital subscriber line (DSL) or other end point of the originator of the communication.