In 2003 Parliament agreed a code of practice for the retention
of communications data by the telecoms industry. The
Anti-terrorism, Crime and Security Act (ATCSA) of 2001 and the EU's
2007 Data Retention Directive both made it possible for the
Government to pay grants to service providers to cover the cost of
keeping that data though they did not demand payment.
Security minister Admiral Lord West has released information
about the amounts the Government has paid in grants to telcoms
firms for keeping that data.
In 2007 10 grants were made totalling £8.3 million. In the first
year of the scheme, 2004, four grants were made which accounted for
just £84,582 in total. In the first seven months of this year £4.1
million was paid out in five grants.
The average grant size was £17,000 in 2004 and rose to £830,000
by 2007.
Security researcher Richard Clayton obtained the figures from
the Home Office after he said they were not published alongside the
Parliamentary answer in the record of debates, Hansard.
When he published the figures on an IT security mailing list,
Clayton suggested an explanation for the increase in average
grant.
"What you're seeing is much larger entities obtaining money for
data retention," he wrote on UK Crypto. "Note that this is in the
run up to the time when the mobile companies and telcos had to move
to retaining data for a year; whereas one might suspect that
2004 was all about tiny little ISPs."
The EU's Data Retention Directive orders countries to pass laws
ordering telecoms companies to keep information about phone calls
and internet access. Countries can choose to mandate a retention
period of anywhere between six and 24 months.
From 2007 onwards the Government issues some grants which it
says are related to ATCSA and some which it said are related to the
EU Directive.
"In October 2007, the Data Retention (EC Directive) Regulations
2007 came into force and many former ATCSA grants payments are now
made under those regulations," said its Parliamentary
statement.
The information gathered by the Government when it makes
requests for this data relates only to what connections have been
made over networks, not the content of phone calls or internet
sessions.
The Government is said to be considering creating its own
database of connections information, though a proposed database has
not yet become Government policy.
Privacy and data security activists and experts have opposed the
move, fearing that a single Government controlled database would be
vulnerable to attacks or errors leading to information leaks.
