The European directive that requires Internet Service Providers to log their customers' communications came into force in the UK today, and means that details of user emails and internet phone calls will be stored by ISPs for twelve months.
On paper, Directive 2006/24/EC is not such a bad thing. The actual contents of emails aren't monitored but the internet addresses of recipient and sender. It will make crime-solving easier, it won't hurt you if you have nothing to hide, and of course it'll stop those damned terrorists right in their tracks.
In real life, though, the fact of the matter is that the European Directive on Data Retention is highly controversial. All the usual left-wing groups are shouting out about privacy violations in cute media soundbites, and the citizens of the internet are up in arms that their communication habits will be stored for an entire year by their friendly, local ISP for unverifiable government purposes.
But the real problem with the directive lies in the technicalities of the email monitoring itself. For starters, data on the sender and recipients of an email message is contained in the message itself, and it is trivial to falsify this data as the email passes through various servers on the internet to reach its destination. This huge flaw in the design of what we know today as email is one of the reasons that spam is so ridiculously prevalent, and it means that an ISP taking this data and storing it might be storing falsified data without realising it.
Someone wishing to send an email without it being intercepted and stored might encrypt the message, and hope that the government lacked the means of cracking their encryption. Security software to do this is nowadays increasingly touted as the perfect means to total anonymity, but in this case encrypting the contents of an email into an illegible form does nothing to prevent the source and destination being jotted down… which is all that is going to happen.
And sending email from a so-called "shell server" — an account on a commercial server held for the purpose of keeping data or basing a website, that isn't reliant on the residential connection provided by your ISP — won't help either, since even the shell providers get their connectivity from ISPs. And if you are sending email to a home email address, information on the email will be stored by the recipient's ISP anyway.
But why would we want or need to find a workaround? What do we have to hide?
Page 11 of the directive says, "The West Yorkshire Police provided the following examples where internet related data had assisted their officers," and goes on to describe one such example: "A series of internet e-mails were sent to a confidential help-line run by a charity threatening to 'bomb' their office premises. The investigation determined, through the acquisition and analysis of internet related data, that the bomb threats were a hoax."
At first glance this is perfectly innocuous, and delicately sells the wondrous goodness of the scheme as entirely necessary in the investigation of bomb threats; emphasis mine, but I think not entirely retroactive. Clearly, the "confidential help-line" wasn't so confidential. Favourable outcome notwithstanding, isn't this highly immoral?
The document continues on page 12 to provide an example from the Greater Manchester Police of a situation "where internet related data had assisted their officers to save life, determine whether or not a crime has been committed and seek the whereabouts of a suspect."
Whilst the government responds to outcry with assurances that data on the communication habits of citizens would only be used as part of criminal investigations and where a warrant had been issued, the phrase "whether or not a crime has been committed" seems to imply that such determinations could be feasibily applied retroactively. This gives cause for concern for citizens involved in cases where a crime has not been committed.
And this isn't even simply another case of the European Union imposing its iron fist on the good British public. The Home Office is implementing the policy fully willingly, saying that it was the government's priority to "protect public safety and national security", and that "communications data is the where and when of the communication and plays a vital part in a wide range of criminal investigations and prevention of terrorist attacks, as well as contributing to public safety more generally."
Other countries haven't been quite so happy about it. Whilst Germany is pushing a challenge through their courts at present, Sweden has opted to simply ignore the directive completely. ISPs and telecoms firms have also resisted the concept.
The Home Office said the measure had "effective safeguards" in place, although after a recent spate of literal data loss — government data left on USB sticks in pub car parks, for one — it is difficult to be fully trusting in this assertion.