In the wake of the terror attacks on London, the Government has received renewed support in Brussels for regulations allowing the retention of e-mails and mobile telephone records.

Under the proposals, mobile operators and owners of e-mail servers will have to store the sender and receiver’s details together with the time of the calls/messages for upwards of a year. There will not be the requirement for service providers to retain the actual content of messages.

The Government claims that the retention of these details will help it track down those involved in planning terrorist activities.

The plans are unlikely to cause a huge amount of controversy from human rights groups because the actual content of messages will not be stored, so, in theory, it would be no different from the records that BT and other phone companies keep for billing purposes.

And because there are only five mobile network operators in the UK (T-Mobile, O2, Orange, Vodafone and 3) the logistics of keeping phone records should not be too difficult.

However, it is a different matter when it comes to e-mail. There are thousands of Internet Service Providers (ISPs) and website hosting companies in the UK, with upwards of 10,000 in the EU as a whole.

They vary in size from telecom giants like Cable & Wireless to one man and his dog operations such as ServerStream (who host my website). There are also hundreds of thousands of web servers owned and operated by small businesses across the EU.

While BT, Wanadoo and Tiscali could, despite the considerable costs, store the necessary data and be able to retrieve it easily, it might not be so straightforward for the thousands of small businesses that could also be hit if the Government decides to implement the legislaiton across the board.

My website, for example, has its own “e-mail server”, which could make my company, in effect, a service provider, because the server is used to provide e-mail addresses for members of staff.

I would be required to retain a copy of the details of every e-mail sent to and from my company. Thousands of other small businesses would be in a similar position.

At present, I cannot find any reasonably priced software that automatically performs this task. Assuming that the software was available, it would still take considerable resources to apply and would undoubtedly add to the cost of maintaining a website. These costs would ultimately be passed on to consumers.

Meanwhile, the value of the measures are also questionable. Any terrorist with a degree of technical knowledge could delete messages or choose to disable the storage software. Alternatively, they could easily decide not to record the details in the first place.

It is simply not feasible for the police to inspect every server to ensure that it is recording data; it is not even possible to prove that particular message details are not being stored. Also, terrorists could simply decide to base their e-mail server outside of the EU where the legislation would not be in force.

An alternative to this flawed scheme is the establishment of an internet regulator, ideally linked to a global regulatory system that in addition to protecting consumers and businesses could also be used for anti-terrorism intelligence gathering.

By intercepting messages during the transit between servers, the intelligence community would be able to gain the information that they say they require. But I have always imagined that they did that anyway.

part of the reason why reimbursement is such an issue is because of the legal basis of the council’s proposal - due to it being a pillar 3 (ie intergovernmental / JHA) agreement it is legally awkward (read impossible) for them to mandate reimbursement by govts because this puts it into the area of pillar 1, i.e. the Commission’s prerogative which would mean the bill would have to go thru the EP where it is likely to be voted down.
all extremely complicated

The impression I’m getting from folk closer to the current EU process is that the Pillar 3 folk are going to “defer” to the Pillar 1 process, and allow for the first step to go through the Commission and EP. (EDRI has both the Commission and Council proposals on their site)

This is an intriguing strategy - an attempt to allay the MEP’s irritation that they are being bypassed. That said, I hope that that is not *all* the MEPs are angry about: that their reticence to accept data retention is also due to their worries about the serious civil liberties implications.

I think this is a good chance to ask some very awkward questions!

commission proposal coming 21 september