April 06, 2009 | Jim Killock

Data retention endangers democracy

European legislation that came into force today requires internet service providers to retain details of users' emails, net phone calls and other web traffic. This requirement, imposed on all EU states, is a serious erosion of our fundamental human right to privacy.

Privacy is recognised by European and British courts as a matter of right. The European Human Rights Convention states quite clearly that we have a right to a private life and correspondence, and the European Court of Human Rights has stated that traffic data is ‘an integral element in the communications made’.

In a recent, failed challenge to the legitimacy of the Data Retention Directive, Open Rights Group and over forty other human rights and privacy organisations argued for the incompatibility of this directive with human rights law. The core of this argument is shown below. Although the court rejected the case, they left the gates open for future action on the grounds of breach of human rights. We may yet see this from Germany, where a challenge is taking place. There is also concern in Sweden, where the Directive has not been implemented,

If this matters to you, then please join this mailing list to get updates on related campaign actions.

[R]etaining traffic data creates potential risks of abuse by state agencies. Traffic data can be extremely useful for political control, eg by intelligence agencies. Experience shows that the risk of powers being abused, especially where they are exercised in secret, must not be underestimated even in Europe.

[W]here the government prevents the effective protection of personal data because of its appetite for surveillance, it opens up the gates for misuse of the data by third parties. Innumerable facts about the private life of prominent members of the public could be obtained by analysing traffic data. In the event of unauthorised access to retained traffic data, politicians could be forced to resign and officials could be blackmailed.


Where data retention takes place, citizens constantly need to fear that their communications data may at some point lead to false incrimination or governmental or private abuse of the data. Because of this, traffic data retention endangers open communication in the whole of society. Individuals who have reasons to fear that their communications could be used against them in the future will endeavour to behave as unsuspiciously as possible or, in some cases, choose to abstain from communicating altogether. Such behaviour is detrimental to a democratic state that is based on the active and unprejudiced involvement of citizens. This chilling effect is especially harmful in cases which attract abuses of power, namely in the case of organisations and individuals who are critical of the government or even the political system. Blanket traffic data retention can ultimately lead to restricted political activity, bringing about damage to the operation of our democratic states and thus to society.

Traffic data retention also causes increased efforts in the development of countermeasures such as technologies of anonymisation. Where the state indirectly encourages anonymous communications in its pursuit of surveillance, it will ultimately damage its power to intercept telecommunications even in cases of great danger.

Comments (12)

  1. RevK:
    Apr 12, 2009 at 04:31 PM

    We're a small ISP and think it is crazy too...

  2. Francis Davey:
    Apr 12, 2009 at 11:25 PM

    @theo - you are quite right that the regulations are drawn so widely that they do encompass all kinds of small operations (cybercafes, public wifi) but as Richard quite rightly says you don't have to do anything until you've had a notice from the secretary of state. I've written my thoughts on open wifi up here:


    What is odd is that the secretary of state has a statutory duty to give notice to every public communications provider. What a stupid way to draft regulations.

  3. J D:
    Apr 11, 2009 at 10:41 AM

    @David Cameron

    I sympathize with your situation but if you let Privacy & Data Retention "use/misuse" become the "norm" instead of the "exception when needed"; the lack of Privacy & data integrity becomes a liability "not" an asset!

  4. theo:
    Apr 07, 2009 at 04:40 AM

    I'm not sure whether any changes have been made to this draft:


    but if the final version of the data retention contains the same version of point 2(e)(iii), then it's worse than it seems. Point 2(e)(iii) states the following: "In these Regulations “public communications provider” means-
    (i) a provider of a public electronic communications network, or
    (ii) a provider of a public electronic communications service;
    and “public electronic communications network” and “public electronic communications service” have the meaning given in section 151 of the Communications Act 2003(a);".

    Now, fast forward to section 151 of the Communications Act 2003(a) (which I found here: http://www.opsi.gov.uk/ACTS/acts2003/ukpga_20030021_en_15#pt2-ch1-pb28-l1g151): "“public communications provider” means—
    (a) a provider of a public electronic communications network;
    (b) a provider of a public electronic communications service; or
    (c) a person who makes available facilities that are associated facilities by reference to a public electronic communications network or a public electronic communications service;"

    Point (c) is the really big problem here. It means that not only commercial ISPs and fixed or mobile telephony providers have to store traffic data. It means that even home users that share their connection with a friend/neighbor or that are running a Tor relay would have to store traffic data and respect the same conditions imposed on the commercial providers.

    I feel the need to reiterate my initial statement: this is worse than it seems at first sight.

  5. Scot:
    Apr 06, 2009 at 02:10 PM

    I think eventually this directive will be undone, not out of any great respect for human rights but simply because it will deliver so little benefit for a large amount of money. It will be an easy target for opposition politicians looking to score some "we'll keep you safer and we'll cost you less" points.

    Hopefully whatever act of security theater that replaces it will be less invasive.

  6. Nathan:
    Apr 07, 2009 at 11:49 AM

    European legislation that came into force today requires internet service providers to retain details of user’s emails, net phone calls and other web traffic.

    Is this really true? What instrument actually brought the directive into force in the UK?

    The only legislation I can find is a draft statutory instrument, which was only planned to go into force on the 6th.

  7. David Cameron:
    Apr 10, 2009 at 09:47 PM

    I support the access by law enforcement agencies to records showing e-mail and mobile phone contact details (I understand the actual content of these communications is not retained). My experience/reasons? I am a 57 year old doctor and have lived my life through the 'troubles' here in Northern Ireland. I have seen over years the physical and long term emotional scars of terrorism on my fellow countrymen both catholic and protestant. My wife has had a family member (police woman) murdered by an IRA. Both sides have been barbaric. I have been part of the medical teams treating bomb and bullet victims - protestants and catholics injured by terrorists of the other side and I continue to this day to treat relatives of those killed. If modern communications technology could be used to prevent/successfully prosecute only one of any such future incidents, I would be ecstatic. Yes there would also be a down side - but unless you have lived through the pain of what went on here you could not have a hope of appreciating the overriding gain, compared to concerns about privacy and misuse, that anti-terrorist bodies will gain from these changes. I do not expect much agreement replying this way to a site so clearly of a different opinion - our views are often formed by our experience (and unfortunately, very many times from our misconceptions and generalisations) and you have not experienced a near life time of what terrorism does. I hope you never do.
    PS just before the recent murders of 2 soldiers and 1 policeman here, Hugh Orde was getting criticism for bringing in to Northern Ireland communications surveillance experts (on the background of intelligence in PSNI of increasing threat from republican dissidents): that same week the murders occurred: immediately all criticism ceased, from all parties, including from Sinn Fein. The lesson? issues of privacy/data misuse pale somewhat when juxtaposed against a wife who has lost a husband or parents who have lost a son.

  8. P2P Foundation » Blog Archive » Data retention endangers democracy:
    Apr 06, 2009 at 08:37 PM

    [...] You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site. [From The Open Rights Group : Blog Archive » Data retention endangers democracy] [...]

  9. pete:
    Apr 06, 2009 at 10:29 PM

    Encryption people !

    Buy your own server space, set-up an email service for all your contacts and use encryption.

    Take control of your privacy and wake up.

  10. David Legg:
    Apr 06, 2009 at 03:56 PM

    It's getting to the stage where nobody can really be sure what ISPs are recording and what data official bodies can scrutinise. Even the non-paranoid will surely be encrypting email soon. I will certainly be building my next PC with encrypted filing systems. It's even tempting to start sending emails via an out-of-country ISP. Thank goodness for Linux and open source software, with which you know that it isn't calling home to tell Uncle Bill what we're getting up to.

  11. An ISP:
    Apr 06, 2009 at 04:09 PM

    This data retention directive is a joke. I'm the Technical Director for an ISP (not a new one, we've been around since the mid-1990's, but a small one). We haven't heard a thing about this directive from "the government" so we're definitely complying. We don't actually know what we're supposed to be complying with anyway. I suspect most other small ISPs haven't either - it might just be AOL, NTL (Virgin) and BT.

    Like any public spirited outfit, we do keep server logs in case someone is using us for something nasty - and there is nasty stuff going on. That's as far as it goes, and I shan't be tripping over in a rush to email Strasbourg for details.

    In other words, this directive is unworkable anyway, because "the authorities" can't even contact ISPs to tell them what they're supposed to be doing. If they did, it's doubtful whether we'd comply as we probably couldn't (the details I've seen reported in the news media are technically bonkers). The question of whether we would comply is academic.

    This message is anonymous for obvious reasons. You may publish it if you wish but more importantly, note its contents! Unless you get lucky, you can't contact me for further information but just ask any small ISP and you'll get the same answer.

  12. Richard Clayton:
    Apr 06, 2009 at 04:39 PM

    We haven’t heard a thing about this directive from “the government” so we’re definitely complying.

    Yes indeed so! The way that the Statutory Instrument works means that unless the Secretary of State writes to you asking you to retain data then you have no obligation to do so... it _is_ the case that the Secretary of State is required to write to the public communications providers that are caught by the Directive [for otherwise the UK transposition would be flawed], but if you're not a large ISP (viz: the police don't care about your customers) then don't hold your breath whilst you watch your doormat!