ISPA Evidence
APIG Communications Data Inquiry Oral Evidence
Internet Service Providers Association (UK)
Wed, 11 December 2002
MR. WHITE: Thank you for coming. Perhaps you would like to introduce yourselves.
MS. DE STEMPLE: I am Camille de Stemple. I work for AOL Europe and I sit on the ISPA Council.
MR. FEATHER: I am Clive Feather and I work for Thus plc. I also sit on the ISPA Council.
MR. WHITE: Do you want to make an introductory statement or are you happy to answer the questions we have?
MS. DE STEMPLE: I am happy to answer any points you wish to raise.
MR. ALLAN: Following on from what Brian said, the idea of these
sessions is, really, to try and tease out what the key issues are in
respect of the legislation so that we, as Members of Parliament who
have been involved in various bits of the legislation, can be better
informed, for example, as to the RIPA Part 1 Chapter II provisions,
which are the ones about access to communications data. We are
expecting material to come to us at various points in the coming months
and information about the implementation of the Anti Terrorism Crime
and Security Agency -- the ATCS, as we all call it -- legislation. So
really those are the kind of areas that we want to tease out some
information from you. Starting with the RIPA legislation on access to
communications data, I understand from your submissions that you have
suggested that the Part I Chapter II provisions on communications data,
which the legislation states are in place for the police, security
services, Customs & Excise and the tax authorities, should be
implemented as soon as possible. My understanding is that that is
because the current provisions which are under the Data Protection Act
are legally inadequate. I wonder if you could just flesh out what the
problem is there.
MR. FEATHER: Yes. We would like to see the provisions of RIPA
brought into force as soon as possible and, of course, with the Code of
Practice, which I know is being drafted.
MR. WHITE: Are you getting sufficient input into the Code of Practice?
MR. FEATHER: I believe we are, yes. We are being consulted all the
time. The problem with the present regime on access is that it is not
so much "The police need this data. We will give it to them", but that
the police come to us and the Data Protection Act says that we cannot
give it to them unless we are convinced that they need it. So the onus
is on us to be convinced rather than for the police to say. Even then
it is not totally clear that we would be legally protected if it ever
came to a challenge.
MR. WHITE: But has not this fudge worked with BT for 40 or 50, or in England going on for 100 years?
MR. FEATHER: No; because we have not had a Data Protection Act for
40 or 50 years. There were also wording changes in the 1998 Act which
make it a little harder. It is not at all clear that this regime is
compliant with the Human Rights Act.
MR. ALLAN: Just to confirm the position, you are giving
authorisation for the release of the data based on your assessment that
the public interest in releasing it overrides the privacy of the
individual?
MR. FEATHER: If I remember correctly, the wording in the Act is "would prejudice the detection of or prevention of crime".
MR. ALLAN: So you are making a judgment that this is important for the protection of crime?
MR. FEATHER: Yes. Obviously, if the police come to us and say,
"Here is a telephone number or an e-mail address. We need to know who
this person is otherwise we cannot prosecute them", we have to believe
the police that a crime is involved. We are not police officers or
investigators.
MR. ALLAN: Has anyone sought to challenge any ISP on this yet?
MR. FEATHER: Not yet that I am aware of.
MR. ALLAN: But your advice is that you could be challenged?
MR. FEATHER: Our advice is that we could be challenged. We are
relying on the good grace of everybody not to do so. As the Human
Rights Act comes into force, it becomes more clear what that means and
we become less and less comfortable with this approach.
MR. ALLAN: When we had the fuss in the summer about adding other
agencies into those who are able to act with communications data, and
we managed to get Daily Telegraph and Guardian editorials on the same
day taking the same line, which is quite something, particularly on an
IT issue -- it was unusual -- did you find an increased interest from
your customers from the ISP point of view? Did you find that your
customer base was suddenly interested in privacy issues and asking
questions of you?
MR. FEATHER: A little but not a lot. Mostly questions were being answered in the newspapers faster than they could get to us.
MR. ALLAN: The question which that circumstance does throw up is if
RIPA Part I Chapter II is implemented, which covers certain defined
agencies, how do you feel the other agencies should be dealt with?
Should they be brought into that regime in a similar way?
MR. FEATHER: If they are brought into the regime properly so, for
example, that there are single points of contact, that they follow the
same procedures and the same cost recovery mechanisms are used; in
other words, if they are brought in completely and they are making
requests in conformity with the law proportionate, in exactly the same
way, then there is not a problem. I will repeat the words "cost
recovery" because if you add many more agencies there will be more
requests, and they will cost us more to serve.
MR. ALLAN: Can you give us an idea, bearing in mind that AOL and
Thus are both very well known ISPs in the country, or are you able to
say on record more or less what number of requests you get currently
under the Data Protection Act, 29(3)-type requests, and what kind of
costs, or a ball park figure, you are incurring as ISPs?
MS. DE STEMPLE: I cannot say the number of requests, but I can say
that a full-time person is employed solely to respond to UK law
enforcement requests.
MR. ALLAN: So that is one full-time person?
MS. DE STEMPLE: Yes; one full-time person at all times. So if she goes on holidays, I have to find someone else to do the job.
MR. FEATHER: I believe we are currently on about half-a-person;
that is to say, she does other things as well, but it is a significant
part of her job.
MR. WHITE: Both of you are rather large ISPs. Does the same problem apply to the smaller ISPs?
MR. FEATHER: I would expect them to get less requests, obviously.
Equally, when a request comes in it will take the attention of,
probably, a senior manager because they cannot afford to have someone
dedicated to that job.
MS. DE STEMPLE: As large ISPs, we have legal resources that smaller
ISPs would not have access to. We have a legal department so if we have
a 29(3) arriving and we are quite unsure whether we should respond or
not, we have access to legal resources and smaller ISPs would be
unfairly disadvantaged by having to retain outside counsel to decide
whether or not to give that information, and RIPA would give them the
certainty that they would need as a small business.
MR. FEATHER: I agree. In relation to that, as a large operator, as
Camille says, we can afford to investigate something we are not happy
with and bounce it back to the law enforcement agency if we do not like
it. If you are a three-man operation and you get a request from
Scotland Yard, you may be unhappy about it or you may not feel
comfortable in refusing to answer them and finding yourself on the
front pages the next day.
MR. ALLAN: So, in some ways, the ones who are most likely to be
caught are going to be the small ISP who accedes to a request, does not
have the legal advice and gets challenged over it?
MR. FEATHER: That is right.
MR. ALLAN: So there is a risk area there for small ISPs, put it that way.
MR. WHITE: Something I did not understand in the evidence is this.
You said that you want the legacy data access powers for other
authorities to be repealed. Could you explain that?
MR. FEATHER: Not quite repealed but repealed in relation to this
data. For example, trading standards authorities have a wide power to
demand documents from almost anybody when they need to investigate a
trading standards matter. They then come and use that power to demand
an enormous sequence of communications data which changes on a daily
basis. It is very different from what Parliament envisaged. We want to
see everybody coming in through the same channels. We need to be
absolutely clear that we are receiving the same paperwork with the same
information filled in so that we can respond in the same manner. It is
more efficient all round than having to say, "Now, do these people have
a right to look at this thing?" or "Should they be coming in that way?"
Does the Trading Standards Act allow them to look at traffic data as
opposed to communications data? I do not know. It would be much more
simple if everybody who needed access came in the same manner.
MR. ALLAN: Just to confirm that that is happening now, that people
like the trading standards authorities can come to you today under the
Trading Standards Act and say, "Can we have this communications data?"
MR. FEATHER: They do, and Social Security come in under the Social
Security Act, and the Serious Fraud Agency comes in under their
legislation which, incidentally, does not require them to pay our costs
of them obtaining that data.
MR. ALLAN: In terms of those agencies which were listed in the
summer in the draft regulation, are all of them people who currently
can come to you and do come to you?
MR. FEATHER: No. For example, Consignia is not an organisation which comes to us at present.
MR. ALLAN: They are no longer Consignia but the Post Office again, are they not?
MR. FEATHER: I have lost track.
MR. ALLAN: Anyway, the postal function.
MR. FEATHER: If I recall correctly, people like the Serious Fraud Office were not on the list of authorities.
MR. ALLAN: So there were some which were not on the list who do
currently come to you and some who were on the list who do not
currently come to you?
MR. FEATHER: That is right. There is a whole range of people who
have a power to look at things as a sideline in the legislation, who
have not been considered at all, one of whom is the Benefits Agency. I
had another one the other day but I cannot remember who it was.
MR. ALLAN: I sat on the Committee Stage and we spent hours debating
whether certain people should be given powers under RIPA or not. I
think we had the assumption, as Members of Parliament, that if they
were not getting the powers under RIPA, they did not have them, but
they were probably doing it, anyway.
MR. FEATHER: Somebody's recent legislation says something like they
have the power to demand information of any employer. I think it is the
Benefits Agency or Social Security, and they are using that to request
communications data, whereas you would expect them to be requesting
employment records.
MR. ALLAN: So from a Parliamentary point of view, we need to be
keeping an eye on any piece of legislation which talks about demanding
information, anyway.
MR. FEATHER: As I said at the beginning, it is not that we want
their powers repealed, but where it is access to communications data it
should be coming through RIPA and not through from where we do not
know. Nobody seems to know how many pieces of legislation are involved.
MR. WHITE: When other people ask for information, do they understand what they are asking for?
MR. FEATHER: I would have to ask that question of one of the particular
people who receive the requests. I get a certain oversight of them but
not in detail.
MS. DE STEMPLE: Some yes; some no. Specialised agencies, such as
the Paedophile Units or the computer crime squad units, if you talk
directly to them, will know exactly what they are looking for and what
they want. It is much easier to deal with them than with some other
agencies who just want information just in case, and they do not really
know what they are looking for. They are just fishing to try and see
how they are going to be able to put two and two together.
MR. WHITE: So you would want the whole issue of training and resources put into any code of practice?
MR. FEATHER: Yes; certainly somewhere in it. Whether the code of practice is the right place, I do not know.
MR. WHITE: For the issue to be addressed by the Home Office and by other agencies and departments?
MR. FEATHER: Yes; certainly. Up until a few years ago, the training was done informally by the ISPs.
MR. ALLAN: As to single points of contact, you have now got those in place for the police.
MR. FEATHER: Yes.
MR. ALLAN: Although I understand that the Metropolitan Police have several single points of contact.
MR. FEATHER: I believe that is the case because they are specialist
units. So long as we know who the single points of contact are, that
is not a problem.
MR. ALLAN: It is that each one represents a reasonable number of requests and it is well-informed about what they are doing.
MR. FEATHER: That is right.
MR. ALLAN: The key characteristics.
MR. FEATHER: And we have ways of verifying that they are who they say they are, which is, of course, very important.
MR. ALLAN: Yes. From the pattern of the police ones which exist at
the moment, can you give an idea as to how well that is working? Are
they mostly well-resourced and able to function effectively or are some
of them, shall we say, in development?
MR. FEATHER: When we get to see them, they seem to work. What we
are hearing is from the other side with police officers saying that if
they go through their SPOCs it takes months to get something, but if
they go directly they can get it in a day or so, which implies that
there is a resourcing problem somewhere.
MR. ALLAN: So they are coming directly to you because you are more helpful than their SPOC?
MR. FEATHER: In our case, we tend to bounce it straight back and
say "You have to go through the SPOC", but where there were existing
procedures in place -- I believe this is more in the telephone world
than the Internet world -- I suspect that some people are still using
that.
MR. ALLAN: It sounds as though we need new waiting list times for SPOC waiting lists.
MR. WHITE: One of the things which we have been looking at is the
new European warrant so you can arrest people here for crimes in other
countries. Is there an issue about either the British Government
looking for traffic elsewhere in the world or other governments looking
for traffic in this country?
MR. FEATHER: I cannot think of anything specified in that context.
Obviously, any request we get we have to know if it is in conformance
with the law, and that that law is being enforced properly. In other
words, it is no good having a set of procedures if nobody is checking
up on the people filling in the forms.
MS. DE STEMPLE: So for AOL, if the enquiry is about a member who is
not a UK member, we would refer the police back to the authorities in
another country. So we have a good network of contacts, such as police
liaisons at different embassies and contacts to refer the UK police to,
but we would not give details of a German person to a UK law
enforcement agency, and our German business will not give information
on a UK member to German law enforcement.
MR. WHITE: So it would be for the UK police to go to their German equivalents and ask the German equivalent to ask AOL Germany?
MS. DE STEMPLE: Yes.
MR. ALLAN: Moving on to the ATCS area and the questions about data
retention, which are obviously at the heart of the question of whether
ISPs should retain data and whether that should be a voluntary or a
mandatory situation. I would be interested if you could give your view
on why the emergency legislation which was brought in a long time ago
has yet to be implemented. From your point of view, should the
Government be blaming ISPs for dragging their feet?
MR. WHITE: Lightning speed in government terms.
MR. ALLAN: Do you have an understanding as to why this is taking so long?
MS. DE STEMPLE: I think it is quite a complicated area. It is
fundamental in terms of our business, even in our business structure,
so it will have an enormous impact on ourselves and on the way the
police investigate. No one is dragging their feet but everyone is
trying to understand each other's view, namely, why is it important and
what is really important, and to try and come up with the best solution
for everybody.
MR. FEATHER: We have got ATCS which interacts with RIPA, and it
interacts with the Data Protection Act, the Human Rights Act and the
Telecommunications Act has been dragged in at least once. It also
interacts with the Telecommunications Data Protection of Privacy
Regulations, which are going to have to be re-written in the next seven
or eight months because there is a new European directive which repeals
the old one which those regulations are based on. That, then, ties into
four other directives on telecommunications. I think we have reached
the point where nobody understands them any more.
MR. WHITE: Should that all be wrapped up in the Bill which is going through on communications?
MR. FEATHER: I think if you do that you will drag that one out for another year.
MR. ALLAN: It is big enough already.
MR. FEATHER: Yes.
MR. ALLAN: I would like to ask about the cost implications. You said that this now fundamentally affects your business.
MS. DE STEMPLE: Yes.
MR. ALLAN: Could you clarify for us what the current situation is
in terms of data retention from purely a business point of view? What
do you do as a business where there is no legal requirement to retain
data? What is the norm and what is the cost difference, if you like,
between the norm, which is what you do from purely a business point of
view, and the kind of things you may be being asked to do under ATCS?
MS. DE STEMPLE: The norm is for IP addresses for AOL is that we
would keep IP addresses for around three months. This would be
something which suits our business and the security of our customers,
but also law enforcement because we have been working with them for
quite a long time. Adding on nine months to it is adding enormous cost
to us. In our submission, we have given you some ideas of rough
estimates of what we have done, which was $40 million just to set up
the system and then around $14 million to run it.
MR. ALLAN: It is huge!
MS. DE STEMPLE: It is huge because we are talking about a huge
amount of data. As an example, AOL has, on average, per day 392 million
sessions. We send -- not receive -- 597 million e-mails. We are just
one ISP. I appreciate that we are a big one, but we are still only one
ISP. As Clive has previously pointed out, that is about 100 CDs a day.
MR. FEATHER: That is communication data. It is a lot of e-mails.
MS. DE STEMPLE: It makes it extremely expensive for us. Any unit
cost, because you are going to multiply it by a number of days, is
going to have an enormous impact on the business.
MR. ALLAN: Can I get an understanding of what you think you are
being asked to do. You have said 100 CDs a day. If a police
investigation wanted to look through that retained data, would you be
able to hand over, according to my calculations, 36,500 CDs to their
investigators and say, "Here are your 36,500 CDs. Go and look for
whatever it is you are looking for", or is it your understanding that
you would also have to maintain search facilities?
MS. DE STEMPLE: No ----
MR. FEATHER: If we hand it all over, that is disproportionate, which means it would be an offence under RIPA.
MR. ALLAN: Or could they come to their office? How are they going to find something in reality?
MR. FEATHER: We would have to search.
MS. DE STEMPLE: We would have to search for that particular piece
of data. You cannot hand over everybody's piece of data for them to
search for it. We still have a duty to protect our other customers.
MR. FEATHER: If I can get slightly technical for a moment, we have
this figure of 36,000 CDs. That is one year's data. You would not just
store the data in raw form so you would have to search for it. You
would organise it so that you could find stuff on an individual
customer relatively simply. In effect, you would alphabetise it or
whatever, but it takes time and effort to do that and computing power
to do that that would have to be paid for. There is a trade-off here
between the ease of storage and the ease of retrieval.
MR. WHITE: The Government estimate was £20 million for the whole
industry, that that was reasonable, it covered most of your costs and
protected the taxpayer.
MR. FEATHER: I have no idea where that estimate came from since I
could probably justify £5 million or £6 million for my company alone.
We understood that that was the amount of money that was available
rather than what it would actually cost. If I could go back to your
original question on this, what industry stores varies very much from
company to company. As an example, e-mail transactions, like who sent
them out to whom, we store for a couple of days, and it is stored on
spare space on the e-mail systems because there are very very few
requests to search. In fact, I cannot think that we have had any.
MR. ALLAN: From a customer point of view, a customer may want to do a trace.
MR. FEATHER: No, no, no. It is stored in case something goes wrong
with the system and the engineer needs to figure out what was going on.
So it is literally in order of events. It is in order of timescale.
After a couple of days it gets wiped off to make room for the next one.
As one of my colleagues has put it, if you store too much the machine
fills up at 3 o'clock in the morning and the engineer gets woken up, so
the engineer very quickly sets it not to store that much. If we had to
store it for a year, we would need a dedicated system. We would have to
arrange for the data to be shifted off before it got wiped out. We
would have to ensure the security of that system because now we have a
huge repository of data which is attractive to criminal elements, apart
from anything else.
MR. ALLAN: So you would be setting up a whole new system. So any
idea that this is something which tacks on to your ordinary business is
out of the question. It is a whole new system, very complex and a
massive data storage system with search and retrieval facilities.
MR. FEATHER: That is right.
MR. ALLAN: It is like a major computing project.
MR. FEATHER: It is a major computing project.
MR. ALLAN: And a very expensive one.
MR. FEATHER: That is right.
MR. WHITE: Should it be done by each individual company or ---
MR. FEATHER: --- by a large Government IT project?
MR. WHITE: Or one which is privatised as well?
MR. FEATHER: That is a complicated question to answer. In the very
technical sense, it would, perhaps, be easier if we could dump the
responsibility on someone else, provided the responsibility went with
it. On the other hand, you have now got a central data store that
criminals can break into. You have got the large project problems. One
would wonder how diligent the staff would be at ensuring that it was
only accessed in the correct legal manner.
MS. DE STEMPLE: And for us, we have the added dimension that all
our customers are not just from the UK. We use the same type of data
for everybody around the world. I do not think it would be appropriate
that we dump data for French, US or Chinese customers here.
MR. FEATHER: In any case, it would not take all the costs away from us. It would just take some of them.
MR. ALLAN: On the security point of view -- that is very
significant -- if we have created these large stores of data which can
be used to breach people's privacy quite significantly, the fact that A
e-mails B in certain circumstances can be quite a significant piece of
knowledge to have, but under the current negotiations taking place
would we be moving to a situation, if those were concluded, as was
intended, of every ISP having one of these data stores with very
sensitive personal data which they did not particularly want to have
but now were being asked to have and then would have to manage that and
guarantee the security of it?
MS. DE STEMPLE: Also its integrity.
MR. ALLAN: And the integrity of it? I suppose the other
consideration is, from a citizen's point of view, are there legal
procedures in place that are sufficient to govern the behaviour of the
ISP security officer who is going to be responsible for this very
sensitive park?
MR. FEATHER: Yes, you are right in that everyone would have to have
these systems. Are the procedures in place? The law is relatively
clear. We are responsible for the security. I think the Seventh Data
Protection Principle is a very fundamental part of the data protection
law.
MS. DE STEMPLE: But it is also a fundamental piece of our business.
If we cannot ensure security of our customers' data, this is all we are
about. We are about transporting data. If we cannot be relied upon to
keep that security, then our business is not viable.
MR. ALLAN: From your point of view as a business, there is a risk
here that any breach of security, which is headline news in Computer
Weekly, is going to threaten your business.
MR. FEATHER: Yes. One thing which differs from the present
situation is the logs that we are talking about are kept for the
engineers to look at. In general no one else goes and looks at them. We
are talking about this massive system. It has to be kept secure except
from all the people who need to get to the data in it.
MR. ALLAN: So the engineers could not go to it?
MR. FEATHER: It is not a case of the engineers not going to it. Its
whole purpose is for people to request data out of it, so the security
officer has now got to make sure that the right people are requesting
data under the right circumstances in the right way, whereas with the
present system we get so few requests for this particular data that
they can be vetted very carefully. You can go to an engineer and say,
"You have already got this privileged access. Please extract this
information".
MR. WHITE: Should it be a mandatory scheme or should it be a voluntary scheme?
MR. FEATHER: We would rather not have to do it at all because of
the business implications of doing so. A lot of people felt at first it
should be voluntary, but I think they are swinging round to it being
mandatory only because it simplifies the legal situation. If we are
ordered by the law to do something, then data protection does not apply
to what we are doing. If the Data Protection Act says you are required
by law to do this, you have your get out of jail free card. Obviously,
we still have other issues. If we stored all of this data, then if our
customer wants to look at their own data, we have to let them. Setting
up systems to deal with that is a brand new cost.
MR. ALLAN: Other people can also come and ask for it if they know it is there.
MR. FEATHER: Yes. Prosecution lawyers working for law enforcement
can, but defence lawyers are entitled to see it. In civil cases lawyers
are entitled to come and ask for it.
MR. ALLAN: Your legal advice is that if you have the data there,
even though the law says it is only to be held for purposes of
anti-terrorism and national security, you would get a queue of other
people turning up and asking for it, would you not?
MR. FEATHER: Yes. We are already starting to get a queue of other
people turning up even for the little bits of data we do have. It is
ones and twos at present, but that may indicate that the legal
profession does not have as good a communications network as we have.
MR. ALLAN: From your point of view, you are sitting in the middle.
If you have got somebody turning up with a court order who you cannot
say "No" to, and you have got a customer potentially suing you for
having released their data because they have looked at it and said,
"Was this to do with terrorism?" or whatever, they will say that you
should not have released it because it was not to do with terrorism. Is
that where you are?
MR. FEATHER: That is one of the fears that we would have, yes.
MR. ALLAN: Your legal advice to date does not resolve that in any way. You have exposure.
MS. DE STEMPLE: In AOL we are still keen on the idea of
non-mandatory data retention. Our view, although it is not the view of
most of ISPA, is that each ISP is having different pieces of data.
Therefore, to make it mandatory might make certain pieces of data
mandatory to us to retain when we never did. We need the flexibility of
a non-mandatory system to be allowed.
MR. WHITE: Presumably because you do things in a slightly different
way, it will impact on different sized ISPs in different ways?
MR. FEATHER: Yes.
MS. DE STEMPLE: Yes. For example, some people do not keep any data at the moment and they would not be under any obligation.
MR. FEATHER: I must counter one of the points and agree with
another one. The Home Office has kept saying that this is only about
extending the retention periods on material which we already keep. This
would not necessarily be the case for all time. A concern with a
mandatory scheme is that it would be relatively easy to expand it.
MR. ALLAN: If a police officer came to you and said, "I went to
this ISP but they could not give me the data which that ISP gave me.
Make them hold the same data", then there would be that pressure on all
the time?
MR. FEATHER: Yes. There would be that pressure to change the
system. I do have to agree with Camille that some things are not kept
at present. Certainly, I am aware that, in relation to some
communication providers, this whole process has led them to re-audit
their systems and decide that they do not actually have a business case
any more to keep particular items, or indeed they keep them for less
time than they were doing in the past.
MR. WHITE: Is this whole regime a barrier to new entrants?
MR. FEATHER: It could well be, yes.
MR. WHITE: So you could not get another Freeserve emerging because of these kind of regulatory barriers?
MR. FEATHER: It is another cost you would have to consider to set
up. It is also being suggested to me that the cost recovery for setting
this up will apply to people who are building new systems for the Home
Office now. Let us say that in a year's time all of this is in place,
if we then start a new product or someone wants to start a new ISP,
then this is part of the costs of doing business.
MR. ALLAN: A lot of ISPs are re-sellers. They do not actually have
any physical service at all. An ISP buys something up and sells it.
What is your understanding of the position of those ISPs given that
they do not have any ability at all to implement anything?
MR. FEATHER: How long have we got? It has to be looked at case by
case. In some senses the law says you go to the person who has got the
data, and in some senses the law says you go to the person who is
in charge of the data. As you say, they may not be the same thing. I
can think of at least one case where all the data is stored by the ISP
except for who the customers are, which is stored by the re-seller. So
if you know the magic code number for a given customer, you can go to
the ISP and get the data, but the ISP has no idea of who that code
number refers to. If you want the data about Fred Bloggs, you have to
find out from the re-seller. So it is incredibly complicated. It will
be case by case. There is no one rule. Of course, there are re-sellers
and re-sellers.
MR. WHITE: Presumably, they will go and say that they are your
customer, that they are a customer of Joe Bloggs ISP. They will go to
Joe Bloggs and Joe Bloggs says, "I would like to help you and the
police, and I want to make sure that I am conforming to the law but I
do not know. You will have to ask the people who sell me the ISP
service whether or not we conform to the law". Legally, this person is
going to gain a legal duty to do something over which they have no
control.
MR. FEATHER: Quite possibly.
MR. ALLAN: I want to ask you about something else which AOL has put
in, which is about data preservation as opposed to data retention. I
wonder if you could flesh out the difference between data retention and
data preservation?
MS. DE STEMPLE: Data preservation is when you have a particular
target. You preserve that data so it allows you, for example, to go
through all the legal processes which you need to go through to
retrieve that piece of data, or you know that you are conducting an
investigation and that you will need that particular day's data for the
future. Then we preserve that data and only hand it over once we get
all the paperwork in place. It works very well in the US. We do that
quite often. For example, if there is an international investigation
and foreign police are asking for a piece of data to be retained so
that they can go through the international process which sometimes is a
bit long, then we would preserve that piece of data and hand it over as
soon as they have the right papers. So it is very targeted and very
proportionate to the effort that we put into it.
MR. WHITE: So if I am under investigation, you basically keep all of my e-mails for the time being?
MS. DE STEMPLE: Yes; for the past. It is not an interception. It is not like interception.
MR. FEATHER: It is not "Keep the e-mails" but "Keep the communications data".
MS. DE STEMPLE: Yes; keep the communications data. It is in the past not in the future, because that is interception.
MR. ALLAN: That is what happened post September 11th when people
came to the ISPs and said, "We may need you to help". That is what you
do. You preserve data.
MR. FEATHER: "Could you make a copy of your material from the few
days before September 11th and stick it to one side. We will go and get
the formal warrants. We just do not want it to disappear". This is what
I am saying. We create the data but we destroy it regularly. Data
preservation is about "Don't destroy this item. We are going to get a
warrant, honest".
MR. ALLAN: And you do data preservation regularly and you believe it helps a lot of agencies?
MS. DE STEMPLE: Yes.
MR. ALLAN: The other significant question is this. Do you believe
that if you entered into a regime of holding everything for a year that
there are a significant number of offences which will suddenly be
detected/prosecuted or whatever that otherwise would not be? Is it
workable and would it deliver results?
MR. FEATHER: Did you say if we kept everything for a year?
MR. ALLAN: Which is either mandatory or voluntary data retention.
Data preservation allows you to catch a certain number of people. Is
holding data for a year -- I am thinking of the question of workability and
so on -- going to add to the haul of villains that are suddenly swept
up in the net?
MR. FEATHER: We do not know. We also do not know how many villains
would be swept up. If it catches three burglars in a year, is it worth
doing? If it prevents another September 11th, that is a very different
matter. This is the "business case" -- I am not quite sure where the
term came from -- from law enforcement.
MR. ALLAN: Which you have not found persuasive today?
MR. FEATHER: We have not found it persuasive today, no.
MS. DE STEMPLE: We found out that data can be useful as part of an
investigation, but we have not been convinced that it is the big piece
that is going to help them solve the crime. It is one of the many
pieces that will help them to solve a crime. We have not been convinced
that their evidence is compelling. Most of the evidence that they have
given to us relates to mobile phones and telephone calls rather than to
communications data to ISPs. Even if we look at the requests we are
getting now, even without a regime of data retention, we do not get
many requests for communications data. 99.9% of our requests are on
identifying the customer.
MR. FEATHER: Name and address of subscriber. Perhaps I should add
that there is a reasonable case to be made that that should be met
under a different regime from everything else. For example, this
additional authorities stuff that we were talking about under RIPA, if
those additional authorities could only request name and address from
telephone or e-mail, then there would be much less concern, I think,
because that is the sort of thing they are using their existing powers
for, or the ones who have existing powers.
MR. ALLAN: It still might be under a data protection-type regime,
because all you are doing is linking one identifier with a set of
personal identifiers.
MR. FEATHER: It is RIPA which gives them the power to do that. It
is regulating investigatory powers, not just regulating communication
powers.
MR. WHITE: We are coming to an end now, and I do have a couple of
questions. You had a rather traumatic experience with the Home Office
last summer when RIPA came in. Are there any lessons which you have
drawn from that experience about how such things can be avoided in the
future?
MR. FEATHER: I think plenty of consultation is the most important.
When RIPA came in in 2000 there was a certain amount of consultation
over the Bill but many of the flaws in it were still being addressed at
the Committee Stage and at Third Reading Stage. More recently, we have
seen a lot of consultation on statutory instruments and things like the
draft Communications Bill, which gives people time to spot the problems
and get them fixed.
MR. ALLAN: Pre-legislation scrutiny?
MR. FEATHER: I think both informal and formal is actually very
helpful, in particular, in technology areas where what Parliamentarians
think the words mean are not always what the technicians think the
words mean. If I had time, I could give you some examples of that.
MR. WHITE: I appreciate this point is slightly outside the terms of
our reference, but I know you made some representations on the need to
up-date the Computer Misuse Act and misuse of denial of service. Do you
have any comment to make on that?
MR. FEATHER: Very briefly. There is a thing called distributed
denial of service where, basically, the perpetrator co-ordinates lots
of computers to make of themselves legitimate requests to a target
machine, and the machine is just swamped by the sheer number of
requests. It is unclear that that is an offence at present because you
are not actually doing anything that the machine is not supposed to do.
So you are not trying to break into the machine; you are not trying to
make it do something wrong, but you are merely trying to overload it.
If you can get 10,000 people to queue in front of something, that is
going to stop the legitimate use of it, but none of those people are
actually doing anything wrong.
The Computer Misuse Act was written in the days when you had these
big mainframes which people walked up to or dialled into them with a
telephone. It was not written for the days of the Internet. It needs
up-dating. The technology moves very fast. Whilst it is generally a
good Act, I think it needs up-dating.
MR. WHITE: Is there anything that we have not talked about this morning that you feel we ought to include in our report?
MR. FEATHER: I think we have just about covered everything.
MS. DE STEMPLE: Thank you.
MR. WHITE: Can I thank you very much for coming. I have found your
evidence extremely informative. I have no doubt it will form a key part
of our report. Thank you very much.
(The witnesses withdrew)