ISPs threatened by 'snooping' government agencies

MPs have warned that government agencies must stop using a range of laws to demand access to records of people's surfing activities if ISPs are not to be forced out of business.

In a report on its inquiry into data retention, the All-party Parliamentary Internet Group (APIG) said that government agencies must pay more heed to the spirit than the letter of the law when demanding communications data from ISPs.

Communications data means IP addresses of websites that people visit, and addresses of emails; it is distinct from content, although many in the industry believe it is just as invasive.

Rules designed to regulate access to communications data are contained in the Regulation of Investigatory Powers Act (RIPA), which contains provisions for the home secretary to allocate money to compensate ISPs for the costs of providing data to government agencies such as the police.

But a wide range of government agencies can still access the data under different laws: Trading Standards officers have the power to demand records under Trading Standards Act, while Social Security officers have powers under the Social Security Act, and the Serious Fraud squad under separate powers, to name but a few. None of these are required to compensate ISPs for costs incurred during access demanded under these other laws instead of under RIPA.

ISPs already retain data for operational purposes - in case a system fails and they have to restore it - and they receive requests from various government agencies for this data.

But when the relevant part of the Anti-Terrorism Crime and Security Act (ATCS) comes into power later this year, and ISPs are forced to retain a whole year's worth of data, they are expecting a "flood" of requests from numerous agencies under numerous laws, and a corresponding rise in costs.

At Thus, costs are expected to be in the region of £5m, while AOL has estimated its costs at £30m to set up the systems and then a further £30m a year. The government is believed to have estimated the costs for data access under RIPA for the entire industry at £20m, but has no plans to address the costs incurred when agencies use other powers.

MPs say the only solution is legislation to ring-fence access to communications data so it can only be accessed by public authorities through the use of RIPA Part I Chapter II "and hence use of other legislation would be ineffective". This legislation would "prevent agencies from deliberately avoiding RIPA controls" by accessing communications data through a statutory gateway.

"We endorse the recommendation from (the UK ISP Association) that a memorandum of understanding be developed whereby those public authorities who currently access communications data would renounce use of their legacy powers," said APIG in its report. "We recommend that the Home Office bring forward legislation to prevent agencies from deliberately avoiding RIPA controls by accessing communications data through a statutory gateway."

The MPs also called for explicit criminal penalties in RIPA for those who use section data access notices without proper authorisation "or who deliberately abuse the system to obtain information to which they are not entitled".