EU Data Retention Directive – Golden rules for ISPs

In early 2009 the UK Home Office announced the second phase of the European Union Data Retention Directive (EUDRD). As a result, the responsibility for storing and managing all internet communication data is to be placed with internet service providers (ISPs). The legislation will affect ISPs in a number of ways, and there are several key considerations they need to address to ensure they fulfil its requirements.

The history of EU Data Retention Directive

In response to the London terrorist bombings in 2005, the European Parliament ruled that EU states must harmonise their provision and retention of fixed landline and mobile communications data. This was enforced in 2006 and required telecommunications companies to store records which can identify the caller and the time and the means of communication, but not the content of the communication itself. All member states were asked to make all information readily available to their law enforcement authorities should it be required for the purpose of investigation, detection and prosecution of crime. The legislation stated that this data must be stored for at least six months, but for no longer than two years.

In April, the second phase of the EUDRD was introduced, going one step further to incorporate all IP data, which must now be stored and be fully searchable. As a result, all internet-related communication data, including broadband access, internet telephony and email event data, must be retained for at least six months, but for no longer than two years. UK ISPs have just 18 months to ensure they are up to speed, and between now and then there are a number of issues they need to address to ensure they observe the ruling in the smoothest and most cost-effective way possible.

Options for ISPs

In complying with the EUDRD, ISPs broadly have three options for implementing an appropriate system:

Choose to build their own solution: On the face of it, this appears to be the most straightforward option, but the downside is that it involves creating a complete solution from scratch that could incur high implementation and maintenance costs. This can also be a risky choice, as the solution may not be secure enough, may not provide sufficient evidential quality or may not be able to meet the demanding performance requirements. There is also no guarantee that it will comply with the Directive.

Purchase a software application and commission the hardware separately: This presents a risk if the hardware ultimately proves insufficient for the application's performance demands, or can incur unnecessary cost if the hardware specification includes over-capacity to mitigate that risk.

Plug and play solution: The majority of ISPs are small and medium sized businesses that do not have the expertise or budget to build a system of their own from scratch. So the best option is to install a simple appliance that they can put in the corner of the office and that will operate smoothly by itself.

Five golden rules for compliance

One of the biggest challenges ISPs face is deciding the most efficient way to retain and organise their records so that they can be easily searched and retrieved. Since internet information is considerably more complex to interrogate than telecommunications data, providers need to consider their approach carefully.

There are five key issues that ISPs need to consider in complying with the EUDRD as follows:

Security – With today's compliance requirements it is vital to make sure that all data is securely retained and is protected from misuse and unauthorised access. ISPs need to put in place an automated system so that once data falls beyond the legal retention period it is immediately destroyed.

Proportionate access – The public is now more concerned than ever with who has access to its data, so only data that is both relevant and appropriate to an investigation should be disclosed to an authorised agency.

Legal evidence – Providers need to take meticulous care with all information they disclose. Failure to ensure that their data is accurate could result in unnecessary or inappropriate legal investigations and/or penalties for misuse.

Timeliness – All data retained should be collected and disclosed to authorities in a timely manner to avoid delays to investigative processes. Searching for IP data can be like looking for a needle in a haystack, so it is vital that the right system is in place.

Total Cost of Ownership – The solution chosen by ISPs should afford proportionate costs in terms of hardware, implementation and operation of the system, and deliver long-term value for the service provider.
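The first three rules (automated destruction once the retention period expires, proportionate disclosure, and records accurate enough to stand as evidence) are illustrated below with a small retention-policy enforcer. This is an added example written for this page; it is not CopperEye's product or any ISP's system. It assumes a simple in-memory store of event metadata (no message content is retained), treats the Directive's "six months to two years" window as 183 to 730 days, and uses constructed sample events rather than real subscriber data.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List

# Bounds stated in the article: at least six months, no more than two years.
# Expressing them as day counts is an assumption of this example.
MIN_RETENTION = timedelta(days=183)
MAX_RETENTION = timedelta(days=730)


@dataclass(frozen=True)
class CommEvent:
    """Event metadata only: who, when and by what means. No content field."""
    event_id: str
    occurred_at: datetime   # timezone-aware UTC
    service: str            # "email", "voip" or "broadband"
    subscriber_id: str
    peer: str               # the other party, e.g. an address or account


def validate_retention_period(period: timedelta) -> timedelta:
    """Reject a configured retention period outside the legal window, so a
    mis-set policy cannot silently keep data too long or destroy it too early."""
    if not MIN_RETENTION <= period <= MAX_RETENTION:
        raise ValueError(
            f"retention period of {period.days} days is outside the legal window "
            f"({MIN_RETENTION.days}-{MAX_RETENTION.days} days)"
        )
    return period


def purge_expired(store: Dict[str, CommEvent], period: timedelta,
                  now: datetime) -> List[str]:
    """Destroy every event older than the retention period. Returns one audit
    line per deleted event so the destruction itself is evidenced."""
    period = validate_retention_period(period)
    cutoff = now - period
    expired = [eid for eid, ev in store.items() if ev.occurred_at < cutoff]
    audit: List[str] = []
    for event_id in expired:
        ev = store.pop(event_id)
        audit.append(f"{now.isoformat()} PURGE {event_id} "
                     f"occurred={ev.occurred_at.isoformat()} cutoff={cutoff.isoformat()}")
    return audit


def disclose(store: Dict[str, CommEvent], subscriber_id: str,
             start: datetime, end: datetime) -> List[CommEvent]:
    """Proportionate access: return only the named subscriber's events inside
    the requested window, oldest first. Nothing outside the request leaves."""
    if end < start:
        raise ValueError("disclosure window end precedes its start")
    hits = [ev for ev in store.values()
            if ev.subscriber_id == subscriber_id and start <= ev.occurred_at <= end]
    return sorted(hits, key=lambda ev: ev.occurred_at)


def build_sample_store(now: datetime) -> Dict[str, CommEvent]:
    """Constructed sample events for the example; not real subscriber records."""
    def at(days_ago: int) -> datetime:
        return now - timedelta(days=days_ago)
    events = [
        CommEvent("e1", at(10),  "email",     "sub-100", "mail.example"),
        CommEvent("e2", at(200), "voip",      "sub-100", "sip:peer.example"),
        CommEvent("e3", at(400), "broadband", "sub-200", "session-start"),
        CommEvent("e4", at(800), "email",     "sub-100", "old.example"),
    ]
    return {ev.event_id: ev for ev in events}


def run_example() -> Dict[str, List[str]]:
    """Apply a one-year policy at a fixed 'now' and answer a request for one
    subscriber's last year of events. Returns the ids involved at each step."""
    now = datetime(2009, 6, 1, tzinfo=timezone.utc)
    store = build_sample_store(now)
    audit = purge_expired(store, timedelta(days=365), now)
    disclosed = disclose(store, "sub-100", now - timedelta(days=365), now)
    return {
        "purged": [line.split()[2] for line in audit],
        "kept": sorted(store),
        "disclosed": [ev.event_id for ev in disclosed],
    }


if __name__ == "__main__":
    for step, ids in run_example().items():
        print(f"{step}: {ids}")
```

Running it purges the two events older than a year (e3 and e4), keeps e1 and e2, and discloses only e2 and e1 for sub-100, in that order. The audit line written for each deletion is what lets a provider show, later, that expired data really was destroyed on schedule rather than merely forgotten.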

What the EUDRD means for ISPs

Communications data is a key piece of the puzzle used in investigations of serious crimes and threats to national security, and therefore it is essential that vital information is securely retained. Providers should consider that their existing storage systems might not have the capacity or ability to comply with the new legislative requirements. Unlike telecommunications companies, which often have extensive management capabilities, many internet service providers are relatively small in comparison and could find it harder to organise the volumes of data that the Directive demands.

To successfully comply with the EUDRD, ISPs must turn to solutions that are proven to support the new legislation and it is essential that they implement a system that is suitable to their size and needs whilst leveraging the most appropriate technology. The next 18 months are likely to be a challenging time for UK ISPs whilst they get up to speed with the requirements of the Directive, but by applying our golden rules to their strategy as a first step, they can be confident that they will be on the right track.

Duncan Pauly is CTO for data management specialist CopperEye
