As part of the stand against crime and terrorism, the plans would require ISPs and telecoms providers to pass on information which would be stored in the database for twelve months, where it could be accessed by police and secret services after gaining authority from court.
Given the government’s recent history with data protection – most notably the loss of two discs containing the personal details of 25 m child benefit claimants last November – the proposal has invited a cynical response; not least because the retention of such a huge proportion of information in a single place may make it ripe for catastrophic data breaches and potential attacks.
“I’m not sure we’re out of the woods with HMRC.” says George Fyffe, director for EMEA for database security company, Application Security. “It doesn’t auger well for them taking on an even bigger database. It makes you shudder.” Referring to the data loss of November, Fyffe worries that “a junior guy was allowed to copy data and send it out on two CDs. Had they been monitoring him? That quantity should have raised a flag.”
It was revealed earlier this month that 600 HMRC staff had been disciplined, but it may still take time for the government to elicit confidence from the people whose data it plans to store.
CEO of Application Security, Toby Weiss, expressed concern over the declaration itself. “I doubt people knew the data [of child benefit claimants] existed. Now we have a declaration practically telling the bad guys where certain information will be. They’ll be lining up around the corner to break in.”
The proposal suggests that the database will not store the content of calls and emails, just the endpoints in order to examine communication patterns. Critics however point out that such a database would not be built if the information wasn’t valuable.
The plan raises the question of how companies will need to reassess their internal communication policies, as well as how the information will be monitored in transit.
“From an archiving [and] storage angle, this is a nightmare scenario.” insists David Vella, director of product management for GFI Software. “Individual companies are already having problems handling their own data, so one can only imagine the massive task ISPs would have to monitor the huge volume of data that all their clients are generating on a daily basis.
“Furthermore, after the 12 month period expires, how will the data be deleted? Who will be responsible to dispose off any tapes, secondary storage devices and backups used - that is if the government intends to have backups off-site?”
The plans are being considered for inclusion in the data communication bill, scheduled for later this year.