Where’s your digital footprint today?

Well, it’s probably in the same places it was on Sunday. The difference is that, as of yesterday (Monday April 6th 2009) it will remain stored for at least 12 months in some of those places, under the European Commission’s Data Retention Directive (to which the UK has signed up).

This augments powers put in place 18 months ago, making it a legal requirement for telecommunications carriers to retain records or mobile and land-line phone connections for 12 months. The new Directive adds internet traffic and internet-borne voice calls to that list of retained data.

The claim is that this policy is proportionate because it requires the retention only of the ‘meta-data’ about a call (who made it to whom, when and from where; which websites were visited, and so on) rather than the content.

However, in a number of relevant aspects, the proportionality of the policy is clearly questionable.

First, the Directive requires the retention of all users’ traffic data: there is no provision for limiting it only to those individuals who are already under suspicion in some accountable way.

Second, as Tom Espiner notes in his piece here, rather than introducing the new laws on a ‘minimal disclosure’ basis with strict accountability measures in place,

“[c]urrently, covert surveillance, such as accessing the data retained under the Data Retention (EC Directive) Regulations 2009, can be authorised in local authorities by junior executive officers. The Home Office said it is considering raising the level of authorisation to senior executives, with possible oversight by elected councillors.”

If that rings a bell, you may recall that RIPA (Regulation of Investigatory Powers Act) was introduced on a similar basis, and was subsequently found to be being abused for purposes such as snooping on misplaced dog-poo. As far as I am aware, the promised Home Office consultation on now RIPA use might be better regulated has yet to happen. Which strikes me as odd, given that the word “Regulation” is prominent in the title of the Act.

For other perspectives on the Data Retention Directive, you may want to read the markedly low-key BBC article here, or the thorough (as ever) SpyBlog analysis here.