ISP email law changes meet stiff opposition

New rules set to come into force in March will require all Internet Service Providers (ISPs) to keep information about every e-mail sent or received in the UK for a year.

As the day grows closer so the opposition becomes more vocal.

The Home Office says that the data - which will not include the content of the emails - will be essential as it tackles high profile crimes like terrorism. But other groups and experts are concerned that it represents the thin end of the privacy wedge. Add to this the government's previous track record in handling personal data, which puts its role as guardian under greater scrutiny.

In December, the UK's privacy watchdog, the Information Commissioners Office, raised its concerns in a statement. "It is likely that such a scheme would be a step too far for the British way of life," it said.

"Creating huge databases containing personal information is never a risk-free option as it is not possible to fully eliminate the danger that the data will fall into the wrong hands. It is therefore of paramount importance that proposals threatening such intrusion into our lives are fully debated."

Today, Chris Mayers, chief security architect at Citrix, added: "The Government's responsibility is to uphold national security and protect the public. Building a single national database that holds information about every email sent will achieve neither aim. A centralised database merely magnifies the security and privacy risks. With the continuing spate of data leakages, the public is unlikely to feel confident in the security of the database. It is hard to see any public benefit of such a database, whatsoever."

Earlier this week, it was revealed that the Home Office was also supporting calls to let the police use hacking techniques to remotely access personal computers. This proposal was also attacked by privacy and security experts.

Gary Clark, vice president at SafeNet, said, "It goes without saying that it's been a catastrophic year for data loss. Over the past 12 months, consumers have been left vulnerable because of the lackadaisical approach to protecting data."

He added: "All organisations have a responsibility to protect the information they hold. The public should be able to trust that they are using stringent practices to secure data and have the necessary safeguards in place to protect it. These include identifying process weaknesses, adopting robust security standards and, most importantly, encrypting all sensitive data."

The rules, which come from the European Commission (EC), are due to come into force on 15 March. Under them, any public body that makes a lawful request will be able to access data. The EC said that to aid the practice, the government might have to fund it, paying ISPs between 25 million and 70 million.

Perhaps unwisely, the EC has its annual conference on Computers, Privacy and Data Protection the day after on 16 March. Here it will seek to bring together policymakers, academics, practitioners and activists with the aim of "Identifying and addressing new challenges to be faced by computer privacy and data protection."

The UK Government must pass legislation this year and it has promised to publicly consult on the issues involved.