Two Years for European ISP’s Data

December 15, 2005: In a majority of 378 to 197, the European Parliament has just made investing in data management an even more sensible option by passing a bill requiring all European ISPs and Telcos to retain all data for two years relating to digital communications. This includes phone data such as that which occurs when a number is dialled but nobody picks up.

According to the BBC, the bill will cover:
Data that can trace fixed or mobile telephone calls
Time and duration of calls
Location of the mobile phone being called
Details of connections made to the internet
Details, but not the content, of internet e-mail and internet telephony services

Storage Not All
From a storage and data management perspective, the retention of data for 24 months will obviously boost requirements. However, it should also be understood that the bill only relates to data about communications such emails, text messages, telephone calls; it does not relate to the actual content. Nevertheless there will still be a major increase in the necessity to spend hard cash on soft and hardware by ISPs of all sizes.

The devil, as ever, resides in the detail, however. And given the Byzantine nature of EU law, the detail may still see ISPs and Telcos breathing sighs of relief. In order to become operative, the legislation must be read into local law in each of the 25 EU states – which currently have only agreed that data should be retained for a period of between six and 24-months. So this may well simply be a case of flag-waving in the ‘War Against Terror’ rather than the introduction of legislation that carries any real weight.

That said, it would certainly be short-sighted from an Asia Pacific perspective not to start planning for this kind of law. As Rob Stirling, a board member for the Storage Networking Industry Association (SNIA) points out: “While anti-terror legislation such as this should be applauded without good management, all this data will simply become a bucket of junk. We should look at this European legislation and ensure that there is suitable workflow in place.”

When pressed on the proposition that this kind of legislation must surely benefit SNIA members in terms of increased revenue-earning potential, Stirling points out: “SNIA doesn’t support storage per se. It supports sensible storage and management.

Stirling’s considered approach is reinforced by Mark Heers of Netapps who told IDM today, “You can’t search what you don’t have – but you have to clear from the outset about what information you want to be collected. A rough calculation for a large Australian would see petabytes (1,024 terabytes) of data stored in one year – and how can an ISP prove that any of that data has not been tampered with? Do you encrypt that data?”

Consulting Director for Fujitsu, Kip Frame, agrees that – at least in the Telco space - the major questions here are not predicated on cost of storage in and of itself as most carriers retain Call Detail Records (CDRs) either for CDR billing purposes. In the case of a large Australian Telco, this can already mean holding upwards of 50 million CDRs per day.

Frame’s personal experience meant that in one situation he was able to access carrier data for up to 12 months. “There won’t be much (storage) pain initially. I think they will be asking ‘what is next’? The real cost is not how much to store but how they are mandated to store the data. Raw storage is very, very cheap. The real cost comes when you want many people to carry out unstructured searches on the data. The costs will come when the EU wants to audit it all.”

The case of ISPs, however, is different. Although ISPs cache web pages for anything from seven to 21 days, retaining instant message, file sharing and email transaction logs for 24 months and also enabling relevant and timely discovery of all these bits and bytes will undoubtedly put a strain smaller organisations.

No Current Plans
Speaking to IDM today, Telstra spokesman, Rod Bruem, stressed that while the company had not had time to fully digest the news from Europe,” You can’t automatically assume that what happens in Europe will happen in Australia (however) we’d  be very concerned about any move in Australia to introduce any more onerous red tape.”

The view from the storage manufacturer’s side as expressed by Quantum’s, Craig Tamlin is obviously less doom-ladened: “This (bill) has probably been introduced with no procedures to access and audit the data in place. What it would mean to us, in the event that the legislation was mirrored in our region, would be that people would have to look for lowest cost storage – and that is still tape.”

The view from Graham Schultz, Brocade’s Country Manager for Australia and New Zealand, was similar in terms of feeling if not as medium-specific: “It has ramifications on a lot of areas. The challenge for the Telco’s is to ensure their infrastructure has the capacity to deal with the new legislation requirements. This means building up their SAN infrastructure from a switching perspective.” 

Compliance
David Havyatt, Head of Regulatory Affairs at major Australian service provider, AAPT, takes a down-to-earth approach based on many years expert experience. “A retention period of two years (for CDRs) is not far away from what there is now – if you think in terms of auditing of billing records. Email, however, is more complicated due to the number of ISPs that can possibly be involved in their transport. We don’t usually track this.

Having explored various areas of existing Australian telecommunications and privacy law, IDMis astonished to discover a lack of clear guidelines in either the ISP or Telco areas. In the event that the EU model was transported to our region – bringing with it another level of compliance and all that accompanies it – it will be interesting to view the effects.

What is your view on the EU data retention bill?

Related Article:
Workshare updates compliance software