Mythic Beasts position on Electronic Communications Data Retention (EC Directive) Regulations

This page describes our position on the Electronic Communications Data Retention (EC Directive) Regulations, a transposition of European Directive 2006/24/EC. At time of writing (12th January 2009), the Government have stated that implementation is planned for "no later than 15th March 2009" but a final version of the Regulations is not available. There has been some recent coverage of this legislation, including a BBC News article.

As we understand it, this will be part of the Communications Data Bill, currently scheduled for inclusion the 2008/9 legislative program. The consultation period for the transposition of the directive ended last October, and the Government said that a draft bill would be made available on the Home Office website last year. So far as we can tell, it has not been.

The government have stated that this bill is intended to implement EU Directive 2006/24/EC. This directive explicitly says (Article 2, para 2) "No data revealing the content of the communication may be retained pursuant to this Directive." Although the BBC article tacitly acknowledges this to be the case, many of the secondary news stories that it has generated have failed to appreciate this.

At present we are assuming that the government will require us to retain the information mentioned in directive 2006/24/EC and nothing beyond that. When (if?) the legislation finally passes through parliament, we will look again and check. Clearly the requirement to retain this information cannot begin until the enabling legislation has been passed, and this may well not happen before the 15th March deadline set by the EU.

If the issue is of particular concern to you, we would recommend reading Article 2 of that EU directive – once you ignore parts that only concern telecommunications, it's quite short. From our reading of it, we believe that we need to keep no information over and above what we routinely keep for diagnostic purposes.

Specifically, we believe we need to retain:

the sending user's user ID for mail originating on any server maintained by us (such as our shared hosting servers or shell account servers, but not client-maintained virtual servers);
the IP address from which we receive email (if not originating locally);
the receiving user's user ID for mail delivered on any server maintained by us;
the recipients' email addresses (i.e. Envelope-To, but not specifically the To, CC, Bcc, etc. headers);
the date and time at which users log in to and out of our servers and/or webmail interfaces;
the IP address from which a user SSHs into our servers and/or accesses our webmail;
the name and address of all of our users, as supplied to us.

In other words, the information stored in the log files for exim and ssh – all information that we retain for sometime anyway, because customers often ask us questions about email that has gone astray. We do not and will not retain the contents of emails including any of the mail headers except as noted above.

For customers who colocate (or rent) their own dedicated server or virtual server, if they choose not to use our mailhub, we will not retain any logs whatsoever. This is allowed because we are not acting as a mail provider for those customers – they are effectively their own mail provider.

The EU directive requires us to keep this data for at least six months and no more than twenty-four. It is our intention to keep the data for the minimum time permitted. (We currently keep it for about a fortnight – the exact length varies – so this will be a big increase.)

The logs are only ever stored in servers owned and controlled by Mythic Beasts and physically located in the United Kingdom, and would only be disclosed in response to a court order or, to the extent that the Communications Data Bill requires us to, at the request of competent law-enforcement agency. Neither off-site backups, nor (frequently) on-site backups of the information are retained: we believe that storing the information on a RAID device constitutes "appropriate technical ... measures to protect the data against ... accidental loss".

We don't in the least like legislation of this sort and believe that it is a gross violation of our users' privacy, that retaining it for six months puts an unnecessary burden on us, and have doubts about the ability of relevant law-enforcement agencies to interpret the information even if it were disclosed to them. We are certainly not going to jump through hoops to conform to it beyond the minimum possible. But equally, unless there is an exception for small ISPs (there has been in the some previous legislation) we cannot ignore it completely.