17th April 2009, 01:18 PM #1
UK e-mail law
Has anyone seen: BBC NEWS | UK | UK e-mail law 'attack on rights' ?
My question is, would you say a school, who runs their own email system, is defined as an ISP? I think they would? Next question: does Exchange by default have enough information logged to comply with the law? I know there is a bit to exclude small ISPs, but for a secondary school it's not uncommon to have 2k users; would you say that's "small"?
From what I've been told the law states that you would need the following information with "appropriate technical ... measures to protect the data against ... accidental loss"
> the sending user's user ID for mail originating on any server maintained by you
> the IP address from which you receive email (if not originating locally)
> the receiving user's user ID for mail delivered on any server maintained by you
> the recipients' email addresses (i.e. Envelope-To, but not specifically the To, CC, Bcc, etc. headers)
> the date and time at which users log in to and out of our servers and/or webmail interfaces
> the name and address of all of our users, as supplied to you - (SIMS or any other MIS).
17th April 2009, 01:41 PM #2
A school isn't an ISP. Again the good old UK Government/UK press get their terminology incorrect. An ISP or Internet Service Provider has nothing to do with e-mail. They provide an internet service.
My question is, would you say a school, who runs their own email system, is defined as an ISP?
It may be the case the Government have decided to target ISPs who (more than likely) host or support a good chunk of e-mail accounts within the UK, but to be honest again I think their data is inaccurate.
The biggest e-mail provider in the world is Microsoft's Hotmail and they're not an ISP. I'd love to know who these advisors the Government employ are as I am pretty confident I would do a better job.
17th April 2009, 01:54 PM #3
I think the confusion is probably the distinction between providing a service as in a connection, and providing a service at a higher level, like email. 'Internet Service Provider' taken literally is a very, very broad term (hey, I'm one if you're loose about it).
Originally Posted by Michael
It's a pretty half-baked solution: what do I do? I run my own mail server, but it's not public to anyone else, so I don't believe I have to keep my logs. But that also means that if I'm accused of something, the logs aren't available for analysis. Therefore if I wanted to be a terrorist, I'd just build my own services.
(a big red alarm probably just went nuts in Downing Street now I've said that word...)
17th April 2009, 01:55 PM #4
If you read the PDF, the actual legal guff, ISP isn't used. ISP is just a friendly name for the provider of the internet based service. OK, generally not correct, but Joe Public doesn't get confused. I suppose it should be "Internet communications service" as per the PDF.
17th April 2009, 02:21 PM #5
Well, I know our Ipswitch IMail Server software logs everything they need other than full name and address, which we have on Facility anyways, so we're in the clear... but anyways...
All depends how you interpret "publicly available". As far as I'm concerned, our email servers aren't publicly available other than in a case of a member of the public can send an email to anyone within our network...
> on the retention of data generated or processed in connection with the provision of publicly available electronic communications services or of public communications networks and amending
Publicly available to me kind of implies that members of the general public can send emails FROM our network, or VIA* our servers, which they can't...
*(eg: that they could visit a page on our website, fill in a form that allows them to specify a destination email address and send mail out that way... which they can't)
So, a CyberCafe that runs its own mail servers and allows paying users to have their own account on those servers and to send email via those servers - they'd need to log everything.
Anywhere offering a webmail facility that people can sign up to - they'd need to log everything (eg: gMail, hotmail, the other usual spammer-attracting suspects).
A website that allows users to signup and send SMS messages from a web or desktop interface - they'd need to log everything.
If a member of the public can walk into your school, get an account set up on the network, log on, and send an email to an external address, you need to log everything. If a member of the public can't do that, then you don't need to log anything (other than for your own peace of mind - hence we do anyway).
17th April 2009, 02:39 PM #6
I know a lot of schools are doing a lot of "community" stuff, which could count as "publicly available".
I think they mean by "publicly available" you can email anyone. Again, that's just how I understand it. I think it's worth checking, better to be safe than sorry after all.
I think everyone's said it's rather unclear, I guess that was the point.
17th April 2009, 09:18 PM #7
There is already a thread about this if you search for Communications Data Bill (mods - please merge to original thread)
I have asked the question of both Becta and the NEN and it is being looked into.
According to the Directive, it applies to “public communications providers” which means
(i) a provider of a public electronic communications network, or
(ii) a provider of a public electronic communications service;
and “public electronic communications network” and “public electronic communications service” have the meaning given in section 151 of the Communications Act 2003 (c. 21):
• “public electronic communications network” means an electronic communications network provided wholly or mainly for the purpose of making electronic communications services available to members of the public;
• “public electronic communications service” means any electronic communications service that is provided so as to be available for use by members of the public;
So it may come down to a legal ruling on whether staff and students are classed as “members of the public” and this may differ from organisation to organisation.
When this was looked at for FE / HE by JISC the following article was published.
JANET pinpoints itself as a private network but still advises keeping logs, but schools differ from FE / HE which is why this is still being investigated.
Storing User Data - New Regulations
New regulations came into force on 6 April 2009 which require that details of user emails and internet telephone calls are stored by internet service providers (ISPs). The regulations (The Data Retention (EC Directive) Regulations 2009) apply to the retention of communications data relating to internet access, internet telephony and internet email.
The requirements for FE and HE institutions remain as laid down by JANET (which is regarded as a private network) and can be found here - ACTIVITIES: LOGGING AND DATA COLLECTION. Further details of the new regulations can be found on the BBC website at - BBC NEWS | Technology | Net firms start storing user data
If you are not using an RBC connection then I would advise contacting the provider of your feed and see what they have put in place. If they have put something in place then you only have to worry about people concerned about privacy invasion and can happily wait to see if schools are not deemed to be 'public', but if they are not then keep your eyes peeled to the threads.
As before ... updates when I have more info
(thanks to EMBC and Becta staff for support so far)