Data retention and VPN logging in the United Kingdom

Douglas Crawford

May 3, 2013

The UK has a justifiably very poor reputation when it comes to online surveillance, although thanks to government coalition partner and Deputy Prime Minister Nick Clegg’s recent (April 2013) refusal to support the CCDP ‘web snooper’s charter’, this particularly odious piece of legislation, aimed at creating a ubiquitous mass surveillance scheme, is now on a back-burner.

As in many other countries, successive UK governments have used every possible tactic, from scaremongering about the threats posed by terrorism and paedophilia to taking the moral high ground over piracy (despite growing evidence that piracy, if anything, has actually increased sales), to push for legislation that tramples over its citizens’ rights and freedoms.

The EU Data Retention Directive

The UK is in full compliance with this EU-wide Directive, and is one of the countries that most often access and act upon the information obtained as a result of it. It does this with little or no judicial oversight, and over 200 agencies and police forces have been authorized to access personal data logged by ISPs and VPN providers, including the following:

  • All regional Police forces
  • National Criminal Intelligence Service
  • Serious Organised Crime Agency
  • HM Customs and Excise
  • Inland Revenue (the latter two have been merged into HM Revenue and Customs)
  • Security Service
  • Secret Intelligence Service
  • Government Communications Headquarters
  • Food Standards Agency
  • Local Authorities
  • The National Health Service

All telecoms data (including all data from ISPs and VPN providers) must be kept for a minimum of one year (and a maximum of two years), and must include enough information to:

  • trace and identify the source of a communication
  • trace and identify the destination of a communication
  • identify the date, time and duration of a communication
  • identify the type of communication
  • identify the communication device
  • identify the location of mobile communication equipment

The list of justifications for which the above agencies can access this information is similarly broad:

  • in the interests of national security
  • for the purpose of preventing or detecting crime or of preventing disorder
  • in the interests of the economic well-being of the United Kingdom
  • in the interests of public safety
  • for the purpose of protecting public health
  • for the purpose of assessing or collecting any tax, duty, levy or other imposition, contribution or charge payable to a government department
  • for the purpose, in an emergency, of preventing death or injury or any damage to a person’s physical or mental health, or of mitigating any injury or damage to a person’s physical or mental health
  • for any purpose (not falling into the above) which is specified for the purposes of this subsection by an order made by the Secretary of State.

In 2009 the UK government (and authorised agencies) made over half a million requests for communications data, but has now stopped making these numbers public.

The HMA ‘Lulzsec fiasco’

A high-profile incident in September 2011 served to highlight the fact that using a UK VPN provider is no guarantee of anonymity. Cody Kretsinger, a member of the notorious hacking collective LulzSec, was arrested and charged with hacking the Sony Pictures website.

It soon became apparent that the arrest was a result of London-based VPN company Hide My Ass (HMA) handing over logs to the FBI. The FBI had traced the attack to an IP address owned by HMA, and quickly obtained a court order (similar to a subpoena in the United States) requiring HMA to hand over its logs (which it kept in compliance with the EU Data Retention Directive), which it promptly did.

This created a storm of outrage on the internet, and illustrated the problem that VPN providers, whose stock-in-trade is providing their customers with privacy when online, have in countries such as the UK which require that logs be kept and handed over when requested. Although Hide My Ass put up a spirited defense of their actions (perfectly legitimately pointing out that their service is not intended to shield criminal behaviour), the incident served to show that privacy can only be guaranteed where a VPN company keeps (and can keep) no records, and prompted net neutrality and torrent activist organization TorrentFreak to create a list (recently updated) of VPN Services That Take Your Anonymity Seriously.

The Communications Capabilities Development Programme (CCDP)

Almost universally reviled, even by many members of the (senior coalition partner) Conservative Party, the so-called ‘snooper’s charter’ aimed to force communications companies to log every telephone call, email, text message and social network post (including Facebook and Twitter) of every resident of the UK.

Announced in May 2012, the CCDP is a watered-down version of the Digital Economy Act which was pushed through by the previous Labour government before the 2010 elections, but which had stalled due to legal challenges (ironically, when in opposition the Conservative Party were one of this bill’s main opponents). Despite massive cross-party opposition, large-scale public concern, and the government’s self-appointed Joint Committee report slamming the bill as “overkill” and “trampl[ing] on the privacy of British citizens”, Prime Minister David Cameron and Home Secretary Theresa May continued to express a determination to force through the legislation before the next general election.

Fortunately, the Deputy Prime Minister and leader of the junior coalition partner Liberal Party, Nick Clegg, chose to veto the bill on 26 April 2013, so for the time being we have probably seen the last of it. However, given that the Liberal Party are unlikely to retain influence following the next election, and that both the main political parties want the legislation passed, it is likely to resurface in the not-too-distant future.

Like SOPA in the US and ACTA (worldwide), the CCDP was largely the result of large-scale lobbying by the entertainment industry, aimed at preventing copyright theft. Not only would all communications providers have been legally required to log all information about all customers, but the government plan involved the installation of ‘black box’ hardware to monitor and store the data.

DMCA Takedown Notices

The DMCA (Digital Millennium Copyright Act) is a US-only piece of legislation, and can be enforced only on US-based telecoms companies (and possibly those with servers located on US soil). However, VPN companies in the UK regularly receive these takedown notices, and generally comply with them, as damages can still be pursued in US courts (which will most likely result in a win for the copyright holder). Once a judgment has been made in a US court, the copyright holder can pursue the matter through the UK courts, something most VPN providers would prefer to avoid.

In addition to this, the UK has a similar mechanism, the Cease and Desist Order, which while not as clearly defined as the DMCA Takedown Notice, serves a similar purpose.

UK Censorship of BitTorrent websites

While not strictly about ‘data retention and VPN logging’, moves by the British government to block access to popular BitTorrent websites at the IP level will likely be of interest to most VPN users.

Despite Britain’s government-appointed communications regulatory body Ofcom’s report stating that ‘… the blocking of discrete URLs, or web addresses, is not practical or desirable as a primary approach’, in April last year (2012) the UK High Courts, under pressure from the British Phonographic Industry (BPI), ordered ISPs to block access to the notorious Pirate Bay website, and the ban was quickly implemented by the UK’s major ISPs: TalkTalk, Virgin, O2, Everything Everywhere, and BT.

Despite being widely circumvented through the use of VPN, proxies and mirror websites (in fact the ban initially led to a surge in Pirate Bay visits from UK users), the High Courts extended the ban to fellow BitTorrent websites Kickass Torrents (KAT), H33T and Fenopy in March this year.

The Deputy Prime Minister’s veto of the CCDP is great news, and offers at least a temporary reprieve for the UK from one of the most far-reaching and intrusive attacks on personal liberty yet seen in a so-called free western democracy.

However, Britain’s full compliance with the EU Data Retention Directive*, plus the aggressive anti-piracy stance of the UK government and legal system make the UK an unsuitable location for VPN providers who are dedicated to maintaining their customers’ anonymity.

The bottom line is that UK providers (and possibly any provider facing a legal challenge over the use of servers located in the UK) simply cannot guarantee privacy for their users.

*It should be noted that some EU countries, although subject to the Data Retention Directive, have either had it ruled unconstitutional (e.g. Romania, the Czech Republic and Cyprus), or have ruled that the Directive does not apply to VPN providers (e.g. the Netherlands, Sweden and Italy), and are therefore good locations for a VPN provider.
