Web surveillance - who’s got your data?

Rory Cellan-Jones
Technology correspondent
@BBCRoryCJon Twitter


The government's plans to extend surveillance of our communications to cover email, the web and social networking have provoked quite a storm, with MPs from across the political spectrum joining with privacy campaigners to express concern.

I'll leave coverage of that to my political colleagues - but let's turn to the practicalities, and how this surveillance might affect you and me. Or, to be selfish, me.

From what we know of the plan, it involves asking Internet Service Providers and mobile phone companies to store records of users' email and web traffic - not the content, but the destination. So the companies could be asked to hand over details of who you emailed and when, not what you were talking about.

So how much of that data do they store already? I approached Virgin Media, my current Internet Service Provider, O2, a mobile phone network I use, and Google, which provides my personal email, to ask them for details of what they knew about me - and how much effort it would be to collect more data. Here's what I found:

Virgin Media

My ISP Virgin Media says it doesn't store any data on my personal web or email use, though it does collect data at a network level to understand the overall patterns of traffic.

If it is served a warrant, though, it can allow the authorities to access data about an individual customer's web and email use. As far as I understand it that could include web-based email services like Hotmail and Gmail. The company was keen to stress that there are very strict limits on how many such warrants can be issued, under the Regulation of Investigatory Powers Act, and Virgin itself doesn't get to see or keep that data involved.

So what happens if the government does want to go further? The company was reluctant to go into any detail, but I get the impression that starting to collect data on my web and email use on a routine basis would be a complicated operation, but by no means impossible.

Now I was left a little confused here because my understanding was that secure web-based email such as Gmail, where HTTPS pops up in your browser, could not be accessed by your ISP. So I then turned to Google.


As a user of various Google services, from search to Gmail, I know that the company does have plenty of data on me. For example, it obviously knows who I've emailed and when - the sort of information that the government may want to see in the future.

Google pointed me towards its transparency report which details requests for user data from the UK authorities. Between January and June last year, it received 1,279 such requests, and complied with 63% of them.

But what about that secure web email question? Here, Google had a different story from Virgin Media. The search firm insists that when I send an email from my Gmail account on my home broadband connection using SSL - the secure system - Virgin can't see who I'm emailing.

In other words, the security services may be more interested in targeting the likes of Google than your ISP if they want to know who you're talking to.


My mobile phone network, O2 pointed me towards their privacy policy which details what kind of information they collect. It's quite a list:

"Phone numbers and/or email addresses of calls, texts, MMS, emails and other communications made and received by you and the date, duration, time and cost of such communications, your searching, browsing history (including web sites you visit) and location data, internet PC location for broadband, address location for billing, delivery, installation or as provided by individual, phone location."

The policy says it can be disclosed to third parties "where required by law, regulation or legal proceedings", under the same rules which Virgin mentioned. The data is retained "for not less than six months and not more than two years".

What seems clear from this is that both Google and the mobile networks already collect plenty of data which might be of interest to the police and intelligence services - and which they can already access, subject to quite strict controls. A move to make it easier for the authorities to access that data might not impose much of an extra burden on them.

For ISPs like Virgin Media, however, it seems to be a different story. They will have concerns about the cost of collecting this information and the impact on their relations with their customers. And, given how disgruntled ISPs are already over plans to force them to police copyright abuse on their networks, prepare for a battle over what they will see as a new burden.