The debacle surrounding data retention in Europe (and Ireland) has been dragging on for the last couple of years.
Although it is a very important issue for service providers of all sizes and also has important implications for the public, press coverage of the issue has been poor at best. One possible explanation of the lack of press coverage is that the issues themselves are complex and highly technical. Another is that EU legislation is nebulous at best.
So what is it all about?
Who will be affected?
More importantly will it even do anything to “help” anyone in tracking down “terrorists”?
The current proposal carries this preface:
1. This Directive aims to harmonise the provisions of the Member States concerning
obligations on the providers of publicly available electronic communications services
or of a public communications network with respect to the […] retention of certain
data which are generated or processed by them, in order to ensure that the data are
available for the purpose of the […] investigation, detection and prosecution of […]
serious crime, as defined by each Member State in its national law criminal offences […].
2. This Directive shall apply to traffic and location data of both private and legal persons, as
well as the related data necessary to identify the subscriber or registered user. It shall not
apply to the content of electronic communications, including information consulted using
an electronic communications network.
The spirit of the directive is not abhorrent, however the implications and finer details of how it is implemented is.
If we examine some of the sections of the proposed legislation that would be of interest to internet usage:
Article 4
Categories of data to be retained
1. Member States shall ensure that the following categories of data are retained under this
Directive:
a) Data necessary to trace and identify the source of a communication
Simple enough? Not really.
Joe Citizen going about their business and not committing any criminal offence (the definition of which is left broadly in the hands of the member states) is unlikely to be consciously covering their tracks and would thus fall outside the remit of the directive. However if you were intent on committing a criminal offence you would probably use everything in your power to hide your traces, so what have they done to cover this?
(3) Concerning Internet Access, Internet e-mail and Internet telephony:
(a) The User ID(s) allocated.
(b) The User ID and telephone number allocated to any communication entering
the public telephone network.
(c) Name and address of the subscriber or registered user to whom an Internet
Protocol (IP) address, […] User ID or telephone number was allocated at the
time of the communication.
While a and b may already be stored for billing purposes c is problematic. It doesn’t actually identify a person – just an IP address assignment. If you consider the number of people using internet cafe’s, public wireless access points etc., etc., you quickly see how useless that information becomes. All they are really doing is forcing ISPs to hold onto large amounts of data that is of little or no use.
When they broach the subject of email it really does make you want to giggle (if you don’t feel like crying when you think of the SANs you will have to buy in order to retain all this useless data):
(3) Concerning […] Internet e-mail and Internet telephony:
(a) The […] User ID or telephone number of the intended recipient(s) of an Internet
telephony call.
(b) Name(s) and address(es) of the subscriber(s) or registered user(s) and User ID of the
intended recipient of the communication.
Yes of course. We really know who is behind mike143@somerandomdomain! I’ll give you their telephone number if you want.
Some other bits are even more amusing:
2. No data revealing the content of the communication can be retained pursuant to this Directive.
So if your mail logs include the email subject, which if used properly will tell you a lot about the content, you are meant to remove that part from the logs somehow?
Maybe these people are part of the “blank subject” school of thought?
However the “best” bit is:
Article 7
Periods of retention
Member States shall ensure that the categories of data referred to in Article 4 are retained for
periods of not less than 6 months and for a maximum of two years from the date of the
communication […].
But wait, wasn’t this directive’s intent to harmonise data retention? Maybe I missed something, but my understanding of “harmonise” would preclude such a wide variance in time periods.
It also seems to lack any logic.
If a person is in a country that retains the data for 6 months and they send something (obviously criminal) to a person in a country that retains the data for 8 months (or more) won’t the data be useless after 6 months and one day? You’ll only be able to piece together a small part of the communication …
Of course you may be worried about your data’s security and integrity:
Article 7bis
Data protection and data security
Without prejudice to the provisions adopted pursuant to Directive 95/46/EC and Directive
2002/58/EC, each Member State shall ensure that providers of publicly available electronic
communications services or of a public communications network respect, as a minimum, the
following data security principles with respect to data retained in accordance with the present
Directive:
(a) the retained data shall be of the same quality and shall be subject to the same security and
protection as those data on the network;
(b) the data shall be subject to appropriate technical and organisational measures to protect the data
against accidental or unlawful destruction, or accidental loss or alteration, unauthorised or
unlawful storage, processing, access or disclosure;
(c) the data shall be subject to appropriate technical and organisational measures to ensure that
access to the data is undertaken only by specially authorised personnel; and
(d) the data shall be destroyed at the end of the period for retention except those data which have
been accessed and preserved.
The provisions of the article maybe legally sound, but they are incredibly vague and, like much of legislation, open to a certain degree of interpretation. When it comes to data you do not have room for interpretation. Either you have it or you don’t.
Article 8
Storage requirements for retained data
Member States shall ensure that the data as specified in Article 4 are retained in accordance with
this Directive in such a way that the data retained and any other necessary information related to
such data can be transmitted upon request to the competent authorities without undue delay.
Which data? Here – have a few terabytes of logs. I’m sure you’ll have lots of fun finding anything really useful in there…
If they honesly expect to be able to gain any insight into anything from mail logs, server logs etc., then they really should have taken on board some of the concerns expressed by the ISPs.
It’s also nice to see that all mention of who is going to pay for this gargantuan project in data storage has been completely removed.
I can see network storage device vendors rubbing their hands with glee.
Course we’ll all either go bankrupt or have to revert to charging 90s prices to recoup or costs .. but the politicians will have got their nice headlines about how much they are doing on the war on terrorism, so I guess that makes it okay…
There will be a vote on the Data Retention on December 12th or 13th.
The Irish government seems intent on pursuing their objective of retaining data for up to 3 years.. Why? God only knows.
More info:
Digital Rights Ireland
EuroISPA in particular the papers section.
For an overview of why data retention is so complex and impractical Richard Nash’s paper is excellent reading:
Data Retention: Why is the ISP Industry concerned?
EDIT: Some of the other implications of the proposed directive are covered by EDRI
SAGE-IE – The Irish Systems Administrators’ Guild has a summary and links to some of the relevant legislation and statements from interested parties including a statement (MS Word format) from the IIA
Suw Charman’s piece puts it in the context of both the end user’s privacy and the cost to the ISPs
More information on the Internet Service Providers Association of Ireland website
Gents, I feel we need to form a cult. The purpose of this cult would be of one nature… Keep the term of “offsite backups” and forms of it secret. Very secret. :))) If a single idiot politician hears of such a thing… we are all doomed 🙂
If one single politician finds out the purposes for offsite backups, they will make us get armored trucks, fireproof datacenter doors and walls… and maybe confiscate scisors and matches on the way to work. Otherwise we are in danger of terrorist groups kicking down our door, beating up myself and whoever else did not ssh in that morning…. and burning down my ata over ethernet array… along with my costy IBM Tivoli san…. and I am sure the bastards will cut my DRBD synch cables…. causing another lengthy synch… sigh.
But seriously, we can all laugh all we want, that will not solve a single thing.
It is obvious that the decision makers behind the topic are not very knowledgeable… and probably never balanced books at an ISP…
Lets call ourselves…. The …. ummmm… Knights of the tux…. no…. i need more suugestions…. anyone?
Vasiliy – Is there similar crazy legislation in the US?
“I can see network storage device vendors rubbing their hands with glee.”
Hold on. We’re not the recording industry we don’t try to s**t on our customers. We’d rather you happy and buying a significant amount of gear over a number of years than p****d off and making a massive one time purchase because you’re forced to.
Booking a chunk of revenue in a quarter and then going dry is not good business.