Feeds

Brussels tables data retention law

All your data are belong to us

  • alert
  • submit to reddit

Secure remote control for conventional and virtual desktops

The European Council has quietly proposed pan-European data retention laws that will require communications service providers to keep user data for a minimum of a year, and possibly indefinitely.

The draft framework will apply to data generated by an exhaustive list of comms architectures and protocols: phone, text, MMS, email, Voice over IP, and Web communications among them.

It has been rather hastily published in line with the European Council declaration that followed the bombings in Madrid. In this declaration, the Council said it would bring forward the debate around data retention. The fact that this document surfaced so quickly suggests, some say, that it has been floating around for some time.

The draft is very broad in its scope, and very loose in its definitions, which may sound familiar. The stated aim is not to store content, just the data generated by the flow of traffic, and its associated user information. However, as Joe McNamee of lobbying group Political Intelligence points out, at no point does this draft specify exactly what consitutes content, and what constitues traffic data.

Broad and loose

Consider article 2.3, part(c). This states that service providers will be required to retain FTP logs. Are these content, or traffic data? This question needs to be resolved, especially as (in article 2.4) the draft makes the provision that it will cover all future communications technologies too.

It is also noticeably imprecise about how long the information must be kept for: article 4.1 provides a time bracket of between 12 and 36 months, but goes on to say that it may be kept for longer if the member state feel it is neccessary.

Draconian, you might think. Bound to get the civil libertarians up in arms? But wait: 4.2 contains the get-out clause. It says that any member state can derogate from 4.1 (i.e. ditch it), should they feel it is unacceptable.

"Sometime the most effective thing you can do, politically, is not be rigid," McNamee says. "This clause is very clever. It gives a perfect counter-argument to any criticism without actually backing down: the Council can always argue that it is not forcing the legislation on any of its member states, even though it is extremely unlikely that any will actually take advantage of the option."

In the covering letter, the writers explain that although this kind of retention of data may constitute an "interference in the private life of an individual", this doesn't violate European law, provided the interference is "appropriate and strictly proportionate".

Is it legal?

It is interesting, then, that 18 months ago both Ireland and Sweden said they had no problems (see question five in the link) that would be solved by tighter laws on data retention.

This raises a fundamental question about this proposal: is it legal? Is it possible to reconcile the proposed data retention requirements with the fact that two of the countries putting the draft forward say they have no need for such laws? How can legalising interference in a person's private life be judged appropriate or proportionate by either Ireland or Sweden?

This isn't just a question of nosy politicians snooping on the citizens they are supposed to be representing. It has implications for businesses too. The costs of complying with any resulting legislation will almost certainly be passed to the service providers, for instance.

It is a wide range of data that companies will need to store,and they will need to store it very safely, or they will fall foul of other legislation. In the UK, we are already struggling to implement data protections laws properly, for example. This will certainly add to the confusion, as keeping data you don't need to keep is strictly an abuse under the Data Protection Act (DPA). But not keeping it will mean you violate the data retention laws.

But what of those innocent citizens whose digital movements will be tracked? Everything you do online must be recorded: that means that FTP logs about images you download, even in a spam email, are kept on a database somewhere. "If I was Joe Public, I don't think that would make me feel very secure," McNamee concludes. ®

Related stories

US defends cybercrime treaty
French ISPs to carry the can for dodgy content
UK firms must monitor staff IMs
EC: implement e-privacy directive or else
Govt restricts access to snooping powers
Net snooping to cost UK taxpayers £100m+. A year

Secure remote control for conventional and virtual desktops

More from The Register

next story
Phones 4u slips into administration after EE cuts ties with Brit mobe retailer
More than 5,500 jobs could be axed if rescue mission fails
Apple CEO Tim Cook: TV is TERRIBLE and stuck in the 1970s
The iKing thinks telly is far too fiddly and ugly – basically, iTunes
Huawei ditches new Windows Phone mobe plans, blames poor sales
Giganto mobe firm slams door shut on Microsoft. OH DEAR
Phones 4u website DIES as wounded mobe retailer struggles to stay above water
Founder blames 'ruthless network partners' for implosion
Apple Pay is a tidy payday for Apple with 0.15% cut, sources say
Cupertino slurps 15 cents from every $100 purchase
Forget silly privacy worries - help biometrics firms make MILLIONS
Beancounter reckons dabs-scanning tech is the next big moneypit
Microsoft's Office Delve wants work to be more like being on Facebook
Office Graph, social features for Office 365 going public
prev story

Whitepapers

Secure remote control for conventional and virtual desktops
Balancing user privacy and privileged access, in accordance with compliance frameworks and legislation. Evaluating any potential remote control choice.
Saudi Petroleum chooses Tegile storage solution
A storage solution that addresses company growth and performance for business-critical applications of caseware archive and search along with other key operational systems.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
Security for virtualized datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.
Providing a secure and efficient Helpdesk
A single remote control platform for user support is be key to providing an efficient helpdesk. Retain full control over the way in which screen and keystroke data is transmitted.