Brussels tables data retention law

All your data are belong to us

The European Council has quietly proposed pan-European data retention laws that will require communications service providers to keep user data for a minimum of a year, and possibly indefinitely.

The draft framework will apply to data generated by a long list of communications architectures and protocols: phone, text, MMS, email, Voice over IP, and Web communications among them.

It has been rather hastily published in line with the European Council declaration that followed the bombings in Madrid. In this declaration, the Council said it would bring forward the debate around data retention. The fact that this document surfaced so quickly suggests, some say, that it has been floating around for some time.

The draft is very broad in its scope, and very loose in its definitions, which may sound familiar. The stated aim is not to store content, just the data generated by the flow of traffic and its associated user information. However, as Joe McNamee of lobbying group Political Intelligence points out, at no point does this draft specify exactly what constitutes content and what constitutes traffic data.

Broad and loose

Consider article 2.3, part (c). This states that service providers will be required to retain FTP logs. Are these content, or traffic data? This question needs to be resolved, especially as (in article 2.4) the draft makes the provision that it will cover all future communications technologies too.

It is also noticeably imprecise about how long the information must be kept for: article 4.1 provides a time bracket of between 12 and 36 months, but goes on to say that it may be kept for longer if the member state feels it is necessary.

Draconian, you might think. Bound to get the civil libertarians up in arms? But wait: 4.2 contains the get-out clause. It says that any member state can derogate from 4.1 (i.e. ditch it), should they feel it is unacceptable.

"Sometimes the most effective thing you can do, politically, is not be rigid," McNamee says. "This clause is very clever. It gives a perfect counter-argument to any criticism without actually backing down: the Council can always argue that it is not forcing the legislation on any of its member states, even though it is extremely unlikely that any will actually take advantage of the option."

In the covering letter, the writers explain that although this kind of retention of data may constitute an "interference in the private life of an individual", this doesn't violate European law, provided the interference is "appropriate and strictly proportionate".

Is it legal?

It is interesting, then, that 18 months ago both Ireland and Sweden said they had no problems (see question five in the link) that would be solved by tighter laws on data retention.

This raises a fundamental question about this proposal: is it legal? Is it possible to reconcile the proposed data retention requirements with the fact that two of the countries putting the draft forward say they have no need for such laws? How can legalising interference in a person's private life be judged appropriate or proportionate by either Ireland or Sweden?

This isn't just a question of nosy politicians snooping on the citizens they are supposed to be representing. It has implications for businesses too. The costs of complying with any resulting legislation will almost certainly be passed to the service providers, for instance.

It is a wide range of data that companies will need to store, and they will need to store it very safely, or they will fall foul of other legislation. In the UK, for example, we are already struggling to implement data protection laws properly. This will certainly add to the confusion: keeping data you don't need to keep is strictly an abuse under the Data Protection Act (DPA), but not keeping it will mean you violate the data retention laws.

But what of those innocent citizens whose digital movements will be tracked? Everything you do online must be recorded: that means that FTP logs about images you download, even in a spam email, are kept on a database somewhere. "If I was Joe Public, I don't think that would make me feel very secure," McNamee concludes. ®

Related stories

US defends cybercrime treaty
French ISPs to carry the can for dodgy content
UK firms must monitor staff IMs
EC: implement e-privacy directive or else
Govt restricts access to snooping powers
Net snooping to cost UK taxpayers £100m+. A year
