Feeds

Brussels tables data retention law

All your data are belong to us

  • alert
  • submit to reddit

3 Big data security analytics techniques

The European Council has quietly proposed pan-European data retention laws that will require communications service providers to keep user data for a minimum of a year, and possibly indefinitely.

The draft framework will apply to data generated by an exhaustive list of comms architectures and protocols: phone, text, MMS, email, Voice over IP, and Web communications among them.

It has been rather hastily published in line with the European Council declaration that followed the bombings in Madrid. In this declaration, the Council said it would bring forward the debate around data retention. The fact that this document surfaced so quickly suggests, some say, that it has been floating around for some time.

The draft is very broad in its scope, and very loose in its definitions, which may sound familiar. The stated aim is not to store content, just the data generated by the flow of traffic, and its associated user information. However, as Joe McNamee of lobbying group Political Intelligence points out, at no point does this draft specify exactly what consitutes content, and what constitues traffic data.

Broad and loose

Consider article 2.3, part(c). This states that service providers will be required to retain FTP logs. Are these content, or traffic data? This question needs to be resolved, especially as (in article 2.4) the draft makes the provision that it will cover all future communications technologies too.

It is also noticeably imprecise about how long the information must be kept for: article 4.1 provides a time bracket of between 12 and 36 months, but goes on to say that it may be kept for longer if the member state feel it is neccessary.

Draconian, you might think. Bound to get the civil libertarians up in arms? But wait: 4.2 contains the get-out clause. It says that any member state can derogate from 4.1 (i.e. ditch it), should they feel it is unacceptable.

"Sometime the most effective thing you can do, politically, is not be rigid," McNamee says. "This clause is very clever. It gives a perfect counter-argument to any criticism without actually backing down: the Council can always argue that it is not forcing the legislation on any of its member states, even though it is extremely unlikely that any will actually take advantage of the option."

In the covering letter, the writers explain that although this kind of retention of data may constitute an "interference in the private life of an individual", this doesn't violate European law, provided the interference is "appropriate and strictly proportionate".

Is it legal?

It is interesting, then, that 18 months ago both Ireland and Sweden said they had no problems (see question five in the link) that would be solved by tighter laws on data retention.

This raises a fundamental question about this proposal: is it legal? Is it possible to reconcile the proposed data retention requirements with the fact that two of the countries putting the draft forward say they have no need for such laws? How can legalising interference in a person's private life be judged appropriate or proportionate by either Ireland or Sweden?

This isn't just a question of nosy politicians snooping on the citizens they are supposed to be representing. It has implications for businesses too. The costs of complying with any resulting legislation will almost certainly be passed to the service providers, for instance.

It is a wide range of data that companies will need to store,and they will need to store it very safely, or they will fall foul of other legislation. In the UK, we are already struggling to implement data protections laws properly, for example. This will certainly add to the confusion, as keeping data you don't need to keep is strictly an abuse under the Data Protection Act (DPA). But not keeping it will mean you violate the data retention laws.

But what of those innocent citizens whose digital movements will be tracked? Everything you do online must be recorded: that means that FTP logs about images you download, even in a spam email, are kept on a database somewhere. "If I was Joe Public, I don't think that would make me feel very secure," McNamee concludes. ®

Related stories

US defends cybercrime treaty
French ISPs to carry the can for dodgy content
UK firms must monitor staff IMs
EC: implement e-privacy directive or else
Govt restricts access to snooping powers
Net snooping to cost UK taxpayers £100m+. A year

High performance access to file storage

More from The Register

next story
Dropbox defends fantastically badly timed Condoleezza Rice appointment
'Nothing is going to change with Dr. Rice's appointment,' file sharer promises
Audio fans, prepare yourself for the Second Coming ... of Blu-ray
High Fidelity Pure Audio – is this what your ears have been waiting for?
Did a date calculation bug just cost hard-up Co-op Bank £110m?
And just when Brit banking org needs £400m to stay afloat
MtGox chief Karpelès refuses to come to US for g-men's grilling
Bitcoin baron says he needs another lawyer for FinCEN chat
Zucker punched: Google gobbles Facebook-wooed Titan Aerospace
Up, up and away in my beautiful balloon flying broadband-bot
Apple DOMINATES the Valley, rakes in more profit than Google, HP, Intel, Cisco COMBINED
Cook & Co. also pay more taxes than those four worthies PLUS eBay and Oracle
It may be ILLEGAL to run Heartbleed health checks – IT lawyer
Do the right thing, earn up to 10 years in clink
prev story

Whitepapers

Top three mobile application threats
Learn about three of the top mobile application security threats facing businesses today and recommendations on how to mitigate the risk.
Combat fraud and increase customer satisfaction
Based on their experience using HP ArcSight Enterprise Security Manager for IT security operations, Finansbank moved to HP ArcSight ESM for fraud management.
The benefits of software based PBX
Why you should break free from your proprietary PBX and how to leverage your existing server hardware.
Five 3D headsets to be won!
We were so impressed by the Durovis Dive headset we’ve asked the company to give some away to Reg readers.
SANS - Survey on application security programs
In this whitepaper learn about the state of application security programs and practices of 488 surveyed respondents, and discover how mature and effective these programs are.