
Brussels tables data retention law

All your data are belong to us

The European Council has quietly proposed pan-European data retention laws that will require communications service providers to keep user data for a minimum of a year, and possibly indefinitely.

The draft framework will apply to data generated by an exhaustive list of comms architectures and protocols: phone, text, MMS, email, Voice over IP, and Web communications among them.

It has been rather hastily published in line with the European Council declaration that followed the bombings in Madrid. In this declaration, the Council said it would bring forward the debate around data retention. The fact that this document surfaced so quickly suggests, some say, that it has been floating around for some time.

The draft is very broad in its scope, and very loose in its definitions, which may sound familiar. The stated aim is not to store content, just the data generated by the flow of traffic, and its associated user information. However, as Joe McNamee of lobbying group Political Intelligence points out, at no point does this draft specify exactly what constitutes content, and what constitutes traffic data.

Broad and loose

Consider article 2.3, part (c). This states that service providers will be required to retain FTP logs. Are these content, or traffic data? This question needs to be resolved, especially as (in article 2.4) the draft makes the provision that it will cover all future communications technologies too.

It is also noticeably imprecise about how long the information must be kept: article 4.1 provides a time bracket of between 12 and 36 months, but goes on to say that it may be kept for longer if the member state feels it is necessary.

Draconian, you might think. Bound to get the civil libertarians up in arms? But wait: 4.2 contains the get-out clause. It says that any member state can derogate from 4.1 (i.e. ditch it), should they feel it is unacceptable.

"Sometimes the most effective thing you can do, politically, is not be rigid," McNamee says. "This clause is very clever. It gives a perfect counter-argument to any criticism without actually backing down: the Council can always argue that it is not forcing the legislation on any of its member states, even though it is extremely unlikely that any will actually take advantage of the option."

In the covering letter, the writers explain that although this kind of retention of data may constitute an "interference in the private life of an individual", this doesn't violate European law, provided the interference is "appropriate and strictly proportionate".

Is it legal?

It is interesting, then, that 18 months ago both Ireland and Sweden said they had no problems (see question five in the link) that would be solved by tighter laws on data retention.

This raises a fundamental question about this proposal: is it legal? Is it possible to reconcile the proposed data retention requirements with the fact that two of the countries putting the draft forward say they have no need for such laws? How can legalising interference in a person's private life be judged appropriate or proportionate by either Ireland or Sweden?

This isn't just a question of nosy politicians snooping on the citizens they are supposed to be representing. It has implications for businesses too. The costs of complying with any resulting legislation will almost certainly be passed to the service providers, for instance.

It is a wide range of data that companies will need to store, and they will need to store it very safely, or they will fall foul of other legislation. In the UK, we are already struggling to implement data protection laws properly, for example. This will certainly add to the confusion, as keeping data you don't need to keep is strictly an abuse under the Data Protection Act (DPA). But not keeping it will mean you violate the data retention laws.

But what of those innocent citizens whose digital movements will be tracked? Everything you do online must be recorded: that means that FTP logs about images you download, even in a spam email, are kept on a database somewhere. "If I was Joe Public, I don't think that would make me feel very secure," McNamee concludes. ®
