Europol Describes Data Retention Desires

freakyboff writes "Found this on cryptome.org - It's a confidential document from Europol, basically a wish list of all data that they would like people to keep. Many things that violate peoples privacy are in the minimum requirements, such as caller line identification and assigned IP for dial-up Internet access; e-mail and ftp server logs; and companies running web servers should keep information on what information users put on their servers." Statewatch is a good source for more information. I find it odd that Europe is moving from a position of protecting a great deal of data with fairly strong laws to requiring that telecommunications companies store data on their customers for as long as seven years so that law enforcement can go data-mining - skipping the intermediate step of making it optional.

Help save cryptome's poor server

[sludgely]

Use a mirror:

Thanks to A for mirror:

http://www.lessgov.org/cryptome
Thanks to SC for crypto software:

http://mrstef.dns2go.com/crypto
Thanks to AJ for mirrors:

http://cryptome.sabotage.org
ftp://ftp.zedz.net/pub/varia/Cryptome/cryptome.o rg /

the whole shebang is available at:
ftp://ftp.zedz.net/pub/varia/Cryptome/
Thanks to mb for mirror:

http://while1.org/~xm/cryptome.tgz
Thanks to VP for mirror:

http://munitions.vipul.net/documents/cryptome/

A ruse

[Jeffrey+Baker]

This certainly seems like the US strong-arming the EU to pass these measures. After they get passed in the EU it is much easier to get them passed in the USA.

George Bush, President of the USA, sent this demand -- among many others -- to the EU on October 16, 2001:

Revise draft privacy directives that call for mandatory destruction to permit the retention of critical data for a reasonable period.

Just horrific....

Data that must be retained by Internet Service Providers:

1. Network Access Systems - Date and time of connection of client to server - User-id and password - Assigned IP address NAS Network attached storage IP address - Number of bytes transmitted and received - Call Line Identification (CLI) - User's credit card number / bank account for the subscription payment

2. Email servers - Date and time of connection of client to server - IP address of sending computer
- Message ID (msgid) - Sender (login@domain)
- Receiver (login@domain) - In some cases identifying information of email retrieved

3. File upload and download servers - Date and time of connection of client to server - P source address - User-id and password - Path and filename of data object uploaded or downloaded

4. Web servers - Date and time of connection of client to server - IP source address - Operation (i.e. GET command) - Path of operation (to retrieve html page or image file) - Those companies which are offering their servers to accommodate web pages should retain details of the users who inserts these web pages (date, time, IP, User ID, etc.) - "Last visited page" - Response codes

5. Usenet - Date and time of connection of client to server - Protocol process ID (nnrpd[NNN...N]) - Hostname (DNS name of assigned dynamic IP address)
- Basic client activity (no content) - Posted message ID

6. Internet Relay Chat - Date and time of connection of client to server - Duration of session - Nickname used during IRC connection - Hostname and/or IP address

7. Data that must be retained by telephone companies for fixed numbers' users: - Called number even if the call was not successful - Calling number even if the call was not successful
- Date and time of the start and the end of the communication - Type of communication (incoming, outgoing, link through, conference) - In case of conference calls or call to link through services, all intermediate numbers - Information both on the subscriber and on the user (name, date of birth, address) - Address where the bill is sent - Both dates (starting and ending) from when the subscription has been signed and dismissed - Type of connection the user has (normal, ISDN, ADSL, etc., and whether it is for in-out calls or for incoming only) - The forwarded called number - The time span of the call - Bank account number/other means of payment - For a better investigative purpose Telcos should be able to know the nature of the telecommunication: voice/modem/fax etc.

8. Data that must be retained by telephone companies for mobile / satellite numbers' users:- Called number even if the call was not successful- Calling number even if the call was not successful - Date and time of the start and the end of the communication - Type of communication (incoming, outgoing, link through, conference) - For conference calls or call to link through services, all intermediate numbers - Information both on the subscriber and on the user (name, date of birth, address) - IMSI and IMEI numbers - Address where the bill is sent - Both dates (starting and ending) from when the subscription has been signed and dismissed - The identification of the end user device - The identification and geographical location of the cells that were used to link the end users (caller, called user) to the telecommunication network - Geographical llocation (coordinates) of the mobile satellite ground station - Type of communication (incoming, outgoing, link through, conference) [duplicate item] - GPRS service - For conference calls or call to link through services, all intermediate numbers [duplicate item] - The forwarded called number - The time span of the call - Bank account number/other means of payment - As GPRS and UMTS work on Internet base, thus all the data above mentioned (as IP address) should be preserved - For a better investigative purpose Telcos should be able to know the nature of the tgelecommunication: voice/modem/fax etc.

Re:Most likely do to the War On Terror

[bafu]

It seems to me that it's more likely to be a side effect of the US War On Terror that is driving them to keep better log info.

I doubt the EU is just waiting for the US to tell them what to do all the time. It's probably just the normal disconnect between the people whose job it is to investigate things and other elements of the gov't. The law enforcement elements will obviously focus on the benefits of collecting and keeping data that will make it easier for them to investigate things (especially in internal documents, like this one). It is to be hoped that their wish list, once offered, will be turned back due to privacy concerns. I guess what I am saying is that the bigger story will be the larger EU reaction to this, not the proposal itself.

Isn't this already standard practice?

[mpearce]

Every ISP I have ever worked with has kept logs of assigned IP for dialup, caller id (when available and not cost prohibitive), email and ftp server logs. These logs are referred to when following up complaints of abuse (mainly spammers). Even if an ISP were not interested in fielding abuse complaints, they would be insane not to keep this information in the face of subpeonas and requests for cooperation by law enforcement (and lately DMCA notices).

Why is this a violation of privacy? While the information may be handled casually in many cases, it is not published publicly. Do users really think they have an expectation of privacy in this way? Do they really think they have a right to be untracable and unaccountable for their actions online?

I know slashdotters seem to be always fighting a losing battle for privacy, but these logs seem to be common sense.