Europol Describes Data Retention Desires

freakyboff writes "Found this on cryptome.org - It's a confidential document from Europol, basically a wish list of all data that they would like people to keep. Many things that violate peoples privacy are in the minimum requirements, such as caller line identification and assigned IP for dial-up Internet access; e-mail and ftp server logs; and companies running web servers should keep information on what information users put on their servers." Statewatch is a good source for more information. I find it odd that Europe is moving from a position of protecting a great deal of data with fairly strong laws to requiring that telecommunications companies store data on their customers for as long as seven years so that law enforcement can go data-mining - skipping the intermediate step of making it optional.

Help save cryptome's poor server

[sludgely]

Use a mirror:

Thanks to A for mirror:

http://www.lessgov.org/cryptome
Thanks to SC for crypto software:

http://mrstef.dns2go.com/crypto
Thanks to AJ for mirrors:

http://cryptome.sabotage.org
ftp://ftp.zedz.net/pub/varia/Cryptome/cryptome.o rg /

the whole shebang is available at:
ftp://ftp.zedz.net/pub/varia/Cryptome/
Thanks to mb for mirror:

http://while1.org/~xm/cryptome.tgz
Thanks to VP for mirror:

http://munitions.vipul.net/documents/cryptome/

Re:Cost?

[bluGill]

In your case yes, but consider for a moment the cost of no security whatsoever on the blanks. Want a blank license, just walk in and take as many as you want, no tracking, no chance of getting punished. Not you do you take 15 (presume that you need them for something), but everyone else does too. Now it isn't 15 blanks, it is 2,000 at a total cost of 1784 dollars. Starting to get meaningfull already. (note, the number 2000 was pulled out of the air). Now multiply that out by a few years...

Security and prevention always comes at a cost. Insurance companys can draw fancy curves and graphs to show where your cost for secuiry (including punishing offenders, and insurance) is the least compared to your potential losses. Perhaps it isn't worth the goverment's time to do anything about the theif of blanks, perhaps it is. (I don't know how to do that analysis) At some point though you have something that costs more then it looks like it should because you can't account for the losses spending that much prevents.

Re:Cost?

[stubear]

Oh, really persuasive argument there chief. Crime costs too much to prosecute so we shoudl just fine the criminal and send them on theri merry way. What happens when graffiti becomes more common? It raises the cost to clean up and while it might still be more expensive to prosecute ALL those involved, it increases taxes paid by the citizens because cleanup costs have increased.

A ruse

[Jeffrey+Baker]

This certainly seems like the US strong-arming the EU to pass these measures. After they get passed in the EU it is much easier to get them passed in the USA.

George Bush, President of the USA, sent this demand -- among many others -- to the EU on October 16, 2001:

Revise draft privacy directives that call for mandatory destruction to permit the retention of critical data for a reasonable period.

Re:A ruse

[GGardner]

After they get passed in the EU it is much easier to get them passed in the USA.

Huh? How about some evidence for this? Do you think that the Kyoto protocols are going to be mandated in the US because they've been accepted in Europe? Ditto for socialized medicine? Mandated shorter work weeks? The Euro?

Opening for a proxy service, maybe?

[meta-monkey]

Well, I'm a syadmin at a University research lab, and when I want to do something the University may not like on the net (visit websites that may violate AUP or something) and I don't want those nosy upstream admins to notice, I pipe it through an IPSec tunnel I set up between my lab and my home network, since my DSL provider doesn't care what I do. So, I'll login remotely and run mozilla or something on my home comp and pipe the display back through the tunnel, so all anybody between my computer at the lab and my computer at home would see is a bunch of encrypted ESP packets flowing back and forth.

I wonder if a company in a place where laws like this don't exist (is Sealand still around?) could set up a proxy service provider, so all your traffic (or at least any traffic you don't want somebody spying on, like email, some web traffic) would be routed securely through them, so your local ISP wouldn't have anything but encrypted packets to monitor. Then they wouldn't have anything of consequence to share when the cops come knocking. I'd pay for such a service, would you?

Just horrific....

Data that must be retained by Internet Service Providers:

1. Network Access Systems - Date and time of connection of client to server - User-id and password - Assigned IP address NAS Network attached storage IP address - Number of bytes transmitted and received - Call Line Identification (CLI) - User's credit card number / bank account for the subscription payment

2. Email servers - Date and time of connection of client to server - IP address of sending computer
- Message ID (msgid) - Sender (login@domain)
- Receiver (login@domain) - In some cases identifying information of email retrieved

3. File upload and download servers - Date and time of connection of client to server - P source address - User-id and password - Path and filename of data object uploaded or downloaded

4. Web servers - Date and time of connection of client to server - IP source address - Operation (i.e. GET command) - Path of operation (to retrieve html page or image file) - Those companies which are offering their servers to accommodate web pages should retain details of the users who inserts these web pages (date, time, IP, User ID, etc.) - "Last visited page" - Response codes

5. Usenet - Date and time of connection of client to server - Protocol process ID (nnrpd[NNN...N]) - Hostname (DNS name of assigned dynamic IP address)
- Basic client activity (no content) - Posted message ID

6. Internet Relay Chat - Date and time of connection of client to server - Duration of session - Nickname used during IRC connection - Hostname and/or IP address

7. Data that must be retained by telephone companies for fixed numbers' users: - Called number even if the call was not successful - Calling number even if the call was not successful
- Date and time of the start and the end of the communication - Type of communication (incoming, outgoing, link through, conference) - In case of conference calls or call to link through services, all intermediate numbers - Information both on the subscriber and on the user (name, date of birth, address) - Address where the bill is sent - Both dates (starting and ending) from when the subscription has been signed and dismissed - Type of connection the user has (normal, ISDN, ADSL, etc., and whether it is for in-out calls or for incoming only) - The forwarded called number - The time span of the call - Bank account number/other means of payment - For a better investigative purpose Telcos should be able to know the nature of the telecommunication: voice/modem/fax etc.

8. Data that must be retained by telephone companies for mobile / satellite numbers' users:- Called number even if the call was not successful- Calling number even if the call was not successful - Date and time of the start and the end of the communication - Type of communication (incoming, outgoing, link through, conference) - For conference calls or call to link through services, all intermediate numbers - Information both on the subscriber and on the user (name, date of birth, address) - IMSI and IMEI numbers - Address where the bill is sent - Both dates (starting and ending) from when the subscription has been signed and dismissed - The identification of the end user device - The identification and geographical location of the cells that were used to link the end users (caller, called user) to the telecommunication network - Geographical llocation (coordinates) of the mobile satellite ground station - Type of communication (incoming, outgoing, link through, conference) [duplicate item] - GPRS service - For conference calls or call to link through services, all intermediate numbers [duplicate item] - The forwarded called number - The time span of the call - Bank account number/other means of payment - As GPRS and UMTS work on Internet base, thus all the data above mentioned (as IP address) should be preserved - For a better investigative purpose Telcos should be able to know the nature of the tgelecommunication: voice/modem/fax etc.

Re:Most likely do to the War On Terror

[bafu]

It seems to me that it's more likely to be a side effect of the US War On Terror that is driving them to keep better log info.

I doubt the EU is just waiting for the US to tell them what to do all the time. It's probably just the normal disconnect between the people whose job it is to investigate things and other elements of the gov't. The law enforcement elements will obviously focus on the benefits of collecting and keeping data that will make it easier for them to investigate things (especially in internal documents, like this one). It is to be hoped that their wish list, once offered, will be turned back due to privacy concerns. I guess what I am saying is that the bigger story will be the larger EU reaction to this, not the proposal itself.

Isn't this already standard practice?

[mpearce]

Every ISP I have ever worked with has kept logs of assigned IP for dialup, caller id (when available and not cost prohibitive), email and ftp server logs. These logs are referred to when following up complaints of abuse (mainly spammers). Even if an ISP were not interested in fielding abuse complaints, they would be insane not to keep this information in the face of subpeonas and requests for cooperation by law enforcement (and lately DMCA notices).

Why is this a violation of privacy? While the information may be handled casually in many cases, it is not published publicly. Do users really think they have an expectation of privacy in this way? Do they really think they have a right to be untracable and unaccountable for their actions online?

I know slashdotters seem to be always fighting a losing battle for privacy, but these logs seem to be common sense.

Not asking for a lot

[freakinPsycho]

I'm sure to get flamed for this, but they aren't really asking for that much. Let's face it, most of this information is available with verbose logs on systems. A lost of it is stuff that ISPs in the US have to keep anyway, for legal reasons and just to help with tech support.

These are actually very reasonable requests. I work for a large company that is sometimes asked to produce some of this kind of information. Most of this is kept in our basic logs. Again, this is partly for legal reasons, but also so taht we can effectively troubleshoot problems that customers may have.

Re:It's europe, for god sake

[pacman+on+prozac]

Pretty horrid, I'd say.

We've had bombs placed in the centers of our cities, people being shot, mugged, raped and generally fucked over so whats wrong with putting up the cameras if they help prevent it, or at least track down the guilty person afterwards.

Why should I care if the police/govt/anyone watches me walk down the main street of town or sitting on a bus? I never understood the argument that they're invading our privacy by putting camera's in public places.

WISH list

[nick_davison]

I find it odd that Europe is moving from a position of protecting a great deal of data with fairly strong laws to [storing a great deal of information for law inforcement].

Europol != Europe. Seriously, does Chicago PD equal the US government? It's a draft of a law enforcement agency's wish list - a starting point for one side of a debate, not anything that's passed in to law. Just because the MPAA have probably had a debate along the lines of "OK, what'd it be cool if we could force on users?" doesn't mean they get it - or even ask for it.

Re: WISH list

[nick_davison]

Holy bleeding shit!!! Where do you live? in Milpitas or something?

Actually, I'm English. As a result, I come from a nation that's endured decades of [primarily US citizen sponsored (IRA)] terrorism. That in turn means that while America got to do a "Holy Shit!" knee jerk response and dress it all up as patriotism, we got over it in the 70s with internment. While England's by no mean's perfect, or even as far as "OK", the seriously insane stuff does tend to get blocked ever since we saw what a f*** up it was with internment.

Curious about the benefits...

[NanoGator]

Okay, there are huge privacy concerns at stake. I know that. I'm just curious what good could come from it. If that's the type of thing that can stop another 9/11 from happening, then it's possible I'd reluctantly approve of something like that.

Unfortunately, I don't see the immediate connection between logging ftp logs and stopping terrorism. If anything, I think the MPAA or the RIAA would have more to gain than the War on Terrorism.

So my question is, can anybody think of benfitis to this type of surveillance? I'm not looking for justification, just silver linings here and there.

Heck, I'd love to hunt down that guy who modded me down earlier. Heh.

Re:Curious about the benefits...

[sik+puppy]

only one I can think of - getting ahold of spammers identities. Be nice if that info was made public.

Re:It's europe, for god sake

[Dark+Legend]

It's not what it's used for now, it's what it WILL be used for in the future, once the infrastructure is there to be abused it will be abused.. Have you never read 1984, yes i know it's a cliche, but it is SOO on the money.. How do you disagree with a government that has you under surveilance 24/7? How do you organise a resistance or a revolution without planning with other people? How can this EVER happen when you are under this constant surveillance. The more you hand people the means to control you the more they will try. Do you think it could never get to this stage? Well it will with people like you saying 'So What?' at every turn. These things are never a sudden shock, they are a gradual eroding change.. Barely perceptibly slipping towards complete control, before you know it, complee control IS possible and then it is a matter of time before it IS exerted.. once you are in that situation there is no way out.. Fully automated surveilance with facial recognition and computer controlled tracking of all subjects it's already theoretically possible, the infrastructure just needs setting up.. and THAT is why you should care..

Tuttle....Buttle....

[Bobzibub]

Hey. We're all in this together!
-b

Don't get your panties in a bunch, michael.

[Wakko+Warner]

This is a wish list compiled by an investigative police agency. What did you think would be on their wish list? A Barbie Dream House?

- A.P.

Re:Don't get your panties in a bunch, michael.

[pyrrho]

ok, thanks for the explanation.

Re:What the hell is going on in Europe?

[vkg]

Yeah, but the whole surveilence thing got seriously started in the UK at least ten years ago, and there have been cameras everywhere for at least the last five...

Re:Cost?

[SirSlud]

Hehe. Sometimes I wish I could leave people with their 'clean gene pool' of choice. I think, more often than not, you'd find the people made from the your preferred 'gene' pool would be just as likely to kill your before you kill them.

Do you really want to be left alone in a gene pool filled with the same intelligent, elitist, passionate genes that you have? Stop assuming they'd all share your opinions and start thinking about having to face off against those with skills equivilent to yours (whatever those may be.)

Re:It's europe, for god sake

[GigsVT]

people being shot, mugged, raped and generally fucked over so whats wrong with putting up the cameras if they help prevent it, or at least track down the guilty person afterwards.

People are shot, raped, beat up, get drunk, get high, write anti-government essays, organize terrorist activities, and plan revolutions all from their own private homes! So what's wrong with putting up the cameras in everyone's house, if it helps prevent it, or at least track down the guilty person afterwards?

Re:It's europe, for god sake

[Bobzibub]

Personally I like my cops walking the beat, not watching TV.

Cheers,
-b

Re:turnabout is fair game

[Shimbo]

when will you think it's a good idea to get along and not bitch and make fun of the people you relied on 50 years ago for your very existance

Who brought the Soviet Union into it?

With apologies to Oscar Wilde

[PHAEDRU5]

Europe is one of those political unions that goes from fairly liberal democracy to fascist police state without an intervening period of civilization.

Re:These records will be gold mines for ....

[mvdwege]

Nicely paranoid, but that doesn't add up. I haven't read the directive per se, but the common way to handle this kind of data in Europe is to only make them available to law enforcement that can present a court order for the info.

So, yes, the fact that this much data gets logged is worrisome, and I'd need some iron-clad guarantees from my government to make sure abuse is curbed before I feel comfortable with it, but it is nowhere near as bad as you make it seem.

I will make sure to watch how my government is going to implement these directives.

Mart