Slashdot Mirror
EU Still Looking at Mandatory Data Retention
An anonymous reader writes "Following up on a
previous Slashdot article,
European civil rights advocacy group
Statewatch
is detecting more rumbles of a possible
weakening of privacy rights in the EU. The
European council has been testing the waters
for a new policy mandating retention of
communications "traffic data" by all member states. The previous policy (adopted May 30) merely allowed an exception to EU privacy law for member states who wished to retain such data.
Under the leaked draft proposal, law enforcement is to be allowed access to "traffic data" (identifying source, destination, time, etc.), which is similar to current US law. However, much worse is the requirement that telco providers retain such data for 12-24 months.
Text of the
draft framework decision
is available.
Also
analysis
by Statewatch.
Backup link (in case of Slashdot effect)."
Someone has mad equity in the databackup / storage market out there
Walk with Music;
This sounds like a great service from Big Brother, but how are they going to pull this one off? At taxpayer expense?
I see the need to ping eachother with random terrabytes of data. Who's going to pay for this expensive archiving?
Well if all our data was encrypted, would all this "data retention" matter? I can just see Echelon spending gobs of cash to build supercomputers to crack all the mail and data being sent.
:(
Hey wait, they would just legislate to dumb our encryption down...
CausticFit-
oh, heh, sorry bout that... Just thought it was cool.. can't seem to find forums here anyway.. does /. have forums?
There's no way this will get through (he says!)
It will cost too much and with have an impact of inflation which no one in the EU wants to see at the moment. There will be bandwidth implications because of the storage and processing overheads and investment and development in new infrastructure and technologies will be hit.
And who gains, well if the police can actually filter the data and find out what you up to then maybe a few people who have had criminals take away there liberties will feel better.
Who looses, everyone else.
thank God the internet isn't a human right.
How would this effect the European ISP community? Would the governments subsidize it, or would the costs be dumped on the consumer, increasing the cost of net access in Europe even higher then it already is?
I suppose that in many regions where broadband has not been widely adopted (Britain?), this could work very well, but what about places where it has been?
I suspect that the US and UK and other governments spy agencies already have access to whatever electronic communications they want to tap.
This is the case in the UK with regard to phones, however phone tap data is never used in court here because the state might then have to admit how they got it -- they would rather not convict people then admit their sources and the extent of the eve dropping that is going on.
I suspect that draft proposals like this are based on the old trick -- suggest something totally over the top and impossible to implement then let well meaning people water it down, claim that government cares and listens and at the end of the day still get away with yet another outrageous new law and yet more erosion of privacy and civil liberties.
But then again I'm probably not cynical enough, it's probably far worse than I can imagine already...
Check out MKDoc a mod_perl CMS
Given how much storage space two years of ISP logs could take up, the amount of storage hard drives can hold is quite likely to go up VERY fast.
:)
Of course, whether or not that's so good a thing when you take into consideration the privacy concerns can be a rather complex debate.
At least we'll have more room for pr0n!
I mod down anyone who uses M$ in their posts. I like to live on the edge.
You would have to re-write all the network protocols (IP/TCPIP etc...) with encryption.
If you went to a kiddie porn site they could find out from your network traffic and get a search warrant.
If you were frequently on a chat room the same time as xx who was later found dead they'd be round the next morning.
If you were connecting to predominantly Jewish sites then the secret police would be round and take you away.
thank God the internet isn't a human right.
I've always wondered how long my "traffic data" is privy to others who may want to snoop. Anybody know?
I know our benevolant, wise, and responsible US Federal Government would never enact such blantant acts of controll over its freedom-loving, tuned in, and watchful citizens. Oh, wait... /me packs his things and heads for Antarctica
From the draft:
a) Data necessary to follow and identify the source of a communication;
b) Data necessary to identify the destination of a communication;
c) Data necessary to identify the time of a communication;
d) Data necessary to identify the subscriber;
e) Data necessary to identify the communication device.
And:
These types of data shall not concern the content of the exchanged correspondence or the consulted information, in any form...
So, they couldn't read my e-mail, but they could get a complete list of everyone I've exchanged e-mail with in the last 12-24 months?
What I really wanna know is how this will affect communications between parties outside the EU that just happen to pass through EU routers. I couldn't find any specific mention of this (granted, I didn't comb through the draft too carefully.)
The story mentions the existance of a US law requiring data rentention. I have not heard of this. What are the US requirements??
McFly777
- - -
"What do people mean when they say the computer went down on them?" -Marilyn Pittman
This is exactly the information used by drug cartels to assassinate informants, as described in a previous Slashdot article.
If the information is being kept, unauthorized access will occur.
SKG
IF you were to not be taxed by the bit, then simply have everyone move data back and forth to some out-of-country server while you sleep at night.... and make them .EXE files so they don't compress nicely! And, of course, do this while you sleep.... or just poll away on the Slashdot.org home page! Haha!
Just a minute /.
Flips on atari 800xl
pick up microphone and speak into it
"Computer, find me information on Anonymous Coward"
1030 (300 baud) modem dials out
short wait
Faster than you can read, the following appears, often in higher resolution than the computer can drive)
you got a C in gym class in 4th grade
Video of your at the office christmas party
Your rejection letter from MIT
(censered) communication from your bed last night, taken from microphone in your light
copy of your bare butt on the office copier
complete shower videos from 9th grade gym
Complete history of your postings to
At least that is how it would be in the movies.
www.oobersworld.com - For those that ride.
Not that political action won't help too, but it's easier to get a law defeated or repealed if it doesn't work anyway.
are belong to EU.
So, my question is: Would this European Directive (or whatever) override the Data Protection Act?
Is the EU council going to give me funds to buy an extra NAS to store 24 months of communications on?
and if you tell anyone you've given us your passwords, you'll be jailed" laws and London "Every square inch is under 24/7 video surveillance", it really seems like our friends across the pond are giving us a run for the money in the "Who'll completely destroy the notion of privacy and/or civil liberty first" contest. Good thing we've still got TIPS.
Please hold for a moment while I pull up your record. (...) Sir, your retention period is set at 36 months. Is there anything else I can do for you today?
example.org - powered by Linux!
That's funny, that's exactly how the PHBs in office think computers work!
Show up at the council's headquarters with a few hundred thousand pages of traffic logs and say, "Hey, we want to comply with your data retention policy. Just hang onto this for a year or so, OK?"
If/when this becomes law, will so-called "noise generators" become legal? Overflowing an IDS by generating a bunch of false positives (ala Stick/Snot) is a technique used by folks attacking corporate networks... what happens if I buy cable modem access in the UK and choose to spend my bandwidth sending a continuous stream of garbage packets to random IPs from random IPs? It wouldn't be hard for a single user to consume entire gigabytes of storage per month in such a "traffic retention" system.
Makes you wonder if they'll outlaw generating bogus traffic as a defense mechanism.
KWTCMA
Such a priori retention of data and access to this data constitutes an interference in the private life of the individual; however, such an interference does not violate the international rules applicable with regard to the right to privacy and the handling of personal data contained, in particular, in the European Convention on the Protection of Human Rights of 4 November 1950, the Convention of the Council of Europe no.108 on the protection of persons in respect of the automated handling of personal data of 28 January 1981, and the Directives 95/46/ce and 97/66/CE, where it is provided for by law and where it is necessary, in a democratic society, for the prosecution of criminal offences.
They admit it's a compromise of individual privacy rights, but say it's allowed under those conventions. I was just looking for the spots in those documents:
that allow mandatory storage of information in the absence of ongoing criminal investigation -- a priori.
The 1950 one includes a very general passage seeming to allow anything "preventive" if it might abridge the rights or freedoms of others. Doesn't make me feel safe. (Hey, someone might want to prevent me using my TiVo in naughty ways. That'd abridge Jack Valenti's right -- or is it a freedom? -- to rake in money.)
The 1981 thing's much more specific to the question, and opens up a world of hurt we could inflict on our various surveillance agencies:
Imagine the /. effect as we all demand access to the records being kept of all our packet traffic, all our phone calls... Hey, people ask for their credit reports. If the European agreement says it has to be "transparent" in this way, just start asking.
"Fundamentalism" isn't about divine morality. It's about human authority.
So, for a little civil disobedience:
1. Option 1. If you're using an external mail server, you're not using the ISP mail server, right? So that gives you a "junk" email box. Why not set up a peer to peer system along the lines of SETI@home, which uses idle cycles to exchange email at the rate of a few hundred a minute.
2. Option 2 - if they're sniffing all traffic, even better - write something similar, but do all the inter-client communication using SMTP. You should be able to simulate a few hundred messages per second. Get enough people on board (using SETI like marketing tactics - email chain letters encouraging people to "fight the spies" etc) and you could utterly dwarf "real" email under a storm of junk data. Even if they can somehow parse out the "real" data, the cost of storing the information has risen exponentially - and all you have to do after that is work out a way to embed real messages in the "fakes", and you've got unmonitored communications again!
PGP only helps hide content, which this legislation doesn't ask for. Remailers would work, of course, but would look "suspicious"....
I will NOT live within a community that supports this flagrent disregard for my human right to privacy. Whilst I realise this information is probably already accessable to see this type of legistation even REACHING the stage of open discussion is disquieting.
This is nothing to do with the 'war on terrorism' it is nothing less than control.
knowledge == power
and power corrupts.
QED
that rightfully thought the US was backwards with Fritz Holling, DMCA, etc: Welcome!
I got karma to burn. Mod me down if you must.
If I SSH in to a development machine at an ISP that I don't use for dial-up, and E-Mail somebody from it with a question - who is responsible for logging that E-Mail?
This really is a concern, because small co-location facilities, etc, really don't have the facilities to do this. It's OK for large ISPs, but a nightmare for smaller ones.
I might run a home brew system which is designed to not leave the keys anywhere in the ned. All they keep is complete bollocks for anyone, including me.
Or what happens if someone transfers something illegal, can you prosecute the telecom company for having illegal documents/child pornography etc? What if they stole it/produced it in the first place, is it all of a sudden legal then, or what?
This is like making thoughts illegal because I might be thinking up a masterplan to steal the gold at fort knox and produce an elite army of terrorists...
I think this would definately tempt me to put any websites I run onto https and leave http with a simple redirector. Be nice if other people would do the same. I wonder how much they'd enjoy trawling through a few terrabytes of session encrypted traffic...
Seriously though, the sheer data management problem this would pose would be extraordinary. For every 1mbps, you're talking ~4TB of traffic per year! Consider how much traffic there actually is going across the wires:
Just for the hell of it, 9,776.16TB is 48,881 200GB drives. Now, you can buy one of those from Western Digital for ~$400US (retail). You'd be buying a lot of drives, so lets say you get a discount, and can get one for $300 (I don't know how big a discount you'd really get). That's almost $15 million dollars in hard drives per year for an OC48. That's about three times as much as the actual cost of an OC48 (even worse for peering arrangements).
Of course, scale that kind of hard drive usage up across Europe, and I don't think there is the manafacturing capacity to supply that kind of demand. Oh well, I guess we've found holographic storage's killer app, eh?
Also, who records what? Does every router have to record everythign that passes through it? Or only the ISPs that serve end users? What about businesses? What about co-located servers? If you don't want to miss anything, you'll have to cover all of those, and end up grabbing 2-3x as much data as you really have to. Otherwise it'd be trivial to setup a colocated server at a company or a hosting provider, and tunnel an encrypted connection through to that.
On top of that, there's the problem of how you sift through ~10,000TB of data for something useful. We're talking raw data on a totally unmanageable scale.
Why not just record all voice communications too? I'm sure that'd be invaluable in any police investigations. Ah well, nothing to worry about since neither's going to happen. Both are totally infeasable.
2. ???
3. Security!
Seriously, what is needed is some civil disobedience. Set up weird accounts like yarafat@hamas-resistance.il, exchange suspicious e-mails with your friends (in case they don't retain the body, make sure they get to read the subject), get as many people as possible to do it. The more false positives, the more impossible the system will be to maintain.
Remember, they're trying to make you f33r. When only one person stands up, he has a damn good reason to be afraid. When 10,000 stand up, the opposition has a damn good reason to be afraid.
Oh, and in case it needs to be said.. use PGP as much as possible, and try to run your own mailserver.
Just for the record: Osama Project Iraq Desert Storm Hailstorm Bush GWB kill maim murder torture Mossad oil Kuwait Iraq Iran Saudi Arabia we have the assassination plans praise Allah one hundred virgins FBI CIA Hoover Dyson MI5 MI6 James Bond Dr Evil one million pounds safety deposit box Switzerland Nazi gold bank account launch code RSA DSA NSA BSA
Sounds like somebody's being "retentive" alright.
In the US, ISPs can keep traffic data as long as they wish, according to Marc Richards, US DoJ at EU Cybercrime Conference, Nov 2001.
He's there to urge the EU to reverse its mandatory data destruction policy. In the EU, traffic data must be erased or made anonymous at end of communication or end of period in which invoice could be contested.
The metric for how long US ISPs/telco keep traffic data can probably be guessed from anecdotal data. Reading newspaper accounts about prosecutions of net child pornographers or adults soliciting minors suggests a year or two. I'll look for the case of a VA police chief who was after young boys & see how long prosecutors watched and the motions the Chief's counsel made to suppress traffic data evidence.
We have statutory protections against telco passing on traffic data--somewhere in Title 18, Section 2702 (?). US Patriot probably eases the exemptions: IOW, by default it is illegal for a data controller to let this or that party rifle through your data. OTOH, we are almost signing waivers--at the bank, credit apps, insurance apps, and personal finances in US would be near impossible if you didn't grant waivers.
Most important: Your employer can snoop all he wants if your are using his computers. The Administrative Office of the Courts--the management agency for the entire Federal judiciary--last year thought it should begin monitoring Judges' net use. Same logic.
All those hard drive platters, ~50K drives per OC48, times all the OC48s (and fractions as appropriate to the lesser pipes) will add up to enormous amounts of spinning matter.
If properly mounted in line with the Earth's axis, maybe we could make a teensy-tiny little adjustment to the revolution speed when they spin 'em all up and get us a 25 hour day to match our 25 hour biological clock. I tell you, I could use an extra hour per day, and I really wouldn't mind having 15.2 less days per year.
Hottest Canadien babes for 500km? That's really not saying much ;)
J/k
It doesn't matter where you live.. big bro is movin in
privacy nowhere you can run but can not hide oops, wrong discussion
--
making up good sigs is a hard thing to do.
Especially if you own stock in any of several large corporate entites currently pushing SAN data centers. And of course, since this will have to be government subsidized (ISPs balk at the cost), they can lock in contracts with only "government approved" vendors.
This is not a story about rights or law enforcement. Do you seriously think that volume of data can actually be useful? Oh, such and such person sent an e-mail around the beginning of January, maybe after bouncing through a SSH tunnel. Oh, and the e-mail was encrypted with 2048-bit RSA encryption.
If you can't solve that problem, this "exploitation" of privacy is nothing more than writing some giants check to several government members and corporate bigwigs. Folks, this is why the stock market was invented!
What nutter voted this down as offtopic? It is totally relevant to subject at hand. I was thinking exactly the same thing and scanned down to see if someone had already covered it before posting the same comments myself.
The volume of data this would generate is enormous and just who do the egg heads in the EU think is going to foot the bill for all this extra hardware? The Telcos? They already have their backs against the wall cash flow wise and many are up their eyeballs in debt.
This proposal is sheer stupidity.
Imagine seeing a list of old surfing habits from BBS systems of the past?
...hmm I bet that picture would go good with my show and tell on farm animals......downloads with X-modem......opens picture.... Oh my God! My eyes! They are burning! Then somewhere along the line the shock and horror turns into "I had to see this garbage, so I'm making sure everybody else has to as well".
I would be afraid to see some of the filenames of pictures that I downloaded from old BBS systems come back to haunt me. Oh the days of youthful curiosity and innocence. Goatse.gif?
I don't think I could ever recreate the shock or the look on my face the first time I saw it...but I enjoy the look on a coworkers face the first time they see it.
Wow I really have become a warped little bastard haven't I. Damn those addictive BBS systems!
Next time your local comes around asking for your records, point them at the back room of your datacenter, filled with neatly files dot matrix printouts. When they ask for electronic files, shrug, and say "You never said HOW I had to keep the records..."
Might bring back the dot-matrix industry, too. Probably piss off the environmentalists, so everyone wins.
How would this effect the European ISP community?
One way it would affect the Europeans is to create a big incentive for individuals to adopt internet telephony. B-)
Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
It seems that with all this monitoring the only thing that seems to happen is public crucifictions of people like Charles, Di and Lewinsky for their phone calls. Have you ever noticed that company management never apply their appropriate email/internet surfing policy equally to everyone. They only pick on the selected sad sucker they wanted to sack all along. Same goes for govt "law enforcement".
Meanwhile, back in the real world, the really nasty kiddie-porn, neo-nazi-racists, stalkers, serial killers, black market barons, arms dealers, corrupt politicians, corporate board fraudsters and other highly organised criminals slide right under the radar again and again. All they really need to do is open chains of internet cafes, have a couple of free mail servers on some pacific island, and a couple of spam enterprises out of the same pacific island. Then would the government spooks nail them with internet traffic?
This is how: the stuff's all ones and zeros anyway, completely prone to fabrication as opposed to recording. How can anyone know what is on those backups wasn't generated to specification.
I like this idea. If I was an ISP, in order to maintain speed and bandwidth, I think I'd run my backup system standalone, recording fictional traffic.
Is monitoring like this going to get all authors of spy fiction locked up? I can't tell fiction from fact on the net anyway. Even my own emails can contain vast quantities of fiction. Nobody swears on the bible that they'll only send stuff over the net that can be used as fact in a court of law.
BTW creating more traffic to hide your stuff in is completely unnecessary. We're already carrying the millstone of spam and internet advertising. Online casinos aren't legal here, but does that stop geocities from hogging my bandwidth with advertising for it?
Coherent not today.
Anonymous Paranoid Coward
The only thing worse than the fuckin freedom chomping US is the fuckin we never had freedom to begin with european fuckheads.
jeesh..
GLOBAL REVOLUTION. We need a distributed synchronized revolution.
Minimal set:
- Telephone calls and faxes: caller, recipient, time, duration. Already retained by telephone companies for billing purposes. Possible means of circumvention: use a prepaid international calling card to route your calls through a call centre outside the EU. Could be expensive.
- Emails: sender, recipient, time. Require every SMTP server to log the RCPT and FROM fields. Possible means of circumvention: use POP and SMTP servers outside the EU. Use an anonymous remailer (effectively hiding traffic data inside the body of the message).
- Websites: user, domain name, time. Unlikely to rely on webserver logs. Instead, require every DNS server to log every request. Of course this doesn't prove that the user actually looked at the content of the site, but try explaining that to a jury. Possible means of circumvention: use a DNS server outside the EU.
More effective set:- Emails: in addition to logging connections to the ISP's mail server, monitor all traffic on TCP port 25. Parse the traffic as SMTP, extract RCPT and FROM lines. Small performance penalty for users. Possible means of circumvention: find a mail server outside the EU that operates on a non-standard port (unlikely) or uses a non-standard mail protocol (unlikely).
- Websites: user, URL, time. In addition to DNS logs, monitor all traffic on TCP port 80. Parse the traffic as HTTP, extract GET string, use a reverse DNS lookup to complete the URL. Serious performance penalty for users. Illicit websites will simply use non-standard ports or HTTPS.
Paranoid set:there be no troll here.
"If you went to a kiddie porn site they could find out from your network traffic and get a search warrant."
and
"If you were frequently on a chat room the same time as xx who was later found dead they'd be round the next morning."
are the kind of arguments that government boddies would use to 'justify' holding and searching of logs.
which is not that different to:
"If you were connecting to predominantly Jewish sites then the secret police would be round and take you away."
thank God the internet isn't a human right.
I know a canadian babe.