EU Still Looking at Mandatory Data Retention
An anonymous reader writes "Following up on a previous Slashdot article, European civil rights advocacy group Statewatch is detecting more rumbles of a possible weakening of privacy rights in the EU. The European council has been testing the waters for a new policy mandating retention of communications "traffic data" by all member states. The previous policy (adopted May 30) merely allowed an exception to EU privacy law for member states who wished to retain such data.
Under the leaked draft proposal, law enforcement is to be allowed access to "traffic data" (identifying source, destination, time, etc.), which is similar to current US law. However, much worse is the requirement that telco providers retain such data for 12-24 months.
Text of the draft framework decision is available. Also analysis by Statewatch. Backup link (in case of Slashdot effect)."
Given how much storage space two years of ISP logs could take up, the amount of storage hard drives can hold is quite likely to go up VERY fast. :)
Of course, whether or not that's so good a thing when you take into consideration the privacy concerns can be a rather complex debate.
At least we'll have more room for pr0n!
I mod down anyone who uses M$ in their posts. I like to live on the edge.
This is exactly the information used by drug cartels to assassinate informants, as described in a previous Slashdot article.
If the information is being kept, unauthorized access will occur.
SKG
www.oobersworld.com - For those that ride.
IPSec is part of IPv6. It is in FreeBSD and will be in Linux soon. Encryption at IP level of the stack is a pretty old idea. If you are paranoid now, you can get FreeSwan (sp?) for Linux.
They weren't talking about US law re data retention. They were talking about US law re what's accessible to law enforcement such as "traffic data".
Fascism starts when the efficiency of the government becomes more important than the rights of the people.
and the answer is, YES, as that's what EU directives do: they override national legislation.
I think the general problem is that there is no public debate over any issue of IP and data privacy. I personally believe that these are the two most important topics that may affect citizens in this century, and that these discussions should become central at any level of democracy, which includes the EU. Citizens should stop whining with their national governments since these are helpless anyway, and should concentrate on pressuring the EU, through European Parliament elections and by closely monitoring the stance of their national governments in the Council. That's what corporate lobbies, which know better, do.
I think this would definitely tempt me to put any websites I run onto https and leave http with a simple redirector. Be nice if other people would do the same. I wonder how much they'd enjoy trawling through a few terabytes of session encrypted traffic...
Seriously though, the sheer data management problem this would pose would be extraordinary. For every 1mbps, you're talking ~4TB of traffic per year! Consider how much traffic there actually is going across the wires:
Just for the hell of it, 9,776.16TB is 48,881 200GB drives. Now, you can buy one of those from Western Digital for ~$400US (retail). You'd be buying a lot of drives, so let's say you get a discount, and can get one for $300 (I don't know how big a discount you'd really get). That's almost $15 million dollars in hard drives per year for an OC48. That's about three times as much as the actual cost of an OC48 (even worse for peering arrangements).
Of course, scale that kind of hard drive usage up across Europe, and I don't think there is the manufacturing capacity to supply that kind of demand. Oh well, I guess we've found holographic storage's killer app, eh?
Also, who records what? Does every router have to record everything that passes through it? Or only the ISPs that serve end users? What about businesses? What about co-located servers? If you don't want to miss anything, you'll have to cover all of those, and end up grabbing 2-3x as much data as you really have to. Otherwise it'd be trivial to set up a colocated server at a company or a hosting provider, and tunnel an encrypted connection through to that.
On top of that, there's the problem of how you sift through ~10,000TB of data for something useful. We're talking raw data on a totally unmanageable scale.
Why not just record all voice communications too? I'm sure that'd be invaluable in any police investigations. Ah well, nothing to worry about since neither's going to happen. Both are totally infeasible.
In the US, ISPs can keep traffic data as long as they wish, according to Marc Richards, US DoJ at EU Cybercrime Conference, Nov 2001.
He's there to urge the EU to reverse its mandatory data destruction policy. In the EU, traffic data must be erased or made anonymous at end of communication or end of period in which invoice could be contested.
The metric for how long US ISPs/telco keep traffic data can probably be guessed from anecdotal data. Reading newspaper accounts about prosecutions of net child pornographers or adults soliciting minors suggests a year or two. I'll look for the case of a VA police chief who was after young boys & see how long prosecutors watched and the motions the Chief's counsel made to suppress traffic data evidence.
We have statutory protections against telco passing on traffic data--somewhere in Title 18, Section 2702 (?). US Patriot probably eases the exemptions: IOW, by default it is illegal for a data controller to let this or that party rifle through your data. OTOH, we are almost signing waivers--at the bank, credit apps, insurance apps, and personal finances in US would be near impossible if you didn't grant waivers.
Most important: Your employer can snoop all he wants if you are using his computers. The Administrative Office of the Courts--the management agency for the entire Federal judiciary--last year thought it should begin monitoring Judges' net use. Same logic.