Slashdot Mirror


EU Still Looking at Mandatory Data Retention

An anonymous reader writes "Following up on a previous Slashdot article, European civil rights advocacy group Statewatch is detecting more rumbles of a possible weakening of privacy rights in the EU. The European council has been testing the waters for a new policy mandating retention of communications "traffic data" by all member states. The previous policy (adopted May 30) merely allowed an exception to EU privacy law for member states who wished to retain such data. Under the leaked draft proposal, law enforcement is to be allowed access to "traffic data" (identifying source, destination, time, etc.), which is similar to current US law. However, much worse is the requirement that telco providers retain such data for 12-24 months. Text of the draft framework decision is available. Also analysis by Statewatch. Backup link (in case of Slashdot effect)."

8 of 102 comments

  1. The spooks have access already... by Chris+Croome · · Score: 5, Interesting

    I suspect that the US and UK and other governments' spy agencies already have access to whatever electronic communications they want to tap.

    This is the case in the UK with regard to phones, however phone tap data is never used in court here because the state might then have to admit how they got it -- they would rather not convict people than admit their sources and the extent of the eavesdropping that is going on.

    I suspect that draft proposals like this are based on the old trick -- suggest something totally over the top and impossible to implement, then let well-meaning people water it down, claim that government cares and listens and at the end of the day still get away with yet another outrageous new law and yet more erosion of privacy and civil liberties.

    But then again I'm probably not cynical enough, it's probably far worse than I can imagine already...

    --
    Check out MKDoc a mod_perl CMS
  2. What about global communications? by Auridel · · Score: 3, Interesting

    From the draft:

    a) Data necessary to follow and identify the source of a communication;

    b) Data necessary to identify the destination of a communication;

    c) Data necessary to identify the time of a communication;

    d) Data necessary to identify the subscriber;

    e) Data necessary to identify the communication device.


    And:

    These types of data shall not concern the content of the exchanged correspondence or the consulted information, in any form...

    So, they couldn't read my e-mail, but they could get a complete list of everyone I've exchanged e-mail with in the last 12-24 months?

    What I really wanna know is how this will affect communications between parties outside the EU that just happen to pass through EU routers. I couldn't find any specific mention of this (granted, I didn't comb through the draft too carefully.)

  3. Hacktivism by return+42 · · Score: 2, Interesting
    This strikes me as an area where Declan McCullagh's position makes sense. We already have PGP and friends to protect email. Projects like Infranet, Anonymizer and Freenet can protect surfing and file-sharing. Laws to criminalize such tools, or mandate key escrow, will lag behind and won't be very effective, particularly if the tools are widely used.

    Not that political action won't help too, but it's easier to get a law defeated or repealed if it doesn't work anyway.

  4. Re:Does it trump the Data Protection Act? by LichP · · Score: 3, Interesting

    More fundamentally, it is my understanding (and I may well be wrong) that the 1998 Data Protection Act was revised from the original act to generally be updated where appropriate and become compliant with the relevant EU directive on Data Protection. So any new EU directive concerning data retention would not only be fudged at the UK level (kinda surpassable) but would also conflict with an earlier EU directive, which would be a bit messy.

    Not that it really matters - this whole process is massively unfeasible. To put it in context, my flatmates and I have easily downloaded over a quarter of a terabyte of data over the last year over our ADSL line - the figure probably reaches much higher. Scale this up across the continent and the figures are going to get unrealistically enormous. Even just logging e-mail and DNS activity is going to burn a heck of a lot of storage capacity.

    What are the EU going to do? Spend many billions of euros on implementing the required software and (more fundamentally) hardware changes across the continent, money they could be spending on, for example, flood relief? Or will they just tell the ISPs to get on with it, leaving them fundamentally crippled with the cost of internet access skyrocketing as ISPs drop like flies?

  5. Worried? Just ask for your file... by ianscot · · Score: 4, Interesting
    Point nine of this draft gets to our privacy worry:

    Such a priori retention of data and access to this data constitutes an interference in the private life of the individual; however, such an interference does not violate the international rules applicable with regard to the right to privacy and the handling of personal data contained, in particular, in the European Convention on the Protection of Human Rights of 4 November 1950, the Convention of the Council of Europe no.108 on the protection of persons in respect of the automated handling of personal data of 28 January 1981, and the Directives 95/46/ce and 97/66/CE, where it is provided for by law and where it is necessary, in a democratic society, for the prosecution of criminal offences.

    They admit it's a compromise of individual privacy rights, but say it's allowed under those conventions. I was just looking for the spots in those documents that allow mandatory storage of information in the absence of ongoing criminal investigation -- a priori.

    The 1950 one includes a very general passage seeming to allow anything "preventive" if it might abridge the rights or freedoms of others. Doesn't make me feel safe. (Hey, someone might want to prevent me using my TiVo in naughty ways. That'd abridge Jack Valenti's right -- or is it a freedom? -- to rake in money.)

    The 1981 thing's much more specific to the question, and opens up a world of hurt we could inflict on our various surveillance agencies:

    The purpose of this convention is to secure in the territory of each Party for every individual, whatever his nationality or residence, respect for his rights and fundamental freedoms, and in particular his right to privacy, with regard to automatic processing of personal data relating to him ("data protection").
    ...
    Any person shall be enabled:

    a) to establish the existence of an automated personal data file, its main purposes, as well as the identity and habitual residence or principal place of business of the controller of the file;

    b) to obtain at reasonable intervals and without excessive delay or expense confirmation of whether personal data relating to him are stored in the automated data file as well as communication to him of such data in an intelligible form;

    Imagine the /. effect as we all demand access to the records being kept of all our packet traffic, all our phone calls... Hey, people ask for their credit reports. If the European agreement says it has to be "transparent" in this way, just start asking.

    --
    "Fundamentalism" isn't about divine morality. It's about human authority.
  6. Peer to Peer email flooding? by Contact · · Score: 3, Interesting
    There are two possibilities. Either this will work by simply archiving the information from the ISP mail server (in which case, just use a mailserver in another country...) or they're going to have to sniff all traffic to check whether it's SMTP / POP / IMAP etc.

    So, for a little civil disobedience:

    1. Option 1. If you're using an external mail server, you're not using the ISP mail server, right? So that gives you a "junk" email box. Why not set up a peer to peer system along the lines of SETI@home, which uses idle cycles to exchange email at the rate of a few hundred a minute.

    2. Option 2 - if they're sniffing all traffic, even better - write something similar, but do all the inter-client communication using SMTP. You should be able to simulate a few hundred messages per second. Get enough people on board (using SETI like marketing tactics - email chain letters encouraging people to "fight the spies" etc) and you could utterly dwarf "real" email under a storm of junk data. Even if they can somehow parse out the "real" data, the cost of storing the information has risen exponentially - and all you have to do after that is work out a way to embed real messages in the "fakes", and you've got unmonitored communications again!

    PGP only helps hide content, which this legislation doesn't ask for. Remailers would work, of course, but would look "suspicious"....

  7. NO NO NO NO NO! by Anonymous Coward · · Score: 1, Interesting

    I will NOT live within a community that supports this flagrant disregard for my human right to privacy. Whilst I realise this information is probably already accessible, to see this type of legislation even REACHING the stage of open discussion is disquieting.
    This is nothing to do with the 'war on terrorism'; it is nothing less than control.

    knowledge == power

    and power corrupts.
    QED

  8. What if you encrypted and lost the key? by Anonymous Coward · · Score: 1, Interesting

    I might run a home brew system which is designed to not leave the keys anywhere in the ned. All they keep is complete bollocks for anyone, including me.

    Or what happens if someone transfers something illegal, can you prosecute the telecom company for having illegal documents/child pornography etc? What if they stole it/produced it in the first place, is it all of a sudden legal then, or what?

    This is like making thoughts illegal because I might be thinking up a masterplan to steal the gold at Fort Knox and produce an elite army of terrorists...