EU Still Looking at Mandatory Data Retention

An anonymous reader writes "Following up on a previous Slashdot article, European civil rights advocacy group Statewatch is detecting more rumbles of a possible weakening of privacy rights in the EU. The European council has been testing the waters for a new policy mandating retention of communications "traffic data" by all member states. The previous policy (adopted May 30) merely allowed an exception to EU privacy law for member states who wished to retain such data. Under the leaked draft proposal, law enforcement is to be allowed access to "traffic data" (identifying source, destination, time, etc.), which is similar to current US law. However, much worse is the requirement that telco providers retain such data for 12-24 months. Text of the draft framework decision is available. Also analysis by Statewatch. Backup link (in case of Slashdot effect)."

Sounds like...

[cez]

Someone has mad equity in the databackup / storage market out there

Bad for the echonomy

[oliverthered]

There's no way this will get through (he says!)

It will cost too much and with have an impact of inflation which no one in the EU wants to see at the moment. There will be bandwidth implications because of the storage and processing overheads and investment and development in new infrastructure and technologies will be hit.

And who gains, well if the police can actually filter the data and find out what you up to then maybe a few people who have had criminals take away there liberties will feel better.

Who looses, everyone else.

The spooks have access already...

[Chris+Croome]

I suspect that the US and UK and other governments spy agencies already have access to whatever electronic communications they want to tap.

This is the case in the UK with regard to phones, however phone tap data is never used in court here because the state might then have to admit how they got it -- they would rather not convict people then admit their sources and the extent of the eve dropping that is going on.

I suspect that draft proposals like this are based on the old trick -- suggest something totally over the top and impossible to implement then let well meaning people water it down, claim that government cares and listens and at the end of the day still get away with yet another outrageous new law and yet more erosion of privacy and civil liberties.

But then again I'm probably not cynical enough, it's probably far worse than I can imagine already...

I'm sure glad I don't live in Europe...

[bsDaemon]

I know our benevolant, wise, and responsible US Federal Government would never enact such blantant acts of controll over its freedom-loving, tuned in, and watchful citizens. Oh, wait... /me packs his things and heads for Antarctica

What about global communcations?

[Auridel]

From the draft:

a) Data necessary to follow and identify the source of a communication;

b) Data necessary to identify the destination of a communication;

c) Data necessary to identify the time of a communication;

d) Data necessary to identify the subscriber;

e) Data necessary to identify the communication device.

And:

These types of data shall not concern the content of the exchanged correspondence or the consulted information, in any form...

So, they couldn't read my e-mail, but they could get a complete list of everyone I've exchanged e-mail with in the last 12-24 months?

What I really wanna know is how this will affect communications between parties outside the EU that just happen to pass through EU routers. I couldn't find any specific mention of this (granted, I didn't comb through the draft too carefully.)

Information used by Drug Cartels..

[sadr]

This is exactly the information used by drug cartels to assassinate informants, as described in a previous Slashdot article.

If the information is being kept, unauthorized access will occur.

SKG

Re:Question: How Long Do US Telecos Retain "data"

[bluGill]

Just a minute
Flips on atari 800xl
pick up microphone and speak into it
"Computer, find me information on Anonymous Coward"
1030 (300 baud) modem dials out
short wait
Faster than you can read, the following appears, often in higher resolution than the computer can drive)
you got a C in gym class in 4th grade
Video of your at the office christmas party
Your rejection letter from MIT
(censered) communication from your bed last night, taken from microphone in your light
copy of your bare butt on the office copier
complete shower videos from 9th grade gym
Complete history of your postings to /.

At least that is how it would be in the movies.

Re:How?

[JCCyC]

"Gee, officer, our server just had a fatal crash last week."

Or:

"Gee, officer, the warehouse where we hold our pile of DVD-Rs with traffic logs just caught fire!"

Or:

"What the...? Someone seems to have demagnetized our entire pile of backup HDs! I'm shocked, just shocked!"

What now? Mandatory data reliability? Or will you just have to hand your logs to the Gestapo every Tuesday?

Re:US law???

[Amazing+Quantum+Man]

They weren't talking about US law re data retention. They were talking about US law re what's accessible to law enforcement such as "traffic data".

Re:Does it trump the Data Protection Act?

[LichP]

More fundamentally, it is my understanding that (and I may well be wrong) that the 1998 Data Protection Act was revised from the original act to generally be updated where appropriate and become compliant with the relevant EU directive on Data Protection. So any new EU directive concerning data retention would not only be fudged at the UK level (kinda surpassable) but would also conflict with an earlier EU directive, which would be a bit messy.

Not that it really matters - this whole process is massively unfeasible. To put it in context, my flatmates and I have easily downloaded over a quarter of a terabyte of data over the last year over our ADSL line - the figure probably reaches much higher. Scale this up across the continent and the figures are going to get unrealistically enormous. Even just logging e-mail and dns activity is going to burn a heck of a lot of storage capacity.

What are the EU going to do? Spend many billions of euros on implementing the required software and (more fundamentally) hardward changes across the continent, money they could be spending on, for example flood relief? Or will they just tell the ISPs to get on with it, leaving them fundamentally crippled with the cost of internet access skyrocketing as ISPs drop like flies?

Worried? Just ask for your file...

[ianscot]

Point nine of this draft gets to our privacy worry:

Such a priori retention of data and access to this data constitutes an interference in the private life of the individual; however, such an interference does not violate the international rules applicable with regard to the right to privacy and the handling of personal data contained, in particular, in the European Convention on the Protection of Human Rights of 4 November 1950, the Convention of the Council of Europe no.108 on the protection of persons in respect of the automated handling of personal data of 28 January 1981, and the Directives 95/46/ce and 97/66/CE, where it is provided for by law and where it is necessary, in a democratic society, for the prosecution of criminal offences.

They admit it's a compromise of individual privacy rights, but say it's allowed under those conventions. I was just looking for the spots in those documents:

• the 1950 one,
• the 1981 one

that allow mandatory storage of information in the absence of ongoing criminal investigation -- a priori.

The 1950 one includes a very general passage seeming to allow anything "preventive" if it might abridge the rights or freedoms of others. Doesn't make me feel safe. (Hey, someone might want to prevent me using my TiVo in naughty ways. That'd abridge Jack Valenti's right -- or is it a freedom? -- to rake in money.)

The 1981 thing's much more specific to the question, and opens up a world of hurt we could inflict on our various surveillance agencies:

The purpose of this convention is to secure in the territory of each Party for every individual, whatever his nationality or residence, respect for his rights and fundamental freedoms, and in particular his right to privacy, with regard to automatic processing of personal data relating to him ("data protection").
...
Any person shall be enabled:

a) to establish the existence of an automated personal data file, its main purposes, as well as the identity and habitual residence or principal place of business of the controller of the file;

b) to obtain at reasonable intervals and without excessive delay or expense confirmation of whether personal data relating to him are stored in the automated data file as well as communication to him of such data in an intelligible form;

Imagine the /. effect as we all demand access to the records being kept of all our packet traffic, all our phone calls... Hey, people ask for their credit reports. If the European agreement says it has to be "transparent" in this way, just start asking.

Peer to Peer email flooding?

[Contact]

There are two possibilities. Either this will work by simply archiving the information from the ISP mail server (in which case, just use a mailserver in another country...) or they're going to have to sniff all traffic to check whether it's SMTP / POP / IMAP etc.

So, for a little civil disobedience:

1. Option 1. If you're using an external mail server, you're not using the ISP mail server, right? So that gives you a "junk" email box. Why not set up a peer to peer system along the lines of SETI@home, which uses idle cycles to exchange email at the rate of a few hundred a minute.

2. Option 2 - if they're sniffing all traffic, even better - write something similar, but do all the inter-client communication using SMTP. You should be able to simulate a few hundred messages per second. Get enough people on board (using SETI like marketing tactics - email chain letters encouraging people to "fight the spies" etc) and you could utterly dwarf "real" email under a storm of junk data. Even if they can somehow parse out the "real" data, the cost of storing the information has risen exponentially - and all you have to do after that is work out a way to embed real messages in the "fakes", and you've got unmonitored communications again!

PGP only helps hide content, which this legislation doesn't ask for. Remailers would work, of course, but would look "suspicious"....

For all the Europeans ..

[i_want_you_to_throw_]

that rightfully thought the US was backwards with Fritz Holling, DMCA, etc: Welcome!

I got karma to burn. Mod me down if you must.

Completely infeasable

[jpmorgan]

I think this would definately tempt me to put any websites I run onto https and leave http with a simple redirector. Be nice if other people would do the same. I wonder how much they'd enjoy trawling through a few terrabytes of session encrypted traffic...

Seriously though, the sheer data management problem this would pose would be extraordinary. For every 1mbps, you're talking ~4TB of traffic per year! Consider how much traffic there actually is going across the wires:

T1 (1.54mbps): 6.07TB
DS3 (45mbps) : 177.39TB
OC3 (155mbps) : 611.01TB
OC48(2.48gbps): 9,776.16TB

Just for the hell of it, 9,776.16TB is 48,881 200GB drives. Now, you can buy one of those from Western Digital for ~$400US (retail). You'd be buying a lot of drives, so lets say you get a discount, and can get one for $300 (I don't know how big a discount you'd really get). That's almost $15 million dollars in hard drives per year for an OC48. That's about three times as much as the actual cost of an OC48 (even worse for peering arrangements).

Of course, scale that kind of hard drive usage up across Europe, and I don't think there is the manafacturing capacity to supply that kind of demand. Oh well, I guess we've found holographic storage's killer app, eh?

Also, who records what? Does every router have to record everythign that passes through it? Or only the ISPs that serve end users? What about businesses? What about co-located servers? If you don't want to miss anything, you'll have to cover all of those, and end up grabbing 2-3x as much data as you really have to. Otherwise it'd be trivial to setup a colocated server at a company or a hosting provider, and tunnel an encrypted connection through to that.

On top of that, there's the problem of how you sift through ~10,000TB of data for something useful. We're talking raw data on a totally unmanageable scale.

Why not just record all voice communications too? I'm sure that'd be invaluable in any police investigations. Ah well, nothing to worry about since neither's going to happen. Both are totally infeasable.

three-step solution to terrorism

1. Deny rights.

2. ???

3. Security!

Seriously, what is needed is some civil disobedience. Set up weird accounts like yarafat@hamas-resistance.il, exchange suspicious e-mails with your friends (in case they don't retain the body, make sure they get to read the subject), get as many people as possible to do it. The more false positives, the more impossible the system will be to maintain.

Remember, they're trying to make you f33r. When only one person stands up, he has a damn good reason to be afraid. When 10,000 stand up, the opposition has a damn good reason to be afraid.

Oh, and in case it needs to be said.. use PGP as much as possible, and try to run your own mailserver.

Just for the record: Osama Project Iraq Desert Storm Hailstorm Bush GWB kill maim murder torture Mossad oil Kuwait Iraq Iran Saudi Arabia we have the assassination plans praise Allah one hundred virgins FBI CIA Hoover Dyson MI5 MI6 James Bond Dr Evil one million pounds safety deposit box Switzerland Nazi gold bank account launch code RSA DSA NSA BSA

Re:Prices?

[Tackhead]

> Would the governments subsidize it, or would the costs be dumped on the consumer, increasing the cost of net access in Europe even higher then it already is?

Where, pray tell, do you think governments get the money they then distribute for "subsidies"?