The EU Directive on Data Retention: Surveillance 2.0

by Andreas Rietzler  (Andreas.Rietzler@uni-konstanz.de)

"It remains easy for criminals to avoid detection through fairly simple means; for example, mobile phone cards can be purchased from foreign providers and frequently switched.  The result would be that a vast effort is made with little more effect on criminals and terrorists than to slightly irritate them.  Activities like these are unlikely to boost citizens' confidence in the EU's ability to deliver solutions to their demand for protection against serious crime and terrorism."

      --- Heinz Kiefer, President of EuroCOP, the European Confederation of Police, about the value of the new directive on data retention.

It Has Already Begun

In Spring 2006, EU member states voted to require that communications providers must retain communication data to trace and identify the source and the destination of a communication; to identify the date, time, duration and the type of a communication; and to identify the communication device and the location of mobile communication equipment from now on.

The start date of these requirements varies from state to state, from September 2007 to March 2009.  The data will be be retained for a period of between six months and two years, depending on the member state, and will be available to national authorities in specific cases, "For the purpose of the investigation, detection and prosecution of serious crime, as defined by each Member State in its national law."

Because every single EU citizen is affected, this law creates a groundless general suspicion of each individual and the disgraceful end of the presumption of innocence.

Political Background

Proposals for regulations for EU-wide data retention began to be considered shortly after 9/11, but a concrete proposal by the Council of the European Union was not drafted until March 2004, after the Madrid bombings.

The reason for the new European national laws on data retention today is the EU Directive 2006/24/EC on:

"The retention of data generated or processed in connection with the provision of publicly available electronic communications services or of public communications networks and amending Directive 2002/58/EC"

Which was formally adopted in March 2006 by the European Parliament.

The directive requires Member States to ensure adherence to the measures listed above.

Ireland instituted proceedings against the directive in July 2006, arguing that the European Parliament had no legal authority to adopt it.

If Ireland is right, then the directive will be declared invalid because of lack of jurisdiction of the European Parliament.  The European Court of Justice is expected to pass judgment on this issue in the middle of 2008.  You could pin your hopes on this suit, but there still is a catch: if a member state passed a law to fulfill the directive before the case is adjudicated, that law will remain even if the directive is declared invalid.

Surveillance 2.0

The Directive requires the retention of data in the following categories, among others:

Subscriber Information:  Subscriber details relating to the person, such as their name, date of birth, installation and billing addresses, payment methods, account or credit card details.  Contact information (that is, information held about the subscriber but not verified by the CSP) such as the user's telephone number and email address.  Identity of services subscribed to (information determined by the communication service provider).  Customer reference or account number.  A list of telephony services subscribed to: telephone number(s), IMEI, IMSI(s).  For email, email address(es), IP at registration.  For instant messaging: Internet messaging handle, IP at registration.  For a dial-up ISP: log-in, CLI at registration (if kept).  For an always-on ISP: unique identifiers, MAC address (if kept), ADSL end points, IP tunnel address.

Telephony Data:  All numbers associated with each call, such as the physical, presentational, and network-assigned CLI, DNI, IMSI, IMEI, and exchange or divert numbers.  The date and time of the start of call, the duration of call or the date and time of end of call.  The type of call if available.  Location data at start and/or end of call, in the form of a latitude and longitude reference.  Cell site data from time cell ceases to be used.  IMSI/MSISDN/IMEI mappings.  For GPRS and 3G, the date and time of the connection, IMSI, IP addresses assigned.  Any mobile data exchanged with foreign operators.  IMSI and MSISDN, sets of GSM triples, sets of 3G quintuples, global titles of equipment communicating with or about the subscriber.  Data on change of location of mobile equipment.  This can be related or unrelated to the communication, or it can be at all times that the apparatus is switched on, based on national requirements.  This might be on a periodic basis.  (Vodafone records this data hourly.)

SMS, EMS and MMS Data:  Calling number and IMEI, called number and IMEI, date and time of sending.  Delivery receipt, if available.  Location data when messages sent and received, in form of a latitude and longitude reference.

Email Data:  Log-on information: authentication username, date and time of log-in and log-off, IP address logged-in from.  Sent email: authentication username, from, to, and CC: email addresses, date and time sent.  Received email: authentication username, from and to email addresses, date and time received.

Spurious Arguments and Human Rights

As you can imagine, the main argument for data retention is that it is necessary to combat terrorism.

It is also argued to be in the interest of national security, public safety and the combat against organized crime.

However, data retention clearly cannot prevent any terrorist attacks.  It is an invasion of privacy and a disproportionate response to the threat of terrorism.

It interferes with human rights which are guaranteed by the European Convention on Human Rights (ECHR) such as Article 8, The Right to Respect for Private Life and Correspondence, and Article 10, Freedom of Expression.

Article 10 of the ECHR guarantees the right to freedom of expression, including the freedom to hold opinions and to receive and impart information and ideas without interference by public authorities.

For Article 10 to afford effective protection, indirect obstructions of freedom of expression must fall within its scope if they typically and clearly hinder the free exchange of opinions and facts.

Data retention has this hindering effect.

First, retaining all traffic data about the population's communications would have a disturbing effect on the free expression of information and ideas as described above.

Second, if the state does not fully compensate the affected telecommunications companies, prices for their services will rise and formerly free services may cease to be offered, thus decreasing the amount of information people can afford to circulate.

Therefore, the directive on data retention interferes with the freedom of expression.

Article 8 of the ECHR guarantees respect for a person's private life and correspondence.

In its jurisprudence, the European Court of Human Rights has repeatedly held that the metering of traffic data without the consent of the subscriber constitutes interference to this respect for private life and correspondence.  Data retention may also be abused by the police to monitor the activities of any group which may come into conflict with the state, including those engaged in legitimate protests.

Moreover, data retention gives the state excessive power to monitor the lives of individual citizens.  And who controls the surveillance?

The directive gives no answer to that important question.  Therefore, the directive on data retention also interferes with the right to respect for private life.

Legal experts also see interference with Protocol 1 of the ECHR, which deals with protection of private property, because the data retention directive is an improper invasion in the rights of the telecommunications companies guaranteed under Protocol 1 if the government does not compensate their costs.

One must not forget that compulsory data retention would impose financial burdens not only on service providers and telephone companies but also on all companies and other organizations which would need to retain records of traffic passing through their switchboards and servers, and that it would thus result in a loss of profits.

And, in the end, consumers will have to pay for this loss.

The German Federal Criminal Office calculated that the rate of solved crimes will only rise by 0.006 percent at best by using retained data.  That implies that the value of data retention for combating crime and the associated arguments remain dubious.

Data Retention in the U.S.

In March 2006, the NSA was accused of approaching three land-line phone companies in the U.S. and collecting traffic data on millions of telephone communications for the purpose of data mining.

Amazon and Google are known to retain extensive data on customer transactions, searches, and other transactions.  By using a National Security Letter (NSL), the FBI and other federal agencies can obtain access to this information.

Use of these NSLs was greatly expanded by the USA PATRIOT Act.  NSLs also allow the FBI to search telephone, email, and financial records without a court order and without any judicial oversight.

Approximately ten weeks after the EU directive on data retention was adopted, the U.S. Department of Justice began asking Internet companies to retain data on the web surfing activities of their customers, so that this data could be subpoenaed through existing laws and procedures (NSL).

The (((DOJ))) may propose legislation to force them to do so.  A coincidence?

Where Will It End?

What is the value of the data retention directive?

It will still be easy for terrorists to avoid having their communications recorded.

It is possible to avoid monitoring by using peer-to-peer technologies like Retroshare and eMule; VPNs; special protocols like H.323/H.245 or SILC; Freenet or other darknets; Internet cafes; anonymous proxies; anonymous prepaid GSM/UTMS-cards; or several other methods.

That means that the people most affected by the directive are the particularly decent citizens of the EU.  At best, data retention may assist the police in finding culprits after an attack has already taken place.

But the cost is that the presumption of innocence is ended.  The risks of being blackmailed and of industrial espionage from abroad will enormously rise.

Member states retain the flexibility to go substantially further than the Directive mandates.

Subject to notification to the Commission, they may require data to be held for longer than the two year maximum set by the Directive and they maintain the freedom to require retention of additional data beyond that specified by the Directive.  Germany has indicated that it seeks to make retained data admissible in certain civil copyright cases.

The Danish government has drafted a bill proposing to require that ISPs log the source, time and destination of every single Internet data packet, rather than just the details of logins and logouts to the ISP that the directive actually seems to require.

In the U.K., logging web activities has meanwhile become the custom.  Proxy server logs, giving the date and time of each web site visit, the IP address used, and the URLs visited, are now customarily retained for four days.

The German government already drafted a bill handling the shared use of the retained data with 52 foreign states, including the U.S. and Russia.

Wolfgang Schäuble, German Minister of the Interior, has proposed plans for an "online-search" of local hard disks by authorities using Trojans which would authorize the state to hack its own citizens.  Has the time of civil rights come to an end?

Sources

The article excerpts and summarizes some parts of the following sources.

Sources in English:

Special thanks to ILF, Dirk Weil, and Niamh Murphy.
Return to $2600 Index