OK, so here's the data retention story, which I'm going to try to write without recourse to (too much of) the EU jargon that seems to choke these sorts of things. Some is inevitable, and I apologise for that in advance.

This is the deal. The UK, France, Ireland and Sweden are trying to push a directive on data retention through into EU legislation which would force all member countries to compel all telecommunications and internet service providers to save information about the use of their services by us, the public (document 8958/2004).

They say that this is for 'the purpose of prevention, investigation, detection and prosecution of crime and criminal offences including terrorism', but whilst it would have far-reaching consequences, the benefits appear to be non-existent. As Heinz Kiefer, president of the European Confederation of Police, pointed out: "The result would be that a vast effort is made with little more effect on criminals and terrorists than to slightly irritate them." (1)

The data to be saved and retained would include what is called 'traffic data', which is things like your geographical location when you make a call or switch your phone on, the telephone number you called, the duration of your call, and your user data. (Note that your phone service provider has to know where your phone is so that it can direct calls to it. Every time you move from one mobile mast cell to another, your move would be recorded.) They wouldn't actually save the call itself, so they wouldn't know what you said, but they'd know who you spoke to, where you were when you made the call or had your phone switched on, and how long you spoke for. SMS traffic data would also be saved.

Internet communications would be similarly logged, with the IP addresses of all sites you visited being recorded, along with your MAC address (which identifies the computer you are using), username, email addresses and a logfile of every sent and received email.
Quite how they are going to record your MAC address, given that it goes no further than your home router, I'm not sure, but it's in the list of data they want.

All this data would be kept for a minimum of six months or one year, depending on data type, and a maximum of 36 months.

If that doesn't immediately send chills down your spine, then it should. In short, the government will be keeping track of all your conversations and communications, and the cost of that spying is going to show up on your phone bill. But worse will be the damage to your civil and human rights. The lack of any meaningful checks and balances in the system means that there's a high risk of abuse not just from the government, but potentially from the private sector too. And the benefits from all this will be negligible at best, illusory at worst.

Who would want this data and why?

So who would be able to access this data? Well, any surveilling authority deemed 'competent' by its government in any country could request access to your data. In the UK, the list of 'competent' bodies (2a, 2b) is long and comprises central and local government departments, namely:

"Given the volume of data to be retained, particularly Internet data, it is unlikely that an appropriate analysis of the data will be at all possible.

"[...] one search using existing technology, without additional investment, would take 50 to 100 years. The rapid availability of the data required seems, therefore, to be in doubt."

In short, even if they could gather all this data, and even if that data was useful data, they don't have the capacity to search it. Data mining remains a concept that seems like a good idea, but turns out to be at best highly difficult, and at worst impossible to actually implement. The problems with data mining and analysis remain unaddressed in the current draft proposal.

There are further questions over how the data retained could be verified. How can you check such a huge amount of data, and against what?

Equally, the directive fails to take into account circumvention of these data retention plans by the use of proxies, voice over internet protocol (VoIP), encryption, or service providers based outside of the European Union and therefore not subject to European law. Criminals would find it relatively easy to avoid having their data harvested and stored, thus rendering the entire directive pointless. Everyone would be tracked, except for the criminals. Alvaro again:

"Individuals involved in organised crime and terrorism will easily find a way to prevent their data from being traced. Possible ways of doing so include using 'front men' to buy telephone cards or switching between mobile phones from foreign providers, using public telephones, changing the IP or e-mail address when using an e-mail service or simply using Internet service providers outside Europe not subject to data retention obligations."

Furthermore, EDRI (European Digital Rights) discusses a report published by the Dutch Erasmus University (6) about the 'usefulness and necessity of data retention for law enforcement purposes', the 'first public research in Europe into the actual use by law enforcement of historical traffic data'.

"The researchers looked at 65 police investigations that were provided by the Dutch ministry of justice as good examples of the usefulness for traffic data for law enforcement. They conclude 'in virtually all cases' the police could get all the traffic data they needed, based on average availability of telephony traffic data of 3 months. The researchers also warn they can't qualify the usefulness of these data as direct or indirect evidence, or the representativeness of the sample of cases for law enforcement in general."

In other words, the level of data retention demanded by this proposal is beyond that which is actually required for effective police investigations. Yet the researchers who wrote this report still recommend data retention. In fact, their recommendations are harsher than those contained within the UK's directive, but are based on 'talks with several anonymous police representatives', and thus amount to no more than a 'police wishlist'.

There is no provision within the directive for any research to be carried out, prior to the directive being forced through parliament, to assess the impact of such legislation on the telecoms and ISP industries, the practicalities of implementation, or the necessity for such measures.

Legality

The measures being proposed are not only disproportionate, they may also be illegal. The first way that they might be illegal is to do with the way that the European Union is governed.

The government of the European Union is split into three areas, called Pillars (7). The First Pillar is the European Community pillar and it deals with economic, social and environmental policies. The Second Pillar is the Common Foreign and Security Policy pillar, which deals with issues around foreign policy and the military. The Third Pillar is the Police and Judicial Co-Operation in Criminal Matters pillar, previously called the Justice and Home Affairs pillar.
Directives that come under the First Pillar get treated differently to those which come under the Third Pillar. Without wanting to get too deeply into this, what the UK is trying to do is to rush the directive through under the Third Pillar because by doing so they can circumvent the checks and balances that would apply under the First Pillar, thus denying the European Parliament any proper say on the directive.

This tactic is actually illegal. EDRI reports that the European Parliament will take the Justice and Home Affairs Council (which deals with stuff in the Third Pillar) to court if they try to get this directive passed through the Third Pillar. The position that this whole imperative is illegal is backed by the European Parliament's Committee on Legal Affairs and the European Commission's Legal Service, and discussed in more detail in Alvaro's report.

Despite this, Home Secretary Charles Clarke is determined that this directive should be pushed through under the Third Pillar during the UK's Presidency of the European Council, which ends 31 December 2005.

Human rights

The second way that this directive may be illegal is that it may contravene the European Convention on Human Rights, which states that any such measures for the monitoring and storage of data must:

"After the dreadful terrorist attacks in London on 7 July 2005 it is absolutely right for the intelligence and security agencies concerned with finding the perpetrators to have all the necessary powers.

"If this proposal was limited to tackling terrorism that would be one thing but it is not. It will put everyone in the EU under surveillance, be used to tackle crime in general and potentially could be used for social and political control. The agencies already have the powers to place suspects under surveillance and this will add little to the existing intelligence - it will simply build a bigger 'haystack' from which to find the same number of needles.

"It is understandable that governments want to respond to the tragedy but to put in place a system that: makes everyone in the EU a 'suspect', which is potentially open to misuse and abuse, and which has no data protection provisions at all would seriously undermine the democracy that is being defended."

6. Escalation.

The initial push for this directive came from the United States. On 16 October 2001, President Bush requested that the EU relax its data protection directives which stood as an exemplar for the rest of the world. In 2002, the EU passed the Privacy and Electronic Communications Directive (2002/58/EC), which allowed member states to compel the retention of personal information data, but only when explicit legislation had been passed, and only when it was necessary, appropriate, and proportionate in a democratic society. Only Italy and Ireland chose to do so.

The United States, however, has held back from introducing such legislation, but if this new directive is passed in the EU, it will have all the ammunition it needs to propose equally strong, or stronger, legislation at home. As, indeed, will any other country wishing to go down this route.
We can then assume that should the issue come up again for discussion in the EU, precedents will have been set and future amendments or new directives will only become more and more draconian.

So what can you do?

Well, you can sign the EDRI petition, and you can email or fax your MP or MEP and tell them that you oppose the directive. And you can blog about it. We need to get this issue out into the light so that more people - individuals, journalists, and MPs alike - become more aware of the travesty that Charles Clarke is trying to perpetrate.

It only takes an objection from one of the 25 member states to stop this. It's imperative that we act in order to secure that objection.

We have until 12 October 2005 - that's just eight weeks - to kick up enough of a fuss that the Justice and Home Affairs Council reject the Framework Decision (which would later turn into the Directive) at their meeting. However, their informal meeting, at which arms will be twisted and brains washed, is scheduled for 8/9 September, which is less than four weeks away.

If you want to support a campaign against data retention, amongst other issues, don't forget to sign our pledge so that we can get going.
__________________

Footnotes:

(1) EDRI: Europarl protests against UK push for EU data retention http://www.edri.org/edrigram/number3.14/retention
(2) Lists of competent bodies http://www.opsi.gov.uk/si/si2003/20033172.htm http://www.opsi.gov.uk/si/si2005/20051083.htm
(3) Reasons for examining the data http://www.opsi.gov.uk/acts/acts2000/00023--c.htm#22
(4) Alexander Nuno Alvaro's draft report http://www.europarl.eu.int/meetdocs/2004_2009/documents/DT/553/553885/553885en.pdf
(5) Web Host Industry News: Data Retention Costs Too High, Say ISPs http://www.thewhir.com/marketwatch/isp121602.cfm
(6) EDRI: Dutch study fails to prove usefulness and necessity data retention http://www.edri.org/edrigram/number3.13/retention
(7) Wikipedia entry on the Three Pillars of the European Union http://en.wikipedia.org/wiki/Three_pillars_of_the_European_Union
(8) BBC: Officer on misconduct charge http://news.bbc.co.uk/2/hi/uk_news/england/london/3073753.stm
(9) The Wellcome Trust. Loading the dice: Genes and the insurance industry http://www.wellcome.ac.uk/en/genome/geneticsandsociety/hg14f002.html
(10) Statewatch: Call for mandatory data retention of all telecommunications http://www.statewatch.org/news/2005/jul/05eu-data-retention.htm

Further links:

New EU Commission proposal data retention (20.07.2005) http://www.edri.org/docs/EUcommissiondataretentionjuly2005.pdf
Last UK prepared version of the JHA working document on data retention (29.06.2005) http://www.edri.org/docs/Data-retention-council-draft-29062005.pdf
EDRI: New EU Commission proposal data retention http://www.edri.org/edrigram/number3.15/commission
FIPR: Surveillance and Security http://www.fipr.org/surveillance.html
Data Retention is no Solution Wiki http://wiki.dataretentionisnosolution.com:81/index.php/Main_Page
Write To Them http://www.writetothem.com/
Fax Your MP http://www.faxyourmp.com/

Thanks to Danny O'Brien and Ian Brown for ongoing discussions, clarifications and pointers.
(Jeeze, I don't think I've ever done thankyous at the end of a blog post before!)

Originally posted at Chocolate and Vodka.