Whos Watching?

I write my column Who's Watching? in TCS Daily on 23 August 2005.

The dangers of data retention

Data retention used to be about fighting organised crime, cybercrime, and tax evasion. But since the 9/11 attacks it become a focus of the War on Terror. Sweden, together with France, the UK and Ireland, submitted a far-reaching and costly proposal regarding the mandatory retention of communication data for 3 years. The proposal will reveal who has been calling, faxing, SMS-ing and e-mailing whom, what websites people have visited and even where they were with their mobile phones (although the contents would not be retained). Telephone companies and internet service providers would be ordered to store all traffic data of their customers. Police and intelligence agencies in Europe would have access to it.

Critics have argued that this is a severe infraction of human rights, revoking the Data Protection Directives and the European Convention on Human Rights, since every European would be put under scrutiny whether they are suspected of a crime or not.

Finnish Justice Minister Johannes Koskinen has argued that such a vast and complex system could cost European telephone and internet operators €250 million. Today the operators retain traffic data just as long as needed to figure out their invoices, and then they erase it. The costs would be especially prohibitive for IP-telephony, since it generates far more amounts of traffic data than regular telephony.

This July the European Parliament's rapporteur on the legislation, Alexander Alvaro, wrote a very critical report on the proposal. It calls the legislation disproportionate, questioning the necessity, effectiveness and the high costs involved for industry and telecommunication users. In fact, no research supports the necessity and effectiveness of creating such a large-scale database for the purpose of fighting crime and terrorism. It is often far easier for criminals and terrorists to cover their electronic tracks than for the ordinary citizen.

On July 7 the European Parliament rejected the proposal, but the member nations' justice ministers refused to give up on the framework decision, and agreed instead on implementing the proposal as a multi-lateral national treaty, disregarding the European Parliament, the Commission and several national parliaments that have expressively forbidden their governments to agree on any policy on data retention.

Still, even with the separate member states going forward with the proposal and flouting the will of the European Parliament, there will be considerable problems implementing such laws. Only Ireland and Italy currently have mandatory data retention in place, and only for telephony. In the UK, one of the major proponents of the law, the government has sought only a voluntary retention scheme, negotiated in detail with industry.

Interestingly the proposal does not include any coverage of regular mail correspondence traffic. That is still protected by strict laws to benefit the integrity of the mail sender. Electronic communication is still, at the dawn of the 21st century, not seen as equal to written communication. Legislators should not discriminate against certain types of communication.

Another worrying aspect of the proposal for mandatory retention of communication data is a trend that places more legal burdens on operators. Internet service providers lack the competence to make legal judgments.

So, are there benefits to the proposal? Are there technological gains to be made in fighting crime and terrorism? Are all forms of traffic surveillance a hazard to integrity? One of the main faults of the proposal is its lack of transparency and accountability. As David Brin proposed in his book The Transparent Society the rule of thumb for all infractions of the private sphere is that they should be countered by a higher degree of control over the surveillants. Openness must be demanded from all parties.

Even a repressive society can create strict rules for surveillance- more regulations are often good news for regulators, administrators and surveillants, but not necessarily for the citizen. A society that creates methods for accountability will achieve a better balance between society and the opportunities given by emerging technologies.

This would certainly be a far better way of considering security and integrity issues for the European Council of Ministers when it presents its multi-lateral treaty in October.