Thursday, 15 July 2010

Data retention illegally implemented, EU privacy regulators say

The EU Data Retention Directive 2006/24/EC, which enables governments to force ISPs, mobile network operators and telephone companies to keep certain data about citizens' phone calls and emails etc for later government inspection, has been implemented unlawfully.

So says a report adopted on 13 July 2010 by EU privacy regulators the Article 29 Working Party, with the long name of "Report 01/2010 on the second joint enforcement action: Compliance at national level of Telecom Providers and ISPs with the obligations required from national traffic data retention legislation on the legal basis of articles 6 and 9 of the e-Privacy Directive 2002/58/EC and the Data Retention Directive 2006/24/EC amending the e-Privacy Directive", WP 172.

The report followed an inquiry by the Working Party mainly on security measures and preventing abuse, compliance with storage limit obligations, and types of retained information.

Their investigations showed that the Directive hasn't been implemented in a harmonised way, with significant discrepancies between the member states especially on retention periods - which vary from 6 months to up to 10 years (well beyond the supposed permitted maximum period of 24 months).

Equally important and perhaps more worrying, they found that more data are being retained than the law allows.

The Directive specified a limited list of the data to be kept, all to do with traffic data (not the content of communications but metadata - e.g. who communicated with who when, but not what they said). Further, it explicitly banned retention of data relating to the content of communications.

Yet the inquiry found that some content data was still being retained (and handed over to government authorities):

  • Internet traffic data - several service providers kept URLs of
    websites visited
    , destination IP addresses, full headers of e-mail messages, as well as all recipients of e-mail messages in “CC”-mode at the destination mail server, and even the port number allocated to users by ISPs.
  • Phone traffic data - not just the location of the telephone caller was retained at the start of the call, but also their location was being monitored continuously!

There's a very useful and impressive Annex to the report, with tables showing for each of the EU member states:

  • the implementation status and implementing legislation,
  • exactly what kind of traffic data is retained for fixed phones, mobile phones and internet use (the UK entry is so long it goes beyond the bottom of the cell!)
  • retention period and communication channel towards LEAs i.e. how law enforcement authorities then get their mitts on the retained data (in Bulgaria, but it seems only Bulgaria, a court order is needed first; UK authorities prefer to just login via SSL)
  • security measures taken in respect of the retained data, both logical and physical (in the UK data at rest is not encrypted but hey, access to it is strictly restricted by requiring id/password, so that's all right then)
  • any specific personnel training for traffic data, backup and disaster recovery, data separation and retention abroad.

The EU data protection authorities have urged the European Commission to take account of their findings when deciding whether to repeal or amend the Directive. (The Commission's evaluation of the Directive is expected to be published quite soon, in September 2010. Ian Brown linked to the leaked draft of their review and produced a chart of EU government requests for user data in 2008 based on the draft.)

The Working Party say their report has made clear that the need for the Data Retention Directive still hasn't been shown. (It was rushed through as a claimed essential anti-terrorism measure after the 2004 Madrid bombings and the 2005 London 7/7 bombings.) States don't provide enough or indeed any statistics on how they've used the retained data, making it impossible for data protection authorities to evaluate independently the necessity or even usefulness of data retention, which has cost service providers (and ultimately citizen taxpayers) a fair few bob to implement.

Statistics are vital for the accountability of government authorities, of course, in order to check abuses of state power. For instance, the European Court of Human Rights just a few months ago in the Gillan & Quinton case found the United Kingdom (again) in violation of human rights, in relation to excessively wide stop and search powers under section 44 of the Terrorism Act 2000. They noted that:

…In his Report into the operation of the Act in 2007, Lord Carlile noted that while arrests for other crimes had followed searches under section 44, none of the many thousands of searches had ever related to a terrorism offence; in his 2008 Report Lord Carlile noted that examples of poor and unnecessary use of section 44 abounded, there being evidence of cases where the person stopped was so obviously far from any known terrorism profile that, realistically, there was not the slightest possibility of him/her being a terrorist, and no other feature to justify the stop…

…While the present cases do not concern black applicants or those of Asian origin, the risks of the discriminatory use of the powers against such persons is a very real consideration, as the judgments of Lord Hope, Lord Scott and Lord Brown recognised. The available statistics show that black and Asian persons are disproportionately affected by the powers, although the Independent Reviewer has also noted, in his most recent report, that there has also been a practice of stopping and searching white people purely to produce greater racial balance in the statistics (see paragraphs 43-44 above). There is, furthermore, a risk that such a widely framed power could be misused against demonstrators and protestors in breach of Article 10 and/or 11 of the Convention.

The use of physical stop and search powers may be a different situation from data retention, but that example illustrates very well that if you give authorities (or indeed any human being) excessive powers, they will use them, and probably misuse them for the wrong purposes and the wrong reasons. It's only human nature. The best solution to that problem is, don't give authorities too-wide powers in the first place and cut down broad powers to what's really necessary and proportionate. I'm with those who feel that increasing state surveillance and intrusion into the everyday lives of citizens, the vast majority of whom are law-abiding, is not the right way to fight terrorism or crime, and in some cases may be counter-productive, triggering resentment and anger that may positively tip some people over the edge into crime or terrorrism. The best anti-terrorism measure is fostering a fair, just, free and happy society.

Back to data retention, the Working Party report recommends increased harmonization, more secure data transmission and standardized data handover procedures - and also not allowing states to impose additional data retention obligations on providers, reducing the maximum retention period to a single, shorter term, reconsideration by the Commission of the overall security of traffic data, clarification at member state level of the concept of “serious crime”, and disclosure to all relevant stakeholders of the list of the entities authorised to access retained data.

The new UK government coincidentally recently announced an urgent review of security and counter-terrorism, which will look at things like the very stop and search powers that have been so criticised, and also the use of the Regulation of Investigatory Powers Act 2000 by local authorities and "access to communications data in general". We'll see the full report in autumn 2010; let's hope they cut down the types of data retained and improve security of retained data as well as severely narrow down exactly which authorities are allowed to have access to our communications data. A court order before they're allowed to peek at retained data would be good, but I'm not holding my breath.

PS. Bruce Schneier pointed to an excellent article "Does Surveillance Make Us Morally Better?". And see also a recent academic article Trusting Children: How do surveillance technologies alter a child's experience of trust, risk and responsibility?

©WH. This work is licensed under a Creative Commons Attribution Non-Commercial Share-Alike England 2.0 Licence. Please attribute to WH, Tech and Law, and link to the original blog post page. Moral rights asserted.