FC: Europe weighs recording all phone calls, Net traffic for 7 yrs

From: Declan McCullagh (declanat_private)
Date: Thu May 17 2001 - 07:01:18 PDT


    ---
    News coverage:
    http://www.theregister.co.uk/content/5/19003.html
    The Council of the European Union, which represents the 15 member 
    governments, will discuss implementing a policy originally designed with 
    the FBI six years ago. It calls for the retention of "every phone call, 
    every mobile phone call, every fax, every e-mail, every website's contents, 
    all internet usage, from anywhere, by everyone, to be recorded, archived 
    and be accessible for at least seven years," notes the journal.
    ---
    
    Date: Thu, 17 May 2001 01:48:42 +0100
    To: declanat_private
    From: Tim Dedopulos <timat_private>
    Subject: Any interest -- EU to open 7yrs full data retention to police
    In-Reply-To: <20010515174103.B20430at_private>
    
    Hi Declan.
    
    Is the following Statewatch report of any interest to you for Politech? It 
    basically details European Union plans to (a) mandate the recording and 
    storage of all telecoms data within the EU for seven years and (b) to give 
    law enforcement agencies more or less free access to that data... (quote: 
    "The EU governments are, in effect, to tell the European Commission (and 
    European Parliament) that the demands of the law enforcement agencies take 
    precedence over the privacy and freedoms of people.")
    
    Very worrying for those of us on this side of the pond.
    
    Tim.
    
    ---
    
    
    http://www.statewatch.org/news/2001/may/03Benfopol.htm
    
    investigation, full report: EU-FBI telecommunications surveillance system
    
    EU governments to give law enforcement agencies access to all 
    communications data
    
    
    The new initiative by the EU governments to back the demands of their law 
    enforcement agencies (LEAs) only came to light when Statewatch "acquired" a 
    series of EU documents which it had been refused access to. The documents 
    in question were refused on the grounds that:
    
    "the matter was still under discussion..[and] disclosure of these documents 
    could impede the efficiency of the ongoing deliberations."
    
    The demands of the law enforcement agencies centre on the issue of "data 
    retention", that is the recording and storage of all telecommunications data:
    
    - every phone call, every mobile phone call, every fax, every e-mail, every 
    website's contents, all internet usage, from anywhere, by everyone, to be 
    recorded, archived and be accessible for at least seven years
    
    The move by the EU governments (the Council of the European Union) has been 
    sparked by a draft proposal put forward by the European Commission on "the 
    processing of personal data and the protection of privacy in the electronic 
    communications sector" (COM(2000)385 final, 12.7.00). The proposal would 
    update Directive 97/55/EC but is not "intended to create major changes to 
    the substance of the existing Directive", merely to "update the existing 
    provisions". The proposal thus builds on the principles of the 1997 law and 
    data protection rules established in EU community law.
    
    Also under discussion is a related Communication from the Commission on 
    "Creating a Safer Information Society by improving the security of 
    information infrastructures and combating computer-related crime" 
    (COM(2000)890 final) (see Statewatch, vol 11 no 1). Here the Commission, in 
    line with community law, emphasises that: "interceptions are illegal unless 
    they are authorised by law when necessary in specific cases for limited 
    purposes".
    
    The EU-FBI surveillance plan comes home
    
    The EU adopted the "Requirements" developed by the FBI on 17 January 1995 - 
    the "Requirements" set out demands on network and service providers to 
    provide the law enforcement agencies with both data from intercepted 
    communications and real-time access to transmissions (see Statewatch, vol 7 
    no 1 & 4 and 5; vol 8 no 5 & 6; vol 9 no 6; vol 11 no 1).
    
    In September 1998 the EU's Police Cooperation Working Party proposed that 
    the "Requirements" be extended to cope with internet and satellite phone 
    telecommunications. The initial report (ENFOPOL 98) went through several 
    drafts and ended up as ENFOPOL 19 (15 March 1999) which gathered dust. It 
    transpired that because of the "negative press" surrounding ENFOPOL 98, 
    which coincided with exposures on the ECHELON spying system, there was a 
    lack of "political support" to move forward on the issue (report on the 
    Police Cooperation Working Party meeting on 13-14 October 1999 by the 
    European Commission).
    
    In the spring of 2000 the EU's Police Cooperation Working Party decided 
    that issues previously discussed under the title of "interception of 
    telecommunications" would now be called "advanced technologies". A report 
    by the same working party (ENFOPOL 52, 12 July 2000) spelled out that "an 
    informal inter-pillar link" should be created between their work and that 
    being carried out under the "first pillar" on the "global Information 
    Society". The purpose was to bring to the attention of the 
    Telecommunications Council and the Internal Market Council, working on 
    technical and commercial decisions, the need to: "safeguard the possibility 
    of lawful interception".
    
    On 29 May 2000 the Convention on Mutual Assistance in criminal matters was 
    agreed by EU Justice and Home Affairs Council and is now out for 
    ratification by each of the 15 EU national parliaments. This includes 
    provisions for the interception and exchange of telecommunications data 
    based on specific requests but makes no provision for the retention of data 
    (except in individual, authorised, instances).
    
    This Convention and the work of intergovernmental groups, like ILETS 
    (International Law Enforcement Telecommunications Seminar) and the G8 Sub 
    group on High-Tech Crime, and the adopted 1995 "Requirements" provide the 
    basis for provisions in new national laws on the interception of 
    telecommunications across the EU - for example the UK's Regulation of 
    Investigatory Powers Act (R.I.P. Act) which came into force on 28 July 2000.
    
    All of these new legal powers and demands on the network and services 
    providers under the "Requirements" do not, however, give the law 
    enforcement agencies everything they need as they only cover the exchange 
    and interception of data on the production of an "interception order" (eg: 
    warrants under national laws). None of them provide for the wholesale 
    retention of data and access to it by law enforcement agencies except in 
    specific authorised cases.
    
    EU Data Protection officials come out against data retention
    
    Data Protection Commissioners in the EU and their officials, who attend a 
    multitude of working parties, have long been aware that the "law 
    enforcement agencies" in quasi-secret international fora have been arguing 
    not for data to be retained for 30 days or 90 days (as it is currently for 
    billing purposes) but for much longer - for up to seven years at least. In 
    her annual report for 2000 the UK Data Protection Commissioner, Elizabeth 
    France, said: "The routine long-term preservation of data by ISPs [internet 
    service providers] for law enforcement purposes would be disproportionate 
    general surveillance of communications".
    
    The spring Conference of European Data Protection Commissioners in 
    Stockholm, 6-7 April 2000, issued a declaration on the "Retention of 
    Traffic Data by Internet Service Providers" saying:
    
    "such retention would be an improper invasion of the fundamental rights 
    guaranteed to individuals by Article 8 of the European Convention on Human 
    Rights. Where traffic data are to be retained in specific cases, there must 
    be a demonstrable need, the period of retention must be as short as 
    possible and the practice must be clearly regulated by law."
    
    The meeting of the International Working Group on Data Protection in 
    Telecommunications in Berlin on 13-14 September 2000 adopted a common 
    position on the Council of Europe draft Convention on "cyber-crime" (see 
    Statewatch vol 10 no 6). This said that the storing of "data on all 
    telecommunications and Internet traffic for extended periods" is:
    
    "disproportionate and therefore unacceptable. The Working Party underlines 
    that traffic data are protected by the principle of confidentiality to the 
    same extent as content data (Article 8 of the European Convention on Human 
    Rights)."
    
    The European Commission lent weight to the Data Protection officials' 
    arguments in its draft proposal, put out at the end of last year (and 
    agreed on 26.1.01), on "Creating a Safer Information Society by improving 
    the security of information infrastructures and combating computer-related 
    crime". This says that laws in EU member states have to be in line with 
    community law on data protection and privacy:
    
    "safeguards for the protection of the individual's fundamental rights of 
    privacy, such as limiting the use of interception to investigations of 
    serious crime, requiring that interception in individual investigations 
    should be necessary and proportionate, or ensuring that the individual is 
    informed about the interception as soon as it will no longer hamper the 
    investigation" (p16)
    
    On 22 March 2001 EU Data Protection Working Party also published a strong 
    opinion on the Council of Europe's Draft Convention on cyber-crime. It said 
    that the provision in the draft proposal which does "not oblige signatories 
    to compel providers to retain traffic data of all communications should in 
    no way be revised". The EU has already indicated that it will adopt this 
    Convention.
    
    The Data Protection Commissioners and others in the field have, together, 
    made formidable arguments for maintaining rights and protections put into 
    place in the EU during the 1990s on data protection and privacy.
    
    Law enforcement agencies fight back
    
    In the face of this substantial opposition to the automatic retention and 
    storage of content and traffic data for long periods (for longer than 
    allowed under EU law, around 30 days) the law enforcement agencies needed 
    heavy-weight "political support", denied earlier, from the governments of 
    the EU (the Council).
    
    A far-reaching report sent by the UK National Criminal Intelligence Service 
    (NCIS) to the Home Office on 21 August 2000 set out the demands of the 
    agencies which reflect the conclusions of discussions in international fora 
    in which the UK plays a prominent role, such as in G8 (see Statewatch, vol 
    10 no 6). The report called for the retention of all content and traffic 
    data from all forms of telecommunications (phone-calls, mobile phone-calls, 
    faxes, websites and internet usage) to be recorded and kept for at least 
    seven years. What was of particular note is that this report was presented 
    on behalf of all the UK law enforcement agencies and all the UK's security 
    and intelligence agencies (MI5, MI6 and GCHQ). This suggests that while the 
    primary demand is coming from the former the latter have a major stake too. 
    This report was not in the public domain until December 2000.
    
    Confirmation of a counter-attack by the law enforcement agencies emerging 
    in the EU came in July 2000. As noted earlier, ENFOPOL 52 (12.7.00) from 
    the Working Party on Police Cooperation had called for "an informal 
    inter-pillar link" to be created between their work and that being carried 
    out under the "first pillar" on the "global Information Society". This was 
    the very same day, 12 July 2000, that the Commission put out its proposal 
    on personal data and the protection of privacy (COM(2000)385).
    
    The minutes of the Council's Working Party on Police Cooperation for the 
    meeting on 19/20 July note a lengthy "exchange of views" with the French 
    Presidency on the "relations between the first and third pillars in the 
    field of advanced technologies". It also noted the Commission's proposal 
    and "decided to come back to this item regularly during the next six months".
    
    It was a report from the working party to the Article 36 Committee (senior 
    interior ministry officials from the 15 EU member states) dated 31 October 
    2000 which began to express the need for urgent action. This report 
    (ENFOPOL 71) said six countries - Belgium, Germany, France, Netherlands, 
    Spain and the UK - had "grave misgivings" about the effect of Article 6 
    which effectively states traffic data "must be erased or made anonymous 
    upon completion of the transmission" (emphasis in original). The provision 
    would "render it impossible to trace "historical" data and seriously reduce 
    the investigation services' chances of identifying perpetrators.." The 
    report then tries to justify its demands by reference to: i) the 17 January 
    1995 "Requirements" which do not cover the retention of data 
    indefinitely; ii) the Council of Europe draft Convention on cyber crime 
    which in the latest version excludes general data retention and iii) the 
    Convention on Mutual Assistance in criminal matters where data retention is 
    "implied".
    
    The report concludes by noting that the Commission's proposed measure "is 
    already well advanced" and the Working Party urges the Article 36 Committee to:
    
    "examine these observations so that it may use every available channel to 
    bring this problem to the attention of the authors of the draft Directive 
    concerned."
    
    The minutes of the Article 36 Committee on 6 November 2000 state that the 
    government delegations be asked to contact their colleagues working on 
    "first pillar" working parties to coordinate:
    
    "the first and third pillar work in the field of advanced technologies, 
    notably the telecommunications sector. It should be avoided that first 
    pillar data protection measures hinder unduly third pillar attempts to 
    monitor telecommunications connections."
    
    The Working Party on Police Cooperation updated its report in ENFOPOL 71 
    REV 1 (27.11.00) (see Statewatch, vol 11 no 1). This report states the 
    demands of the law enforcement agencies starkly. While noting that their 
    demands:
    
    "would probably not be considered proportionate, as it would call into 
    question the very aim of the draft Directive"
    
    namely the protection of personal data and privacy, it still goes on to 
    argue that:
    
    "It is impossible for investigation services to know in advance which 
    traffic data will prove useful in a criminal investigation. The only 
    effective national legislative measure would therefore be to prohibit the 
    erasure or anonymity of traffic data."
    
    This report urged the Article 36 Committee to "take into account the 
    serious consequences the Directive would have for criminal investigations, 
    public security and justice."
    
    At a meeting of the Article 36 Committee on 14 December some delegations 
    (representing their governments) "advocated harmonising the period for 
    storing data." The Committee decided to wait and see "how much account" the 
    Commission took of delegations' (government) comments before deciding 
    "whether to alert COREPER and the Council to the issue."
    
    At the Justice and Home Affairs Council on 15 March this year, Commissioner 
    Vitorino reported that at a hearing which took place on 7 March "the 
    central question of the retention of traffic data dominated discussions".
    
    However, it is clear that the Commission was not taking "much account" of 
    the Council's view so that by 30 March the Swedish Presidency felt obliged 
    to draw up draft Council Conclusions on the issue of data retention. The 
    report recommending draft Conclusions on access by the law enforcement 
    agencies to traffic data was discussed at the meeting of the Working Party 
    on Police Cooperation on 6 April. The minutes of this meeting say that it:
    
    "took note of the reservation by the representative of the Commission 
    concerning the procedure followed within the Council"
    
    Clearly the Commission was concerned that the Council was, unusually, 
    considering adopting "Conclusions" which would fundamentally undermine its 
    proposed Directive. The two new reports, dated 30 March (see below) were 
    discussed at the Article 36 Committee meetings on 10 April and 3 May.
    
    The key reports
    
    The first new crucial report is ENFOPOL 29 (30.3.01) which reintroduces the 
    highly criticised new definition of the "Requirements" to be laid on 
    network and service providers in "ENFOPOL 98". It is intended that this 
    report and an accompanying Council Resolution will go through the Justice 
    and Home Affairs Council on 28-29 May.
    
    The report looks at the "operational needs" of the LEAs as applied to the 
    "Requirements" (IURs) adopted on 17 January 1995 (by the EU under "written 
    procedure" and not made public until November 1996). It gives much more 
    detail on their expectations than the bland "Requirements". As such it is 
    an attempt to re-introduce the highly-controversial ENFOPOL 98 (and later 
    drafts) which led to much adverse comment in the media (as a result of 
    which it has been held up since March 1999).
    
    The report looks at: "Applicable services" and makes clear that 
    interception will cover all forms of telecommunications eg: ISDN (e-mail 
    and internet usage), mobile phones and satellite phones. On IUR 
    ("International User Requirement") no.1 it says, like ENFOPOL 98, that the 
    law enforcement agencies expect to have access not just to the call content 
    but also to:
    
    "user addresses, equipment identities, user name/passwords, port 
    identities, mail addresses etc"
    
    plus IP addresses, account numbers, logon ID/passwords, PIN numbers and 
    e-mail addresses. They also want access to the "transmitted" and "received" 
    data and "any telecommunications associated with.. the subject of 
    interception". A redefined "IUR 1.4" states that "associated data", which 
    includes "conference calls, call forwarding, mobile calls, network calls, 
    call back services etc", must also be provided on the intercepted subject. An ominous 
    "NB" says it also includes data "where it has been retained by providers in 
    accordance with the requirements of their national legislation". "IUR 1.5" 
    extends the meaning of "geographical location" to "geographical, physical 
    or logical" location and "IUR 1.3" again refers to "national jurisdictions" 
    in the context of excluding data which is not "within the scope of the 
    interception authorisation", ie: some national laws might allow the 
    inclusion of "excluded" data. "IUR 6" is another direct inclusion of a 
    controversial proposal taken from ENFOPOL 98. It says that the LEAs are to 
    be provided with:
    
    a. full name of the person (company)
    b. the residential address and
    c. credit card details
    
    This report extends the remit for interception to: all forms of 
    telecommunications (including e-mails and internet usage) and requires 
    personal details on the interception subject. It also contains a number of 
    references to "national jurisdictions" where, by implication, powers may be 
    greater than the norm.
    
    Some EU governments see ENFOPOL 29 ("ENFOPOL 98") as simply "technical" 
    changes to the "Requirements". However, they fail to understand that it is 
    precisely the details of how the "Requirements" will be used that signals 
    the enormity of the threat to data protection, individual privacy and 
    fundamental freedoms.
    
    A greater, and complementary, danger is the battle between the Data 
    Protection officials and the law enforcement agencies over the retention of 
    data (content and traffic details) for long periods (seven years or more) 
    and the right of the law enforcement agencies to access this archived data 
    at will for purposes of investigating any crime however minor or for the 
    purpose of intelligence-gathering - so-called "fishing expeditions".
    
    This is the enormous significance of the "Council Conclusions" in ENFOPOL 
    23 (30.3.01). The EU governments are, in effect, to tell the European 
    Commission (and European Parliament) that the demands of the law 
    enforcement agencies take precedence over the privacy and freedoms of 
    people. Council officials will "spin" the usual line that "Conclusions" are 
    not binding, but the timing of the decision and the enormity of its effect 
    will brush this aside.
    
    The draft proposal says that:
    
    1. The obligation for operators to erase and make traffic data anonymous 
    "seriously obstructs" criminal investigations;
    
    2. It is of the "utmost importance" that "access" be "guaranteed" for criminal 
    investigations;
    
    3. It calls on the European Commission to:
    
    a) take "immediate action" to ensure that law enforcement agencies can 
    have access now and "in the future" in order to "investigate crimes where 
    electronic communications systems are or have been used" (emphasis added);
    
    b) the "action" should be "a review of the provisions that oblige operators 
    to erase traffic data or to make them anonymous".
    
    The "Conclusions" say that the Council:
    
    1. "considers it important that the law enforcement authorities be not 
    obstructed or hampered in their efforts to investigate crime, such as 
    dissemination of child pornography or agitation against an ethnic group via 
    the Internet"
    
    This blatantly cynical use of "child pornography" and racism has become a 
    standard justification for the extension of EU surveillance powers not just 
    for these offences - but for all and any offence. These phrases have 
    replaced "organised crime" and "illegal immigration", used for many years 
    in a similar way.
    
    2. "understands that on this issue.. it is important to find a solution 
    that is well founded, proportionate and well-balanced"
    
    It is not possible to "balance" the different interests. There is no need 
    under EU law for commerce to keep data except for very limited periods (eg: 
    30 days to check billing). The existing "Requirements" and most national 
    laws allow for the gathering of data for criminal investigation in specific 
    instances subject to proper authorisation and legal safeguards.
    
    3. "emphasises the opinion of the Council that the obligation for operators 
    to erase and make traffic data anonymous, besides obstructing seriously 
    crime investigations, also can lead to a decreasing confidence in, 
    particularly, the electronic commerce..."
    
    The EU governments fail to understand that it is precisely the erasure of data 
    and anonymity which creates "confidence in electronic commerce" by 
    citizens. A wholesale reversal of this policy as envisaged would indeed 
    create a "crisis of confidence".
    
    4. "invites.. the European Commission to take immediate action with the 
    purpose of ensuring that the law enforcement authorities also in the future 
    will have the opportunity to investigate crimes where electronic 
    communications systems are or have been used.. the action to be taken 
    should comprise a review of the provisions that oblige operators to erase 
    traffic data or to make them anonymous; the object of the action should be 
    to ensure that the purpose of limitations regarding the personal data do 
    not come into conflict with the law enforcement authorities' needs of data 
    for crime investigation purposes."
    
    In effect the Council is telling the European Commission (and the European 
    Parliament) that the proposed Directive on the table has to be changed and 
    that all existing EU data protection and privacy laws have to be reviewed. 
    It is calling for an end to the obligation, under current EU law, of 
    commerce to erase data and to end anonymity and to ensure that law 
    enforcement agencies have the "opportunity" to access all data held.
    
    The next legislative steps
    
    The urgency on the part of the law enforcement agencies is due to the fact 
    that the first proposal they want changed, the Commission's proposed 
    Directive on personal data and privacy in electronic communications, is 
    already before European Parliament committees under the co-decision 
    procedure - Citizens' Freedoms and Rights (lead committee), Environment, 
    Industry and Legal Affairs. These committees are due to put a report to the 
    parliament's plenary session on 3 September. However, the Council is likely 
    to adopt a common position at the Telecommunications Council on 27 June. 
    Co-decision means all three institutions (Commission, Council and European 
    Parliament) have to agree on the new measure. The Council is trying to 
    pre-empt the parliament's opinion by putting forward radical changes on the 
    retention of content and traffic data.
    
    
    --
                       Imagine there were two of you. Which one would win?
    
                                    timat_private
    
    
    
    
    
    -------------------------------------------------------------------------
    POLITECH -- Declan McCullagh's politics and technology mailing list
    You may redistribute this message freely if it remains intact.
    To subscribe, visit http://www.politechbot.com/info/subscribe.html
    This message is archived at http://www.politechbot.com/
    -------------------------------------------------------------------------
    



    This archive was generated by hypermail 2b30 : Thu May 17 2001 - 07:08:24 PDT