[Politech] "You're wrong!" Replies in defense of European data-retention approach

From: Declan McCullagh (declan@private)
Date: Mon Oct 03 2005 - 12:52:03 PDT

Previous Politech message:

-------- Original Message --------
Subject: Re: [Politech] European Commission proposes ordering Internet 
providers to store 6 months of data [priv]
Date: Fri, 23 Sep 2005 12:41:57 +0530
From: Suresh Ramasubramanian <suresh@private>
Organization: -ENOENT
To: Declan McCullagh <declan@private>
References: <43339F60.3090107@private>

On Friday 23 September 2005 11:53, Declan McCullagh wrote:
> Those enlightened Europeans! It's wonderful to learn that their approach
> toward protecting privacy -- basically, trust the bureaucrats -- is
> working out so much better than the U.S. model. Perhaps we should adopt
> it as well.
> We know this plan must be good for Europeans because the Brussels
> bureaucrat responsible for ensuring "freedom" gave it an enthusiastic
> thumbs-up. What more could you want?

To be fair the original proposal varied from retaining data for 1 to 3 years

6 months is a touch excessive but certainly far better

There is definitely a requirement for data retention in that most providers
have wildly inconsistent policies, and tracing / prosecuting a spammer, 
attacker, virus writer etc may take several weeks.  If the logs have
disappeared by then - so has the evidence.

Data retained is stored, and then destroyed unread (except possibly 
parsed by
scripts checking for signs of spam / DDoS etc - routine network traffic
analysis), and released if and only if a valid subpoena is issued by law
enforcement in that jurisdiction.  [RIAA / MPAA etc letters and takedown
notices are different - even if the site is taken down, personal 
about the user would not be released without a subpoena issued by law

> Commission proposes rules on communication data retention which are
> both effective for law enforcement and respectful of rights and
> business interests

The second part is key here

> to the actual content of the communications. It also includes a
> provision ensuring that the service or network providers will be
> reimbursed for the demonstrated additional costs they will have. For

This too is extremely key

> Fundamental rights aspects have been carefully weighed in the
> preparation of the proposal, and solid data protection rules will be
> applicable, given that the general and specific data protection
> provisions established under Directives 95/46/EC and 2002/58/EC will

Extremely key. The EU data protection and privacy legislation is 
probably the
strongest around, and I do wish more countries would adopt it.

> Council since April 2004. However, the Commission proposal is founded
> on a different legal basis (EC Treaty instead of EU Treaty), which
> means that the European Parliament will be fully involved in the
> decision making process.

Again very key.   This gives lots more scope for openness and transparency

Speaking from an ISP policy and security enforcement standpoint, it 
looks very
good indeed.


-------- Original Message --------
Subject: Re: [Politech] European Commission proposes ordering Internet 
providers to store 6 months of data [priv]
Date: Fri, 23 Sep 2005 09:04:47 +0100
From: gus <i.hosein@private>
To: Declan McCullagh <declan@private>
References: <43339F60.3090107@private>


Every time you cover data retention you keep on pointing out that it
has something to do with the EU's pro-regulatory approach.  It doesn't.*

Already in the U.S. you have financial services firms required to
retain communications content.  Canada is talking about freezing
content to analyse spam.  Argentina also has comms data retention
(though recently suspended its rule).  The EU just happens to be a
place where such policies thrive.

But this has little to do with 'bureaucrats' or 'command and control'
forms of regulation.

This is what happens when decisions are made outside of open
democratic processes.  The UK only managed to pass a _voluntary_
regime for retention in its response to September 11, but the
Government is now seeking a _mandatory_ regime at the EU in order to
bring it back home as an EU obligation.  The Irish justice minister
admitted that the EU was taking too long to pass the data retention
rules he wanted so he was compelled to add it in the last stage of
debates on a terror bill a few months ago.  In fact, most EU
countries don't have data retention rules, in part because their
national Parliaments have opposed it.  As a general rule (and naive,
some would say), open debate and consultation leads to restrictions
on government powers.

This is why these same countries are now pursuing these rules at the
EU-level.  Such decisions can be made only when hidden away from all
the debate, dissenting opinions, oversight regimes and even media coverage.

It is kind of like state attorney generals seeking a federal rule on
something that they have failed to convince their own state
governments (am shocked!).  Or it is like the U.S. Federal Government
seeking an agreement at some international forum that it could not
successfully achieve at home (horror! crypto policy anyone?).  Or the
Federal Government compelling states to do something that they don't
all want to do, with little debate (impossible! REAL ID?!).

These are not alien concepts.  These are not merely
European-bureaucrat ideas. We're talking about policy laundering.

Keep well...


* I am being mildly disingenuous.  Arguably data retention exists
because ISPs/telcos have a duty to delete information when it is no
longer needed for business purposes, so data retention policy is
required to reverse that duty to delete.  But I believe that if these
countries abandoned data protection rules tomorrow their Governments
would still seek data retention policies.  The temptation is too great.

-------- Original Message --------
Subject: RE: [Politech] European Commission proposes ordering Internet 
providers to store 6 months of data [priv]
Date: Fri, 23 Sep 2005 10:10:41 +0100
From: M Grossmann <M.Grossmann@private>
To: Declan McCullagh <declan@private>


Congratulations. You've been assimilated.

The nutty Europeans don't trust the bureaucrats. Many EU countries have 
strict data privacy and protection laws and limits on police powers, wit 
the most notable exception being the UK, a.k.a. America Junior.

Law enforcement agencies around the world have long been seeking ways to 
obtain as much data as possible. Europe looked at both law enforcement 
needs and personal protections and compromised, listing one year as the 
data retention time. There is a sunset time specified. Does the PATRIOT 
Act have one? Well, it DID, but that's been canned.

In short, Europe has done the following:
* Specified a definite amount of time that records must be held
* Specified the time after which the data may be destroyed
* Promised to reimburse any additional costs of the data retention

Personal information is already protected in Europe. I live in Germany, 
where cold-calling and is illegal and the sale or transfer of personal 
information about anyone is severely restricted and regulated. My bank 
has to ask my permission to pass on any information about me to anyone 
else, even other divisions of the same company; your bank sells your 
info to anyone and everyone who'll buy it, as will the printer of those 
"free" checks they give you.

I never expected cheap sensationalism and a total failure to analyse the 
issue from you.

M W Grossmann
Condone? My employer doesn't even know that I HAVE an opinion.

Hi Declan

Please don't attribute to me. Draw your own conclusions on whether US
approach better protects privacy (to date).


See : http://www.out-law.com/Docs/SEC-05-1131.doc

pp.14 [In comparison with the situation in the US, it should be noted that
there is a significant difference between the US situation and the European
one – there is no data protection legislation in the US which obliges
communications service providers to delete data once they are no longer
necessary for business purposes. As a consequence, data can be kept for a
longer period by those service providers, making it somewhat easier for US
law enforcement authorities to obtain the necessary data. US Government
representatives have stated, however, that “data preservation could be much
less effective in the European context”(Footnote 18)

Footnote 18 - Statement US Government on data retention at Article 29
Working Party meeting on data retention, 14 April 2005. These statements
were followed by the observation that “This affirmative obligation to
destroy traffic data may seriously undercut the effectiveness of a data
preservation model because, with European data protection requirements, much
less data will exist when law enforcement requests preservation of data
relating to a specific investigation”.]

And http://www.out-law.com/page-6141
And http://www.out-law.com/Docs/COM-05-438.doc
Politech mailing list
Archived at http://www.politechbot.com/
Moderated by Declan McCullagh (http://www.mccullagh.org/)

This archive was generated by hypermail 2.1.3 : Mon Oct 03 2005 - 13:26:11 PDT