Previous Politech message:
http://www.politechbot.com/2005/09/23/european-commission-proposes/

-------- Original Message --------
Subject: Re: [Politech] European Commission proposes ordering Internet providers to store 6 months of data [priv]
Date: Fri, 23 Sep 2005 12:41:57 +0530
From: Suresh Ramasubramanian <suresh@private>
Organization: -ENOENT
To: Declan McCullagh <declan@private>
References: <43339F60.3090107@private>

On Friday 23 September 2005 11:53, Declan McCullagh wrote:
> Those enlightened Europeans! It's wonderful to learn that their approach
> toward protecting privacy -- basically, trust the bureaucrats -- is
> working out so much better than the U.S. model. Perhaps we should adopt
> it as well.
>
> We know this plan must be good for Europeans because the Brussels
> bureaucrat responsible for ensuring "freedom" gave it an enthusiastic
> thumbs-up. What more could you want?

To be fair the original proposal varied from retaining data for 1 to 3 years

6 months is a touch excessive but certainly far better

There is definitely a requirement for data retention in that most
providers have wildly inconsistent policies, and tracing / prosecuting a
spammer, DDoS attacker, virus writer etc may take several weeks. If the
logs have disappeared by then - so has the evidence.

Data retained is stored, and then destroyed unread (except possibly
parsed by scripts checking for signs of spam / DDoS etc - routine
network traffic analysis), and released if and only if a valid subpoena
is issued by law enforcement in that jurisdiction.

[RIAA / MPAA etc letters and takedown notices are different - even if
the site is taken down, personal information about the user would not be
released without a subpoena issued by law enforcement]

> Commission proposes rules on communication data retention which are
> both effective for law enforcement and respectful of rights and
> business interests

The second part is key here

> to the actual content of the communications.
> It also includes a
> provision ensuring that the service or network providers will be
> reimbursed for the demonstrated additional costs they will have. For

This too is extremely key

> Fundamental rights aspects have been carefully weighed in the
> preparation of the proposal, and solid data protection rules will be
> applicable, given that the general and specific data protection
> provisions established under Directives 95/46/EC and 2002/58/EC will

Extremely key. The EU data protection and privacy legislation is
probably the strongest around, and I do wish more countries would adopt it.

> Council since April 2004. However, the Commission proposal is founded
> on a different legal basis (EC Treaty instead of EU Treaty), which
> means that the European Parliament will be fully involved in the
> decision making process.

Again very key. This gives lots more scope for openness and transparency

Speaking from an ISP policy and security enforcement standpoint, it
looks very good indeed.

regards
-suresh

-------- Original Message --------
Subject: Re: [Politech] European Commission proposes ordering Internet providers to store 6 months of data [priv]
Date: Fri, 23 Sep 2005 09:04:47 +0100
From: gus <i.hosein@private>
To: Declan McCullagh <declan@private>
References: <43339F60.3090107@private>

Declan...

Every time you cover data retention you keep on pointing out that it has
something to do with the EU's pro-regulatory approach. It doesn't.*
Already in the U.S. you have financial services firms required to retain
communications content. Canada is talking about freezing content to
analyse spam. Argentina also has comms data retention (though recently
suspended its rule).

The EU just happens to be a place where such policies thrive. But this
has little to do with 'bureaucrats' or 'command and control' forms of
regulation. This is what happens when decisions are made outside of open
democratic processes.
The UK only managed to pass a _voluntary_ regime for retention in its
response to September 11, but the Government is now seeking a
_mandatory_ regime at the EU in order to bring it back home as an EU
obligation. The Irish justice minister admitted that the EU was taking
too long to pass the data retention rules he wanted so he was compelled
to add it in the last stage of debates on a terror bill a few months ago.

In fact, most EU countries don't have data retention rules, in part
because their national Parliaments have opposed it. As a general rule
(and naive, some would say), open debate and consultation leads to
restrictions on government powers. This is why these same countries are
now pursuing these rules at the EU-level. Such decisions can be made
only when hidden away from all the debate, dissenting opinions,
oversight regimes and even media coverage.

It is kind of like state attorney generals seeking a federal rule on
something that they have failed to convince their own state governments
(am shocked!). Or it is like the U.S. Federal Government seeking an
agreement at some international forum that it could not successfully
achieve at home (horror! crypto policy anyone?). Or the Federal
Government compelling states to do something that they don't all want to
do, with little debate (impossible! REAL ID?!).

These are not alien concepts. These are not merely European-bureaucrat
ideas. We're talking about policy laundering.

Keep well...

gus.

* I am being mildly disingenuous. Arguably data retention exists because
ISPs/telcos have a duty to delete information when it is no longer
needed for business purposes, so data retention policy is required to
reverse that duty to delete. But I believe that if these countries
abandoned data protection rules tomorrow their Governments would still
seek data retention policies. The temptation is too great.

-------- Original Message --------
Subject: RE: [Politech] European Commission proposes ordering Internet providers to store 6 months of data [priv]
Date: Fri, 23 Sep 2005 10:10:41 +0100
From: M Grossmann <M.Grossmann@private>
To: Declan McCullagh <declan@private>

Declan,

Congratulations. You've been assimilated.

The nutty Europeans don't trust the bureaucrats. Many EU countries have
strict data privacy and protection laws and limits on police powers,
with the most notable exception being the UK, a.k.a. America Junior.

Law enforcement agencies around the world have long been seeking ways to
obtain as much data as possible. Europe looked at both law enforcement
needs and personal protections and compromised, listing one year as the
data retention time. There is a sunset time specified. Does the PATRIOT
Act have one? Well, it DID, but that's been canned.

In short, Europe has done the following:

* Specified a definite amount of time that records must be held
* Specified the time after which the data may be destroyed
* Promised to reimburse any additional costs of the data retention

Personal information is already protected in Europe. I live in Germany,
where cold-calling and is illegal and the sale or transfer of personal
information about anyone is severely restricted and regulated. My bank
has to ask my permission to pass on any information about me to anyone
else, even other divisions of the same company; your bank sells your
info to anyone and everyone who'll buy it, as will the printer of those
"free" checks they give you.

I never expected cheap sensationalism and a total failure to analyse the
issue from you.

Sincerely,
M W Grossmann

--
Condone? My employer doesn't even know that I HAVE an opinion.


Hi Declan

Please don't attribute to me. Draw your own conclusions on whether US
approach better protects privacy (to date).
===============================================================

See : http://www.out-law.com/Docs/SEC-05-1131.doc pp.14

[In comparison with the situation in the US, it should be noted that
there is a significant difference between the US situation and the
European one – there is no data protection legislation in the US which
obliges communications service providers to delete data once they are no
longer necessary for business purposes. As a consequence, data can be
kept for a longer period by those service providers, making it somewhat
easier for US law enforcement authorities to obtain the necessary data.
US Government representatives have stated, however, that “data
preservation could be much less effective in the European
context”(Footnote 18)

Footnote 18 - Statement US Government on data retention at Article 29
Working Party meeting on data retention, 14 April 2005. These statements
were followed by the observation that “This affirmative obligation to
destroy traffic data may seriously undercut the effectiveness of a data
preservation model because, with European data protection requirements,
much less data will exist when law enforcement requests preservation of
data relating to a specific investigation”.]

And http://www.out-law.com/page-6141

And http://www.out-law.com/Docs/COM-05-438.doc

_______________________________________________
Politech mailing list
Archived at http://www.politechbot.com/
Moderated by Declan McCullagh (http://www.mccullagh.org/)
This archive was generated by hypermail 2.1.3 : Mon Oct 03 2005 - 13:26:11 PDT