Last month, the European Parliament passed far-reaching legislation concerning data retention. Geared toward the telecommunications industry, the new law requires phone companies and ISPs to store information about all customers' phone calls and electronic communications for up to two years. While news of this legislation certainly comes as no surprise — a Parliament committee voted on the measure in late November — I find it interesting that the passing of this law coincided with the US House of Representatives' approval to extend and modify the Patriot Act.
Given the state of the world, there is no question of governments' concern for their citizens, and I won't argue that many malcontents have used the Internet and other forms of telecommunications for their own nefarious needs. However, here's what concerns me: Who decides which activities are illegal, and who's responsible for "policing" these types of activities? I can't help but think that we once again have a situation where lawmakers without sufficient technical understanding have approved legislation that affects the legitimate use of telecommunications far more than its illegal use.
Despite these concerns, however, it's easy to see why governments are passing legislation such as the Patriot Act and the EU data retention directives. Terrorists and international criminal gangs rely heavily on communications, and the Internet and other telecommunications systems are excellent conduits of illegal activity.
Tracking communications and perhaps even eavesdropping are methods that law enforcement groups want to use to identify possible illegal activity — and that's definitely understandable. But it's important to remember that terrorists and criminal gangs have virtually unlimited funds, and they are often far more technically savvy than law enforcement. In addition, criminals typically use communication methods that are unique to their particular group — not only for protection from law enforcement, but for protection from each other as well.
Europe's new data retention laws and the US Patriot Act highlight how out of touch with reality lawmakers in both the United States and Europe really are. Data storage issues aside for the moment, communication logs like the EU's directives call for offer questionable protection from a small group at the expense of both civil liberties and the privacy of the larger group.
But before we start debating privacy vs security, there's a larger issue at hand: these laws simply won't work. How do I know? I've had first-hand experience with this issue already — and more than once.
Over the years, I've had work subpoenaed many times with requests to supply information to US law enforcement. Obviously, such subpoenas compel me to cooperate as best I can — and for free, I might add.
However, usually by the time the subpoena gets to me to request information, things have already changed enough that I don't have the information law enforcement is looking for. It's the computer equivalent of the Heisenberg Uncertainty Principle. Certainly I can and have supplied information — typically only "footprints" of data communication — but I have never been able to offer sufficient evidence to indict anyone for any activity other than using the Internet.
Yes, I have logs of when, where, and what customers are doing on the Internet. But with the current systems the ISP I work for has in use, the best I can do is retain email logs and NetFlow data for approximately one month. The volume of data in question is in the range of hundreds of gigabytes — and it's useless to the majority of law enforcement investigations I have assisted with.
Who will pay for Europe's new data retention directive? Not the European Parliament, that's for sure. Telecommunications companies and ISPs are looking at dramatically increased storage costs in order to comply with the legislation, which is likely to result in many companies shutting their doors or passing those substantially higher bills on to customers.
Meanwhile, all those terrorists and criminals — whose activity is often invisible to the majority of law enforcement anyway — is likely to remain unaffected at the expense of everyone else. For example, a recent episode of Showtime's Sleeper Cell featured a storyline where terrorists used steganography in an eBay image. I can think of many more examples of subtle communications methods that criminals could use that would go undetected despite the EU data retention directives. And if I can think up those approaches, what makes you think the world's terrorists and criminals haven't already?
Talkback
Jonathan's comments ignore several considerations that argue for the value of the data retention provisions. First the requirements will result force providers to effect considerably better identification of their subscribers and improved directory interfaces and services. Second, the stored data is used for all serious crimes - not just terrorist investigations. Third, from a forensic analysis standpoint, there are no alternatives. Fourth, storage is getting very cheap. New HD DVD disks hold close to 100 GB per disk.