Wednesday, July 11, 2007

Data retention: the right balance between privacy and security


Citizens should have a right to privacy online. And governments have an obligation to keep their citizens safe. Finding the right balance between privacy and security is a delicate act. Europe’s recent experience with data retention holds interesting lessons for everyone concerned with this balance.

In the aftermath of the Madrid bombings in 2004, the European Council adopted a Declaration on Combating Terrorism, which for the first time stated the need for rules on the retention of communications traffic data by European service providers. In some European countries, the ability to monitor communications was perceived as a practical priority in helping law enforcement agencies prevent and investigate terrorist acts. In April of 2004, the UK, Sweden, Ireland and France put forward a proposal for a Framework Decision calling for the retention of a wide variety of data for between 12 and 36 months.

However, for some politicians, the idea of adopting wide-ranging measures, requiring providers of telecommunications and Internet services to retain details of calls and electronic communications for periods of time beyond their pure operational needs, was not entirely justified. Indeed, for a while European privacy rights appeared to have the upper hand and the European Union institutions seemed to listen to the objections of the European Parliament’s Committee on Civil Liberties, Justice and Home Affairs.

According to the calculations of this group of European Members of Parliament, if all the traffic data covered by the proposal did indeed have to be stored, the network of a large Internet provider would accumulate up to 40,000 terabytes – the equivalent of four million kilometers’ worth of paper files – or about 10 stacks of files each reaching from Earth to the moon. But others pointed out that even the slowest terrorist would figure out that he could simply avoid his communications being traced by using a non-European service provider. Nonetheless, the political pressure continued, and the European Commission went on to propose a directive on data retention in September 2005.

The rest is history… and now law. Although the European Parliament’s Committee on Civil Liberties, Justice and Home Affairs succeeded in introducing some amendments aimed at softening the effect of the proposal, an unprecedented data retention directive was adopted by the European Council on 15 March 2006. This directive imposes retention obligations between six months and two years in relation to accessible data generated or processed as a consequence of a communication or a communication service.

On paper, the aim behind the directive is simple and proper: to harmonise data retention rules across the EU and to ensure that the necessary information is available for the purpose of the investigation, detection and prosecution of serious crime. Unfortunately, the simplicity pretty much ends there. For a start, using the words “directive” and “harmonisation” in the same sentence is often an oxymoron, especially when a directive is cobbled together as a compromise between conflicting ideological positions.

On a practical level, the likelihood of seeing a consistent implementation of the rules across the EU is effectively zero. The timing of the implementation – due by September 15, 2007 – will certainly vary. 16 of the 27 EU Member States have already declared that they will delay the implementation of data retention of Internet traffic data for an additional period of 18 months, as permitted by the directive. The compulsory retention period for each type of data will also vary from country to country (e.g. Germany has proposed 6 months, the UK 12 months, and the Netherlands 18 months). The interpretation of other key elements, such as “serious crime,” “competent national authorities,” or “electronic communications services” will be different across jurisdictions too.

These uncertainties affect the justification for any privacy intrusions. Is a country more democratic than its neighbour because of its shorter retention period? Or do the citizens of that country face a greater security risk for the same reason? If there is something about the data retention directive that can be called into question, it is its proportionality – not necessarily in terms of financial cost to service providers, but in terms of privacy and anonymity loss. And what will Internet companies do in practice, especially if they operate one data architecture that cannot vary from one country to another: apply the longest retention period, or the shortest, or some “average”?

The data retention directive is of course just part of the picture. Several other initiatives provide additional evidence of the fact that traditional concepts of Internet privacy are in turmoil. One example was a proposal by the German government to complement its anti-terrorism measures by prohibiting the use of anonymous email accounts, by mandating that service providers verify the identity of their account holders.

Thankfully, the German government has recently retracted this proposal. Nonetheless, the idea continues to appeal to many: to make sure that every single e-mail user can be tracked down to an identifiable individual, so that the police can locate the terrorist behind the e-mail with the bomb-making instructions attachment, to take the most blatant possible example. The issue once again is whether this threat to anonymity on the Internet will be effective in making the world a safer place. Or will it do nothing to catch your average technology-savvy terrorist while eroding yet another layer of Internet privacy?

So, against this background, what is Google doing? We have recently announced a new policy to anonymize our search server logs after 18 months (we’re the first in our industry to have taken this step). We’re trying to get the balance right too, between privacy and other goals (like security, fraud prevention, and search improvements). People want to be free as much as they want to be safe. That’s true online too.

7 comments:

Mittal said...

Is it fair to say that "the act of storing data" itself will breach the privacy?

If someone provides right implementation of security and right access restrictions.

e.g. Data is encrypted and keys are stored with a government agency. Court orders are required to get access to the data.

Is it not possible to find right balance between privacy and security?

pr said...

Come on, Google. You can do better than continually recycling the bogus Data Directive argument:

http://blog.wired.com/27bstroke6/2007/07/google-still-us.html

Ronan said...

Peter, nice summary. I'd comment that the political pressure has placed the DRED in the wrong 'channel' or pillar of EU governance, which can lead to constitutional protections being invoked by member states. Note: Ireland and Slovenia rejected the UK proposal to proceed at the council.

Litigation is underway at the Court of Justice by the Irish Government.

Another issue is Judicial power. Member states such as Italy have actually potentially 4 year durations extended by two should a judge decide so.

There is a nice SSRN article on this here: http://papers.ssrn.com/sol3/papers.cfm?abstract_id=998565

I firmly believe that doing the right thing is balancing rights.

Summary: Market for Data storage to increase!

Grym said...

Guess being dishonest isn't "evil" huh?

"Do No Evil (cept lie)"

"There is no United States or E.U. law that requires Google to keep detailed logs of what individuals search for and click on at Google's search engine. It's simply dishonest to continually imply otherwise in order to hide the real political and monetary reasons that Google chooses to hang onto this data."
http://blog.wired.com/27bstroke6/

Tho... it is nice to see SOME Sites point out the liars ;)
