September 26, 2005

Briefing for members of the European Parliament on data retention

Privacy International have put together an excellent open letter to all members of the European Parliament, addressing the current proposals on communications traffic data retention. It begins:

Dear Members of the European Parliament,

We would like to take this opportunity to address you regarding the current proposals on communications data retention. As you are well aware, both the Council and the Commission have put forward proposals on data retention. It now appears that the policy is finally shifting to the first pillar away from the third. This does not mean that the policy has improved. Despite many edits over the last two years, both the Council and the Commission proposals continue to be invasive, illegal, illusory and illegitimate.

These proposals continue to require the collection and logging of every telecommunication transaction of every individual within modern European society. Almost all human conduct in an information society generates traffic data. Therefore traffic data can be used to piece together a detailed picture of human conduct.[1] Under the various proposals, this data will be kept for between six months and four years.

There are clear challenges for these proposals with respect to the European Convention on Human Rights, the European Charter on Fundamental Rights and national constitutions. The case still has not been made that retention is necessary in a democratic society.[2] The claimed need for harmonisation is premature at best and challenges democratic process.

The letter, which is well worth reading, has been endorsed by:

  • Association Electronique Libre, Belgium
  • BBA Switzerland
  • Bits of Freedom, the Netherlands
  • Chaos Computer Club, Germany
  • Computer Professionals for Social Responsibility - ES, Spain
  • Digital Rights, Denmark
  • EFFi, Finland
  • Forum InformatikerInnen für Frieden und gesellschaftliche Verantwortung, Germany
  • Foundation for Information Policy Research, UK
  • GreenNet, UK
  • ISOC-Bulgaria
  • Open Rights Group, UK
  • Privacyblog.net, Slovenia
  • Netzwerk Neue Medien, Germany
  • quintessenz.org, Austria
  • Stand.org.uk, UK
  • Statewatch, UK
  • Stop1984, Germany
  • Swiss Internet User Group, Switzerland
  • VIBE!AT, Austria

September 24, 2005

Baroness Sarah Ludford MEP: No justification for data retention

On her website, Baroness Sarah Ludford MEP worries that there has been no serious cost-benefit analysis of the UK's data retention proposals for Europe, and calls on other MEPs to question the necessity for such 'sloppy' legislation:

"[S]torage of everyone's phone, email and website use is costly as well as a massive invasion of privacy and increase in state surveillance, so the threshold for justification is a high one."

"I am still worried by the absence of a serious cost-benefit analysis. Assertions are made about the need to keep records for a considerable time, but the evidence is thin. No decent rebuttal has been delivered of the case for a short retention time plus specific 'freezing orders' for communications records of suspects."

"Since we will have the leverage to do so now, MEPs must probe the real necessity for invasive measures. Whilst EU-wide cooperation is crucial to stop terrorism and organised crime, Member States should first end cross-border turf wars and actually implement cooperative arrangements they've signed up to."

September 21, 2005

ORGnews Issue 1

OPENRIGHTSGROUPOPENRIGHTSGROUPOPENRIGHTSGROUPDOATYKITESOUPOPENRIGHTS
ooo First Beta Edition - Do Not Use On Children or The Elderly ooo

o Boring Administrivia
o URGENT DATA RETENTION ACTION NEEDED BY THURSDAY 2005-09-22
o Free Culture UK - Grassroots Action for The Public Domain
o Open GeoData Campaign Gets a Monkey

PLEDGE NOW STANDS AT: 865 FOUNDING MEMBERS

http://www.pledgebank.com/rights

>>> Boring Administrivia
You're receiving this mail because you joined the Digital Rights Pledge http://www.pledgebank.com/rights/ at some point, and we thought you'd like to know what was going on.

Dull technicalities such as arranging a bank account, free office space, a budget and grant applications continue apace. After several press enquiries addressed to "your digital rights thing", a name was chosen: the OPEN RIGHTS GROUP. Acclaimed as "okay", it served its principal purpose, which was to delay incorporation while the Secretary of State personally checks whether we are, technically, a "group": a special term, it turns out, in company law. No, we're not joking.

Those wanting an ongoing update on this fascinating stuff (and to help out) can watch Suw Charman's ORG proto-blog at:
http://www.openrightsgroup.org/

Explanation of what ORG will do:
http://www.guardian.co.uk/online/story/0,3605,1537039,00.html

But these things are not important. What is, is this:

>>> Urgent Data Retention ACTION NEEDED BY THURSDAY 2005-09-22
You don't need us to tell you that the mandatory retention of data about every EU citizen's calls, mobile phone movements, and internet usage would be a bad thing (if you do, check http://www.edri.org/docs/lettertoUKpres.pdf for a joint letter from EDRi and Privacy International to the Council of Ministers on the problems with data retention).

But it's happening anyway: the EU Commission just published their proposal to do just that:
http://www.statewatch.org/news/2005/sep/com-data-retention-prop.pdf

And there's a live streaming press conference with Commissioner for Justice, Freedom and Security Franco Frattini on the 'retention of data and the radicalisation and recruitment of terrorists' today (Wednesday 21 Sept) at 12.15pm.
http://europa.eu.int/comm/ebs/schedule.cfm

One of the key EU institutions considering their position on this proposal is the ARTICLE 29 WORKING GROUP: that's all of the Information Commissioners (data protection registrars) in the EU, acting as one.

Word has it that many of the Article 29 Working Group want to fight data retention.

But the UK Information Commissioner says he can't join the fight because he doesn't feel that he can publicly stand against the UK government's recent paper "Liberty and Security: Striking the Right Balance".
http://www.edri.org/docs/UKpresidencypaper.pdf

Short summary: it has a CCTV picture of the London Bombers on the front page. Says civil liberties are nice and all but, woo, terrorism.

Longer summary (from the excellent Privacy International coverage):
http://www.privacyinternational.org/article.shtml?cmd[347]=x-347-346410

EDRi has produced a short analysis of the paper, which finds that none of the examples used by the UK government would justify their data retention proposals:
http://www.edri.org/node/view/679

The latest draft of the EU's data retention plans has already excised the Article 29 working group from overseeing what sort of data gets retained.

The group want to fight, but the UK commissioner is reticent.

You can get them fighting back. Tell your Info Commissioner to stand up for your rights.

IF YOU HAVE TWO MINUTES:

Visit http://www.dataretentionisnosolution.com and sign European Digital Rights (EDRi)'s Europe-wide petition. EDRi is working hard at the EU level to alert politicians to the issues with data retention; the petition helps it demonstrate the size of the constituency it represents and will help boost Article 29's confidence.

IF YOU HAVE TWENTY MINUTES:

The UK Information Commissioner doesn't answer to the government: he answers to Parliament, and from them, to you. His mission (should he choose to accept it) includes: "protecting your personal information".

For that he doesn't need the government's backing: he needs yours.

1. Write to your MP, and tell him or her that you want the UK Information Commissioner to speak in the EU on your behalf against data retention. Use http://www.writetothem.com/

2. When you're done, copy and paste your message to the Commissioner's office email at: mail@ico.gsi.gov.uk If you like, cc: us at suw.charman+ico@gmail.com.

(You may want to check http://www.openrightsgroup.org/ before you send that second mail. We want the information commissioner to know we support him, but don't want to spam him to death. If he complains, we'll put up a sign.)

3. Forward this mail. Feel free to cut out everything but this plea. But make sure you include the expiry date: THURSDAY 2005-09-22.

Here's some points you could mention in your letter to your MP:

* Ask your MP to tell the Information Commissioner to speak for you, not the British government. Your right to have your personal data protected will outlast the current incumbents and must be assured by the appropriate legislation.

* The Commissioner has previously commented on both the expense of and lack of need for data retention. Ask your MP to ask that he fully and thoroughly investigate any data retention plans before rolling them out across Europe. Try not to mention "45 minute claims": it makes MPs uncomfortable and sweaty.

* The "Liberty and Security" paper published by the government actually only asks for "internet logins and logouts". The EU proposal also demands the To: and From: of emails. Tell your MP that even if the Commissioner is beholden to the government's stance, he should agree to no more than the minimum amount of data requested.

Be polite; be persuasive: we want him on our side.

But most of all, be prompt. The Article 29 Working Group meets Thursday and Friday of this week.

We'll let you know how you get on. Remember, 850 people have your back.

>>> Free Culture UK - Grassroots Action for the Public Domain
Free Culture UK is a grassroots organisation that campaigns for key creative freedoms: a vibrant public domain, open formats, and free licenses. On October 1st, they're meeting up for their first Congress to set their agenda for the next year. If you're near London, you should pop along. If you're not, FC-UK has local groups in Birmingham, Brighton, Deptford, Exeter, Leeds and Reading - and can advise you on how to start your own.

http://www.freeculture.org.uk/wiki/MeetingMinutes/2005-Congress

>>> Open GeoData Campaign Gets a Monkey
Itching to chuck a fiver before the Open Rights Group pledge matures? The Pledge to support open access to state-collected geospatial data matured last week. They're collecting names to make sure that when you get tax-funded maps, you *really* get them: free for use and redistribution. And they're not sitting on their backsides waiting either: the OPENSTREETMAP project is creating a body of free data collected from geohackers all over the world. The pledge should earn them 500UKP, but a few more fivers wouldn't go amiss:

See what they've done: http://openstreetmap.org/
Find out why they're doing it: http://okfn.org/geo/manifesto.php
Paypal fivers or offers of help to: steve@fractalus.com

OPENRIGHTSGROUPOPENRIGHTSGROUPOPENRIGHTSGROUPSOUPYCAKEWAXGROUP

Are you doing something that defends or extends digital rights? Want more people to know about it? Worried about an issue that no-one has spotted yet? Mail suw.charman@gmail.com with your details. It's our job to tout you to the skies.

Groups mentioned:

http://privacyinternational.org/ - 15 years fighting for privacy
http://www.edri.org/about/sponsoring - 21 orgs, 14 countries
http://openstreetmap.org/ - the free wiki world map
http://www.freeculture.org.uk/ - grassroots for an open culture
http://www.openrightsgroup.org/ - because your rights are reserved

September 16, 2005

The Register: Phone cos and rights activists round on Clarke

I was so caught up in the conference I was at last Friday that I entirely failed to notice that we were in The Register, on data retention. As were ETNOA:

The European Telecommunications Network Operators' Association (ETNOA) called on UK Home Secretary Charles Clarke and his fellow ministers to engage in fuller discussions with industry.

Michael Bartholomew, a spokesman for the organisation, said the case for the compulsory retention of communications data had not been proven, and argued that tracking data for unsuccessful calls would be extraordinarily expensive, with operators having to make system changes costing in the region of £108m each.

"We think this is a rather unsophisticated approach to a complex problem," he told The Guardian.

Good to see other people getting vocal about it too.

September 08, 2005

Clarke fails to understand his own data retention proposal

Charles Clarke manages to misunderstand his own EU data retention proposal and thinks we have too many rights anyway.

From Sky News:

[Charles Clarke] told Euro MPs at the parliament in Strasbourg: "Of course criminals and terrorists use modern technology - the internet and mobile communications - to plan and carry out their activities.

"We can only effectively contest them if we know what they are communicating. Without that knowledge we are fighting them with both hands tied behind our backs."

The data retention draft framework would require telecos and ISPs to retain traffic data - data about where you were when you made a call, and who you called, for example - not the actual phone call itself. Even if this legislation makes it on to the EU books, Clarke still won't be able to listen to your mobile phone conversations, although I suspect he'd really like to.

As for human rights, well, Clarke seems to think we don't really need them:

He stressed that a rethink of the [European] Convention [on Human Rights] - which prevents terror suspects being deported to countries where they may face persecution - will be central to the EU's response to the bombings.

He also made a dig at the reluctance of Euro MPs to agree access to information technology used by terrorists because of fears of breaching human rights.

He warned: "This European Parliament, as well as national parliaments, needs to face up to the fact that the legal framework within which we currently operate makes the collection and use of this intelligence very difficult, and in some cases impossible."

The legal framework which protects citizens from undue harassment, invasion of privacy and loss of free speech? That framework? I rather liked it, myself.

The BBC, meanwhile, tells us that according to the Home Office, data retention won't really cost all that much, honest guv:

A Home Office dossier published on Wednesday - entitled Liberty and Security: Striking the Right Balance - hits back at industry fears the cost of retention would be excessive.

It says that a government-funded project by a mobile phone company to keep data for 12 months had cost £875,999 (1,291m euros).

I'd like to see independent and comprehensive studies completed for a number of telecos and ISPs before I believed that this isn't going to put smaller ISPs out of business and increase our phone bills.

August 25, 2005

BBC Radio 5 interview now up online

The interview I did with Kevin Anderson for BBC Radio 5 Pods and Blogs show is now up online, for a limited time only. It will likely be replaced some time around Monday 29 Aug-ish, when the next show goes out, at which point I'll post/podcast the MP3 of my 10 minute segment.

The nice thing about blogging this, though, is that I can correct a slip of my tongue. I said that 1.6 billion AOL customer records were stolen, but in fact it was 1.6 billion Acxiom customer records. I have no idea why Acxiom morphed into AOL in my head, but at least I can clarify that here.

UPDATE: My section is now online as an mp3 and in Ogg Vorbis format (thanks JG).

(Originally posted on Chocolate and Vodka.)

August 21, 2005

BBC Radio Five (not quite so live)

Have to pop over to BBC TV Centre tomorrow to record an interview about this digital rights group that I'm helping set up, and data retention. The interview will be aired overnight, during the Blog and Podcast Hour. When I get more details, I'll let you know, but I'm guessing it'll be easier to listen after the event via their streaming than to stay up all night wondering what time it's on.

(Originally posted on Chocolate and Vodka.)

August 16, 2005

Data retention in 15 words

40,000 terabytes of useless, illegal communications traffic surveillance data, paid for by you, the surveilled.

(Originally posted on Chocolate and Vodka.)

Data Retention in the EU - Your Digital Rights at Risk

OK, so here's the data retention story, which I'm going to try to write without recourse to (too much of) the EU jargon that seems to choke these sorts of things. Some is inevitable, and I apologise for that in advance.

This is the deal. The UK, France, Ireland and Sweden are trying to push a directive on data retention through into EU legislation which would force all member countries to compel all telecommunications and internet service providers to save information about the use of their services by us, the public (document 8958/2004). They say that this is for 'the purpose of prevention, investigation, detection and prosecution of crime and criminal offences including terrorism', but whilst it would have far-reaching consequences, the benefits appear to be non-existent.

As Heinz Kiefer, president of the European Confederation of Police, pointed out: "The result would be that a vast effort is made with little more effect on criminals and terrorists than to slightly irritate them." (1)

The data to be saved and retained would include what is called 'traffic data', which is things like your geographical location when you make a call or switch your phone on, the telephone number you called, the duration of your call, and your user data. (Note that your phone service provider has to know where your phone is so that it can direct calls to it. Every time you move from one mobile mast cell to another, your move would be recorded.)

They wouldn't actually save the call itself, so they wouldn't know what you said, but they'd know who you spoke to, where you were when you made the call or had your phone switched on, and how long you spoke for. SMS traffic data would also be saved.

Internet communications would be similarly logged, with the IP addresses of all sites you visited being recorded, along with your MAC address (which identifies the computer you are using), username, email addresses and a logfile of every sent and received email. Quite how they are going to record your MAC address, given that it goes no further than your home router, I'm not sure, but it's in the list of data they want.

All this data would be kept for a minimum of six months or one year, depending on data type, and a maximum of 36 months.

If that doesn't immediately send chills down your spine, then it should. In short, the government will be keeping track of all your conversations and communications, and the cost of that spying is going to show up on your phone bill. But worse will be the damage to your civil and human rights. The lack of any meaningful checks and balances in the system means that there's a high risk of abuse not just from the government, but potentially from the private sector too. And the benefits from all this will be negligible at best, illusory at worst.

Who would want this data and why?
So who would be able to access this data? Well, any surveilling authority deemed 'competent' by its government in any country could request access to your data. In the UK, the list of 'competent' bodies (2a, 2b) is long and comprises central and local government departments, namely:

  • The Department for Environment, Food and Rural Affairs
  • The Department of Health
  • The Home Office
  • The Department for Transport, Local Government and the Regions
  • The Department for Work and Pensions
  • The Department of Enterprise, Trade and Investment for Northern Ireland
  • Any local authority within the meaning of section 1 of the Local Government Act 1999
  • Any fire authority as defined in the Local Government (Best Value) Performance Indicators Order 2000
  • The Scottish Drug Enforcement Agency
  • The Scottish Environment Protection Agency
  • The Civil Nuclear Constabulary
  • A Universal Service Provider within the meaning of the Postal Services Act 2000
  • A council constituted under section 2 of the Local Government etc. (Scotland) Act 1994
  • A district council within the meaning of the Local Government Act (Northern Ireland) 1972
  • The Common Services Agency of the Scottish Health Service
  • The Northern Ireland Central Services Agency for the Health and Social Services
  • The Environment Agency
  • The Financial Services Authority
  • The Food Standards Agency
  • The Health and Safety Executive
  • The Information Commissioner
  • The Office of Fair Trading
  • The Postal Services Commission
  • The Independent Police Complaints Commission
  • The Office of Communications
  • The force comprising the special constables appointed under section 79 of the Harbours, Docks and Piers Clauses Act 1847 on the nomination of the Dover Harbour Board
  • The force comprising the constables appointed under article 3 of the Mersey Docks and Harbour (Police) Order 1975 on the nomination of the Mersey Docks and Harbour Company
  • The Office of the Police Ombudsman for Northern Ireland

It is, as you can see, quite a long list, and questions have to be asked as to why some of these bodies would need to access your communications traffic data. Why on earth could the Postal Services Commission need to know where you were at any given time? What relevance does your internet usage have to the Financial Services Authority?

Here are some of the reasons (3) that these bodies might be able to use to justify snooping through your data:

  • in the interests of national security
  • for the purpose of preventing or detecting crime or of preventing disorder
  • in the interests of the economic well-being of the United Kingdom
  • in the interests of public safety
  • for the purpose of protecting public health
  • for the purpose of assessing or collecting any tax, duty, levy or other imposition, contribution or charge payable to a government department
  • for the purpose, in an emergency, of preventing death or injury or any damage to a person’s physical or mental health, or of mitigating any injury or damage to a person’s physical or mental health

OK, national security and crime prevention and detection are to be expected, but 'economic well-being of the United Kingdom'? I can smell the potential abuse from here, and that's before considering that the tax man can examine this data as well. Slip a train ticket that wasn't actually yours into your expenses? Well, the tax man can check to make sure you were really where you said you were.

Practicalities
The practical ramifications of forcing telecoms companies and ISPs to retain this volume of data for between one and three years are huge. According to a report by Alexander Nuno Alvaro (4), this would produce 20,000 - 40,000 terabytes of data, at today's traffic levels. That's 20 - 40 million gigabytes, enough to fill 5 - 10 million DVDs. (Note: Alvaro is unclear whether that's over a year, or longer.)

All that data would require storage, and the volume of data produced can only increase as broadband usage increases, as it inevitably will. Telecoms companies and ISPs will be forced to create new storage systems; to change and expand their in-house processes and resources for secure data archiving; and find capacity for processing and analysing the data to answer security authorities' enquiries.

This is going to cost millions of Euros. Alvaro estimates that each traditional telecoms firm would have to invest €180m a year, with operating costs of €50m. The costs for ISPs would be far higher.

The new directive suggests that the government will pay a subsidy to ISPs, something which was previously suggested in 2002. Then, Web Host Industry News (5) reported that the cost of the UK government's eventually abandoned Anti-Terrorism, Crime and Security Act would 'far exceed' the £20 million estimated by the government. AOL estimated that it would cost them £30 million alone, with similar running costs - it's not hard to do the maths to see that figures for the whole industry would come in at sky high levels.

You can guess who would eventually pay for all this. You. Whether in the form of more expensive phone and internet services, or through your taxes. And the chances are that many small ISPs wouldn't even survive the implementation of the directive, thus killing competition and leaving only the biggest ISPs to divvy up the market.

Usefulness
There is, to date, no evidence that such a huge data retention scheme would prove useful. To quote Alvaro again:

"Given the volume of data to be retained, particularly Internet data, it is unlikely that an appropriate analysis of the data will be at all possible.

"[...] one search using existing technology, without additional investment, would take 50 to 100 years. The rapid availability of the data required seems, therefore, to be in doubt."

In short, even if they could gather all this data, and even if that data was useful data, they don't have the capacity to search it.

Data mining remains a concept that seems like a good idea, but turns out to be at best highly difficult, and at worst impossible to actually implement. The problems with data mining and analysis remain unaddressed in the current draft proposal.

There are further questions over how the data retained could be verified. How can you check such a huge amount of data, and against what?

Equally, the directive fails to take into account circumvention of these data retention plans by the use of proxies, voice over internet protocol (VoIP), encryption, or service providers based outside of the European Union and therefore not subject to European law. Criminals would find it relatively easy to avoid having their data harvested and stored, thus rendering the entire directive pointless. Everyone would be tracked, except for the criminals.

Alvaro again:

"Individuals involved in organised crime and terrorism will easily find a way to prevent their data from being traced. Possible ways of doing so include using 'front men' to buy telephone cards or switching between mobile phones from foreign providers, using public telephones, changing the IP or e-mail address when using an e-mail service or simply using Internet service providers outside Europe not subject to data retention obligations."

Furthermore, EDRI (European Digital Rights) discusses a report published by the Dutch Erasmus University (6) about the 'usefulness and necessity of data retention for law enforcement purposes', the 'first public research in Europe into the actual use by law enforcement of historical traffic data'.

"The researchers looked at 65 police investigations that were provided by the Dutch ministry of justice as good examples of the usefulness for traffic data for law enforcement. They conclude 'in virtually all cases' the police could get all the traffic data they needed, based on average availability of telephony traffic data of 3 months. The researchers also warn they can't qualify the usefulness of these data as direct or indirect evidence, or the representativeness of the sample of cases for law enforcement in general."

In other words, the level of data retention demanded by this proposal is beyond that which is actually required for effective police investigations.

Yet the researchers who wrote this report still recommend data retention. In fact, their recommendations are harsher than those contained within the UK's directive, but are based on 'talks with several anonymous police representatives', and thus amount to no more than a 'police wishlist'.

There is no provision within the directive for any research to be carried out, prior to the directive being forced through parliament, to assess the impact of such legislation on the telecoms and ISP industries, the practicalities of implementation, or the necessity for such measures.

Legality
The measures being proposed are not only disproportionate, they may also be illegal. The first way that they might be illegal is to do with the way that the European Union is governed.

The government of the European Union is split into three areas, called Pillars (7). The First Pillar is the European Community pillar and it deals with economic, social and environmental policies. The Second Pillar is the Common Foreign and Security Policy pillar, which deals with issues around foreign policy and the military. The Third Pillar is the Police and Judicial Co-Operation in Criminal Matters pillar, previously called the Justice and Home Affairs pillar.

Directives that come under the First Pillar get treated differently to those which come under the Third Pillar. Without wanting to get too deeply into this, what the UK is trying to do is to rush the directive through under the Third Pillar because by doing so they can circumvent the checks and balances that would apply under the First Pillar, thus denying the European Parliament any proper say on the directive.

This tactic is actually illegal. EDRI reports that the European Parliament will take the Justice and Home Affairs Council (which deals with stuff in the Third Pillar) to court if they try to get this directive passed through the Third Pillar.

The position that this whole imperative is illegal is backed by the European Parliament's Committee on Legal Affairs and the European Commission's Legal Service, and discussed in more detail in Alvaro's report.

Despite this, Home Secretary Charles Clarke is determined that this directive should be pushed through under the Third Pillar during the UK's Presidency of the European Council, which ends 31 December 2005.

Human rights
The second way that this directive may be illegal is that it may contravene the European Convention on Human Rights, which states that any such measures for the monitoring and storage of data must:

  • be laid down by law
  • be necessary in a democratic society
  • serve one of the legitimate purposes specified in the Convention

It seems pretty clear that this directive can't fulfil these three basic criteria and so is incompatible with European human rights law. Any move to indiscriminately collect data violates the right to the presumption of innocence, not to mention privacy, and would dismiss the controls already provided by the existing Privacy and Data Communications Directive.

Unanswered questions
I've seen no discussion on data verification or security, both of which will add to the expense of data storage by the telecos and ISPs.

I've seen no discussion over accessibility - who should actually be allowed to use this data? What checks and balances will be put in place to ensure that the data is not misused? In the UK, it seems that there will be very little done to ensure that abuse is prevented.

Why should you care?
It's very easy with issues like this to glance over the story and wonder why you should care. You're innocent, you've got nothing to hide, so why should you bother about whether or not the government knows stuff about you?

1. The cost. Whether this project is funded by the EU or the telecos/ISPs, you will pay for it, through either taxes or increased costs of phone calls and internet access. The costs are likely to be vast, and that money's got to come from somewhere. That where is your pocket. You will end up paying for being put under surveillance.

2. Your rights will be abused. Your civil and human rights are going to take a flogging if this directive goes through. Your right to privacy, to a private life and private correspondence, your freedom of expression and association, the presumption of innocence. All these basic rights are under assault and if we don't protect them, we'll find ourselves in the sort of society our forebears fought to protect us from.

3. Your data - and innocence - will be at risk. There are no data protection provisions in this directive. Thus we cannot assume that the only people who will search this data will be those law enforcement officials with a real, demonstrable need (if such a thing exists).

Because of the lack of detail over who will be deemed 'competent' to access it, we have to assume the worst and that any government agency will, quite legally, be able to find a way into the database and that they will be able to abuse it. By this data's very existence, we lower the bar to suspicion, and turn everyone into a potential criminal.

4. Technology spreads. Just as soon as the technology required for this sort of data harvesting, retention and analysis - technology which currently does not exist - has been created, it will find its way into the hands of the private sector and, quite possibly, criminals.

We've already seen that national police databases are open to abuse, with at least one case of a police officer running unauthorised checks on behalf of a foreign embassy official (8).

The insurance industry has in the past been accused of raising premiums for anyone who has had a gene test regardless of the result, and has been put under a moratorium (9) on using gene tests when assessing insurance applications. Imagine what they could do if they had access to your web browser history and could see which health-related sites you visited.

5. This directive will not significantly help the security and intelligence agencies, or the police, to combat crime or terrorism. There exist already plenty of powers for the monitoring of telecommunications by known or suspected criminals or terrorists. All this directive will do will be to create a massive data dump which won't provide any value to the authorities. From Statewatch (10), Tony Bunyan, Statewatch editor, comments:

"After the dreadful terrorist attacks in London on 7 July 2005 it is absolutely right for the intelligence and security agencies concerned with finding the perpetrators to have all the necessary powers.

"If this proposal was limited to tackling terrorism that would be one thing but it is not. It will put everyone in the EU under surveillance, be used to tackle crime in general and potentially could be used for social and political control. The agencies already have the powers to place suspects under surveillance and this will add little to the existing intelligence - it will simply build a bigger 'haystack' from which to find the same number of needles.

"It is understandable that governments want to respond to the tragedy but to put in place a system that: makes everyone in the EU a 'suspect', which is potentially open to misuse and abuse, and which has no data protection provisions at all would seriously undermine the democracy that is being defended."

6. Escalation. The initial push for this directive came from the United States. On 16 October 2001, President Bush requested that the EU relax its data protection directives which stood as an exemplar for the rest of the world. In 2002, the EU passed the Privacy and Electronic Communications Directive (2002/58/EC), which allowed member states to compel the retention of personal information data, but only when explicit legislation had been passed, and only when it was necessary, appropriate, and proportionate in a democratic society. Only Italy and Ireland chose to do so.

The United States, however, has held back from introducing such legislation, but if this new directive is passed in the EU, it will have all the ammunition it needs to propose equally strong, or stronger, legislation at home. As, indeed, will any other country wishing to go down this route.

We can then assume that should the issue come up again for discussion in the EU, precedents will have been set and future amendments or new directives will only become more and more draconian.

So what can you do?
Well, you can sign the EDRI petition, and you can email or fax your MP or MEP and tell them that you oppose the directive. And you can blog about it. We need to get this issue out into the light so that more people - individuals, journalists, and MPs alike - become more aware of the travesty that Charles Clarke is trying to perpetrate.

It only takes an objection from one of the 25 member states to stop this. It's imperative that we act in order to secure that objection.

We have until 12 October 2005 - that's just eight weeks - to kick up enough of a fuss that the Justice and Home Affairs Council reject the Framework Decision (which would later turn into the Directive) at their meeting. However, their informal meeting, at which arms will be twisted and brains washed, is scheduled for 8/9 September, which is less than four weeks away.

If you want to support a campaign against data retention, amongst other issues, don't forget to sign our pledge so that we can get going.

__________________

Footnotes:

(1) EDRI: Europarl protests against UK push for EU data retention
http://www.edri.org/edrigram/number3.14/retention

(2) Lists of competent bodies
http://www.opsi.gov.uk/si/si2003/20033172.htm
http://www.opsi.gov.uk/si/si2005/20051083.htm

(3) Reasons for examining the data
http://www.opsi.gov.uk/acts/acts2000/00023--c.htm#22

(4) Alexander Nuno Alvaro's draft report
http://www.europarl.eu.int/meetdocs/2004_2009/documents/DT/553/553885/553885en.pdf

(5) Web Host Industry News: Data Retention Costs Too High, Say ISPs
http://www.thewhir.com/marketwatch/isp121602.cfm

(6) EDRI: Dutch study fails to prove usefulness and necessity data retention
http://www.edri.org/edrigram/number3.13/retention

(7) Wikipedia entry on the Three Pillars of the European Union
http://en.wikipedia.org/wiki/Three_pillars_of_the_European_Union

(8) BBC: Officer on misconduct charge
http://news.bbc.co.uk/2/hi/uk_news/england/london/3073753.stm

(9) The Wellcome Trust. Loading the dice: Genes and the insurance industry
http://www.wellcome.ac.uk/en/genome/geneticsandsociety/hg14f002.html

(10) Statewatch: Call for mandatory data retention of all telecommunications
http://www.statewatch.org/news/2005/jul/05eu-data-retention.htm


Further links:

New EU Commission proposal data retention (20.07.2005)
http://www.edri.org/docs/EUcommissiondataretentionjuly2005.pdf

Last UK prepared version of the JHA working document on data retention (29.06.2005)
http://www.edri.org/docs/Data-retention-council-draft-29062005.pdf

EDRI: New EU Commission proposal data retention
http://www.edri.org/edrigram/number3.15/commission

FIPR: Surveillance and Security
http://www.fipr.org/surveillance.html

Data Retention is no Solution Wiki
http://wiki.dataretentionisnosolution.com:81/index.php/Main_Page

Write To Them
http://www.writetothem.com/

Fax Your MP
http://www.faxyourmp.com/

Thanks to Danny O'Brien and Ian Brown for ongoing discussions, clarifications and pointers. (Jeeze, I don't think I've ever done thankyous at the end of a blog post before!)

Originally posted at Chocolate and Vodka.


August 14, 2005

Grokking data retention

I can't quite believe that it's 1.30am and I'm sitting here reading up on data retention and the new directive/framework being proposed by the UK for Europe. It's really ugly stuff, and I'll blog more on it once I've got my head round it.

What amazes me - in a way, although also not - is that one can go through life quite unaware of the crap that goes on. Quite blissfully unaware. Then you start to think a bit harder about what's happening, and it's like picking the scab off a wound, only to find out that it's deeper and more badly infected than you had originally thought. Suddenly, you not only feel compelled to pick off the rest of the scab, but you also start to have visions of scalpels and maggots.

I've had an interest in digital rights for a while now, but with the birth of our new digital rights organisation, I am doing much more research into what's going on in the UK and Europe, and it's not pretty. Our civil rights are being eroded away from under our noses, and yet there's hardly a mention of it in the press. Everyone has learnt to call people who download music 'pirates', even though the real pirates are the ones that run their own pressing plants in Asia and produce millions of fake CDs and DVDs. But only a tiny minority of people are aware that our right to privacy, to freedom of expression and association, our civil and human rights, are being attacked by the very people who should be protecting them.

We're working pretty hard at the moment, in between such minor things as earning a living, to get our digital rights organisation into a position where we can launch when the pledge matures, and the more I look at what's going on the more eager I become to start taking action, to do something about the abuses visited upon our rights by our government, by the European Union, and by big business. Just let me at 'em.

Originally posted on Chocolate and Vodka.
