WTB16
(This is the Data retention legislation transcription, tape 16. It is part of Transcribing the Rehash videos, aka What The Book.)
2005-07-28
Maurice Wessling (MW)
Sjoera Nas (SN)
Greg Newby (GN)
[16/00:04]
GN: I apologize for the delay in getting started here, it was completely my fault. I only have one computer, and I promised that it would be in two places at the same time. Does anyone have a computer like that? I could use one.
Our one o'clock talk is Maurice. He is going to talk about data retention.
[16/01:25]
MW: Ok, hello. We are a little bit late, because we had to find a computer. I will try to go as quickly as possible, so that we stay in the time that is set for this presentation.
My name is Maurice Wessling. I am very happy to be here. I am very honored to have the opportunity to talk in the start of the program, just after the keynote, and I hope I can tell you something important and something interesting. And maybe we even have some time for a small discussion, but I think we are a little bit tight on the schedule.
I am going to talk about data retention, and especially the data retention plans that are at the moment floating around in Europe.
First of all I will explain a little bit about what the data retention plans are about, some of the milestones, important events that came up in the last two years around the whole data retention discussion in Europe. I will tell you a little bit about how you could campaign against data retention, some ideas from my experience, and later on my colleague Sjoera Nas will tell you something about what you can do right now.
So first: Something about my background. I work for Bits of Freedom. Bits of Freedom is a Dutch civil rights movement, in the Netherlands. Based in Amsterdam. Founded almost five years ago. We campaign for privacy, freedom of speech, all kinds of rights in the digital world. We have different activities. We have a bi-weekly newsletter about major developments in the Netherlands in the policy area. We give out big brother awards every year. Same like many of our fellow digital rights organisations in Europe do. Big brother awards is a prize for governments or persons that do evil things in privacy, and we have lots to choose from every year.
Bits of Freedom is also involved in an organisation called European Digital Rights. European Digital Rights was founded in 2002, Bits of Freedom was one of the founding members. It is a not for profit organisation in Brussels. Currently we have 17 digital civil rights organisations, from 11 countries, that are members. The purpose of European Digital Rights is to help campaign specifically in Brussels. Aimed at the European institutions there: The Council, The Commission, The European Parliament. The whole idea came up after a lot of small groups in Europe realized that they didn't have the resources, to actually go to Brussels and have a presence there. So European Digital Rights is a way of combining all of those organisations, and try and do it together. European Digital Rights also has a bi-weekly newsletter in English, which focuses on important policy developments in Europe and especially in Brussels.
There is a European mandatory data retention plan. Or actually, there are several plans. And to make it more complicated, those proposals actually compete with each other. The proposals also change over time. So it's difficult to talk of a plan, it's a whole process of different European institutions and national governments, trying to push their agenda on data retention.
In essence data retention proposals are about an obligation for providers of public communication services and networks, to store the data of their customers. That is the most simple way to explain it. Of all their customers, so we are not talking about certain types of customers, we are not talking about suspects in a crime, we are not talking about potential terrorists, we are talking about everybody. And if you talk about the European plan you talk about 450 million people, because that's the amount of people that live in the European Union.
The different retention periods in the plan are between 6 months and 4 years. It depends on which plan, old or new, you take. It is going up and down all the time. It covers both traditional telephones, fixed and mobile, and it covers all kinds of Internet services and Internet networks.
In all proposals, the list that governments and the EU want to retain is not fixed, it's fluent. So it is a proposal with an initial list of data they want to see retained, but that list can easily be updated or expanded. So we never know where we are 2 years after the data retention plan is enforced. It will change, and change means expansion, so the list will only get longer, it will not get shorter.
Just some history, to put this into perspective. Because some people might think that data retention plans are new, or some people might think that they are only a reaction to terrorist attacks. Well, they are not. The first plans, which were actually lists of data that law enforcement officers would like to see retained and would like to have access to. The first plans were already made up in 2001 in May, well before the 11th of September. And it is interesting to look at that list, because it extensively talks about a balanced approach, really beautiful, and then when you go to the last pages you get a very very greedy list which I will show you an example of.
You will see this in most of the proposals: It starts with sweet music. A balanced approach. A consistent, clear and transparent process. Continual consultations. Legitimate purposes in line with privacy principles. These are the first pages of every plan, and you can skip them, you can go to the essentials. And the essentials are for example in this plan: Give us everything. This is about web, HTTP. They want everything, they want even the full part of the GET request. So they want to see actually which page you looked at. I think it is funny, they even want the response codes. So they even want to know if you were actually able to see the page, or that the server said it was unavailable, or the server was busy. So they even want to know if you actually got an opportunity to see it.
An important milestone in the discussion about data retention was in 2002: It was the E-privacy directive. The E-privacy directive is European law, made by the European Commission, approved by the European Parliament. And E-privacy was a framework for privacy in telecommunications. It is about what service providers are allowed to do with the data of their customers. It is about spam. This is actually the directive which holds the spam-ban in Europe. It is from this directive. And the important thing is that in this E-privacy directive there was a part that said that service providers should destroy or anonymize traffic data of their customers, after the business purpose of the data was fulfilled. So if they as a provider, for their business purpose, were actually finished with the data. When they had sent the bills, when everything was done. They were obliged to destroy it. It was a quite strict privacy rule.
The interesting thing is that governments wanted a back door in the directive. They wanted to drill a hole that would make it possible to have data retention in the future, because in principle the directive forbade it. It said: Destroy it if you don't need it, and there is no exception for law enforcement. And then there was a very interesting trade-off with spam. Because when the discussion in the European Parliament about spam, the discussion of opt-in versus opt-out was done, there was not immediately a clear majority for opt-in. And in the end there was an interesting trade-off between different political groups in the parliament, where one group said: I will give you opt-in for spam, you give me a hole in the directive which enables data retention in the future. And they did it like that. So every time you are happy that spam is forbidden in Europe, you should think that it was actually done that way, so that you will get data retention later.
There have been a few proposals in 2002 and 2003, but they never really got off. The real push for these plans came after the attacks in Madrid in March 2004. That gave the political space and the political firepower to really launch a plan for data retention. The first proposal was initiated by the UK, Spain, France and Sweden. And they did this in the council of Europe, which is a gathering of the European ministers of justice. They can make decisions in the field of justice and home affairs. They have to do this on the basis of unanimity between all member states. And the European Parliament has a very small role in that process, they only have an advisory role. So they can say "we don't like it", but nobody has to listen to them. And that is actually what, in the first instance, happened.
So the European ministers of justice started discussing a plan with a retention period of 1 to 4 years. And they wanted not only to have data retained that the telcos need for their business purposes, they wanted to make their own list. A list which would be much broader. So they also wanted to retain data that actually no telco and no Internet provider has any use for to store. And they wanted to do this in two steps: They wanted to have a mandatory data retention for telephones, mobile and fixed, first. And then after one or two years they wanted to update that with data retention for Internet.
There were different reasons for this phased implementation: I think the first of it is pure tactics. There was a very good campaign, I think, from civil rights organisations and Internet providers against data retention. So the whole idea was "let's do it for telephone first, because the telephone companies are not really shouting out very loud, and we'll deal with Internet later". Another reason was that they didn't know yet, what they actually wanted to retain on the Internet. It also served the purpose of giving themselves a little bit more time to make up a solid list.
There has been a lot of criticism of this proposal and one of the critiques is very fundamental and that is that the proposal does not have a legal basis.
[16/15:23]
