Wednesday 17 November 2010

Shhh – don’t mention the Commission’s data retention conference

So little notice was taken of an obscure European Commission conference on communications data retention, held back in July 2009, that the Commission is going to hold another one. This event is to be held in just a couple of weeks’ time, although I bet that hardly anyone will be aware either that it is being arranged, or of how the items for discussion actually affect them.

The first session was attended by some 140 participants and speakers made up of representatives from law enforcement authorities, industry, civil society, regulators, academics and other examples of the usual suspects. The participant list makes great reading, as it reveals the names and contact details of some extremely interesting people, including someone from the Hungarian Special Service for National Security, and someone from the Romanian Intelligence Service. I hope these spooks weren’t using their real contact details. If they were, they might want to ask for them to be deleted before anyone reads about it.

The presentations were of the predictable sort.

A representative from KPN, the Dutch telecommunications company, commented that KPN was struggling with implementation. The Data Retention Directive was aimed essentially at telephony but has been “copied” to the internet.

A Swedish privacy activist commented that there was a great deal of controversy surrounding the Data Retention Directive when it was discussed by the European Parliament and some MEPs expressed “indignation, anger and frustration” at the way in which negotiations had been carried out between the chairmen of the big political groups and the UK presidency of the EU at the time. This activist could have been referring to Charles Clarke who, at the time, was the British Home Secretary, and would therefore have chaired the relevant meetings of the Council of Ministers.

A representative for a Belgian internet service provider commented that there is uncertainty about implementation requirements, with a lack of harmonisation across the EU for pan-European operators. Implementation guidelines are needed to help providers implement interoperable vendor solutions. The lack of technical guidance with regard to response times, the format for delivering data to LEAs, the retention obligations with regard to transit and third party providers, centralised storage, internet telephony services and unsuccessful calls, to mention a few issues, results in diverging implementations across Member States. Also, providers' systems were built to be business-grade rather than forensic-grade, designed to retain data for billing, and making them suitable for Law Enforcement Authority investigations requires significant adaptation and expense.

Nothing new here.

And now, there is to be another conference, and many of the issues under consideration look quite significant. They include questions such as:
• The purpose of data retention, and whether the retained information ought to be available for investigations into issues other than serious crime. What types of less serious crime, or frivolous crime – or non-criminal acts – ought this information to be available for?
• Should the rules be extended to include web browsing, as well as electronic communications? [And whether there is much point in extending the rules if users are going to spend over half their digital lives browsing on Facebook (or Google), which may not be affected by these retention rules if they can successfully argue that they are not a Communications Service Provider. All the internet service providers will be able to record is that the user has gone to Facebook (or Google). Not what they've done once they've got there.]
• Should the retention periods be tweaked?
• Should the range of authorities able to access this information be changed?
• How should Member States deal with requests from law enforcement agencies from other Member States?
• Should there be changes to the cost recovery rules?
• Should there be more rules to guarantee the security of these systems?

All of this is pretty heavy going for a day’s conference. And quite relevant too, I suppose, if we are to take as gospel the Home Office’s business plan, which I blogged about last Monday, which contained a commitment to complete work on its plans to develop and publish proposals for the storage and acquisition of internet and e-mail records by the end of December, in order that it can start to implement the key proposals between January 2011 and the next General Election.

Perhaps, at some stage, in the new spirit of transparency which is spreading through all aspects of Government, the Home Office will consult widely on what its position ought to be on the issues that will be discussed on 3 December in Brussels. Or, perhaps it may embark on what it might call a “targeted consultation exercise” with the usual suspects, just to make sure it is going to be able to deliver on any commitments (or comments) it makes.

But then again, perhaps the Home Office won’t consult at all. It may not even turn up.

Let’s see if it does any of these.