Friday, December 16, 2005

EU data retention law passed

Well, they did it. The European Parliament yesterday passed the law (voted 378-197, with 30 abstentions) which requires internet service providers (ISPs) and mobile phone operators to retain data such as "incoming and outgoing phone numbers, the duration of phone calls, IP addresses, which identify a computer's coordinates on the internet, login and logoff times and email activity details - but not the actual content of communications." (from SMH). The retention period is a minimum of 6 months and a maximum of 2 years. Poland wanted data to be stored for 15 years! There will be "effective, proportionate and dissuasive" penal sanctions for companies who fail to store the data or misuse the retained information.

This will be tough for many smaller ISPs, as the costs of storing such large amounts of data are high. I cannot conceive how mobile phone operators with huge customer bases are going to manage it. Even a single day of phone activity in Sweden (a low-population EU nation) is enormous. These costs may be passed on to customers, as the EU authorities have said they are not footing the bill for this:

"ISPA (Internet Service Providers' Association) cites estimates from one large UK-based ISP that it would cost £26m a year to set up data retention kit on its systems and £9m a year in running costs to service law enforcement requests." (from The Register)

So it looks like the users of the technologies involved will be paying for the surveillance. It does seem like the music business has been delayed in gaining access to the data, as they wanted to use it to prosecute file sharing:

"Only the competent authorities determined by Member States should have access to the retained data from phone or internet providers. Furthermore, each national government will designate an independent authority responsible for monitoring the use of the data."

It does, however, raise questions regarding the commodification of information. Having just spent time at a data mining workshop, I am coming to realize the value of "raw information" and how large quantities of demographic data can have great potential for modeling of correlations, patterns and trends. Would the EU authorities be prepared to ignore the fact that they have access to an enormous resource in the data retention system they have just created?

Finally, with national borders becoming increasingly transparent, how effective will these laws actually be in monitoring communication traffic for those targeted ("the terrorists"):

"In a statement, the EU's electronic communications industry said it regretted the move and lamented that it did not take into account the Internet world and its global nature. "This directive will impose a significant burden on European e-communications industry, impacting on its competitiveness," said five major European telecommunications organizations in a statement. "However only a fraction of the email services used today would be covered by the EU directive as the world largest email providers are not in Europe, allowing criminals to easily circumvent the rules," they said." (discwrite)

On our local TV news last night Hans Wallberg said (in Swedish) that it is private people who are not committing any crime who will be most affected by data retention. Anyone who is serious about committing crime can easily circumvent these new controls, but the average communication technology user would not bother. Once these vast bodies of data have been created, they will need to be secured themselves, as they provide a valuable resource for such things as industrial espionage, marketing demographics, and multinational business concerns. Not to mention any sort of oppressive state authorities that may come in the future.
