Sunday, 30 October 2011

Communications Data Retention: the public debate resumes

Here we go again. Reports are emerging of politicians seeking to change the current EC data retention regime. What do they want? The retention of more types of records. And who should be doing this retention? Ah, that’s the interesting bit, as some are now proposing that it should be content providers (eg the likes of Google, Yahoo!, Twitter and Facebook) rather than internet service providers (ie the folks whose pipes are simply used to access this content).

Back in 2006, the Data Retention Directive made it a requirement for telecoms companies to retain information about communications records for a period determined by national governments of between six months and two years. Not every EC Member State has yet implemented this Directive – but while there has been talk of the Commission issuing infraction proceedings against the laggards, to be honest with you I have not read a single word of criticism from the relevant law enforcement agencies complaining at their inability to do their job properly because that measure had not yet been implemented in that Member State. Perhaps this means that no-one cares about the lack of enforcement of a retention standard that is pretty irrelevant in those countries. Perhaps, in those countries, their own domestic policing techniques work perfectly well without this retention rule. And if that is the case, then presumably they won’t take much advantage of the newly retained data anyway, as they have not really needed it in the past.

The new rules are designed to recognise reality, which is that people use the internet to browse websites, as well as make communications. And it’s this internet browsing behaviour that some politicians now seek to track.

There could be pretty intensive discussions ahead, and I would expect the usual suspects to gather around the usual tables to develop credible responses to the usual questions.

These questions include, let’s not forget:

If the new rules are really to apply to internet browsing, and people use all manner of different communication service providers to do the browsing, then wouldn’t it be better for the new rules to apply to the provider of the service people are actually using - eg Facebook, Twitter or Google? After all, the whole point of mobile devices, such as iPads and smart phones, is to enable users to log onto their Facebook site from any hotspot or their provider’s mobile cell site. So the hotspot or mobile providers will only ever have just part of the complete picture.

What information should be retained and how helpful will this really be to law enforcers? The current (UK) rules prevent content records from being retained, and these, as far as Parliament is concerned, are records which go past the first slash of an internet address. So, a traffic record is This is not a lot of help to investigators who want to know just what on Facebook a user tried to do. They want more of the web log – but that brings us past the line of what is traffic and what is content.

For how long should these records be retained? All the solution providers are interested in this point, because their public service contracts are drying up so they are ever keener to sell technologies capable of searching huge databases to companies in the private sector.

What else will the private sector companies be allowed to do with the retained information? And who will be making sure that there won’t be any sneaky stuff going on?

How many more criminals is this initiative likely to deter, or even catch? And, how much will this initiative cost? The deterrence, prosecution and cost questions are actually important – not because I want to wade into the “who pays” argument, but because we need to look at the “utility” argument. What I mean is whether the substantial investment that will be required to deliver this initiative might not be better spent in another area of law enforcement. In the UK, police budgets are under severe pressure for the foreseeable future. Could the money be better spent on more fuel, to enable more police cars to drive more miles each week? Or could the money be better spent on more training, to enable more law enforcement investigators to better analyse and react to the information that phone and internet service providers already have? If they can’t cope with what is currently available, is it strictly necessary for them to be drowned by a tsunami of even more stuff?

The biggest question, though, is simply Why bother? On the back of a recent high profile murder trial, resulting in the successful conviction of an individual at Bristol Crown Court, I’ve read press reports that very clearly indicate what internet activity the offender had been engaged in, both in the UK and while they were abroad. Enough records were evidently available to give the investigators a very clear picture of what this person had been up to. So, if that’s the case under the current regime, where is the pressing need to change things?

I do hope someone will state this case quite forcibly.

I can certainly see why Governments in various African and Middle Eastern countries are very keen to know what their citizens are up to when they use Facebook, YouTube or Twitter. And I can understand the lengths the providers are going to in order to protect the identities of their users, to prevent them from unfortunate consequences, or visits from representatives of the national authorities. But as users (and content providers) develop ever more clever encryption techniques to evade these authorities, it won’t be that long before those very same techniques are used in EC Member States too. And whose benefit would that really serve? Probably not the EC law enforcers – nor the EC service providers. No-one really wants to be forced to retain huge amounts of information they can’t access or can’t understand.

Let’s hope that pragmatism will be permitted to prevail – eventually.