Date: 2001-11-30
Inside EU-Cybercrime Hearing
-.-. --.- -.-. --.- -.-. --.- -.-. --.- -.-. --.- -.-. --.-
The EU hearing on "data retention and cybercrime"
from the perspective of a person who took part in it
-.-. --.- -.-. --.- -.-. --.- -.-. --.- -.-. --.- -.-. --.-
During the Commission's Public Hearing on its Communication
"Creating a Safer Information Society by Improving the Security of
Information Infrastructures and Combating Computer-Related
Crime", which took place on March 7 in the same building, it was
announced that the EU would found a Forum similar to the UK
Internet Crime Forum, in which chief police officers, representatives
of the IT industry and - to a lesser degree - data protection officers
are united. The recent event was the first "plenary session" of this
institution, named the "EU Cybercrime Forum". The Commission,
which hosted the event, declared itself to be "in listening mode", which
meant basically there was no way of contradicting the conclusions
presented by DG Internal Market's Susan Binns at the very end. In
the light of recent discussions in the EP, the Council and, more so,
the critical public, it was not surprising that "Retention of Traffic
Data" was chosen as the topic for this first session. After critique
uttered during and following the March meeting that the speaker's
list was unbalanced, giving little speaking time to data protection
officials and almost none to privacy advocates, the Commission
took great care to present something more balanced this time.
Still, the industry was a bit over-represented, making up about half
of the participants, with police and data protection sharing the rest
to more or less equal parts. Most interventions should be posted
within a few weeks on the forum's web page, which is for some
reason provisionally housed at http://cybercrime-forum.jrc.it . The
morning was dedicated to keynote speeches and chaired by
Robert Verrue, Director General of the Commission's DG
Information Society (DG INFSO) and his colleague Adrian
Fortescue of the DG Internal Market (DG INT). Keynote speeches
were given by MEP Charlotte Cederschiöld (Conservative, Sweden),
Commissioner Erkki Liikanen, by three industry people, namely
Michel Bartholomew of ETNO (Telecommunication Operators
Association), Alain Hocquet of France Telecom and Joe McNamee
of EuroISPA (Internet Providers). They were followed by John
Abbott, who spoke on behalf of the National Criminal Intelligence
Service of the UK, Jozef Brink from the German Ministry of Justice
and Alexander Datijn from the Netherlands Ministry - two more law
enforcement guys -, David Smith from the Office of the UK
Information Commissioner, and MEP Marco Cappato of the Italian
Radicals. A speech that was to be delivered at that time by Simon
Davies of Privacy International could not take place because, as it
seems, Simon was denied access to his plane at Heathrow airport.
Morris Wessling of Bits for Freedom, who volunteered to substitute
for him, felt unable to prepare a 10-15 minute keynote speech within
a few hours and in the middle of the plenary, and limited himself to
a five-minute contribution in the afternoon. Mrs. Cederschiöld, who
was the rapporteur on the Commission's Cybercrime
Communication and as such pretty pro-surveillance, gave what she
certainly considered a "well-balanced" presentation: "Any law
enforcement measures must be well defined and foreseeable, and
take place within a clear legal framework*necessary and
proportionate", and so on. She even went on to say that the 911
attacks "must not lead to a carte blanche for retention and
interception as this would facilitate abuse of stored data, thereby
hamper consumer confidence in electronic communications and
services, and decrease security, while at the same time increase
costs for all actors". Now you might think this could only lead you
to a decidedly anti-retention position. Not so. Mrs. Cederschiöld
went on to say that technical standards must be co-ordinated
internationally, and that the financial load of interception must be
borne by the State. Ambiguous, to say the very least. I won't spend
a lot of words on Commissioner Liikanen's contribution, because it
was a) an abbreviated version of the discussion paper published by
the Commission a few weeks ago (which can be found as well on the
forum's web page as on DG INFSO's Web page) and because b) it was
what you would have expected: Main focus E-Commerce, question of
consumer trust, eEurope action plan, blahblah. Bartholomew of ETNO
said the two key issues for Telecom operators were the lack of
harmonised rules and the costs caused by interception. I think those
who call for harmonised retention instructions and would even be
ready to pay the price for it listened very well. Probably not so
any more when Bartholomew said retention had to be on a case-by-case
basis and clear time limitations had to apply. Hocquet of France
Telecom said his firm had established "retention centres", mainly
for billing purposes, only in the mid-nineties, while retention had
been technically possible even ten years before that. He also gave
some interesting figures: France Telecom houses some 33 million
phone lines, and 25.000 requests for retained data reach their
offices each month - he did not comment if they came from the Police
only or from secret services as well. The high figure might explain
why, as Hocquet said, the 1997 directive on data protection in
electronic communication still has not been implemented in France.
What passed a lot quicker, though, is the new Loi de la Sécurité
interne, which provides for 12 months data retention since October
15. McNamee of EuroISPA felt an urge to explain retention could also
protect privacy, e.g. Anti-Spam Hotlists run by providers could be
operative only if a communication could be traced back to its
author. He went on to explain that there were 4 kinds of data, each
one more intrusive than the preceding one: Subscriber data, Access
data (including calling line ID), traffic data and contents data. It
was pretty obvious he did not consider subscriber data really
sensitive at all, while he wanted to safeguard contents data. He
failed to comment on the merging of traffic data, contents data and
location data in upcoming mobile services, which was a point raised
later on by a number of technically qualified privacy advocates.
McNamee suggested somehow codifying the current practice under which
the police are already supplied with data retained for billing
purposes, and reimbursing providers for any added costs. Next came
another one of the UK Police's super weapons (after Chief
Superintendent Keith Akerman, the Chairman of the UK Internet Crime
Forum, who was the star at the March 7 Meeting): John Abbott,
C.B.E., QPM, B.A. (Hons) (whatever all of this means) and Director
General of the National Criminal Intelligence Service. It showed he
had passed not only one rhetorics course, and he had passed it well.
What he wanted was pretty easy to discern: As big as possible a
proportion of data - traffic data, no content data, as he pointed
out - to be stored for as long as possible. He spoke a lot in
examples, and one of those was of a case that was solved five years
later, allegedly with the help of retained traffic data. He
commented at great length on how the world had changed and how
electronic communications had made it possible to commit a crime
without leaving any evidence to be used by the police. Therefore it
was necessary to create a new kind of evidence, even for the fight
against non-hi-tech crimes. This kind of evidence was going to
become as important in the 21st century as fingerprints were in the
20th. To this, someone replied later that the difference was you
didn't have your fingerprints taken at every step you made, even in
the 20th century. Brink is the German justice ministry's official
responsible for international cooperation in criminal matters and at
the same time delegate to the G 8 Hi-tech crime unit. He asked for
"all connection data" to be retained "in collaboration with the
industry". He does not seem to believe retention will be stipulated
by law: At least he considered it important that "as many providers
as possible" should retain and also help analyse data on a voluntary
basis. He said Germany had no binding policy on the matter yet, but
he himself had never agreed with the proposal for compulsory
deletion. He demanded the following kinds of data: Headers, dial-in
logs, assigned IP addresses, Host Addresses and Caller ID with SMS.
Datijn agreed and warned the Data Protection in Electronic
communications Directive as drafted by the EP and the Commission
would break up the hitherto "parallel interests" of telecom
providers and law enforcement. David Smith was the next one to
speak, on behalf of the UK Information Officer (Data Protection
Authority). Although he did not seem to be too eloquent, his
presentation, based mainly on the European Charter of Human Rights
and Data protection legislation in effect within the EU, left a good
impression and was quoted several times in the final Statement by
the Commission. Smith called for a limitation of data retention to
specific cases - which he would not see as problematic - but is
opposed to blanket retention. He wanted a set of questions answered:
"What is the case for retention? What data is (going to be)
retained? How useful would this data be to whom? What has changed as
compared to the times of analog telephony, when there simply were no
logs to access? What is the management cost of such a system? Who
stores the data? And what about different
retention periods in different EU States?" That kind of questions
showed, I think, that Smith is prepared to withdraw and criticise
retention immanently. The last speaker of the morning was
Cappato, the EP data protection Rapporteur. He sounded less
radical than his amendment to Article 15 might have led one to believe,
focussing mainly on the need for uniform regulations in the EU. But
he is of course strongly opposed to any kind of blanket retention. I
won't go into detail regarding the speakers in the afternoon, who
had only five minutes for their presentations each (though some of
them stretched this period to its double) and represented the above-
mentioned mix, both for that reason and because there were no new
arguments, either from the industry or from the law protection
side, that had not been heard in the morning. There were some
rather technicist suggestions, e.g. to encrypt logs using a double
key, one half of which would be with data protection authorities, the
other either with industry or law enforcement, but those were not
really important. Morris Wessling, standing in for Simon Davies, drew
a scenario of growing technical skills of users leading to more
consumer awareness and to a loss of trust in electronic
communications (which I myself would not consider a bad thing).
He opposed the artificial distinction between traffic data and
contents data, which he illustrated with an example from future
mobile Internet communications. His call to apply data protection
rules concerning contents data also to traffic data obviously wasn't
shared by the majority of the audience. The next privacy advocate
was Angelika Jennen from the office of Germany's
Bundesbeauftragter für den Datenschutz (National DP officer). She
also pointed to the fact that, as a greater and greater proportion of
our life becomes entangled with electronic communication,
connection data may be used to draw up personality profiles, while
location data might lead to movement profiles. Blanket data
retention, she said, was also in contradiction to the principle of
proportionality. There were several other Data Protection officials
who used more or less the same arguments: Diana Alonso Blas
from College Bescherming Persoonsgegevens, the Dutch DP
Authority and Alexander Dix from the DP Authority of the German
Land of Brandenburg, and two Belgian Professors - Yves Poullet, a
lawyer, and Jean-Marc Dinant, an information scientist, both of the
Université de Namur - who spoke very strongly in favour of Data
Protection. There was the usual industry batch of AOL, VeriSign,
Business Software Alliance,
Motion Picture Association and so on, offering to co-operate or
confirming they had already done so for quite a while (as is the
case for AOL). There was another fuzz of law enforcement people
from Norway, Sweden and Belgium, as
well as two men from the US Department of Justice (one of them
speaking for the US Government, the other for the G 8) and a
French guy who heads what seems to be a firm contracting to
"forensic informatics"; Eric Freyssinet, "ENFSI FIT-WG Chairman,
Chef du département informatique électronique de l'IRCGN". The
most radical presentation on our side was by Alberto Escudero-
Pascual, who presented a research project they had done at the
Institute of Technology in Sweden's "Mobile Silicon Valley": They
showed how location data from mobile devices could be used to
establish not only movement, but also interaction and thus
personality profiles. Unfortunately, he spoilt the impressive effect of
that statement a little by finishing it up with an insulting statement
against "commission officials", who allegedly scare people with
scenarios taken from Hollywood movies to accept retention - which
may be true for some of them, but certainly not for all, and should
rather be said of the Council. What seemed to turn out as being
the strongest position in the end - but that is merely subjectively
speaking of course - was something that goes in the following
direction:
· Retention of traffic data "only" for a limited period, say six months or so.
· EU-wide more or less uniform rules for the access to this data, upon presentation of a court / state attorney order
· Preservation of data in particular cases, also only with a judicial warrant.
· Co-operation on an international level, perhaps including the US and other interested parties.
ad, Nov. 29, 2001
-.-. --.- -.-. --.- -.-. --.- -.-. --.- -.-. --.- -.-. --.-
edited by Harkank
published on: 2001-11-30
comments to office@quintessenz.at