CSPs To EC: Show Need for Traffic Data Retention

The EC launched its consultation on the proposed framework decision in late July, and Tues. held a workshop in Brussels. It’s said to have received more than 65 submissions on the proposal, and has apparently told interest groups the comments won’t be made public. Two- thirds of the responses came from industry, 1/3 from civil society, and one from a European Union (EU) member state’s ministry of justice, said Maria Farrell, policy mgr.-e- business, information technology & telecoms, International Chamber of Commerce (ICC). The Commission told attendees the “overwhelming majority” of responses called on the EC to demonstrate the need for data retention, said Farrell, who attended the workshop. Submissions also questioned whether blanket retention -- rather than targeted preservation -- was proportionate to the law enforcement aims to be served, she said. The EC didn’t comment by our deadline.

Both incumbent telcos and competitors panned the proposal. The European Telecom Network Operators’ Assn. (ETNO) listed several concerns, including: (1) An overbroad definition of “data” that will extend retention responsibilities to areas in which companies don’t normally keep such information. (2) Soaring data retention costs due to increased storage capacity, changes in systems’ design, additional security measures, verification and responses to law enforcement access requests, retrieval of raw date and providing court evidence about the authenticity and reliability of data. Not only is the draft proposal silent on cost issues, ETNO said, it doesn’t call for CSPs to be reimbursed. (3) The questionable ability of CSPs to retrieve massive amounts of raw data. In addition, there are several ways to circumvent retention of the data -- through anonymous Internet access in Internet cafes, in peer-to-peer networks and in other ways. (4) Restriction of citizens’ rights to determine how their data are handled, and a lowering of consumer confidence in the protection of their private information.

The European Competitive Telecom Assn. (ECTA) echoed ETNO’s concerns about the lack of justification for such a law and its failure to address who pays for data retention. ECTA also complained that the draft framework decision won’t harmonize legislation because it will permit member states to make individual assessments on the need for data retention based on their own criminal justice systems.

European ISPs called data retention “one of the most important issues ever faced” by the industry. Forcing ISPs to retain data for long periods could devastate the sector, the European Internet Services Providers Assn. (EuroISPA) said. The “united, pan-industry voice” opposing the proposal shows how alarmed CSPs are about it, the group said. ISP concerns include: (1) The infeasibility of collecting voluminous data from various parts of a CSP’s network. If the directive is implemented, EuroISPA said, “a conservative estimate is that ISPs would be forced to log anywhere between 50 and 100 times the data that is currently logged, depending on their network configurations.” (2) The technical difficulties of storing large amounts of data for long periods. (3) The complexities of mining the stored data in response to law enforcement requests. (4) The costs, which “will be huge.” (5) The lack of evidence that billing data now retained for short periods is insufficient for law enforcement needs.

There’s been “disappointingly little effort by govts. to seek an adequately informed balance between the legitimate interests of govt., the communications industry, and end-users on the issue,” the ICC said. Business worries that the lack of international coordination and the “low level of dialog” with experts from affected groups will result in data retention policies that severely harm CSPs and their customers, it said. It joined telcos and ISPs in calling for data preservation, and urged the EC and member states to coordinate closely with CSPs on technical capabilities required for data storage and access. It also recommended that govts. bear the costs of mandatory data retention, access to stored data and deleting data at the end of the retention period. The ICC urged that both corporate/closed users group services and backbone service providers be exempt from any retention requirements, saying those services don’t directly serve public end- users and are less likely to be of interest in law enforcement bodies.

The Motion Picture Assn. (MPA), on the other hand, said data retention is necessary to combat counterfeiting and piracy. Traffic data are often the only way rights owners have of tracking the activities of offenders online and proving their identity and offenses, the MPA said. In many cases, law enforcement agencies have been able to access data retained by CSPs as part of their normal business practices, but the “picture across all member states is unclear,” the group said. Moreover, it said, some evolutions of ISP business models could lead to essential data being destroyed under data protection rules. Europe needs “harmonized, proportionate” data retention rules which don’t undermine access to data by judicial authorities on behalf of intellectual property owners, the MPA said.

The ICC’s Farrell said law enforcement agencies “didn’t even bother to turn up” at the workshop -- even those from the U.K., which is driving the data retention proposal. Moreover, she said, “there were no answers at all” from the EC. Finally, Farrell said, civil liberties advocates want a further hearing on whether the proposal fairly balances law enforcement interests against the right to privacy. They urged that any harmonization start with existing CSP business practices and then expand if a greater need is established.

The Information Technology Assn. of America (ITAA) warned that “inconsistent and disproportionately heavy retention requirements will drain limited resources without strengthening either the cooperative bond” between law enforcement authorities and CSPs or the investigative utility of information retrieved. Most retention requests are addressed with data at most weeks old, ITAA said, so there’s no reason to hold it 12-36 months. The association urged the EC to define traffic data to reflect the current global state of communications networks and services and to allow assimilation of next-generation services. It suggested a maximum 6 months’ mandatory retention, to balance law enforcement and privacy interests. ITAA said any retention regime should seek harmony between privacy and retention rules in the 25 member states to avoid a patchwork of laws.

Earlier this month, Privacy International (PI) and European Digital Rights filed a joint submission arguing the proposal is invasive and illegal. More than 90 nongovernmental organizations and 80 companies endorsed their call to abandon the proposal, PI said. The identities of the remaining respondents are unknown.

The workshop was dedicated to the needs of law enforcement and govts., and current business practices, EDRI reported. “Painfully absent” was any discussion about privacy and fundamental human rights, EDRI said. A call for a new session devoted to the balance between civil rights and law enforcement won support from many speakers, including a U.K. member of the European Parliament who suggested the matter be taken up by legislators, EDRI said.

The EC reportedly said more consultation is needed but it’s clear the proposal’s minimum retention term of 12 months might have to be reconsidered if 6 months is adequate, EDRI said. EC officials also suggested data preservation should be investigated as a serious alternative to retention, and -- given the lack of input from law enforcement -- that new research was needed to find a balance between criminal investigation and civil rights, EDRI said.