[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[FYI] (Fwd) FC: Europe weighs recording all phone calls, Net traffic

To: debate@fitug.de
Subject: [FYI] (Fwd) FC: Europe weighs recording all phone calls, Net traffic
From: "Axel H Horns" <horns@ipjur.com>
Date: Thu, 17 May 2001 19:15:12 +0200
Comment: This message comes from the debate mailing list.
Organization: NONE
Sender: owner-debate@fitug.de

------- Forwarded message follows -------
Date sent:      	Thu, 17 May 2001 10:01:18 -0400
To:             	politech@politechbot.com
From:           	Declan McCullagh <declan@well.com>
Subject:        	FC: Europe weighs recording all phone calls, Net traffic for 7 yrs
Send reply to:  	declan@well.com

---
News coverage:
http://www.theregister.co.uk/content/5/19003.html
The Council of the European Union, which represents the 15 member
governments, will discuss implementing a policy originally designed
with the FBI six years ago. It calls for the retention of "every phone
call, every mobile phone call, every fax, every e-mail, every
website's contents, all internet usage, from anywhere, by everyone, to
be recorded, archived and be accessible for at least seven years,"
notes the journal. ---

Date: Thu, 17 May 2001 01:48:42 +0100
To: declan@well.com
From: Tim Dedopulos <tim@midnight.demon.co.uk>
Subject: Any interest -- EU to open 7yrs full data retention to police
In-Reply-To: <20010515174103.B20430@cluebot.com>

Hi Declan.

Is the following Statewatch report of any interest to you for
Politech? It basically details European Union plans to (a) mandate the
recording and storage of all telecoms data within the EU for seven
years and (b) to give law enforcement agencies more or less free
access to that data... (quote: "The EU governments are, in effect, to
tell the European Commission (and European Parliament) that the
demands of the law enforcement agencies take precedence over the
privacy and freedoms of people.")

Very worrying for those of us on this side of the pond.

Tim.

---


http://www.statewatch.org/news/2001/may/03Benfopol.htm

investigation, full report: EU-FBI telecommunications surveillance
system

EU governments to give law enforcement agencies access to all 
communications data


The new initiative by the EU governments to back the demands of their
law enforcement agencies (LEAs) only came to light when Statewatch
"acquired" a series of EU documents which it had been refused access
to. The documents in question were refused on the grounds that:

"the matter was still under discussion..[and] disclosure of these
document could impede the efficiency of the ongoing deliberations."

The demands of the law enforcement agencies centre on the issue of
"data retention", that is the recording and storage of all
telecommunications data:

- every phone call, every mobile phone call, every fax, every e-mail,
every website's contents, all internet usage, from anywhere, by
everyone, to be recorded, archived and be accessible for at least
seven years

The move by the EU governments (the Council of the European Union) has
been sparked by a draft proposal put forward by the European
Commission on "the processing of personal data and the protection of
privacy in the electronic communications sector" (COM(2000)385 final,
12.7.00). The proposal would update Directive 97/55/EC but is not
"intended to create major changes to the substance of the existing
Directive", merely to "update the existing provisions". The proposal
thus builds on the principles of the 1997 law and data protection
rules established in EU community law.

Also under discussion is a related Communication from the Commission
on "Creating a Safer Information Society by improving the security of
information infrastructures and combating computer-related crime
(COM(2000)890 final) (see Statewatch, vol 11 no 1). Here the
Commission, in line with community law, emphasises that:
"interceptions are illegal unless they are authorised by law when
necessary in specific cases for limited purposes".

The EU-FBI surveillance plan comes home

The EU adopted the "Requirements" developed by the FBI on 17 January
1995 - the "Requirements" set out demands on network and service
providers to provide the law enforcement agencies with both data from
intercepted communications and real-time access to transmissions (see
Statewatch, vol 7 no 1 & 4 and 5; vol 8 no 5 & 6; vol 9 no 6; vol 11
no 1).

In September 1998 the EU's Police Cooperation Working Party proposed
that the "Requirements" be extended to cope with internet and
satellite phone telecommunications. The initial report (ENFOPOL 98)
went through several drafts and ended up as ENFOPOL 19 (15 March 1999)
which gathered dust. It transpired that because of the "negative
press" surrounding ENFOPOL 98, which coincided with exposures on the
ECHELON spying system, there was a lack of "political support" to move
forward on the issue (report on the Police Cooperation Working Party
meeting on 13-14 October 1999 by the European Commission).

In the spring of 2000 the EU's Police Cooperation Working Party
decided that issues previously discussed under the title of
"interception of telecommunications" would now be called "advanced
technologies". A report by the same working party (ENFOPOL 52, 12 July
2000) spelled out that "an informal inter-pillar link" should be
created between their work and that being carried out under the "first
pillar" on the "global Information Society". The purpose was to bring
to the attention of the Telecommunications Council and the Internal
Market Council, working on technical and commercial decisions, the
need to: "safeguard the possibility of lawful interception".

On 29 May 2000 the Convention on Mutual Assistance in criminal matters
was agreed by EU Justice and Home Affairs Council and is now out for
ratification by each of the 15 EU national parliaments. This includes
provisions for the interception and exchange of telecommunications
data based on specific requests but makes no provision for the
retention of data (except in individual, authorised, instances).

This Convention and the work of intergovernmental groups, like ILETS
(International Law Enforcement Telecommunications Seminar) and the G8
Sub group on High-Tec Crime, and the adopted 1995 "Requirements"
provide the basis for provisions in new national laws on the
interception of telecommunications across the EU - for example the
UK's Regulation of Investigatory Powers Act (R.I.P. Act) which came
into force on 28 July 2000.

All of these new legal powers and demands on the network and services
providers under the "Requirements" do not, however, give the law
enforcement agencies everything they need as they only cover the
exchange and interception of data on the production of an
"interception order" (eg: warrants under national laws). None of them
provide for the wholesale retention of data and access to it by law
enforcement agencies except in specific authorised cases.

EU Data Protection officials come out against data retention

Data Protection Commissioners in the EU and their officials, who
attend a multitude of working parties, have long been aware that the
"law enforcement agencies" in quasi-secret international fora have
been arguing not for data to be retained for 30 days or 90 days (as it
is currently for billing purposes) but for much longer - for up to
seven years at least. In her annual report for 2000 the UK Data
Protection Commissioner, Elizabeth France, said: "The routine
long-term preservation of data by ISPs [internet service providers]
for law enforcement purposes would be disproportionate general
surveillance of communications". The spring Conference of European
Data Protection Commissioners in Stockholm, 6-7 April 2000, issued a
declaration on the "Retention of Traffic Data by Internet Service
Providers" saying:

"such retention would be an improper invasion of the fundamental
rights guaranteed to individuals by Article 8 of the European
Convention on Human Rights. Where traffic data are to be retained in
specific cases, there must be a demonstrable need, the period of
retention must be as short as possible and the practice must be
clearly regulated by law."

The meeting of the International Working Group on Data Protection in
Telecommunications in Berlin on 13-14 September 2000 adopted a common
position on the Council of Europe draft Convention on "cyber-crime"
(see Statewatch vol 10 no 6). This said that the storing of "data on
all telecommunications and Internet traffic for extended periods" is:

"disproportionate and therefore unacceptable. The Working Party
underlines that traffic data are protected by the principle of
confidentiality to the same extent as content data (Article 8 of the
European Convention on Human Rights)."

The European Commission lent weight to the Data Protection officials'
arguments in its draft proposal, put out at the end of last year (and
agreed on 26.1.01), on "Creating a Safer Information Society by
improving the security of information infrastructures and combating
computer-related crime". This says that laws in EU member states have
to be in line with community law on data protection and privacy:

"safeguards for the protection of the individual's fundamental rights
of privacy, such as limiting the use of interception to investigations
of serious crime, requiring that interception in individual
investigations should be necessary and proportionate, or ensuring that
the individual is informed about the interception as soon as it will
no longer hamper the investigation" (p16)

On 22 March 2001 EU Data Protection Working Party also published a
strong opinion on the Council of Europe's Draft Convention on
cyber-crime. It said that the provision in the draft proposal which
does "not oblige signatories to compel providers to retain traffic
data of all communications should in no way be revised". The EU has
already indicated that it will adopt this Convention.

The Data Protection Commissioners and others in the field have,
together, made formidable arguments for maintaining rights and
protections put into place in the EU during the 1990s on data
protection and privacy.

Law enforcement agencies fight back

In the face this substantial opposition to the automatic retention and
storage of content and traffic data for long periods (for longer than
allowed under EU law, around 30 days) the law enforcement agencies
needed heavy-weight "political support", denied earlier, from the
governments of the EU (the Council).

A far-reaching report sent by the UK National Criminal Intelligence
Service (NCIS) to the Home Office on 21 August 2000 set out the
demands of the agencies which reflect the conclusions of discussions
in international fora in which the UK plays a prominent role, such as
in G8 (see Statewatch, vol 10 no 6). The report called for the
retention of all content and traffic data from all forms of
telecommunications (phone-calls, mobile phone-calls, faxes, websites
and internet usage) to be recorded and kept for at least seven years.
What was of particular note is that this report was presented on
behalf of all the UK law enforcement agencies and all the UK's
security and intelligence agencies (MI5, MI6 and GCHQ). This suggests
that while the primary demand is coming from the former the latter
have a major stake too. This report was not in the public domain until
December 2000.

Confirmation of a counter-attack by the law enforcement agencies
emerging in the EU came in July 2000. As noted earlier, ENFOPOL 52
(12.7.00) from the Working Party on Police Cooperation had called for
"an informal inter-pillar link" to be created between their work and
that being carried out under the "first pillar" on the "global
Information Society". This was the very same day, 12 July 2000, that
the Commission put out its proposal on personal data and the
protection of privacy (COM(2000)385).

The minutes of the Council's Working Party on Police Cooperation for
the meeting on 19/20 July note a lengthy "exchange of views" with the
French Presidency on the "relations between the first and third
pillars in the field of advanced technologies". It also noted the
Commission's proposal and "decided to come back to this item regularly
during the next six months".

It was a report from the working party to the Article 36 Committee
(senior interior ministry officials from the 15 EU member states)
dated 31 October 2000 which began to express the need for urgent
action. This report (ENFOPOL 71) said six countries - Belgium,
Germany, France, Netherlands, Spain and the UK - had "grave
misgivings" about the effect of Article 6 which effectively states
traffic data "must be erased or made anonymous upon completion of the
transmission" (emphasis in original). The provision would "render it
impossible to trace "historical" data and seriously reduce the
investigation services' chances of identifying perpetrators.." The
report then tries to justify its demands by reference to: i) the 17
January 1995 "Requirements" which it do not cover the retention of
data indefinitely; ii) the Council of Europe draft Convention on cyber
crime which in the latest version excludes general data retention and
iii) the Convention on Mutual Assistance in criminal matters where
data retention is "implied".

The report concludes by noting that the Commission's proposed measure
"is already well advanced" and the Working Party urges the Article 36
Committee to:

"examine these observations so that it may use every available channel
to bring this problem to the attention of the authors of the draft
Directive concerned."

The minutes of the Article 36 Committee on 6 November 2000 state that
the government delegations be asked to contact their colleagues
working on "first pillar working parties to coordinate: "the first and
third pillar work in the field of advanced technologies, notably the
telecommunications sector. It should be avoided that first pillar data
protection measures hinder unduly thrid pillar attempts to monitor
telecommunications connections." The Working Party on Police
Cooperation updated its report in ENFOPOL 71 REV 1 (27.11.00) (see
Statewatch, vol 11 no 1). This report states the demands of the law
enforcement agencies starkly. While noting that their demands:

"would probably not be considered proportionate, as it would call into
question the very aim of the draft Directive"

namely the protection of personal data and privacy, but it still goes
on to argue that:

"It is impossible for investigation services to know in advance which
traffic data will prove useful in a criminal investigation. The only
effective national legislative measure would therefore be to prohibit
the erasure or anonymity of traffic data."

This report urged the Article 36 Committee to "take into account the
serious consequences the Directive would have for criminal
investigations, public security and justice."

At a meeting on 14 December the Article 36 Committee some delegations
(representing their governments) "advocated harmonising the period for
storing data." The Committee decided to wait and see "how much
account" the Commission took of delegations' (government) comments
before deciding "whether to alert COREPER and the Council to the
issue."

At the Justice and Home Affairs Council on 15 March this year,
Commissioner Vittorino reported that at a hearing which took place on
7 March "the central question of the retention of traffic data
dominated discussions".

However, it is clear that the Commission was not taking "much account"
of the Council's view so that by 30 March the Swedish Presidency felt
obliged to draw up draft Council Conclusions on the issue of data
retention. The report recommending draft Conclusions on access by the
law enforcement agencies to traffic data was discussed at the meeting
of the Working Party on Police Cooperation on 6 April. The minutes of
this meeting say that it:

"took note of the reservation by the representative of the Commission
concerning the procedure followed within the Council"

Clearly the Commission was concerned that the Council was, unusually,
considering adopting "Conclusions" which would fundamentally undermine
its proposed Directive. The two new reports, dated 30 March (see
below) were discussed at the Article 36 Committee meetings on 10 April
and 3 May.

The key reports

The first new crucial report is ENFOPOL 29 (30.3.01) which
reintroduces the highly criticised new definition of the
"Requirements" to be laid on network and service providers in "ENFOPOL
98". It is intended that this report and an accompanying Council
Resolution will go through the Justice and Home Affairs Council on
28-29 May. The report looks at the "operational needs" of the LEAs as
applied to the "Requirements" (IURs) adopted on 17 January 1995 (by
the EU under "written procedure" and not made public until November
1996). It gives much more detail on their expectations than the bland
"Requirements". As such it is an attempt to re-introduce the
highly-controversial ENFOPOL 98 (and later drafts) which led to much
adverse comment in the media (as a result of which it has been held up
since March 1999).

The report looks at: "Applicable services" and makes clear that 
interception will cover all forms of telecommunications eg: ISDN
(e-mail and internet usage), mobile phones and satellite phones. On
IUR ("International User Requirement") no.1 it says, like ENFOPOL 98,
that the law enforcement agencies expect to have access not just to
the call content but also to:

"user addresses, equipment identities, user name/passwords, port
identities, mail addresses etc"

plus IP addresses, account numbers, logon ID/passwords, PIN numbers
and e-mail addresses. They also want access to the "transmitted" and
"received" data and "any telecommunications associated with.. the
subject of interception". A redefined "IUR 1.4" states that
"associated data" includes "conference calls, call forwarding, mobile
calls, network calls, call back services etc" must also be provided on
the intercepted subject. An ominous "NB" says it also includes data
"where it has been retained by providers in accordance with the
requirements of their national legislation". "IUR 1.5" extends the
meaning of "geographical location" to "geographical, physical or
logical" location and "IUR 1.3" again refers to "national
jurisdictions" in the context of excluding data which is not "within
the scope of the interception authorisation", ie: some national laws
might allow the inclusion of "excluded" data. "IUR 6" is another
direct inclusion of a controversial proposal taken from ENFOPOL 98. It
says that the LEAs are to be provided with:

a. full name of the person (company)
b. the residential address and
c. credit card details

This report extends the remit for interception to: all forms of 
telecommunications (including e-mails and internet usage) and requires
personal details on the interception subject. It also contains a
number of references to "national jurisdictions" where, by
implication, powers may be greater than the norm.

Some EU governments see ENFOPOL 29 ("ENFOPOL 98") as simply
"technical" changes to the "Requirements". However, they fail to
understand that it is precisely the details of how the "Requirements"
will be used that signals the enormity of the threat to data
protection, individual privacy and fundamental freedoms.

A greater, and complementary, danger is the battle between the Data
Protection officials and the law enforcement agencies over the
retention of data (content and traffic details) for long periods
(seven years or more) and the right of the law enforcement agencies to
access this archived data at will for purposes of investigating any
crime however minor or for the purpose of intelligence-gathering -
so-called "fishing expeditions".

This is the enormous significance of the "Council Conclusions" in
ENFOPOL 23 (30.3.01). The EU governments are, in effect, to tell the
European Commission (and European Parliament) that the demands of the
law enforcement agencies take precedence over the privacy and freedoms
of people. Council officials will "spin" the usual line that
"Conclusions" are not binding, but the timing of the decision and the
enormity of its effect will brush this aside.

The draft proposal says that:

1. The obligation for operators to erase and make traffic data
anonymous "seriously obstructs" criminal investigations;

2. It is the "utmost importance" that "access" be "guaranteed" for
criminal investigations;

3. It calls on the European Commission to:

a) to take "immediate action" to ensure that law enforcement agencies
can have access now and "in the future" in order to "investigate
crimes where electronic communications systems are or have been used"
(emphasis added);

b) the "action" should be "a review of the provisions that oblige
operators to erase traffic data or to make them anonymous".

The "Conclusions" say that the Council:

1. "considers it important that the law enforcement authorities be not
obstructed or hampered in their efforts to investigate crime, such as
dissemination of child pornography or agitation against an ethnic
group via the Internet"

This blatantly cynical use of "child pornography" and racism has
become a standard justification for the extension of EU surveillance
powers not just for these offences - but for all and any offence.
These phrases have replaced "organised crime" and "illegal
immigration", used for many years in a similar way.

2. "understands that on this issue.. it is important to find a
solution that is well founded, proportionate and well-balanced"

It is not possible to "balance" the different interests. There is no
need under EU law for commerce to keep data except for very limited
periods (eg: 30 days to check billing). The existing "Requirements"
and most national laws allow for the gathering of data for criminal
investigation in specific instances subject to proper authorisation
and legal safeguards.

3. "emphasises the opinion of the Council that the obligation for
operators to erase and make traffic data anonymous, besides
obstructing seriously crime investigations, also can lead to a
decreasing confidence in, particularly, the electronic commerce..."

The EU governments fail to understand that is precisely the erasure of
data and anonymity which creates "confidence in electronic commerce"
by citizens. A wholesale reversal of this policy as envisaged would
indeed create a "crisis of confidence".

4. "invites.. the European Commission to take immediate action with
the purpose of ensuring that the law enforcement authorities also in
the future will have the opportunity to investigate crimes where
electronic communications systems are or have been used.. the action
to be taken should comprise a review of the provisions that oblige
operators to erase traffic data or to make them anonymous; the object
of the action should be to ensure that the purpose of limitations
regarding the personal data do not come into conflict with the law
enforcement authorities' needs of data for crime investigation
purposes."

In effect the Council is telling the European Commission (and the
European Parliament) that the proposed Directive on the table has to
be changed and that all existing EU data protection and privacy laws
have to be reviewed. It is calling for an end to the obligation, under
current EU law, of commerce to erase data and to end anonymity and to
ensure that law enforcement agencies have the "opportunity" to access
all data held.

The next legislative steps

The urgency on the part of the law enforcement agencies is due to the
fact that the first proposal they want changed is the Commission's
proposed Directive on personal data and privacy in electronic
communications is already before European Parliament committees under
the co-decision procedure - Citizens' Freedoms and Rights (lead
committee), Environment, Industry and Legal Affairs. These committees
are due to put a report to the parliament's plenary session on 3
September. However, the Council is likely to adopt a common position
at the Telecommunications Council on 27 June. Co-decision means all
three institutions (Commission, Council and European Parliament) have
to agree on the new measure. The Council is trying to pre-empt the
parliament's opinion by putting forward radical changes on the
retention of content and traffic data.

Summary: Summary
Documentation, full-text documents: Documents


back to Statewatch News online


--
                   Imagine there were two of you. Which one would win?

                                tim@midnight.demon.co.uk





----------------------------------------------------------------------
--- POLITECH -- Declan McCullagh's politics and technology mailing
list You may redistribute this message freely if it remains intact. To
subscribe, visit http://www.politechbot.com/info/subscribe.html This
message is archived at http://www.politechbot.com/
----------------------------------------------------------------------
---

------- End of forwarded message -------
Follow-Ups:
- Re: [FYI] (Fwd) FC: Europe weighs recording all phone calls, Net traffic
  - From: lutz@iks-jena.de (Lutz Donnerhacke)
Prev by Date: [FYI] Eurocops want seven-year retention of all phone, Net traffic
Next by Date: [FYI] BGH: Gattungsbegriffe als Domainnamen frei
Prev by thread: [FYI] Eurocops want seven-year retention of all phone, Net traffic
Next by thread: Re: [FYI] (Fwd) FC: Europe weighs recording all phone calls, Net traffic
Index(es):
- Date
- Thread