30 November 2001

Statement by the US Department of Justice.

Report on EU Forum on Cybercrime by AD.


[Thanks to Anonymous.]

Statement by Mark Richard, Senior Counselor for Criminal Justice Matters, DoJ, speaking on behalf of the U.S. Government, on the retention of traffic data, given at the EU Commission's Forum on Cybercrime, Brussels, November 27th, 2001.

____________________________________________

UNITED STATES MISSION

TO THE

EUROPEAN UNION


Prepared statement of the United States of America
Presented at EU Forum on Cybercrime
Brussels, 27 November 2001

Thank you, Mr. Chairman. It is a pleasure to be here today speaking on behalf of the government of the United States. My name is Mark Richard and I am with the Criminal Division of the United States Department of Justice.

Prior to assuming my present position as Senior Counselor for law enforcement matters at the U.S. Mission to the European Union, I supervised for twenty years at the U.S. Justice Department investigations and prosecutions of international terrorism as well as extradition and mutual legal assistance programs. My statement, however, reflects the position of the United States Government and not merely that of the Department of Justice.

The United States Government welcomes this opportunity to speak on the issue of data retention by Internet and mobile communications service providers. This on-going dialogue regarding the complex issues associated with the storage of Internet traffic data and mobile device location data greatly benefits the European Union and the United States and other non-Member States. Any data protection regime should strike an appropriate balance between the protection of personal privacy, the legitimate needs of service providers to secure their networks and prevent fraud, and the promotion of public safety. This dialogue is not simply a transatlantic discussion between the United States and Europe. Rather, these issues are the subject of debate within the public safety, civil rights and private industry communities throughout the world. We hope these comments serve to highlight the significant parallel interests shared by the United States and the European Union, explain our position with respect to the handling of traffic and mobile device location data, and contribute to the continuing and valuable discussion facilitated by the Commission on this topic of immense importance and timeliness.

We live, and have been living for some time, in a world where terrorists and cybercriminals -- and the acts they plan and execute -- are not confined by national borders or geography. As is true of those responsible for the attacks on the World Trade Center and the Pentagon, terrorists and cybercriminals acting in one country communicate with and are supported by individuals in other countries. The terror attacks of September 11, 2001 did not usher in a new era but serve as a stark reminder of the globalization of terrorist and criminal threats to public safety. The use by such criminals of the Internet and mobile devices to communicate requires a coordinated, international response.

Access to historic computer traffic data, such as connection logs, in conformity with accepted due process protections, is particularly critical for investigators to identify terrorists and criminals who commit offenses on or through the use of networks. Analysis of traffic data may in some cases be the only way to connect the terrorists with their co-conspirators. Moreover, transactional logs are an invaluable tool for the private sector to monitor the integrity of its networks and to protect against fraud. Without the freedom to retain traffic data as they see fit, service providers lose their ability to effectively protect their networks. Consideration of public safety issues is also vital with respect to mobile device tracking data. As more and more communications nodes are becoming mobile, and as criminals increasingly use mobile communications devices, the ability to track their location becomes substantially more difficult.

Because traffic data and mobile device location data are critical to apprehend terrorists and criminals and to prevent the execution of planned terrorist and criminal acts, the United States opposes mandatory data destruction regimes. Public safety authorities frequently use traffic data stored by Internet and mobile communication service providers during investigations. Erasing or anonymizing data immediately after the telecommunications service is provided would impede criminal investigations and, ultimately, diminish public safety. Such an approach would also undercut critical provisions of the Council of Europe's Cybercrime Convention. The Convention seeks to ensure a prompt and broad exchange of information among law enforcement agencies to facilitate the investigation and prevention of criminal acts. A mandatory data destruction regime stands in tension with the Convention's provisions. Allowing service providers the ability to retain data for billing purposes does not solve the problem, because the type of data kept for such purposes is limited in scope and the amount of billing data retained continues to shrink throughout the industry in light of flat-rate pricing models and free Internet and email services.

Mandatory data destruction also hinders the ability of Internet and mobile communications service providers to protect their networks. These providers often choose to retain data to ensure network security and protect against fraud, efforts that promote public safety as well as the confidentiality and integrity of personal data and telecommunications systems. It has been our experience that the type of information retained by providers in this context (e.g., IP addresses and transactional logs) is the type of information of use to the public safety community. Requiring the erasure of all data ties the hands of service providers that wish to protect their property interest and the privacy interest of their clients.

The United States believes that permitting Member States to adopt legislative measures to restrict the scope of the obligation to erase traffic data is not an adequate solution. The urgent nature of counter-terrorism and cybercrime investigation is inconsistent with the time needed for implementation of such exceptions. Moreover, the inconsistency in implementation among Member States can hinder cross-border investigations. With the globalization of communications networks, public safety is increasingly dependent on effective law enforcement cooperation across borders. That cooperation may not be possible, or at a minimum would be significantly complicated, if public safety authorities were confronted with a patchwork quilt of data destruction exceptions, especially because sophisticated criminals and terrorists can and do transmit communications through multiple carriers and countries. In such cases, the failure of a single country to enact an exception to the default rule of data destruction would hamper efforts to investigate and prevent criminal activity. Thus, we ask the Commission to work with Member States to ensure that these issues are dealt with effectively and consistently across the European Union so that the destruction of critical evidence is not mandated.

We wish to emphasize that the U.S. Government position on the handling of Internet traffic data and mobile device location data has been and remains in opposition to mandatory destruction proposals. We understand that the Commission may be discussing the imposition of mandatory data retention for a set period of time to accommodate public safety concerns. If such a resolution is reached, we hope that it will permit service providers to choose to retain data to protect their computer networks for lengthier periods than permitted by a mandatory retention regime.

The United States recognizes that access to electronic evidence is critical to the success of computer crime and terrorist investigations. Investigators and prosecutors need the ability to have service providers preserve (without disclosing) for a limited period of time data which already exists within their network architecture and which relates to a specific investigation. In the United States, we have balanced the competing interests through laws governing data preservation. Public safety officials rely on providers to preserve log files, electronic mail, and other records quickly upon notification that such information is necessary for a specific investigation, before such information is altered or deleted. Later access to these historical records is obtained by court order or other statutory processes in conformity with accepted due process protections. Preservation, however, does not require a service provider to collect data prospectively. The Council of Europe Cybercrime Convention contains a similar scheme, reflecting general agreement that, for now, this preservation regime strikes the proper balance between the competing policy interests. With respect to Internet service providers choosing to retain data, the United States has taken an approach that neither requires the destruction of critical data, nor mandates the general collection and retention of personal information. Rather, ISPs are permitted to retain or destroy the records they generate based upon individual assessments of resources, architectural limitations, security, and other business needs.

Because the impact of legislation in this field so clearly extends beyond the borders of any one country, the United States hopes to continue working closely with the Commission and the Member States on this issue so that unintended extraterritorial effects are minimized. Our goal is to ensure compatible and complementary approaches, which will advance our shared goals of protecting the privacy of citizens, giving service providers the flexibility to protect their networks as they see fit, and ensuring that public safety officials will have access to information of critical importance to the success of terrorist and cybercrime investigations. As the events of September 11th and the weeks that followed have demonstrated, terrorists and cybercriminals are not confined to any one country or region of the world. The need to address the issue of data destruction exists in every place where there is Internet or mobile communications connectivity.

The United States Government appreciates this opportunity to speak to the Forum on Cybercrime and the Commission's encouragement of a constructive dialogue through the establishment of the Forum and plenary sessions such as this. The United States Government remains available to meet with the Commission, on these and other issues, as the need arises.


From: "q/depesche" <depesche@quintessenz.at>
To: quintessenz-list@quintessenz.at
Date: Fri, 30 Nov 2001 12:09:38 +0100
Subject: Inside EU-Cybercrime Hearing

q/depesche  01.11.30/1

Inside EU-Cybercrime Hearing

The EU hearing on "Data retention and cybercrime" as seen by a person who took part in it

-.-. --.-  -.-. --.-  -.-. --.-  -.-. --.-  -.-. --.-  -.-. --.- 

By AD, Nov. 29, 2001

During the Commission's Public Hearing on its Communication "Creating a Safer Information Society by Improving the Security of Information Infrastructures and Combating Computer-Related Crime", which took place on March 7 in the same building, it was announced that the EU would found a Forum similar to the UK Internet Crime Forum, in which chief police officers, representatives of the IT industry and -- to a lesser degree -- data protection officers are united. The recent event was the first "plenary session" of this institution, named the "EU Cybercrime Forum".

The Commission, which hosted the event, declared itself to be "in listening mode", which meant basically there was no way of contradicting the conclusions presented by DG Internal Market's Susan Binns at the very end. In the light of recent discussions in the EP, the Council and, more so, the critical public, it was not surprising that "Retention of Traffic Data" was chosen as the topic for this first session.

After critique uttered during and following the March meeting that the speaker's list was unbalanced, giving little speaking time to data protection officials and almost none to privacy advocates, the Commission took great care to present something more balanced this time.

Still, the industry was a bit over-represented, making up about half of the participants, with police and data protection sharing the rest to more or less equal parts. Most interventions should be posted within a few weeks on the forum's web page, which is for some reason provisionally housed at http://cybercrime-forum.jrc.it .

The morning was dedicated to keynote speeches and chaired by Robert Verrue, Director General of the Commission's DG Information Society (DG INFSO), and his colleague Adrian Fortescue of the DG Internal Market (DG INT). Keynote speeches were given by MEP Charlotte Cederschiöld (Conservative, Sweden), Commissioner Erkki Liikanen, and by three industry people, namely Michel Bartholomew of ETNO (Telecommunication Operators Association), Alain Hocquet of France Telecom and Joe McNamee of EuroISPA (Internet Providers). They were followed by John Abbott, who spoke on behalf of the National Criminal Intelligence Service of the UK, Jozef Brink from the German Ministry of Justice and Alexander Datijn from the Netherlands Ministry - two more law enforcement guys - David Smith from the Office of the UK Information Commissioner, and MEP Marco Cappato of the Italian Radicals.

A speech that was to be delivered at that time by Simon Davies of Privacy International could not take place because, as it seems, Simon was denied access to his plane at Heathrow airport. Maurice Wessling of Bits of Freedom, who volunteered to substitute for him, felt unable to prepare a 10-15 minute keynote speech within a few hours and in the middle of the plenary, and limited himself to a five-minute contribution in the afternoon.

Mrs. Cederschiöld, who was the rapporteur on the Commission's Cybercrime Communication and as such pretty pro-surveillance, gave what she certainly considered a "well-balanced" presentation: "Any law enforcement measures must be well defined and foreseeable, and take place within a clear legal framework, necessary and proportionate", and so on. She even went on to say that the 9/11 attacks "must not lead to a carte blanche for retention and interception as this would facilitate abuse of stored data, thereby hamper consumer confidence in electronic communications and services, and decrease security, while at the same time increase costs for all actors." Now you might think this could only lead you to a decidedly anti-retention position. Not so. Mrs. Cederschiöld went on to say that technical standards must be co-ordinated internationally, and that the financial load of interception must be borne by the State. Ambiguous, to say the very least.

I won't spend a lot of words on Commissioner Liikanen's contribution, because a) it was an abbreviated version of the discussion paper published by the Commission a few weeks ago (which can be found on the forum's web page as well as on DG INFSO's web page) and because b) it was what you would have expected: main focus e-commerce, the question of consumer trust, the eEurope action plan, blah blah.

Bartholomew of ETNO said the two key issues for telecom operators were the lack of harmonised rules and the costs caused by interception. I think those who call for harmonised retention instructions and would even be ready to pay the price for it listened very well. Probably not so any more when Bartholomew said retention had to be on a case-by-case basis and clear time limitations had to apply.

Hocquet of France Telecom said his firm had established "retention centres", mainly for billing purposes, only in the mid-nineties, while retention had been technically possible even ten years before that. He also gave some interesting figures: France Telecom houses some 33 million phone lines, and 25,000 requests for retained data reach their offices each month - he did not comment on whether they came from the police only or from secret services as well. The high figure might explain why, as Hocquet said, the 1997 directive on data protection in electronic communication still has not been implemented in France. What passed a lot quicker, though, is the new Loi de la Sécurité interne, which provides for 12 months' data retention since October 15.

McNamee of EuroISPA felt an urge to explain that retention could also protect privacy, e.g. anti-spam hotlists run by providers could be operative only if a communication could be traced back to its author. He went on to explain that there were four kinds of data, each one more intrusive than the preceding one: subscriber data, access data (including calling line ID), traffic data and contents data. It was pretty obvious he did not consider subscriber data really sensitive at all, while he wanted to safeguard contents data. He failed to comment on the merging of traffic data, contents data and location data in upcoming mobile services, which was a point raised later on by a number of technically qualified privacy advocates. McNamee suggested somehow codifying the current practice under which the police are already supplied with data retained for billing purposes, and reimbursing providers for any added costs.

Next came another one of the UK police's super weapons (after Chief Superintendent Keith Akerman, the Chairman of the UK Internet Crime Forum, who was the star at the March 7 meeting): John Abbott, C.B.E., QPM, B.A. (Hons) (whatever all of this means) and Director General of the National Criminal Intelligence Service. It showed he had passed more than one rhetoric course, and had passed them well. What he wanted was pretty easy to discern: as big as possible a proportion of data -- traffic data, no content data, as he pointed out -- to be stored for as long as possible. He spoke a lot in examples, and one of those was of a case that was solved five years later, allegedly with the help of retained traffic data. He commented at great length on how the world had changed and how electronic communications had made it possible to commit a crime without leaving any evidence to be used by the police. Therefore it was necessary to create a new kind of evidence, even for the fight against non-hi-tech crimes. This kind of evidence was going to become as important in the 21st century as fingerprints were in the 20th. To this, someone replied later that the difference was you didn't have your fingerprints taken at every step you made, even in the 20th century.

Brink is the German Justice Ministry's official responsible for international cooperation in criminal matters and at the same time delegate to the G 8 hi-tech crime unit. He asked for "all connection data" to be retained "in collaboration with the industry". He does not seem to believe retention will be stipulated by law: at least he considered it important that "as many providers as possible" should retain and also help analyse data on a voluntary basis. He said Germany had no binding policy on the matter yet, but he himself had never agreed with the proposal for compulsory deletion. He demanded the following kinds of data: headers, dial-in logs, assigned IP addresses, host addresses and caller ID with SMS.

Datijn agreed and warned that the Data Protection in Electronic Communications Directive as drafted by the EP and the Commission would break up the hitherto "parallel interests" of telecom providers and law enforcement.

David Smith was the next one to speak, on behalf of the UK Information Commissioner (Data Protection Authority). Although he did not seem to be too eloquent, his presentation, based mainly on the European Charter of Human Rights and data protection legislation in effect within the EU, left a good impression and was quoted several times in the final statement by the Commission. Smith called for a limitation of data retention to specific cases - which he would not see as problematic -- but is opposed to blanket retention. He wanted a set of questions answered: "What is the case for retention? What data is (going to be) retained? How useful would this data be to whom? What has changed as compared to the times of analog telephony, when there simply were no logs to access? What is the management cost of such a system? Who stores the data? And what about different retention periods in different EU States?" Those kinds of questions showed, I think, that Smith is prepared to withdraw and criticise retention immanently.

The last speaker of the morning was Cappato, the EP data protection rapporteur. He sounded less radical than his amendment to Article 15 may have led one to believe, focussing mainly on the need for uniform regulations in the EU. But he is of course strongly opposed to any kind of blanket retention. I won't go into detail regarding the speakers in the afternoon, who had only five minutes for their presentations each (though some of them stretched this period to double that) and represented the above-mentioned mix, not least because there were no new arguments, neither from the industry nor from the law enforcement side, that had not been heard in the morning.

There were some rather technicist suggestions, e.g. to encrypt logs using a double key, one half of which would be with data protection authorities, the other either with industry or law enforcement, but those were not really important.

Maurice Wessling, standing in for Simon Davies, drew a scenario of growing technical skills of users leading to more consumer awareness and to a loss of trust in electronic communications (which I myself would not consider a bad thing). He opposed the artificial distinction between traffic data and contents data, which he illustrated with an example from future mobile Internet communications. His call to apply data protection rules concerning contents data also to traffic data obviously wasn't shared by the majority of the audience.

The next privacy advocate was Angelika Jennen from the office of Germany's Bundesbeauftragter für den Datenschutz (National DP officer). She also pointed to the fact that, as a greater and greater proportion of our life becomes entangled with electronic communication, connection data may be used to draw up personality profiles, while location data might lead to movement profiles. Blanket data retention, she said, was also in contradiction to the principle of proportionality.

There were several other data protection officials who used more or less the same arguments: Diana Alonso Blas from the College Bescherming Persoonsgegevens, the Dutch DP Authority, and Alexander Dix from the DP Authority of the German Land of Brandenburg, and two Belgian professors - Yves Poullet, a lawyer, and Jean-Marc Dinant, an information scientist, both of the Université de Namur - who spoke very strongly in favour of data protection. There was the usual industry batch of AOL, VeriSign, Business Software Alliance, Motion Picture Association and so on, offering to co-operate or confirming they had already done so for quite a while (as is the case for AOL).

There was another batch of law enforcement people from Norway, Sweden and Belgium, as well as two men from the US Department of Justice (one of them speaking for the US Government, the other for the G 8) and a French guy who heads what seems to be a firm contracting in "forensic informatics": Eric Freyssinet, "ENFSI FIT-WG Chairman, Chef du département informatique électronique de l'IRCGN".

The most radical presentation on our side was by Alberto Escudero-Pascual, who presented a research project they had done at the Institute of Technology in Sweden's "Mobile Silicon Valley": they showed how location data from mobile devices could be used to establish not only movement, but also interaction and thus personality profiles. Unfortunately, he spoilt the impressive effect of that statement a little by finishing it up with an insulting statement against "Commission officials", who allegedly scare people with scenarios taken from Hollywood movies to make them accept retention -- which may be true for some of them, but certainly not for all, and should rather be said of the Council.

What seemed to turn out as being the strongest position in the end -- but that is merely subjectively speaking of course -- was something that goes into the following direction:

-.-. --.-  -.-. --.-  -.-. --.-  -.-. --.-  -.-. --.-  -.-. --.- 

relayed by harkank@quintessenz.at

-.-. --.-  -.-. --.-  -.-. --.-  -.-. --.-  -.-. --.-  -.-. --.- 
