Friday, January 02, 2009

Log retention initiatives

Just posted on Slaw:

Slaw: Log retention initiatives

I wrote two weeks ago about privacy issues related to the log files that are created and retained by internet companies. The moral of that story was that there is a significant amount of information that is collected in these logs and when they are retained and collated, they can reveal a lot of personal information. I concluded by saying:

I don’t think it’s too far fetched to think of a day when it will become standard for all investigations involving the internet to include a warrant served on Google or Yahoo! or Microsoft for all logs related to a particular user or IP address or both.

In Canada, many may remember "lawful access", which was the subject of a number of consultations beginning in 2002. The consultation backgrounder and FAQ solicited comment on preservation orders but the topic was not addressed when the Liberal government introduced the Modernization of Investigative Techniques Act (MITA). I am sure that preservation orders remain on the wish lists for law enforcement in Canada, but they're not here yet.

Europe has taken a different path. In 2006, the European Union adopted Directive 2006/24/EC entitled "on the retention of data generated or processed in connection with the provision of publicly available electronic communications services or of public communications networks". The Directive is meant to harmonize the retention rules of the members of the European Union. It requires that member states adopt rules or legislation to make it mandatory for communications providers to retain certain log-type data for at least six to twelve months. From the "Subject Matter and Scope" clause of the Directive:

1. This Directive aims to harmonise Member States' provisions concerning the obligations of the providers of publicly available electronic communications services or of public communications networks with respect to the retention of certain data which are generated or processed by them, in order to ensure that the data are available for the purpose of the investigation, detection and prosecution of serious crime, as defined by each Member State in its national law.

The Directive goes beyond web communications and includes e-mail, telephone, VoIP and mobile phones. The sort of data that has to be collected and retained is that which identifies the source of the communication, the destination of the communication, the device that was used to make the communication and the "user ID" (defined to mean "a unique identifier allocated to persons when they subscribe to or register with an Internet access service or Internet communications service"). The Directive makes it plain that communications providers are not to retain the content of the communication (Article 5(2)).

While the Directive is aimed at saving information so that it can be obtained after the fact in connection with investigations, the debate over data retention in the United States has mainly focused on what has been reported to be informal and secret arrangements made by the National Security Agency and various telephone companies to save telephone calling information. This story was broken by USA Today: USATODAY.com - NSA has massive database of Americans' phone calls.

In addition, US criminal law permits law enforcement to make a written request for the preservation of records for 90 days (renewable for a further 90 days) (US CODE: Title 18, s. 2703(f)):

(f) Requirement To Preserve Evidence.—

(1) In general.— A provider of wire or electronic communication services or a remote computing service, upon the request of a governmental entity, shall take all necessary steps to preserve records and other evidence in its possession pending the issuance of a court order or other process.

(2) Period of retention.— Records referred to in paragraph (1) shall be retained for a period of 90 days, which shall be extended for an additional 90-day period upon a renewed request by the governmental entity.

More recently, the Bush Administration has been pushing for broader retention requirements: FBI, politicos renew push for ISP data retention laws | Politics and Law - CNET News.

This posting has presented a brief snapshot of some legal initiatives that affect internet log retention in a selection of countries. It does not seem likely to me that the debate is over; we will likely see EU-type proposals put forward in both Canada and the US in the coming years.
