Sunday, March 20, 2011

EU Retention of Protected Data Directive

The Norwegian government has been discussing the Data Retention Directive for years, and the government has been fairly split about it. So split, in fact, that it has been declared that the vote is now dependent on one single party in the right wing. And their verdict just came out: "Yes, we want the directive, but slightly modified." (The no side is obviously referring to the Data Protection Directive, which they claim is at odds with the DRD.)

While I'm all for solving crimes and preventing terrorism, I try to be a little bit realistic, because logs of IP traffic, SMS contents and email headers are at best circumstantial evidence and will be difficult to hold up in court. Why? The data logged is about the communication between devices and does not guarantee the identity of the people using them.

The information might be interesting in terms of indicating where to look, as a tool for finding potential clues, but it is not real evidence in itself. Similarly, I once received a ticket for passing a toll road without paying - except both I and my electronically identified car were some 100 km away at the time - I had a time-stamped photo showing where I was at the time.

How could this happen? The car that passed the toll road carried the same letters and numbers on its registration plates as my own car - except his registration plate was from a different state, and the system didn't pick up this tiny detail.

So imagine this going a little further - for some tougher crime: Someone steals a gun from the local home defence, shoots someone, and drops the gun. The police pick up the gun, read its registration number and use this as evidence that the local home defence did it.

As for the Data Retention Directive? Just because someone hacked into my Wi-Fi doesn't mean I started the video conference that was logged. And no, I was not even near Düsseldorf during that bank robbery - my cell phone was there, yes, it was stolen! And I did not send that text message, a friend "borrowed" my cell while I was in the bathroom.

The DRD does not indicate any automated analysis of the data, which would have some kind of use in detecting "suspicious behaviour" - whatever that is. There will be enough arguments that illegal activities cannot be properly detected by automatic data analysis - though I suspect the most resourceful governments have been doing this kind of analysis for ages already.

Actual value is therefore limited to following circumstantial traces - akin to the situation you have when analyzing every fingerprint in a bank after a bank robbery. And at that point, you already expect the bank robber to wear gloves.

Real world results from the directive?
And in Norway? The final decision is scheduled for April 5th, where the only two parties that want the directive are expected to vote under the whip. And if they don't vote by the whip, the directive won't pass.

It's a bit scary to see that the secret service sees the directive as their "most important tool."
