Wednesday, October 14, 2015

Germany set for re-introduction of data retention

According to netzpolitik.org and other articles, the German federal parliament will authorize a new version of the old data retention law that was declared illegal by the European Court of Justice.

After criticism by experts, an evaluation clause was added to the current version of the law. The new clause calls for a study of the efficiency, the costs, compliance with data protection rules and determination of any need for improvement of criminal investigations and prevention.

The law itself is a pretty awful piece of legislation written mainly to try and avoid specific points of criticism laid out in the EU court decision and adds insult to injury with a brand new provision on "receiving data that are not publicly accessible". According to experts, this clause can be used to go after specialists or consultants who are approached by journalists to vet and analyze leaked data.

According to journalist Richard Gutjahr, the law is nothing short of fraudulent.

The effort of legal relabeling of the old concept is hilarious and scary at the same time. Since the old label "retention of data for future use" was thoroughly discredited, government lawyers came up with "maximal retention period" (“Höchstspeicherfrist”).

The label by itself sounds pretty cool, and you would be forgiven if you thought it is meant to protect consumers from over zealous collection of data.

It is not, despite the fact that some companies currently store some data for six months or more. Current practice regarding the details and duration of storage differ vastly between providers.

It forces telecommunications providers and internet service providers to save a detailed set of metadata for either four (mobile phone/smart phone location data) or ten weeks (connection metadata and web activity for both phone and computer use).

Providers will have to save data they do not save today, which really means that the current retention period of connection or location data goes from how ever many milliseconds it takes today to establish a connection or locate a cell tower to 4 weeks/10 weeks.

Hailed as "maximal retention period", we 'd expect the data collected under this law to be deleted once the four or ten weeks have passed.

The provision regarding deletion of the data reads: once the retention period has elapsed, data shall be irreversibly deleted immediately or within one week, or provider has to ensure irreversible deletion.

The blogster has not seen any comment on what appears to be an unnecessary addition in "or provider has to ensure irreversible deletion". Since the law does not seem to explicitly provide for optional storage of collected data by a third party, the purpose of this phrase appears unclear.
Since good things come to those who wait, having the post sit in the drafts folder for a day turns out to be perfect. Just yesterday, there was an article about how mobile phone companies experience problems with the process of deletion of vast amounts of disparate data.

This should not come as a surprise to anyone familiar with large amounts of disparate data systems, from fancy, well designed relational databases to rolling logs with lots of batch processing and synching.

At best, the additional statement is superfluous, which nobody should expect in a finely parsed law, at worst, we have a loophole with the ability to extend storage at will as long as deletion "is ensured".

As Mr. Gutjahr details on his blog and as explained by others, the wide range of allowed uses by government agencies once again goes beyond the touted limited use in cases of terrorism and child abuse.

Communications metadata of lawyers, doctors and other professionals covered under confidentiality regulations are, unfortunately, also collected but are supposed to be used only in investigation of "serious" crimes. The list of "serious" crimes is extensive enough to make the restriction much less protective.

The reimbursement schedule included in the law is not a bad deal for fully automated queries, although the estimated cost to the industry for getting the systems in place is around 250 million Euros, which they may try to pass on to their customers. 

Courts will likely be busy when this law goes into effect.

No comments:

Post a Comment