As a result of the attacks on Charlie Hebdo in Paris, many politicians are once again calling for mandatory data retention laws.1) Ignoring the (frankly sickening) eagerness to exploit this tragedy for your own political goals without even having the decency to wait until the victims are buried, and leaving aside questions of the effectiveness of data retention in solving crimes (doubtful), the potential for abuse (high), the costs associated with it (impressive), and the compliance with basic european principles and human rights like the presumption of innocence (problematic at best), I would like to focus on a few (perhaps non-obvious) consequences of a new mandatory data retention law.
I am focussing on the situation in Germany, simply because I live here. Some of the problems are specific to Germany and its sometimes impressively stupid laws (like the infamous “Störerhaftung”, where the owner of an internet connection is responsible for any crimes committed via his/her connection, regardless of who actually committed it), but most should apply to just about any country.
Problem 1: It creates targets
Where there is data, there are so-called “security” services who are interested in using it. Having a country’s own so-called “security” service use the data is bad enough, given the track record of criminal behaviour2) and sloppy data security of most of these so-called “security” services. But it also creates targets for foreign intelligence services.
The NSA appears to be very fond of attacking such centralized data repositories. They have already demonstrated that they are perfectly willing to attack european carriers if they carry interesting data. And given their obsession with metadata, we are doing them a big favor by aggregating all the metadata ourselves and storing it in centralized locations3). The NSA just has to take the metaphorical can-opener to the networks of the ISPs (which, again, they seem to be perfectly willing to do) and query them as much as they like. Which brings us to the second problem:
Problem 2: It’s not “just metadata”
Proponents of surveillance will often cite the argument that “it’s just metadata”. This statement is wrong on so many levels that we would need an escalator to reach them all, so I will only mention a few of them.
- The CIA “kill[s] people based on metadata”
- Metadata is actually at least as telling as the actual contents of communication, while being much easier to automatically analyze
- Metadata can be used to construct stories that are “made up of facts, but not necessarily true”. To quote Jacob Appelbaum:
The data trail you leave behind tells a story about you, but not necessarily one that is true. Even if it’s made up of facts. For years the US government harassed me because they thought Bradley Manning, now Chelsea Manning, had given me documents. But that is not true. — Jacob Appelbaum
- And finally, if metadata really was as useless as they make it sound, why would they spend so much time and effort collecting it?
Problem 3: Data retention leads to problems for small network providers
“Freifunk” is a (mostly German) initiative / movement / however you want to classify it. It involves people setting up WiFi routers in their homes and providing free and open internet access to everyone around them. Anyone can participate, and the decentralized, local communities have done many great things from covering entire small towns with their network to providing free internet access to refugees (German article).
Now, in germany we have a law called “Störerhaftung”, which greatly discourages people from sharing their internet access because they are responsible for any (perceived) crimes committed using their connection, no matter who actually committed the (perceived) crime. This law has an exception for internet service providers (because, understandably, the big telcos are not interested in being responsible for the things their customers do). Freifunk uses this part of the regulation by tunneling all traffic from Freifunk routers to one (or more) central gateways using VPNs, before the traffic is sent into the internet proper. That way, they are classified as a small ISP and are exempt from the Störerhaftung.
However, by classifying itself as a small ISP, Freifunk communities may5) be forced to implement data retention themselves. This would put a major strain on the communities, as the additional costs for data retention and storage hardware would have to be financed somehow. As these communities aren’t really well-supplied with money as it is, this would greatly impact their ability to actually provide internet access to many disadvantaged people, not to mention the ideological problem of logging the connections of their users (most Freifunk operators strongly believe in privacy).
The same problem applies for all small internet providers. Small, regional ISPs with a few hundred customers, or universities providing internet access for student dorms, may (or may not) be subject to data retention laws, and they would all incur costs that would either force them out of service or force them to raise prices for the customers. Which, again, brings us to the next problem:
Problem 4: The monetary costs
If you think that the big internet service providers will let their bottom line suffer because of data retention laws, you obviously have not seen how they operate. The added costs for data retention hardware will either be paid by the customer (meaning you), or by the state and, by extension, the taxpayer (meaning you). In essence, you are forced to pay for your own surveillance and the reduction of your civil liberties. Speaking of which:
Problem 5: The potential for abuse
I am cheating a little here, because I told you that I would not be talking about this, but this is just too important to ignore. The data that is collected can be abused by pretty much any party:
- Anyone with access to the data can use it for blackmail (“It would be a shame if your wife knew that you are talking to Ms. XYZ at 3 in the morning…”)
- ISPs can (and will) use it for marketing
- Business competitors with access to the connection logs of your company could infer information about your business strategy (“They sure have been looking at the website of that one company a lot lately…”)
- It can also be used to infer private information like religious beliefs (are you visiting church websites?), medical conditions (visiting cancer information sites?), political views, social circles, …
- It could be used to identify sources of journalists, clients of lawyers, patients of doctors, basically any form of confidential relationship
- …I can do this all day long…
This obviously is already a problem, because many of the three-letter-agencies are already connecting all of this data (and, probably, for exactly these purposes). But by collecting this data at even more places, the problem only gets worse, because more and more corporations, agencies and individual people6) gain access to them.
To sum things up, data retention laws…
- …support local and foreign intelligence services in their dragnet surveillance tactics
- …lead to big collections of sensitive information that can be abused
- …endanger small Internet Service Providers and projects like Freifunk
- …increase either your phone bill or your taxes
- …go against the basic principles of any democratic country, e.g. the presumption of innocence
- …have been shown to be practically useless for actually fighting crime, as demonstrated by the exact attacks that are used to justify new data retention laws: France already has laws for a data retention of 12 months, which failed to prevent the attack on Charlie Hebdo.7)
A call to action
In closing, I ask of you: Contact your representatives, both in your countries parliaments and the european parliament. Tell them that more surveillance is the wrong answer. Tell them that instead of dismantling our democracy with more surveillance, we should retaliate with more democracy and openness.
But most importantly, make sure to actually tell it to them directly. Tweeting your opposition to something is one thing. Actually taking the 10 minutes it takes to write a (polite!) mail to your representative shows them that you do care, and it forces them to reply to you (or have one of their staffers do so). 8)
Now imagine if hundreds of people were to do the same thing. Imagine the effect of hundreds of well-written, polite (!) eMails arriving in the inboxes of all representatives, complete with sources for all of your claims. Imagine them having to find replies to all of those eMails, trying to defuse your worries. Now imagine hundreds of people replying to those messages, calling out the flawed assumptions or evasive answers, (politely) demanding actual argumentations, demanding sources for their claims.
Write those eMails. Be persistent. Be annoying. Stay polite. Perhaps you can help prevent another disasterous piece of surveillance legislation. Perhaps not. Perhaps it will pass in spite of all the protests. But at least you will have tried.
Thanks go out to niemalsnever and FreeFall for proofreading. Any remaining mistakes are my own.
|The irony of using attacks in a country with 12 months of data retention as a reason why data retention can protect us from these exact attacks is appearently lost on its proponents.
|The german “Verfassungsschutz” (“Constitution protection agency” would be a rough translation) was found to have known about a german right-wing terror cell for years and actively prevented the police from arresting suspected or confirmed members of it. They also actively destroyed files and evidence when suspicion was cast on them. A german summary of the case can be found here.
|If past data retention laws are any indication, the carriers will probably be required to store the data for about half a year, if not longer.
|If you happen to understand german, netzpolitik.org has a number of articles on this topic, which are well worth reading.
|Depending on how the actual data retention laws are written, small providers like Freifunk may or may not fall under the data retention requirements.
|The NSA even has a term for private use of surveillance technology and data: LOVEINT
|The attackers had actually been known to the relevant authorities for quite some time, but due to insufficient capabilities for targeted surveillance, they could not be properly surveilled. Another reason why “more dragnet surveillance” is exactly the wrong thing to ask for right now.
|I’ve recently had a long eMail exchange with my representative in the german parliament, and while she expertly managed to talk past my actual questions (a skill every politician seems to have mastered), at least I forced her to take 10 minutes out of her day to formulate a reply.