 Date: 2001-11-30
 
 Inside EU-Cybercrime Hearing
 
 The EU hearing on "data retention and cybercrime"
 from the perspective of a person who took part in it
 
 -.-. --.-  -.-. --.-  -.-. --.-  -.-. --.-  -.-. --.-  -.-. --.-
 
 During the Commission's Public Hearing on its Communication
 "Creating a Safer Information Society by Improving the Security of
 Information Infrastructures and Combating Computer-Related
 Crime", which took place on March 7 in the same building, it was
 announced that the EU would found a Forum similar to the UK
 Internet Crime Forum, in which chief police officers, representatives
 of the IT industry and - to a lesser degree - data protection officers
 are united. The recent event was the first "plenary session" of this
 institution, named the "EU Cybercrime Forum". The Commission,
 who hosted the event, declared to be "in listening mode", which
 meant basically there was no way of contradicting the conclusions
 presented by DG Internal Market's Susan Binns at the very end. In
 the light of recent discussions in the EP, the Council and, more so,
 the critical public, it was not surprising that "Retention of Traffic
 Data" was chosen as the topic for this first session. After critique
 uttered during and following the March meeting that the speaker's
 list was unbalanced, giving little speaking time to data protection
 officials and almost none to privacy advocates, the Commission
 took great care to present something more balanced this time.
 Still, the industry was a bit over-represented, making up about half
 of the participants, with police and data protection sharing the rest
 to more or less equal parts. Most interventions should be posted
 within a few weeks on the forum's web page, which is for some
 reason provisionally housed at http://cybercrime-forum.jrc.it .

 The
 morning was dedicated to keynote speeches and chaired by
 Robert Verrue, Director General of the Commission's DG
 Information Society (DG INFSO) and his colleague Adrian
 Fortescue of the DG Internal Market (DG INT). Keynote speeches
 were given by MEP Charlotte Cederschiöld (Conservative, Sweden),
 Commissioner Erkki Liikanen, by three industry people, namely
 Michel Bartholomew of ETNO (Telecommunication Operators
 Association), Alain Hocquet of France Telecom and Joe McNamee
 of EuroISPA (Internet Providers). They were followed by John
 Abbott, who spoke on behalf of the National Criminal Intelligence
 Service of the UK, Jozef Brink from the German Ministry of Justice
 and Alexander Datijn from the Netherlands Ministry - two more law
 enforcement guys -, David Smith from the Office of the UK
 Information Commissioner, and MEP Marco Cappato of the Italian
 Radicals.

 A speech that was to be delivered at that time by Simon
 Davies of Privacy International could not take place because, as it
 seems, Simon was denied access to his plane at Heathrow airport.
 Morris Wessling of Bits for Freedom, who volunteered to substitute
 for him, felt unable to prepare a 10-15 minute keynote speech within
 a few hours and in the middle of the plenary, and limited himself to
 a five-minute contribution in the afternoon.

 Mrs. Cederschiöld, who
 was the rapporteur on the Commission's Cybercrime
 Communication and as such pretty pro-surveillance, gave what she
 certainly considered a "well-balanced" presentation: "Any law
 enforcement measures must be well defined and foreseeable, and
 take place within a clear legal framework - necessary and
 proportionate", and so on. She even went on to say that the 911
 attacks "must not lead to a carte blanche for retention and
 interception as this would facilitate abuse of stored data, thereby
 hamper consumer confidence in electronic communications and
 services, and decrease security, while at the same time increase
 costs for all actors". Now you might think this could only lead you
 to a decidedly anti-retention position. Not so. Mrs. Cederschiöld
 went on to say that technical standards must be co-ordinated
 internationally, and that the financial load of interception must
 be borne by the State. Ambiguous, to say the very least.

 I won't spend a lot of words on Commissioner Liikanen's
 contribution, because it was a) an abbreviated version of the
 discussion paper published by the Commission a few weeks ago
 (which can be found as well on the forum's web page as on DG
 INFSO's Web page) and because b) it was what you would have
 expected: Main focus E-Commerce, question of consumer trust,
 eEurope action plan, blahblah.

 Bartholomew of ETNO said the two key issues for Telecom operators
 were the lack of harmonised rules and the costs caused by
 interception. I think those who call for harmonised retention
 instructions and would even be ready to pay the price for it
 listened very well. Probably not so any more when Bartholomew said
 retention had to be on a case-by-case basis and clear time
 limitations had to apply.

 Hocquet of France Telecom said his firm had established "retention
 centres", mainly for billing purposes, only in the mid-nineties,
 while retention had been technically possible even ten years
 before that. He also gave some interesting
 figures: France Telecom houses some 33 million phone lines, and
 25.000 requests for retained data reach their offices each month -
 he did not comment if they came from the Police only or from
 secret services as well. The high figure might explain the fact
 why, as Hocquet said, the 1997 directive on data protection in
 electronic communication still has not been implemented in France.
 What passed a lot quicker, though, is the new Loi de la Sécurité
 interne, which provides for 12 months data retention since October
 15.

 McNamee of EuroISPA felt an urge to explain that retention could
 also protect privacy, e.g. Anti-Spam Hotlists run by providers
 could be operative only if a communication could be traced back to
 its author. He went on to explain that there were 4 kinds of data,
 each one more intrusive than the preceding one: Subscriber data,
 Access data (including calling line ID), traffic data and contents
 data. It was pretty obvious he did not consider subscriber data
 really sensitive at all, while he wanted to safeguard contents
 data. He failed to comment on the merging of traffic data,
 contents data and location data in upcoming mobile services, which
 was a point raised later on by a number of technically qualified
 privacy advocates. McNamee suggested to somehow codify the current
 practice under which police is already supplied with data retained
 for billing purposes, and to reimburse providers for any added
 costs.

 Next came another one of the UK Police's super weapons (after
 Chief Superintendent Keith Akerman, the Chairman of
 the UK Internet Crime Forum, who was the star at the March 7
 Meeting): John Abbott, C.B.E., QPM, B.A. (Hons) (whatever all of
 this means) and Director General of the National Criminal
 Intelligence Service. It showed he had passed not only one
 rhetorics course, and he had passed it well. What he wanted was
 pretty easy to discern: As big as possible a proportion of data -
 traffic data, no content data, as he pointed out - to be stored for
 as long as possible. He spoke a lot in examples, and one of those
 was of a case that was solved five years later, allegedly with the
 help of retained traffic data. He commented very long on how the
 world had changed and how electronic communications had made it
 possible to commit a crime without leaving any evidence to be used
 by the police. Therefore it was necessary to create a new kind of
 evidence, even for the fight against non-hi-tech crimes. This kind
 of evidence was going to become as important in the 21st century
 as fingerprints were in the 20th. To this, someone replied later
 that the difference was you didn't have your fingerprints taken at
 every step you made, even in the 20th century.

 Brink is the German justice ministry's official responsible for
 international cooperation in criminal matters and at the same time
 delegate to the G 8 Hi-tech crime unit. He asked for "all
 connection data" to be retained "in collaboration with the
 industry". He does not seem to believe retention will be
 stipulated by law: At least he considered it important that "as
 many providers as possible" should retain and also help analyse
 data on a voluntary basis. He said Germany had no binding policy
 on the matter yet, but he himself had never agreed with the
 proposal for compulsory deletion. He demanded the following kinds
 of data: Headers, dial-in logs, assigned IP addresses, Host
 Addresses and Caller ID with SMS. Datijn agreed and warned the
 Data Protection in Electronic communications Directive as Drafted
 by the EP and the Commission would
 break up the hitherto "parallel interests" of telecom providers
 and law enforcement.

 David Smith was the next one to speak, on behalf of the UK
 Information Officer (Data Protection Authority). Although he did
 not seem to be too eloquent, his presentation, based mainly on the
 European Charter of human Rights and Data protection legislation
 in effect within the EU, left a good impression and was quoted
 several times in the final Statement by the Commission. Smith
 called for a limitation of data retention to specific cases -
 which he would not see as problematic - but is opposed to blanket
 retention. He wanted a set of questions answered: "What is the
 case for retention? What data is (going to be) retained? How
 useful would this data be to whom? What has changed as compared to
 the times of analog telephony, when there simply were no logs to
 access? What is the management cost of such a system? Who stores
 the data? And what about different
 retention periods in different EU States?" That kind of questions
 showed, I think, that Smith is prepared to withdraw and criticise
 retention immanently.

 The last speaker of the morning was
 Cappato, the EP data protection Rapporteur. He sounded less
 radical than his amendment to Article 15 may have made believe,
 focussing mainly on the need for uniform regulations in the EU. But
 he is of course strongly opposed to any kind of blanket retention.

 I won't go into detail regarding the speakers in the afternoon, who
 had only five minutes for their presentations each (though some of
 them stretched this period to its double) and represented the
 above-mentioned mix, for that reason and because there were no new
 arguments, neither from the industry nor from the law protection
 side, that had not been heard in the morning. There were some
 rather technicist suggestions, e.g. to encrypt logs using a double
 key, one half of which would be with data protection authorities, the
 other either with industry or law enforcement, but those were not
 really important.

 Morris Wessling, standing in for Simon Davies, drew
 a scenario of growing technical skills of users leading to more
 consumer awareness and to a loss of trust in electronic
 communications (which I myself would not consider a bad thing).
 He opposed the artificial distinction between traffic data and
 contents data, which he illustrated with an example from future
 mobile Internet communications. His call to apply data protection
 rules concerning contents data also to traffic data obviously wasn't
 shared by the majority of the audience.

 The next privacy advocate
 was Angelika Jennen from the office of Germany's
 Bundesbeauftragter für den Datenschutz (National DP officer). She
 also pointed to the fact that, as a greater and greater proportion of
 our life becomes entangled with electronic communication,
 connection data may be used to draw up personality profiles, while
 location data might lead to movement profiles. Blanket data
 retention, she said, was also in contradiction to the principle of
 proportionality. There were several other Data Protection officials
 who used more or less the same arguments: Diana Alonso Blas
 from Colleg Bescherming Persoongegevens, the Dutch DP
 Authority and Alexander Dix from the DP Authority of the German
 Land of Brandenburg, and two Belgian Professors - Yves Poullet, a
 lawyer, and Jean-Marc Dinant, an information scientist, both of the
 Université de Namur - who spoke very strongly in favour of Data
 Protection. There was the usual industry batch of AOL, VeriSign,
 Business Software Alliance,
 Motion Picture Association and so on, offering to co-operate or
 confirming they had already done so for quite a while (as is the
 case for AOL). There was another fuzz of law enforcement people
 from Norway, Sweden and Belgium, as
 well as two men from the US Department of Justice (one of them
 speaking for the US Government, the other for the G 8) and a
 French guy who heads what seems to be a firm contracting to
 "forensic informatics"; Eric Freyssinet, "ENFSI FIT-WG Chairman,
 Chef du département informatique électronique de l'IRCGN". The
 most radical presentation on our side was by Alberto Escudero-
 Pascual, who presented a research project they had done at the
 Institute of Technology in Sweden's "Mobile Silicon Valley": They
 showed how location data from mobile devices could be used to
 establish not only movement, but also interaction and thus
 personality profiles. Unfortunately, he spoilt the impressing effect of
 that statement a little by finishing it up with an insulting statement
 against "commission officials", who allegedly scare people with
 scenarios taken from Hollywood movies to accept retention - which
 may be true for some of them, but certainly not for all, and should
 rather be said of the Council.

 What seemed to turn out as being the strongest position in the
 end - but that is merely subjectively speaking of course - was
 something that goes into the following direction:

 · Retention of traffic data "only" for a limited period, say six
   months or so.
 · EU-wide more or less uniform rules for the access to this data,
   upon presentation of a court / state attorney order
 · Preservation of data in particular cases, also only with a
   judicial warrant.
 · Co-operation on an international level, perhaps including the US
   and other interested parties.

 ad, Nov. 29, 2001
 
 -.-. --.-  -.-. --.-  -.-. --.-  -.-. --.-  -.-. --.-  -.-. --.-
 - -.-. --.- -.-. --.- -.-. --.- -.-. --.- -.-. --.- -.-. --.-
 edited by Harkank
 published on: 2001-11-30
 comments to office@quintessenz.at
 - -.-. --.- -.-. --.- -.-. --.- -.-. --.- -.-. --.- -.-. --.-