Since roughly September, a resolution has been making its way through the EU bureaucracy to institute mandatory storage times for, among other things, internet traffic logs with ISPs. Throughout the discussions, the impression has been that the resolution would in effect require ISPs to log more or less everything a user does, requiring insane disk volumes for the logs and infringing exceedingly on personal privacy.
The resolution, as it ended up, is actually less panicky than it could have been – somewhat surprisingly. I’m reading the changes instituted by the parliament during the first reading and acceptance of the resolution. They include the addition of, among other things, the following text blocks:
“In particular when retaining data related to Internet e-mail and Internet Telephony, the scope may be limited to the providers’ own services or the network providers’.”
This makes the ISP responsible for its own services, but not for connection tracking outside its own services.
“[…]attacks against information systems provides that the intentional illegal access to information systems, including to data retained therein, shall be made punishable as a criminal offence.”
Punishing computer intrusion has been in the loop for quite some time. Nothing really extraordinary here, unless the scope of “intentional illegal access to information systems” suddenly widens.
“Considering that the obligations on providers of electronic communications services should be proportionate, the Directive requires that they only retain such data which are generated or processed in the process of supplying their communications services; to the extent that such data is not generated or processed by those providers, there can be no obligation to retain it.”
This means that if the ISP doesn’t log, it has no obligation to retain logs it doesn’t have. ONLY the logs that the ISP makes anyway are under a storage obligation of 6-24 months, with a judicial request necessary for mandatory disclosure.
Furthermore, the resolution recalls that a ruling by the European Court on Human Rights
“requires that interference by public authorities with privacy rights must respond to requirements of necessity and proportionality and must therefore serve specified, explicit and legitimate purposes and be exercised in a manner which is adequate, relevant and not excessive in relation to the purpose of the interference.”
Thus, disclosure of logs may only be forced when this is an adequate, relevant and not excessive measure in comparison to whatever is being investigated.
The motivation of the directive was rewritten to replace the reference “serious criminal offences, such as terrorism or organized crime” with “serious criminal offences, as defined by each Member State in its national law”.
All in all, the text seems, upon first cursory reading, to be less dangerous than it could have ended up. Most of the edits performed by the EP in plenum go toward more respect for individual privacy, and slightly away from the Big Brother scenario.
However, and this is always a major however, the leniency of this resolution, and of the implementations coming in the member states during the coming 18 months, is extremely dependent on whether my reading will be retained, or a harsher reading will be introduced. The terrorism language has been taken out of the resolution, guarding against at least some of the overreactions we’d expect, but still the signal sent is one that may be abused. The way that the anti-piracy lobby screams bloody murder makes me wonder whether they would try to pronounce use of DC or eMule to be a “serious criminal offence” and start bullying ISPs with this as backup as well.
We need a counterlobby. A sensible one.