Since roughly September, a resolution has been making its way through
the EU bureaucracy to institute mandatory retention periods for, among other
things, the internet traffic logs held by ISPs. Throughout the discussions, the
impression has been that the resolution would in effect
require ISPs to log more or less everything a user does, requiring
enormous disk volumes for the logs and infringing heavily on personal
privacy.
The resolution, as it ended up, is actually less alarming than it could
have been - somewhat surprisingly. I'm reading the changes instituted by
the parliament during the first reading and acceptance of the
resolution. They include the addition of, among other things, the following
text blocks:
In particular when retaining data related to Internet e-mail and
Internet Telephony, the scope may be limited to the providers' own
services or the network providers'.
This makes the ISP responsible for its own services, but not for
connection tracking outside its own services.
[...]attacks against information systems provides that the
intentional illegal access to information systems, including to data
retained therein, shall be made punishable as a criminal offence.
Punishing computer intrusion has been in the loop for quite some time.
Nothing really extraordinary here, unless the scope of "intentional
illegal access to information systems" suddenly widens.
Considering that the obligations on providers of electronic
communications services should be proportionate, the Directive
requires that they only retain such data which are generated or
processed in the process of supplying their communications services;
to the extent that such data is not generated or processed by those
providers, there can be no obligation to retain it.
This means that if the ISP doesn't log, it has no obligation to retain
logs it doesn't have. ONLY the logs that the ISP makes anyway are
under a storage obligation, for 6-24 months, and a judicial request is
necessary for mandatory disclosure.
Furthermore, the resolution recalls that a ruling by the
European Court of Human Rights
requires that interference by public authorities with privacy rights
must respond to requirements of necessity and proportionality and
must therefore serve specified, explicit and legitimate purposes and
be exercised in a manner which is adequate, relevant and not
excessive in relation to the purpose of the interference.
Thus, disclosure of logs may only be forced when this is an adequate,
relevant and not excessive measure in comparison to whatever is being
investigated.
The motivation of the directive was rewritten to replace the reference
"serious criminal offences, such as terrorism or organized crime" with
"serious criminal offences, as defined by each Member State in its
national law".
All in all, the text seems, on a first cursory reading, to be less
dangerous than it could have ended up. Most of the edits performed by
the EP in plenary go toward more respect for individual privacy, and
slightly away from the Big Brother scenario.
However, and this is always a major however, the leniency of this
resolution, and of the implementations coming in the member states
during the coming 18 months, depends heavily on whether my
reading is retained or a harsher reading is introduced. The
terrorism language has been taken out of the resolution, guarding
against at least some of the overreactions we'd expect, but the
signal sent is still one that may be abused. The way the anti-piracy
lobby screams bloody murder makes me wonder whether they would not try
to declare use of DC or eMule a "serious criminal offence" and
start bullying ISPs with this as backup as well.
We need a counterlobby. A sensible one.