Danish Police Admit That Data Retention Hasn't Helped At All
from the time-to-ditch-it dept
There's been a big push around the globe to ramp up data retention rules, which require various online services to keep all sorts of data on their users for a long time, just in case it's possible that law enforcement officials might need that data at some later date. That this only adds to the pile of data, and often makes it more difficult to find useful data, is never discussed. That this likely puts more people's private data at risk of being hacked or accidentally revealed is never discussed. Also, almost never discussed: whether or not such data retention laws actually help solve crimes.
Over in Denmark, we have an answer, and that answer is an emphatic no. After half a decade of having strict data retention laws, the Danish police have announced that it has not helped them find criminals. And, as predicted, having all that data has made it unwieldy for law enforcement when they actually think they need some data.
“Session logging has caused serious practical problems,” the ministry's staffers write in the report. “The implementation of session logging proved to be unusable to the police; this became clear the first time they tried to use [the data] as part of a criminal investigation.”
This seems like a pretty damning point concerning data retention. Hopefully, at the very least, this example is raised whenever any other country proposes data retention laws.
Filed Under: data retention, denmark
Reader Comments
On behalf of thieves, pedophiles, and blackmailers everywhere
[ link to this | view in chronology ]
Oh it gets better...
[ link to this | view in chronology ]
Re: On behalf of thieves, pedophiles, and blackmailers everywhere
[ link to this | view in chronology ]
Re: On behalf of thieves, pedophiles, and blackmailers everywhere
[ link to this | view in chronology ]
OR, Danish police / software suppliers are incompetent.
Take a loopy tour of Techdirt.com! You always end up same place!
http://techdirt.com/
Even if Mike is absolutely right about problems, he has no solutions to even suggest.
00:34:33[a-157-6]
[ link to this | view in chronology ]
Re: OR, Danish police / software suppliers are incompetent.
The fact that "pretty damning" evidence can't be set aside because he hasn't spoonfed us a solution is irrelevant. In any case, the traditional "Probable cause -> Warrant -> surveillance -> gather evidence, then arrest suspect" methods are the best way of dealing with this.
What drives police states is the self-same authoritarian attitude as your own, okay?
And like it or not, the idea is to provide a treasure trove for fishing expeditions, mostly to catch easy targets, e.g. copyright infringers. And you wonder why the crime rate hasn't plummeted?!
[ link to this | view in chronology ]
Re: OR, Danish police / software suppliers are incompetent.
Is never being right and having no solutions to suggest like you, any better?
[ link to this | view in chronology ]
The law came about in 2006 under a "liberal" government. The specific part of the law says (translated):
"The obligation to record information about an Internet session initial and final package ...(red: removing some irrelevant exemptions) If such registration is not technically feasible, the in section 1 mentioned information should be collected instead, for every 500 package."
Since logging first and last package is technically challenging given how nobody can define what either should be, all ISPs collect information for every 500 packages.
The cost is somewhere between 40 and 100 million dollars for the ISPs.
The law had to be reevaluated last year but has been pushed forth several times.
Now the news around the law are completely, well:
The new socialistic government defended the law in March this year by saying that it was used to convict murderers, child pornographers and weapon smugglers.
The police has been asked several times for proof of the use. Initially they could not give any, but came up with 2. 1 was a man being proven innocent because of a celltower ping (which is completely irrelevant for these data and they later retracted it), the other was someone being proven innocent because the data was showing that he could not have been the perp.
Hardly seems like proof of murderers, child pornographers and weapon smuggling to me...
The police couldn't use the system until 2010 because they lacked the programs to search through the data and even afterwards it has had major problems. So far, it is about 7 trillion data-points they can demand to look through...
The renegotiation has been pushed to late 2013, but I do not expect it to happen before 2015 at the earliest since the politicians are waiting for 1. some evaluation reports, 2. new EU-legislation and 3. they hope for the police to get some experiences with the data before thrashing the system.
There is a popular movement against the session logging and even in the parliament there is a sceptical majority even though some of them are easy to talk into delaying the final decision.
[ link to this | view in chronology ]
Re:
Senders IP
Receivers IP
Transport protocol
Senders Postal code
Receivers Postal code
Since spoofing IP is easy, it is pretty worthless since receivers IP is gonna be irrelevant. Postal code is hardly valuable today.
Furthermore the following is collected by the police:
User ID (whatever)
Name and address of the registered owner of the IP at the time of communication.
The only valuable information is name and address of the registered user. The rest is bunkers for even the police.
[ link to this | view in chronology ]
Re: Re:
[ link to this | view in chronology ]
Re:
been at the time, went to any particular site. Malicious sites, via scripts, and botnets could cause all sorts of sites to be visited without the user's knowledge.
[ link to this | view in chronology ]
Re: Re:
[ link to this | view in chronology ]
Data retention useless without identification
For this reason, the Ministry of Justice has proposed a brand new Orwellian rule requiring personal identification of all users downstream to even private households.
What it means is that you must either implement personal authentication of all users using your connection and retain the information for one year, or limit the number of users to what is manageable for the police.
[ link to this | view in chronology ]
Re: Data retention useless without identification
[ link to this | view in chronology ]
Along with the obvious process flaws mentioned
"Gee, this guy is seriously into 17th century Icelandic quilting patterns."
[ link to this | view in chronology ]
Re: Along with the obvious process flaws mentioned
[ link to this | view in chronology ]
Re: Re: Along with the obvious process flaws mentioned
Heck, it's possible for a home machine to look at a single port on the whole IPv4 internet.
[ link to this | view in chronology ]
Alternatively
[ link to this | view in chronology ]
Although the data retention legislation is fruitless and dangerous, I think it's fair to point out that their problem in this case is that the implementation was lacking. That said, there is the far more troubling point that
So, just like all things Internet, they've taken already-dangerous legislation and built in a back door with giant arrows pointing at it saying "BAD GUYS GO THIS WAY". Good job, that.
[ link to this | view in chronology ]
Re:
As for schools, well, that is your way in if you are a teacher, but not for long. Highschool and above are usually userID-controlled to some extent. There are several weaknesses to the systems, but it is hard to abuse these exemptions since you are identified as the person using the computer at a specific time...
[ link to this | view in chronology ]
Re: Re:
Not my local library.
If you are using their computers, then yes, you need a library card. But anybody can walk in with their own laptop and use the free wifi - no identification required.
[ link to this | view in chronology ]
Re: Re: Re:
Mine too, but only to be allowed into the area with the computers. They don't actually track which library patron is using which computer or when.
[ link to this | view in chronology ]
Re: Re: Re:
[ link to this | view in chronology ]
Re: Re: Re: Re:
Sort of. They could locate which wifi node I was connected to, but that's about it. My laptop spoofs a random MAC address every time I reboot, just on general privacy principles.
[ link to this | view in chronology ]
Re:
The evaluation report about session logging does make the claim that the problems are caused by the way that the ISPs have implemented it (session logging is data retention of IP/port/protocol/timestamp about all internet packets, or in practice every 500th packet).
However, that statement is even more ridiculous than anything else in the report. First of all, the Danish ISPs have implemented session logging in exactly the way that the Ministry of Justice has required, so there is absolutely nothing to be surprised about. The arguments about "implementation problems" are completely incoherent, and the person who wrote that section really doesn't seem to know what he/she is talking about.
For example, at one point they complain that only information about every 500th packet is retained, so it will not be possible to check "whether people are active on the internet". Makes no sense at all. Visiting a single website with dynamic content from many sources, like cnn.com, tends to generate more than 500 packets, and statistically speaking one will be recorded to "show activity".
But with a little knowledge of how the internet works (a skill that is totally lacking with the Danish Ministry of Justice, where people seem to think that the internet works just like the telephone system) and how data retention is done in practice (say, by talking to people at ISPs), it's pretty clear that the main "implementation" problem (according to the report) is really about the natural limitations for data retention caused by CG-NAT (carrier grade NAT).
From a law enforcement perspective, CG-NAT is a bad thing since CG-NAT means that several customers share the same public IP address (but what can you do when there is an IPv4 shortage?). The data retention directive in the EU requires that ISPs keep track of which customers have been allocated a given public IP address, and that information must be retained for 6-24 months (in most EU countries for 12 months). This has nothing to do with session logging, by the way. The basic idea is that if some IP address shows up in an external server log in connection with criminal activity, the police can identify the customer behind the IP address (basically the same way that RIAA/MPAA try to hunt down file sharers).
Needless to say, this doesn't work very well if, say, 100+ customers share the same public IP because of CG-NAT. This is also a problem that has surfaced in the discussions about the Snoopers' charter in the UK recently, but at least the UK government has understood the nature of the problem.
To make matters worse, a Danish ISP with CG-NAT for mobile subscribers has done some extra data retention (source port logging in the NAT gateway) to address the NAT limitations. So, if the police can obtain an IP address as well as source port from the external server log, then this particular ISP can pick out the customer.
So far so good... except that it doesn't work in most cases because the server logs only contain IP addresses and not source ports (or the Danish police have only obtained the IP address, not the source port).
Put all of this together without understanding CG-NAT or the internet, but with a strong desire to give a "positive" evaluation of session logging (despite its total failure), which the Danish Ministry of Justice forced upon the ISPs in 2007 as the only EU country. The only thing to do in a situation like this: blame the ISPs for the failure!
Full disclosure: I am a board member of a Danish NGO (IT-Political Association of Denmark) that has opposed data retention since the very beginning. We have tried to communicate the above points to the Ministry of Justice (in more diplomatic ways, of course), but without any noticeable success.
[ link to this | view in chronology ]
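The CG-NAT attribution limit described in the comment above, as an added example that is not part of the original thread or any ISP's real tooling: a lookup against a NAT gateway's translation log using only the public IP and timestamp from a server log, versus the same lookup with the source port. The subscriber IDs, the documentation-range IP, the port numbers and the mapping lifetimes are all constructed assumptions.

```python
"""CG-NAT attribution: what a translation log can resolve from a server-log entry."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Set


@dataclass(frozen=True)
class NatMapping:
    subscriber: str      # hypothetical customer identifier
    public_ip: str       # shared public address
    public_port: int     # source port assigned by the NAT gateway
    start: datetime
    end: datetime


def build_sample_log() -> List[NatMapping]:
    """Constructed sample: 120 subscribers share one public IP (RFC 5737 range)."""
    t0 = datetime(2013, 6, 1, 12, 0, 0)
    return [
        NatMapping(f"cust-{i:03d}", "203.0.113.7", 20000 + i,
                   t0 + timedelta(seconds=i),            # staggered start
                   t0 + timedelta(seconds=i + 300))      # 5-minute mapping
        for i in range(120)
    ]


def candidates(log: List[NatMapping], public_ip: str, when: datetime,
               src_port: Optional[int] = None,
               skew: timedelta = timedelta(0)) -> Set[str]:
    """Subscribers consistent with the evidence from an external server log.

    src_port=None models a server log that recorded only the client IP.
    skew widens the time window to tolerate clock drift between the server
    and the NAT gateway; a wider window can only add candidates.
    """
    return {
        m.subscriber
        for m in log
        if m.public_ip == public_ip
        and m.start - skew <= when <= m.end + skew
        and (src_port is None or m.public_port == src_port)
    }


if __name__ == "__main__":
    log = build_sample_log()
    seen_at = datetime(2013, 6, 1, 12, 2, 30)   # timestamp taken from the server log
    print("IP only:      ", len(candidates(log, "203.0.113.7", seen_at)), "candidates")
    print("IP + src port:", sorted(candidates(log, "203.0.113.7", seen_at, src_port=20042)))
```

With the source port missing from the server log, every subscriber holding a mapping on that address at that moment remains a candidate; with it, the set collapses to one.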
and is the exact reason why the idiots in governments will continue to want to do it!!
[ link to this | view in chronology ]
Re:
and is the exact reason why the idiots in governments will continue to want to do it!!
Don't worry (unless you are a Dane and have to live with this stupidity and violation of your right to privacy).
The Danish government has just secured a majority to continue with the internet data retention (session logging) that they have admitted is completely useless.
Their supporting party in this matter is arguing that session logging might be useful sometime in the future.
[ link to this | view in chronology ]
lee pa'
[ link to this | view in chronology ]