Dutch Telcos Used Customer Metadata, Retained To Fight Terrorism, For Everyday Marketing Purposes
from the I'm-shocked,-shocked dept
One of the ironies of European outrage over the global surveillance conducted by the NSA and GCHQ is that in the EU, communications metadata must be kept by law anyway, although not many people there realize it. That's a consequence of the Data Retention Directive, passed in 2006, which:
requires operators to retain certain categories of data (for identifying users and details of phone calls made and emails sent, excluding the content of those communications) for a period between six months and two years and to make them available, on request, to law enforcement authorities for the purposes of investigating, detecting and prosecuting serious crime and terrorism.
Notice the standard invocation of terrorism and serious crime as a justification for this kind of intrusive data gathering -- the implication being that such highly-personal information would only ever be used for the most heinous of crimes. In particular, it goes without saying that there is no question of it being accessed for anything more trivial -- like this, say:
Some Dutch telecommunications and Internet providers have exploited European Union laws mandating the retention of communications data to fight crime, using the retained data for unauthorised marketing purposes.
Of course, the news will come as no surprise to the many people who warned that exactly this kind of thing would happen if such stores of high-value data were created. But it does at least act as a useful reminder that whatever the protestations that privacy-destroying databases will only ever be used for the most serious crimes, there is always the risk of function creep or -- as in the Netherlands -- outright abuse. The only effective way to stop it is not to retain such personal information in the first place.
Follow me @glynmoody on Twitter or identi.ca, and on Google+
Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.
Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.
While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.
–The Techdirt Team
Filed Under: crimes, data retention, marketing, netherlands, telcos, terrorism
Reader Comments
Subscribe: RSS
View by: Time | Thread
[ link to this | view in thread ]
[ link to this | view in thread ]
Re:
[ link to this | view in thread ]
I'm shocked I say .... shocked
[ link to this | view in thread ]
[ link to this | view in thread ]
This is not true. The data retention doesn't require any data to be handed over to anyone - it just mandates that traffic data is stored for a certain period of time. The rest is up to each nation to decide. In fact a EU country open to the idea of some political activism could do this:
1) make the retention of data by ISPs mandatory (to comply with the directive), but not allow it to ever be handed over to any external party.
2) have national regulation say that all retained data is to be encrypted with keys rotated on a daily basis and stored a much shorter interval than the retention period.
Since the directive was voted on as a way to harmonize the market (by imposing the same type of costs on all companies - something which failed miserably, but that's another story) I can't see how one could legally object to 2) since it would still impose the same costs on ISPs. The data would be stored, although most of it wouldn't be readable.
[ link to this | view in thread ]
Like Google's massive store of information?
It's just not credible that you kids can't see such obvious similarities with the world's biggest store of such data.
Where Mike sez: "Any system that involves spying on the activities of users is going to be a non-starter. Creeping the hell out of people isn't a way of encouraging them to buy. It's a way of encouraging them to want nothing to do with you." -- So why doesn't that apply to The Google?
02:02:02[c-5-2]
[ link to this | view in thread ]
Re: Like Google's massive store of information?
[ link to this | view in thread ]
[ link to this | view in thread ]
Re:
What you propose is completely unfathomable for any country to do. Even if a country did that, I would bet that the European Commission will renew the directive ahead of schedule to deal with it or even the Council could step in.
"Could" is a political question here. In this case the problem is that the other countries in the union are very unlikely to let such slipshod implementation pass muster.
[ link to this | view in thread ]
Re: Re: Like Google's massive store of information?
This is pointed out to Blue every single time he brings it up.
It's like we are beating a brain-dead horse at this point.
[ link to this | view in thread ]
Re:
It doesn't even go as far as that; it requires the retention of data that fits within the appropriate categories if the service provider was creating the data in the first place. So if an ISP doesn't keep logs of anything, they're not required by the Data Retention Directive to make or retain them.
There are reasons many Governments are unhappy with the Directive and want it expanded...
[ link to this | view in thread ]
Re: Re:
Given this fact it seems to me that it's you that have a stronger burden to prove your point than I do mine. Please explain what the objections of the other countries would look like? On what grounds could they object?
I think the risk that such political activism on the national level would be challenged by the EU institutions is significantly less than the risk that our national politicians argue that "hey, since we're forced to collect all this data anyway, wouldn't it be a waste not to use it?"
My point is that our national political representatives cannot free themselves of responsibility. Their freedom to act may be restricted, but there are still some options available to minimize the privacy implications of the directive.
Just out of curiosity - have you read the directive?
[ link to this | view in thread ]
Fits with rule one.
1. If a database exists it will be abused.
2. The accuracy of information within a database is inversely proportional to its size.
2a. Doubly so for databases held by Government departments.
3. If it contains personal information at some stage law enforcement agencies will want access.
4. If it contains personal information at some stage law enforcement agencies will get access.
5. You can never truly erase your information from a database.
[ link to this | view in thread ]
Re:
1. company holds metadata for period
2. company must encrypt held data with gov. provided public key.
2a. government holds private key.
3. company only hands over material on production of a valid warrant, if warrant in-valid and data handed over then prison time for company directors.
4. company must report all dealings with metadata, including warrants, on pain of prison time for company directors.
[ link to this | view in thread ]
[ link to this | view in thread ]
[ link to this | view in thread ]
Why is it illegal?
A telco log metadata of their users. This metadata then used for marketing purposes. How is this any different from targeted advertising?
(setting aside the feeble justification of "legally obliged to")
[ link to this | view in thread ]