Although the data retention legislation is fruitless and dangerous, I think it's fair to point out that their problem in this case is that the implementation was lacking.
The evaluation report about session logging does make the claim that the problems are caused by the way that the ISPs have implemented it (session logging is data retention of IP/port/protocol/timestamp about all internet packets, or in practice every 500th packet).
However, that statement is even more ridiculous than anything else in the report. First of all, the Danish ISPs have implemented session logging in exactly the way that the Ministry of Justice has required, so there is absolutely nothing to be surprised about. The arguments about "implementation problems" are completely incoherent, and the person who wrote that section really doesn't seem to know what he/she is talking about.
For example, at one point they complain that only information about every 500th packet is retained, so it will not be possible to check "whether people are active on the internet". Makes no sense at all. Visiting a single website with dynamic content from many sources, like cnn.com, tends to generate more that 500 packets, and statistically speaking one will be recorded to "show activity".
But with a little knowledge of how the internet works (a skill that is totally lacking with the Danish Ministry of Justice, where people seem to think that the internet works just like the telephone system) and how data retention is done in practice (say, by talking to people at ISPs), it's pretty clear that the main "implementation" problem (according to the report) is really about the natural limitations for data retention caused by CG-NAT (carrier grade NAT).
From a law enforcement perspective, CG-NAT is a bad thing since CG-NAT means that several customers share the same public IP address (but what can you do when there is an IPv4 shortage?). The data retention directive in the EU requires that ISPs keep track of which customers have been allocated a given public IP address, and that information must be retained for 6-24 months (in most EU countries for 12 months). This has nothing to do with session logging, by the way. The basic idea is that if some IP address shows up in an external server log in connection with criminal activity, the police can identify the customer behind the IP address (basically the same way that RIAA/MPAA try to hunt down file sharers).
Needless to say, this doesn't work very well if, say, 100+ customers share the same public IP because of CG-NAT. This is also a problem that has surfaced in the discussions about the Snoopers' charter in the UK recently, but at least the UK government has understood the nature of the problem.
To make matters worse, a Danish ISP with CG-NAT for mobile subscribers has done some extra data retention (source port logging in the NAT gateway) to address the NAT limitations. So, if the police can obtain an IP address as well as source port from the external server log, then this particular ISP can pick out the customer.
So far so good... except that it doesn't work in most cases because the server logs only contain IP addresses and not source ports (or the Danish police have only ontained the IP address, not the source port).
Put all of this together without understanding CG-NAT or the internet, but with a strong desire to give a "positive" evaluation of sessions logging (despite its total failure), which the Danish Ministry of Justice forced upon the ISPs in 2007 as the only EU country. The only thing to do in a situation like this: blame the ISPs for the failure!
Full disclosure: I am board member of a Danish NGO (IT-Political Association of Denmark) that has opposed data retention since the very beginning. We have tried to communicate the above points to the Ministry of Justice (in more diplomatic ways, of course), but without any noticable success.
'This seems like a pretty damning point concerning data retention'
and is the exact reason why the idiots in governments will continue to want to do it!!
Don't worry (unless you are a Dane and have to live with this stupidity and violation of your right to privacy).
The Danish government has just secured a majority to continue with the internet data retention (session logging) that they have admitted is completely useless.
Their supporting party in this matter is arguing that session logging might be useful sometime in the future.
Techdirt has not posted any stories submitted by jesperl.
Re:
The evaluation report about session logging does make the claim that the problems are caused by the way that the ISPs have implemented it (session logging is data retention of IP/port/protocol/timestamp about all internet packets, or in practice every 500th packet).
However, that statement is even more ridiculous than anything else in the report. First of all, the Danish ISPs have implemented session logging in exactly the way that the Ministry of Justice has required, so there is absolutely nothing to be surprised about. The arguments about "implementation problems" are completely incoherent, and the person who wrote that section really doesn't seem to know what he/she is talking about.
For example, at one point they complain that only information about every 500th packet is retained, so it will not be possible to check "whether people are active on the internet". Makes no sense at all. Visiting a single website with dynamic content from many sources, like cnn.com, tends to generate more that 500 packets, and statistically speaking one will be recorded to "show activity".
But with a little knowledge of how the internet works (a skill that is totally lacking with the Danish Ministry of Justice, where people seem to think that the internet works just like the telephone system) and how data retention is done in practice (say, by talking to people at ISPs), it's pretty clear that the main "implementation" problem (according to the report) is really about the natural limitations for data retention caused by CG-NAT (carrier grade NAT).
From a law enforcement perspective, CG-NAT is a bad thing since CG-NAT means that several customers share the same public IP address (but what can you do when there is an IPv4 shortage?). The data retention directive in the EU requires that ISPs keep track of which customers have been allocated a given public IP address, and that information must be retained for 6-24 months (in most EU countries for 12 months). This has nothing to do with session logging, by the way. The basic idea is that if some IP address shows up in an external server log in connection with criminal activity, the police can identify the customer behind the IP address (basically the same way that RIAA/MPAA try to hunt down file sharers).
Needless to say, this doesn't work very well if, say, 100+ customers share the same public IP because of CG-NAT. This is also a problem that has surfaced in the discussions about the Snoopers' charter in the UK recently, but at least the UK government has understood the nature of the problem.
To make matters worse, a Danish ISP with CG-NAT for mobile subscribers has done some extra data retention (source port logging in the NAT gateway) to address the NAT limitations. So, if the police can obtain an IP address as well as source port from the external server log, then this particular ISP can pick out the customer.
So far so good... except that it doesn't work in most cases because the server logs only contain IP addresses and not source ports (or the Danish police have only ontained the IP address, not the source port).
Put all of this together without understanding CG-NAT or the internet, but with a strong desire to give a "positive" evaluation of sessions logging (despite its total failure), which the Danish Ministry of Justice forced upon the ISPs in 2007 as the only EU country. The only thing to do in a situation like this: blame the ISPs for the failure!
Full disclosure: I am board member of a Danish NGO (IT-Political Association of Denmark) that has opposed data retention since the very beginning. We have tried to communicate the above points to the Ministry of Justice (in more diplomatic ways, of course), but without any noticable success.
Re:
and is the exact reason why the idiots in governments will continue to want to do it!!
Don't worry (unless you are a Dane and have to live with this stupidity and violation of your right to privacy).
The Danish government has just secured a majority to continue with the internet data retention (session logging) that they have admitted is completely useless.
Their supporting party in this matter is arguing that session logging might be useful sometime in the future.
Techdirt has not posted any stories submitted by jesperl.
Submit a story now.