• MeetingNotes
• DataRententionLaws

EU data rentention directive

..or why the EU is dumb and TOR is good alex @riseup.net @irc.indymedia.org

politics of the laws

EU Directive

THE goal of the EU, in their words:

• to "harmonize member states" provisions concerning the obligations of providers publicly available electronic communications services with respect to the rention of certain data"

Coordination is still required to get the law implemented by each EU member state until 2007-09-15

Technicalities about the way it was agreed, rather than what was agreed, are making ireland and slovakia challenge the directive

contents of laws

• data much be kept for 6-24 months
• traffic and location data, not content (WHEN + WHO, not WHAT)
• access to the data is restricted to the secret service and police,
• potentially without a warrant.

Q: is it up to parliament to decide if warrants are required? A: yes, each country impliments the laws differently, so long as they stay within the common EU framework.

Data to retain

the phone data which must be retained by the phone companies.

• phone numbers calling
• name and address of registered users of who ordered the telephone account.
• call numbers and call forwarding info.
• names, addresses of the participates of the phone call.
• date, time beginning and end of each phone call.
• the phone service that is used

Mobile Phones

for mobile phones, all the land line data is retained, plus a lot more data specific to mobile phones.

• Subscriber identity, unique number that the phone number is registered to (International Mobile Subscriber Identity - IMSI)
• Hardware identity, unique number for the phone (International Mobile Equipment Identity - IMEI)
• Cell ID, which cell of arials is connected to - where the phone is
• Pre-pay where the first call was made from - phone number activated
• all the beginning of the call, and the duration

Internet

At the ISP level, all this data much be retained for "every internet communication". Do they mean every packet? They don't know, the law is vague. What do they mean by an ISP? This is also vauge, maybe clear when the laws are implemented. Our servers might be considered ISPs, and they might not be.

• ISP user ID - a unique number identifying you at ISP level (or your phone number for dial up)
• name and address of user, or phone number
• sign on and sign off times
• IP address of the user.
• "Used internet service"
  • application protocol? "http, imap..." the law is vague, to be discussed
• e-mail + VoIP, "who contacted who"

how will it work? - assumptions

• the german example, law prior to new EU rules.
  • in germany, only for ISPs that have +1000 users

  • possibility of a blackbox (TKÜV) installed at ISPs, recording who emails whom, remotely controlled by cops, without a warrant. they can access the content of the emails. it was created by a private corporation, and it became a standard just because there were no easy alternatives.

• french situation, implementing the eu directives already in a law called LCEN
  • judge can refer to the eu data protection directive even though it hasn't been through parliament
  • ISPs don't know what can be requested by the Judges yet. If they have not kept the data they will be sued instead of the user
  • encryption or temporary logs just mean the ISP cannot reply to the cops, so they are liable
  • Thought that TOR logs would have to be kept, but that it would make it impossible for authorities
  • ISPs are defined by an organisation, the critera they use is not clear, you should have to pay - but?
• spain
  • there is a technical definition for an ISP - critera are any one of 1) if you give connection to internet 2) phone services 3) if you store unprocessed data including web and mail hosting
  • law is 3 years old, waiting for application of the directive to see how long retain now
  • data only given a judge not to the police

The interpretation of the EU law may mean authorities want access to what information? It may be encoded in the law of each country, or may be up to the ISP to work out how to comply. This is an issue of cost for commercial ISPs. How much data? The blackbox from Germany may give an idea. Do they mean:

• one application could be to scan IP packet headers (for every packet?)
  • source, destination, application protocol
  • on all transport protocols? what about crazy protocols we don't know if they even contain that data
  • claim they don't want the "content" of the packet
• How can they find the information for e-mail? What about when using SSL/TLS to an alternative SMTP server (is it going to be defined as an ISP?)
• What happens when data crosses national boundaries?
  • The laws are different in different countries.
  • For example, IM (Jabber, ICQ), IRC/SILC, P2P talk... these all exist in many countries all at once. There is therefore an implementation difficulty for IRC servers, for example, where traffic goes through the server, no necessarly directly from user to user, so it is difficult to pinpoint the two ends of a communication.

hacking data retention

• IP-Level. use an ip that is not registered under your name.

  • for example: wardriving, prepaid anonymous GPRS/UMTS-cards, TOR, VPN.

• E-Mail

  • type 2 and 3 anonymous remailers (e.g. Mixmaster and Mixminion)

  • "draft"-box of webmail
  • riseup.net patched e-mail programs and no data retention legal obligations - yet!

conclusions

• http://dataretentionisnosolution.com an initiative formed to work against the EU data retention laws. The laws passed anyway, but they are still active.

• use data encrypt (well, d'uh!)

• use TOR!

• educate the masses. And https://help.riseup.net/security https://security.resist.ca

"TOR is the answer to many of our problems" --alex