New EU Directive May Go Too Far in Electronic Surveillance


On March 15th, 2009, a new law went into effect in the European Union (EU) that set in motion a controversial new course for government access to digital information. The EU Data Retention Directive was derived from the perceived need of the EU's Member States to protect national security and public safety. Its goal is to give law enforcement the access to information it needs to protect public and national interests, but it may go too far by capturing a great deal of information that the public may not consider so public.

Most individuals will generally welcome more protection in their lives from hostile terrorist attacks, but it is unclear how much government intrusion into their electronic communications they are willing to accept. A delicate balancing act is therefore needed, and this law may go too far in the eyes of many: the mandates set forth in the directive are abundant and complicated to meet, they require the capture of a plethora of electronic information, and they give governments the authority to access this information for a lengthy period of time.

A review of the directive highlights the following areas:

  • Article 6, titled "Periods of retention", states that Member States shall store all communications data from customers for no less than 6 months, but no longer than 2 years.

Article 5 of the Directive spells out which communication information must be stored. There are, however, some areas of concern as to what is stored. For instance:

  • "Fixed" network telephony and mobile telephony. The calling telephone number is stored, as well as the name and address of the subscriber.
  • Internet access, Internet e-mail and Internet telephony. This calls for the retention of the user ID, telephone number, name, address and IP address.
  • Data necessary to identify the date, time and duration of the communications.
  • Concerning e-mail: the date and time of log-in and log-off from the ISP, the IP address (static or dynamic), and the user ID of the subscriber or registered user.

Article 8 of the Directive goes into the storage requirements for retained data by specifying that "data must be retained in a way that can be transmitted upon request to competent authorities without undue delay." This is a key provision: it not only requires ISPs to store mountains of data, but also puts the burden on them to search that data, determine whether it meets previously set criteria, and forward the matching data to the appropriate authorities without delay.

Article 3 goes further and specifically calls out providers of public communications networks within the jurisdiction of the member state as the parties responsible for retaining the communication information noted in Article 5. 

Although this is an EU directive, organizations here in the United States need to be mindful of this regulation for a few reasons. First, we are talking about Internet communications that span the entire globe, so the data collected is not limited to the citizens of the EU Member States whose providers are charged with collecting it, though it is unclear how this would be enforced in the US.

Second, if a government regulation such as this can pass muster in the EU, it stands to reason that the US may follow suit at some point with legislation of this scale, especially given the heightened role the US government has assumed in private industry. Finally, Internet Service Providers (ISPs) may have to bear the costs associated with complying with this regulation, so Internet access costs may increase. Equally unclear is how much private business data will be stored as "public" information as ISPs begin to act as cloud storage providers, simply because that data traverses the Internet and is captured by these ISPs.

Organizations now need to begin to ask, "How does this law impact the data we send outside the organization over the public Internet?" Although there are written safeguards on who can have access to the information and what information needs to be stored, history is replete with examples showing that these safeguards are not always followed, as evidenced by a recent example that occurred here in the US.

Email is a prime example of where confidential corporate information could easily end up outside of corporate firewalls and inside one of these "public" data repositories. How or whether it may ever be accessed is anyone's guess, but an advisable approach for organizations is to make sure it never ends up there in the first place. Blocking the e-mail before it is ever sent, using products such as Estorian's LookingGlass, ensures that it never lands in some data repository at an EU ISP that may come back to haunt you unexpectedly at some later point in time.

On the surface, this EU directive appears to be rooted in the efforts of well-meaning but poorly informed legislators who are looking to better protect their constituents. However, given the growing propensity of government to delve into the affairs of private business, organizations are advised that the less confidential and potentially incriminating data they make accessible to the government, the safer they are. Technologies such as Estorian LookingGlass can help companies put in place email policies that ensure email communications that should never go outside corporate firewalls never do.


Entry Sponsorship

This entry is sponsored by Estorian LookingGlass
