The scandal over PRISM, the NSA’s alleged secret backdoor into some of the biggest services on the internet, shows little sign of dying down. But while PRISM’s data mining has been hidden away from the eyes of American citizens, over in Europe there is a mass surveillance program that has been operating out in the open for the last eight years. The European Data Retention Directive forces all EU Internet Service Providers to log data on their users and store that data for up to two years after a subscription ends. Something similar could be heading to U.S. shores.
In March, the author of the Patriot Act James Sensenbrenner, who was quick to condemn PRISM, made his second attempt to push for ISP data retention laws, hoping to tack proposals onto the 1986 Electronic Communications Privacy Act. After questioning from journalists Sensenbrenner backed down. But with Obama’s Justice Department fully supporting data retention, this latest skirmish is just the start of a long war that could see ISPs legally forced to record details of every website you’ve ever visited. In this article we’ll take a look at what data retention is, the impact it’s had on privacy in Europe, and what you can do to protect yourself.
What is Data Retention?
Data retention is, essentially, when your ISP logs and stores the personal data attached to your IP address (unlike PRISM, which focuses on cloud-based internet services). The data an ISP typically stores includes web logs, which tell it exactly which websites you have visited and when you visited them. An ISP will also store email logs (though not the message contents) if you’re using its email service, or can tell law enforcement which third-party email services you use. All of this data is linked to your IP address, which in turn is linked to your physical address and can be used to identify you.
As I mentioned, mandatory data retention laws are already in place in certain parts of the world, but Europe has pioneered the practice. The 2006 European Data Retention Directive has been enacted in the vast majority of EU nations, but not without huge controversy. In fact, Germany — the EU’s biggest economy — is currently facing heavy fines because its own High Court ruled the directive unconstitutional and a violation of citizens’ privacy rights.
The EU Catastrophe
The fears of German citizens are not theoretical either. The UK government has been one of the EU’s most enthusiastic supporters of data retention, as well as online surveillance in general, and its citizens have suffered because of it. In 2000 the UK enacted the Regulation of Investigatory Powers Act (RIPA), which allowed public bodies to carry out surveillance of citizens without a warrant. RIPA, combined with the Data Retention Directive, has had grave repercussions for the online privacy of UK citizens. Over 400 UK agencies and police forces are now able to access data from ISPs with no judicial oversight whatsoever. These agencies include everything from pension regulators to agricultural agencies. In April 2008, a family from the UK county of Dorset was put under surveillance by their local council. The couple were not terrorism suspects, nor were they engaged in criminal activities. They were simply under suspicion of sending their children to a school outside the council’s catchment area.
The above case is not isolated. In 2009 alone there were over 1,700 requests by UK agencies for ISP data on UK citizens that required a warrant. In the same year there were over 500,000 requests for data from agencies that did not require a warrant. The UK government now refuses to make public the number of information requests made by authorities and agencies, claiming it would undermine national security.
Global data retention
The EU’s data retention practices are catching on globally. In Australia, the current government is pushing hard for even longer periods of retention than Europe, with Australian law enforcement stating it would prefer ISPs hold onto personal data indefinitely. As we saw with Congressman Sensenbrenner’s latest proposals, the U.S. won’t be immune from this global trend.
But even if state-mandated data retention doesn’t come into practice in the U.S., there’s nothing stopping your ISP from logging your data right now. In fact, it’s already happening. As this survey of U.S. ISPs shows, data retention is alive and well, with Time Warner retaining data for six months and Verizon for 18 months — AT&T won’t even disclose the length of time. However, U.S. ISPs currently store information only during your subscription period (so they say), and there are some — such as Calyx — that aim to offer more privacy-focused services. That would be impossible if Obama goes the way of the EU.
Thankfully there are ways you can fight back and prevent your data from being stored. There are various privacy platforms available, from the free-to-use Onion Router (Tor), to I2P and commercial VPN services (full disclosure: I work for the privacy VPN service IVPN). It’s also important to stay informed of any changes to the laws around data retention and to get involved in campaigns promoting internet privacy and online freedoms. The Electronic Frontier Foundation website is a good place to start.
Christopher Reynolds is Head of Business Development for IVPN, an online privacy service for journalists and privacy-conscious individuals.