Features

net.wars: The big, black bin bag of data retention

Probably the biggest thing I've learned about politics is that there is no such thing as a defeated proposal. Every idea, no matter how awful, resurfaces. Thus we keep refighting the same battles and redebating the same arguments. Eventually, the proposers may get lucky: either their timing will hit current events just right, or they'll wear out all of their opponents.

And so here we are again with data retention, the battle of data retention 2002. In this context, data retention means the requirement that all telecommunications providers of any description store the traffic data generated by their subscribers for a statutory period of time. This would include data such as: email headers and Web addresses accessed and phone numbers called; it would not include the contents of communications. The UK ascended to its six months of presidency of the European Union on July 1, and data retention is one of a package of anti-terrorism elements it's pushing. British law enforcement originally wanted data held for seven years. Right now, it looks like the initial period might be anything from six months to two years.

Like many anti-terrorism proposals, this one is difficult to argue in part because if police have found a target for investigation – as they did when tracking the July 21 London bombers – communications records can in fact help trace conspirators. The question is whether the results are worth the costs and invasiveness. As they say in data protection, is the measure proportionate?

Back in 2002, Clive Feather, regulatory policy analyst for Demon Internet, compared data retention to a "bin bag retention law". After all, he argued, every day people throw away material that might someday be useful in a police investigation. Why not require everyone to store all their garbage for seven years? (Let's hope no bright civil servant thinks this is a good idea.)

The British 2002 discussions wound up with a voluntary code of practice that ISPs could adopt, though it's not clear how many have ever signed up to it. This time round, because of the complexities of European politics, exactly what is being proposed is even less clear. Any data retention imposes costs on ISPs. But are they talking about email headers, Web caches, and so on, or are they talking about every Internet Protocol packet header? If the former, then routing around data retention is not particularly difficult. You run your own mail server and set it to directly deliver your email or run your own secured, encrypted IRC server, for example. If the latter, then even direct IP connections to do instant messaging will be recorded – but the costs will be huge.

If data retention may be helpful in catching terrorists after the fact, that doesn't satisfy European Digital Rights, which opposes data retention, - arguing that no published research supports the notion that data retention will be useful in stopping terrorism.

What we do know is that the EU's claim that the invasion of privacy inherent in such a plan will be limited is simply not true, and there is published research that supports this contention. This sounds counterintuitive. Most people automatically feel more squeamish about others reading the contents of the messages they write or listening in on what they say in phone calls than they do about letting someone see their phone bills or the apparently neutral headers of their email messages. Yet what would be more revealing about the true state of a personal relationship: a single overheard phone call (whether happy and confiding, or miserable and recriminating), or detailed traffic records showing regular, continuing communication over a period of years? If you were the spouse of one of the parties, which would alarm you more?

The scope of traffic data is growing all the time. Five years ago, we were talking about phone numbers, Web and email addresses. Now, we're also talking about location data – and that in particular can be extremely revealing. The two significant pieces of research that I'm aware of in this area are quite separate. First is the work of Alberto Escudero Pascual, who in 2001 began work on his thesis by setting up a network in his department to track the locations of the staff's mobile phones. Within a month, he found it very easy, just from the location data, to draw a social network map of the personal relationships among those staff. The location data showed him how often mobile phones were in the same cell and for how long, and in what combinations. Ed Hasbrouck, who specialises in travel privacy, makes the same point about the travel data collected by airlines, hotels, and other industry players.

The second relevant piece of research was helpfully pointed out by a net.wars reader: the MIT media lab's Reality Mining project, which is using mobile phones as data collection devices. The primary goal of this research has to do with human predictability, and the group's published papers talk about such matters as improving usability and watching how social networks evolve over time. But read Reality Mining: Sensing Complex Social Systems (PDF), due for publication in the Journal of Personal and Ubiquitous Computing in September 2005, and you'll see the same results as those found by Escudero Pascual: location patterns reveal personal relationships.

So: how many terrorists is your data worth?