Features

net.wars: Copyrighting data retention

You know, a smart person wanting an unpopular policy – like, oh, say, to pick something at random, data retention -- would wait until the policy had been enacted into law before pressing for even more unpopular amendments. The policy is data retention, and the amendment is to make retained data available to combat copyright infringement.

Or, in the precise words of a cover note discussing the directive, "The retention of traffic data can also be important to combat organised crime in the area of intellectual copyright infringements," a point the directive credits to a letter the Creative and Media Business Alliance sent in July 2005. On Wednesday, CMBA sent a letter to all MEPs making the same request, according to the new Open Rights Group, a sort of UK spinoff of the Electronic Frontier Foundation

This is not, of course, what data retention was supposed to be for. Nowhere in any of the years of discussions before has there been a suggestion that EU governments should put in place an infrastructure to serve copyright interests. It is a perfect example of what privacy advocates like to call "function creep": systems put in place for one avowed purpose tend to spread into all sorts of uses for which they were never intended. The typical example is the US Social Security Number, which began life as a way of identifying people for the purpose of receiving state benefits, and is now required for everything from going to school as a five-year-old to getting a driver's license.

Even if you support data retention on the grounds that it will help security services protect us against terrorism, do you really want the data to be handed over to a small group of multinational businesses to help them protect their fading business model? Will you feel better if I tell you that one of the proposed amendments to the draft directive wants to take out the language that would limit the use of the data to "serious" crimes?

It's all going to be decided in the next two weeks. The discussions had been meandering along for years, as these things do, when the July 7 London bomb attacks happened. The UK had just assumed the EU presidency, and therefore the UK's Home Secretary, Charles Clarke, made a strong anti-terrorism pitch, with data retention as one of the priorities. The UK will be succeeded in the presidency on December 24 by Austria, and then in June by Finland. Had it been Ireland or Italy, the only two countries that have actually enacted their own data retention rules, the UK might be in less of a hurry. But with things as they are, this directive is being rushed through so hastily that it's only getting one reading, instead of the usual two. The final vote in the plenary of the European Parliament is on December 13. If you want to say anything, write to your MEP now.

Note that this is a nice example of what Gus Hosein, a Visiting Fellow at the LSE, likes to call "policy laundering": having failed to gain agreement on data retention in the UK itself, the British government is trying to push it through in Europe, so that then they can come back to the UK and say, "Have to pass it. European law."

To review briefly the story so far: the data to be retained is traffic data, not content: telephone calling records, email headers, base Web site addresses (though not complete URLs of inner pages). The retainers of that data will be Internet service providers, telephone companies, mobile network operators, and so on. Traffic data is far more privacy-invasive and revealing than many people realise: who you call or email, how often, and at what times of day can be more revealing than the actual contents of the messages. (What tells you more about a relationship? The fact that two people email each other every night at 2am, or an intercepted message whose content says, "Where are the car keys?") ISPs and telcos hate these proposals. Paying to put systems in place to store the data and comply not only with the data retention rules but also the data protection laws contributes nothing to the bottom line of an ISP – and it consumes resources which then are not available to put towards other opportunities.

Making things more complicated is the process by which legislation is enacted in the EU, which most people don't understand and few national media follow in any detail. Only the European Parliament plenary can make a law. But because no one can be an expert on everything, the actual language and provisions of new laws are hashed out in one or more committees, and the plenary vote usually follows these committees' lead. The vote this week was by the civil liberties committee, which voted yesterday 33 to eight to limit data retention to 12 months. The next vote will be in the EU Council, which is known to want more than that: longer term of storage and more data, including failed call attempts.

The twist in the tail, according to the Open Rights Group, is the upcoming  IPRED2 legislation (PDF), which turns "all intentional infringements of an IP right on a commercial scale" into a criminal offense. So: there you have it. The perfect framework for the Copyright State. Is that what you voted for?