Contact Join Member Login
Home » Cyber Security Issues » Data Retention

Data Retention: Get the Facts

What is data retention?

The term "data retention" refers to the recording and storage of certain information such as the number of logs of telephone calls made, the source and destination addresses of email transactions, certain customer billing information including IP addresses and Web sites visited. The term is generally not used to describe access to the traffic data automatically generated in the course of communications. Law enforcement officials in the European Union (EU) and in the U.S. have been encouraging various types of customer service providers to retain certain customer records which are particularly useful when conducting investigations of illegal online activities such as terrorist plots and child pornography. However, the privacy concerns over recording and storing this type of information make data retention a controversial issue.

Some law enforcement personnel are urging the U.S. Congress to enact legislation that would require Internet Service Providers (ISPs) to retain customer information for a certain length of time. Some ISPs already record and retain data, but others do not and there is no consistent standard for the industry to follow. While the EU has passed a data retention directive, no legislation has been enacted in the United States.

Why is data retention controversial?

Some privacy advocates are concerned that a new data retention law could give government entities access into the private lives of citizens. Some argue that in the U.S., there are already adequate laws in place to meet the needs of law enforcement and government officials, such as the Electronic Communication Transaction Records Act of 1996. The Act requires ISPs to retain any record for 90 days "upon the request of a governmental entity." Opponents of data retention law argue that this Act, combined with a current federal law that requires ISPs to report child pornography, is sufficient.

ISPs have raised concerns over the costs associated with storing the retained data. They are also concerned that the vast amount of sensitive information stored by ISPs will be a huge target for criminals.

Are there technologies available that could be used to circumvent data retention?

There are several methods that can be used to conduct secure Internet communications where the addressing information would normally not be retained. For instance, Webmail hosting companies allow users to send and receive emails through a secure interface that does not capture addressing information.

Organizations can also set up VPNs to allow employees safe access to corporate data. These connections are recorded as an entire company, making it difficult to single out the transactions of one employee. Anonymous proxy servers allow users to access the Web, and again, the only thing that is recorded is the connection to the server.

Also available to circumvent data retention are peer-to-peer communications and privacy enhancing tools.

Is there U.S. legislation on data retention?

The Justice Department began to discuss the idea of data retention legislation in June 2005, marking a significant shift from 2001 when the Bush Administration expressed serious concerns over mandating data retention. Because of the controversial nature of data retention, no federal legislation has been enacted to-date but these recent efforts are worth noting:

  • In May 2006, Representative James Sensenbrenner (R-WI) introduced legislation that would require ISPs to record information about their customers' online activities, to aid law enforcement in conducting criminal investigations. However, a few days after the legislation was introduced, Sensenbrenner announced he would not be pursuing it.
  • Representative Diana DeGette (D-CO) of Colorado first proposed a data retention amendment in April 2006. Her proposal did not require ISPs to retain the content of communications, but did require retention of data that would allow law enforcement officials and civil litigants to subpoena IP addresses. Her amendment failed. 
  • In December 2006, Virginia Attorney General Bob McDonnell and the Youth Internet Safety Task Force introduced a report that, instead of requiring data retention, urged ISPs to keep data for a longer period of time to help law enforcement in criminal investigations.

What would be included in U.S. data retention legislation?

There are two directions that data retention legislation could take. One approach would require ISPs, social networking sites and search engines to record communication activities, such as Web pages visited and the identities of users involved in email transactions and instant message conversations. The other approach would require these companies to record only the IP addresses of each user.

Additionally, proponents of data retention legislation differ on specifics, such as the type of information that would have to be recorded and the length of time it should be retained.

Who are the proponents of data retention legislation?

Several public figures have been quite vocal in calling for legislation to mandate data retention. Attorney General Alberto Gonzales called for federal legislation on data retention in 2006, stating that the inability to review online records is harming criminal investigations of online predators.

Gonzales, FBI Director Robert Mueller and senior level Justice Department officials met with industry representatives in May 2006 to discuss data retention legislation. During the private meeting, government attendees discussed the need to retain data for up to two years to help prosecute child pornographers.

In October 2006, Mueller called on ISPs to record information about the online activities of their customers, to help uncover terrorist plots conducted online. In a speech to the International Association of Chiefs of Police, Mueller stated that we must find a balance between privacy and law enforcement's need to retain data.

What is being done in Europe on data retention?

The EU has progressed further than the United States in dealing with the issue of data retention. The need for European action in this area was confirmed by the European Council's declaration on Combating Terrorism in March 2004, adopted shortly after the Madrid bombings. Up until then, the majority of EU Member States did not have mandatory data retention obligations or lacked implementing measures to enforce mandatory data retention obligations in place. In addition, the data retention period required, as well as the scope, varied substantially between those EU Member States that did have data retention obligation laws enacted.

A draft framework decision on the retention of traffic data, submitted in April 2004 on the initiative of France, Ireland, Sweden and the UK, initially addressed the issue. This framework decision is a so-called 'third pillar' legal instrument which gives sole decision-making power on the issue to the EU Member States. However, after a detailed review by the European Commission and the legal service of the Council and the European Parliament, it was decided that the proposal should come from the European Commission with input from the EU Member States and the European Parliament. To this end, the European Commission put forward a proposal for an EU Data Retention Directive in September 2005.

In a final agreement reached between the European Parliament and the EU Member States in March 2006, it was decided that:

  • Retention time will range between a minimum of six months and two years. The exact duration will be set at the discretion of each Member States; 
  •  Data is retained for the purpose of serious criminal offences, as defined by each Member State in its national law; 
  •  Telephone (fixed and mobile) providers, as well as ISPs, need to retain and make available to law enforcement authorities data generated or processed as a consequence of a communication or a communication service (traffic and location data), which does not include content of communications; and 
  •  Data related to unsuccessful calls must be retained only if the data is generated or processed, stored (telephony data) or logged (Internet data).

The Directive goes into effect September 15, 2007 and by March 2009, all EU countries must have capacity to retain the data on Internet access, telephony and e-mail.

The question of who pays for the additional costs associated with the retention and security data, industry or Member States, has been left open. In addition, it is up to the Member States to decide which technical standards will apply which could result in potentially differing and burdensome technical requirements for service providers in different EU countries. Furthermore, questions have arisen regarding certain issues such as the role of transit providers, VoIP and web mail services that are not easy to answer, as the Directive leaves substantial room for interpretation.

With regard to data protection and security, in addition to the general provisions of Directive 95/46/EC on the protection of personal data and Directive 2002/58/EC on privacy and electronic communications, service providers must ensure that:

  • The retained data is of the same quality and subject to the same security and protection as those data on the network; 
  • The data is subject to appropriate technical and organizational measures to protect the data against accidental or unlawful destruction, accidental loss or alteration or unauthorized or unlawful storage, processing, access or disclosure; 
  • The data can only be accessed by specially authorized personnel; and 
  • The data, except those that have been accessed and preserved, will be destroyed at the end of the period of retention.

The Directive has to be transposed into national law within 18 months of its enactment. Member States have the option to defer the application of the directive for an additional period of 18 months in relation to the retention of communications data on Internet access, Internet telephony and e-mail. However, it should be noted that due to delays and difficulties relating to the interpretation of certain parts of the Directive, it is not likely that all Member States will have implemented the Directive on time. In order to clarify some of the issues and identify potential problems, the Commission is in the process of setting up an expert advisory group.

To view the EU Directive on Data Retention, visit: http://europa.eu.int/eur-lex/lex/LexUriServ/site/en/oj/2006/l_105/l_10520060413en00540063.pdf.

Who has challenged the EU data retention directive?

The Irish government, which wanted stricter privacy protections included in the Directive, argued that the process used to pass it was wrong and urged the courts to undo its passage. Citing that the Directive was passed through a Commission-led process, which requires only a majority vote in the Council of Ministers and approval by the European Parliament, the Irish government was unable to veto the Directive. Normally, the Irish government stated, a security matter such as this requires a non-binding opinion from the Parliament and unanimity in the Council. The matter has been referred to the European Court of Justice (ECJ) which will have to rule on the validity of the legal basis of the Directive. This could leave the Directive void if the ECJ decides to rule in favor of the Irish government.

What is CSIA's position on data retention?

CSIA believes that one standard that addresses data retention could be of significant help to law enforcement agencies in criminal investigations both in the U.S. and Europe. However, it is important that any new law establish clear limits on the types and duration of information that must be retained and require effective security and sufficient privacy protections to ensure that the information is protected and the personal privacy of citizens is not infringed upon.

It is especially critical that security requirements are included in this legislation. Storing vast amounts of sensitive data is an inviting temptation to online criminals, and in order to prevent data breaches and identity theft, service providers must implement appropriate security measures.