Last month, the European Parliament passed far-reaching legislation
concerning data retention. Geared toward the telecommunications industry,
the new law requires phone companies and Internet service providers (ISPs) to
store information about all customers’ phone calls and electronic
communications for up to two years. While news of this legislation certainly
comes as no surprise—a Parliament committee voted on the
measure in late November—I find it interesting that the passing of this law
coincided with the U.S. House of Representatives’ approval to
extend and modify the Patriot Act.
Given the state of the world, there is no question of
governments’ concern for their citizens, and I won’t argue that many
malcontents have used the Internet and other forms of telecommunications for
their own illegal, nefarious needs. However, here’s what concerns me: Who decides
which activities are illegal, and who’s responsible for “policing” these
types of activities? I can’t help but think that we once again have a situation
where lawmakers without sufficient technical understanding have approved
legislation that affects the legitimate use of telecommunications far more than
its illegal use.
Despite these concerns, however, it’s easy to see why
governments are passing legislation such as the Patriot Act and the EU data
retention directives. Terrorists and international criminal gangs rely heavily
on communications, and the Internet and other telecommunications systems are
excellent conduits of illegal activity.
Tracking communications and perhaps even eavesdropping are
methods that law enforcement groups want to use to identify possible illegal
activity—and that’s definitely understandable. But it’s important to remember
that terrorists and criminal gangs have virtually unlimited funds, and they are
often far more technically savvy than law enforcement. In addition, criminals
typically use communication methods that are unique to their particular group—not
only for protection from law enforcement, but for protection from each other as
Europe’s new data retention laws and the U.S. Patriot Act
highlight how out of touch with reality lawmakers in both the United States and
Europe really are. Data storage issues aside for the moment, communication logs
like those the EU’s directives call for offer questionable protection from a small
group at the expense of both civil liberties and the privacy of the larger
But before we start debating privacy vs. security, there’s a
larger issue at hand: These laws simply won’t work. How do I know? I’ve had
first-hand experience with this issue already—and more than once.
Over the years, I’ve had work subpoenaed many times with
requests to supply information to U.S. law enforcement. Obviously, such
subpoenas compel me to cooperate as best I can—and for free, I might add.
However, usually by the time the subpoena gets to me to request
information, things have already changed enough that I don’t have the
information law enforcement is looking for. It’s the computer equivalent of the
Uncertainty Principle. Certainly I can and have supplied information—typically
only “footprints” of data communication—but I have never been able to
offer sufficient evidence to indict anyone for any activity other than using
Yes, I have logs of when, where, and what customers are doing
on the Internet. But with the current systems the ISP I work for has in use,
the best I can do is retain e-mail logs and NetFlow data
for approximately one month. The volume of data in question is in the range of hundreds
of gigabytes—and it’s useless to the majority of law enforcement investigations
I have assisted with.
Who will pay for Europe’s new data retention directive? Not
the European Parliament, that’s for sure. Telecommunications companies and ISPs
are looking at dramatically increased storage costs in order to comply with the
legislation, which will likely result in many companies shutting their doors or
passing those substantially higher bills on to customers.
Meanwhile, all those terrorists and criminals—whose activity
is often invisible to the majority of law enforcement anyway—will likely remain
unaffected at the expense of everyone else. For example, a recent episode of Showtime’s
featured a storyline where terrorists used steganography
in an eBay image. I can think of many more examples of subtle communications
methods that criminals could use that would go undetected despite the EU data
retention directives. And if I can think up those approaches, what makes you
think the world’s terrorists and criminals haven’t already?
Jonathan Yarden is the
senior UNIX system administrator, network security manager, and senior software
architect for a regional ISP.