Bits of Freedom
Lecture at the conference Total Disinformation Awareness in World-Information.Org Belgrade, April 20, 2003; edited and abbreviated version, May 2008
Bits of Freedom is part of a coalition of ten similar privacy and digital civil rights groups from 7 different EU countries. This coalition is called EDRI, European Digital Rights. EDRI takes an active interest in developments in Europe at large, especially in EU accession countries. Now, we in Western and Northern Europe have started to develop a culture of criticizing ICT policy. But in the EU accession countries this culture hasn't developed yet, resulting in the worst possible implementations of EU legislation, without much public debate. For example, with the Cyber Crime Treaty, an international agreement basically aimed against hacking, the first and the only two countries in the world that have implemented this treaty in their national legislation are Albania and Croatia, not countries that are famous for a strong democratic tradition.
In order to spread knowledge throughout Europe about the need to defend digital civil rights, we created the biweekly newsletter called EDRIgram. The newsletter covers a wide range of topics, such as spam, telecommunications, wiretapping, the cybercrime treaty and the rating and filtering of internet content. On this last topic, every two years the European Parliament has to vote on some ridiculous proposal that would oblige all websites to participate in some rating and filtering program.
For Bits of Freedom, the existence of EDRI is key to be able to lobby in Brussels, usually a pretty boring thing to want. For the past years digital rights activists were behind the facts. Once European regulation is decided upon, it takes four years or more for national governments to implement it in national legislation. In many cases concerning digital rights, you are just too late when you are trying to change anything in your national parliament. On the other hand, influencing or even changing EU legislation isn't very easy either. That is why EDRI is trying to open up an office in Brussels to get ahead of developments, and influence the process in a very early stage.
One of the key issues for EDRI is the fight against traffic data retention. There are some serious plans on a European level for legislation that would require data retention of telecommunication data all over Europe, for the period of 12 to 36 months. Let me try to describe the political history and consequences of this legislation.
Technically, traffic data are data about the communication and not about the content. Legally, traffic data are treated as an innocent category of data. The contents of communication are clearly protected by jurisprudence about the European Convention of Human Rights and in most national constitutions in Europe. But traffic data generally are in a category with much less protection, based on the technology of postal mail and plain old telephony.
With the introduction of mobile telephony and internet, the distinction between traffic data and content has become obscure and unrighteous. In the old telephony world, traffic data are not about the content of the telephone conversation, but about the timing, the length and the dialed numbers. With the introduction of mobile telephony, traffic data include location data, where your mobile phone is and other data, such as for example how many text messages you send and receive and what bills you pay with your GSM. In the internet-world, it has become almost impossible to distinguish between content and traffic data. For example with e-mail, the header of the e-mail is part of the routing and it also provides a very brief description of the content, in the subject line. With web sites, it becomes even more complex. If you type a URL in your browser, it leads you to the DNS server and this DNS server translates your question, for example, "http://www.bitsoffreedom.nl/" into a number, in this case 184.108.40.206. Technically, the ISP just receives a number, similar to telephony, but on the internet, the URL provides a summary of the content you are looking for. If you take a search engine like Google, the search terms you use become part of the URL, thus even more specifically indicating your interests and thoughts. Location data are equally sensitive. When you are calling, your mobile phone is generally traceable up to a 150 meters that is, within a city environment. If you're in the country, this might be up to 30 kilometers. But in the city, if you do cross-measurements between three base stations, you can refine the distance of the mobile phone up to a 100 meters. Lots of mobile telephone companies are building extra checking devices in their network, leading up to a location precision of up to 50 meters. With such precision, it becomes possible to trace visits to locations that may disclose sensitive personal data, for example, your health, religious conviction and your political preferences, if you visit a hospital, mosque or the office of a political party. And location data are not only provided when you are actually calling or being called, but are also collected when your phone is in stand-by mode.
One of the reasons for politicians to want to introduce data retention in Europe is the fact that the telecommunications providers are obliged to delete data after a short period of time. According to the European ISDN Directive of 1997 all traffic data had to be deleted or anonymised once the technical transmission had been accomplished and the billing had been settled. This ISDN Directive was superseded in May 2002 by the new e-Privacy Directive. According to this Directive (still in force in 2008, ed.), national governments may decide to issue legislation to retain traffic data for a limited period of time for law enforcement purposes. The e-Privacy Directive also allows for companies to store traffic data for a long period of time, for commercial purposes, if their customers consent. From a privacy point of view, this Directive is a very serious degradation of the general level of privacy protection. Consent is a very difficult thing to deal with. For example, with mobile location data, can you refuse consent to your employer to access your traffic data? And of course, companies may construct very attractive offers to offer you a reduction if you consent to the use of your data for commercial purposes.
Thus, by technological development, the definition of traffic data has extended to anything that travels through a network. Legally, traffic data are anything that is not absolutely distinguished as content only. And thanks to the e-Privacy Directive these data may be stored for law enforcement purposes. This possibility for national legislation was introduced as a last minute amendment and was supported by the Socialist and Christian-democrat fractions, the two largest political groups in the European Parliament. The amendment in turn was preceded by two wish-lists from 2001. One from G8, that is a group of the 8 richest industrial countries and the second one from the EU ministers of justice and home affairs. These two long wish-lists disclosed the law enforcement lobby didn't just want to know who was online at what time, but they also wanted to know what e-mail was send en received, what files were uploaded with FTP and who downloaded files, who visited which URL's, what IRC (chat-) channels were visited, which newsgroups (Usenet) and who talked to whom about what in chat records. This wish list was disclosed in the middle of the debate about the new e-Privacy Directive. Only after this new e-Privacy Directive was accepted, did the Council of European ministers of Justice disclose its own wish-list. This list even goes beyond the wishes of the G8 with the wish to know passwords used for internet access and numbers of credit cards or bank passes with which you pay for internet access with or for your telephone subscription.
During the past 100 years, people have started to communicate more than anybody could have imagined before. Through traffic data, law enforcement officials may create a perfect summary of behavior and intentions. It saves a lot of time not to have to data-mine huge amounts of content on a word by word-basis. In my opinion it is technically absurd and actually dramatic for the internet providers to have to store even half of the EU ministers' wish list. And it is a political choice not to give to traffic data the same legal protection as content.
The European data protection commissioners have objected strongly to the plans. You would never surf alone. Even if we are threatened with war and terrorism, we have to ground our society on the principles of democracy, civil rights and protection of personal data. To preventively monitor the communication patterns of all citizens, just turns around the principle that everyone is innocent until proven guilty.
The biggest danger I see now is that we put our society to the service of law enforcement, instead of law enforcement serving our society. I hope you will pick up the fight with us, to start defending civil rights.