Politech mailing list archives

FC: European Data Directive prevents anti-hacker network logging


From: Declan McCullagh <declan () well com>
Date: Fri, 07 Jul 2000 09:36:37 -0400

I confess I've always been somewhat skeptical of the European Data Directive, and this news courtesy of Prof. Palme reinforces my suspicions. It seems like the directive is becoming yet another excellent example of good intentions gone astray, with no regard for the unintended consequences.

The Swedish law, in case it's not clear, comes from that nation's implementation of the Europe-wide directive. Earlier this week the European Parliament told the U.S. it must take similar steps:
  http://www.epic.org/privacy/intl/EP_SH_resolution_0700.html

Although my system administration skills are rusty (I wrote chapters in a book on the subject and once was a sysadmin at Carnegie Mellon's school of computer science, but both were a while ago), it strikes me as absolutely necessary to do network logging when you think a crime is taking place. The irony is that thwarting that logging supposedly protects privacy -- but tell that to your users after their accounts have been penetrated.

More:
 http://www.politechbot.com/cgi-bin/politech.cgi?name=palme

-Declan

********

Date: Sun, 2 Jul 2000 11:24:52 +0200
From: Jacob Palme <jpalme () dsv su se>
Subject: Personal Information law and network logging
Cc: Declan McCullagh <declan () well com>

One of the most important ways to catch network criminals
(virus distributors, mail bombers, ping bombers, crackers,
distributors of racial agitation, etc.) is logging. By
logging information on the traffic on the Internet, it is
possible, after the fact, to find out who sent the illegal
information.

Technically, it is not possible to log everything, in
particular, routers cannot log all traffic passing them.
Useful would then be to be able to switch partial logging
on temporarily when a suspected crime is being committed.
Since network crimes often take a few hours, and since
they are sometimes observed immediately, there is time
to switch on partial logging. And net criminals, like
many other criminals, tend to repeat similar crimes
more than once. It is then possible, the second time,
to log what was done the previous time in order to
catch the criminal.

It is therefore interesting if such logging is legal
or not. The Swedish Data Inspection Board
(http://www.datainspektionen.se/in_english/) publishes
an article on this in the latest issue of their
official newsletter "Direkt från Datainspektionen"
No. 2/2000. The full text (in Swedish) can be found
at
http://www.datainspektionen.se/kunskapsbanken/artiklar_och_notiser/juni2000/2000-06-29.shtml

Here is a translation to English of a passage from
the paper in their newsletter:

    Every year, the directors of data protection agencies
    in the European countries and some of their employees
    meet to discuss issues of common interest.

    <snip>

    During the last day of the conference, the participants
    agreed on a common declaration against unnecessary logging
    of information regarding Internet traffic. In the
    statement, the directors of data protection express their
    concern regarding requirements to request that ISPs should
    be obliged to log information during a longer time, for
    example because police might need the information in their
    investigations. The group said that traffic data should
    only be logged if this is needed for the ISP to perform,
    for example, invoicing. The data protection directors call
    attention to the fact that long time storage of traffic
    data is incompatible with article eight in the European
    convention on human rights, which guarantees the rights to
    protection of privacy.

    In Sweden, this is regulated by the telecommunications act,
    which specifies that ISPs must erase traffic data as soon
    as the traffic stops. There are certain exceptions, among
    others information needed for invoicing can be saved until
    the invoice has been paid or time-barred. With permission
    from the customer, the information can also be used in
    marketing.

My comments:

(1) As usual, the data inspection board is vague. Phrases
    like "unnecessary" and "for example" and "among others"
    indicate that they do not forbid all logging, but rather
    want power to control what kind of logging is done.

(2) There is no discussion at all in the statement about
    computer crime and how to combat computer crime. This is
    interesting, because the data inspection board has
    instigated police investigations and prosecutions in
    several cases where information was published on the
    Internet in ways they find illegal. It would be interesting
    to know if they would forbid the logging necessary to
    investigate crimes which they themselves have started. Or
    are these exceptions covered by the term "unnecessary"?
    This is particularly interesting, since the data inspection
    board has in previous statements shown that they interpret
    the European data directive very widely, so widely that it
    is, for example, not permitted to criticize people on the
    Internet without permission from the criticized person.
    Does the data inspection board mean that police are not
    allowed to investigate crimes, which the board itself has
    requested investigation of?

(3) The statement by the data inspection board directors
    seems to indicate that logging in order to investigate
    computer crimes would be illegal. Why would this be more
    illegal than other police methods, for example searching
    for fingerprints or DNA analysis? Searching for
    fingerprints and DNA analysis can certainly be misused just
    as much as logging on the Internet. And computer crime
    costs billions of dollars each year. Should really police
    not be allowed to use logging in order to investigate such
    crimes? Would it not be a better solution to specify in the
    law exactly which kinds of criminal investigations are
    allowed to use such logging? In the same way as there is
    legal control of who may perform wiretapping, which is only
    allowed for investigation of certain crimes (according to
    Swedish law).

The text of this e-mail is also available at
    http://dsv.su.se/jpalme/society/PUL-and-logging.html
--
Jacob Palme <jpalme () dsv su se> (Stockholm University and KTH)
for more info see URL: http://www.dsv.su.se/jpalme/

--------------------------------------------------------------------------
POLITECH -- the moderated mailing list of politics and technology
To subscribe, visit http://www.politechbot.com/info/subscribe.html
This message is archived at http://www.politechbot.com/
--------------------------------------------------------------------------

