Posted on 03/03/2014 on Oerlemansblog
“Data retention of web data is useless” were the headlines of some news outlets in the Netherlands a few weeks ago. In my view the journalists jumped to conclusions after quickly reading the evaluation report (.pdf) of the Research and Documentation Centre of the Dutch Ministry of Safety and Justice with regard to data retention (English summary is available on p. 151-159). I think some more nuance is needed and it may be interesting to compare the report to my own research results with regard to data retention after several successful data access requests.
Retention of telephony data
The authors of the report explain that telephony data is nowadays used in almost every criminal investigation. Location data and call detail records are particularly useful according to interviewed investigators and based on case law.
Two researchers tried to obtain their own telecommunications data with a data access request, but were unable to obtain location data. My own data access request proved more successful, as described in a previous blog post. I recognize the researchers' experience that it was too difficult to obtain the data, and stress there are questions surrounding our government's plans to leave out notification requirements after certain types of data have been collected by law enforcement officials.
Retention of internet data
The retention of internet-related data regards internet access, e-mail provided by ISPs and managed VoIP-telephony. The full list of data that must be retained for 6 months is available here at section “B”. Thus, search queries and visited websites are not retained by telecommunication companies, nor are the ‘contents’ of e-mail messages and other messages or conversations held using the Internet.
My own data request at my broadband internet access provider revealed that, in a period of three days, only one IP-address and the subscriber data were retained. Since I do not use the e-mail client provided by my ISP, there is no e-mail data available. The report tellingly quoted a law enforcement official who stated that practically “only 55-year-olds and above” still privately use the e-mail of their internet access providers. Web-based telecommunication services are not obligated to retain data. The available data can only be obtained using legal aid requests. Researchers point out there are significantly fewer data requests from the Netherlands at these foreign providers than from other EU countries, but they cannot explain why.
Identifying internet users
An important question is how internet-related retention data is used in criminal investigations. The authors of the report explain that the retention of internet data is primarily used in cybercrime investigations (investigations in which the Internet plays a facilitating role in the commission of the crime). The retention of the IP-address assigned to the router of a broadband internet connection may enable law enforcement officials to (eventually) identify suspects. In cybercrime investigations, in some cases a logged IP-address of a device used to perpetrate a crime is the only lead available. Tracing back the IP-address may lead to an ISP, depending on what service is used to access the Internet and whether anonymizing services are used.
Since suspects may just as well live in a different country than the Netherlands when committing a cybercrime, the trace often leads to a foreign ISP. According to the authors of the report, investigators therefore largely depend on legal aid requests to collect the available data. When data retention regulations are in place, the data is at least available for a period of time. However, not all EU Member States implemented the EU Data Retention Directive, and local regulations always differ, which can be frustrating for law enforcement officials.
Most significantly, the researchers suggest it may be very difficult to identify mobile internet users solely upon the basis of an IP-address (p. 102-106). My own data access request at my telephone provider revealed that the IP-addresses assigned by the telephone company were often the same. It is likely that many people at the same time make use of the same IP-address using Network Address Translation (NAT) technologies, after which the internet traffic is distributed further through the company's infrastructure. All these people then make use of the same IP-address. When there is no additional information retained about the devices, it may be difficult to identify individual users who were all assigned the same IP-address. I cannot determine upon the basis of the available information whether telecommunication providers are able to trace back individual users upon the basis of an IP-address, but if I’m reading it correctly the research report suggests they cannot. That seems a rather significant conclusion to me.
Interestingly, the interviewed law enforcement officials unanimously agree the retention period of 6 months for internet-related data is too short. Taking into consideration the amount of time criminal investigations can take, I understand these statements from an investigation perspective. But the Dutch parliament shortened the retention of internet data from 1 year to 6 months in 2011, citing privacy concerns. The researchers' report also explains how many of the interviewed law enforcement officials were unaware internet-related data was retained. Internet-related retention data is primarily used in cybercrime investigations. The researchers point out there is still a knowledge deficit among law enforcement officials on how to use internet-related data in criminal investigations regarding crimes of all types.
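The attribution problem described above, as an added example that is not part of the original post: constructed retention records for a broadband and a mobile provider, looked up by IP-address and time. The record layout, the subscriber names and the NAT port range (standing in for the "additional information" the paragraph mentions) are assumptions; the report does not say providers retain ports.

```python
from datetime import datetime

FMT = "%Y-%m-%d %H:%M"

def rec(sub, ip, start, end, ports=None):
    """One constructed retention record: who held `ip` during [start, end).
    `ports` is an assumed NAT source-port range, or None if not retained."""
    return {"subscriber": sub, "ip": ip, "ports": ports,
            "start": datetime.strptime(start, FMT),
            "end": datetime.strptime(end, FMT)}

# Constructed sample data (documentation address ranges, not real records).
# Broadband: one public address per household router for three days.
BROADBAND = [
    rec("household-A", "192.0.2.10", "2014-02-01 00:00", "2014-02-04 00:00"),
    rec("household-B", "192.0.2.11", "2014-02-01 00:00", "2014-02-04 00:00"),
]
# Mobile: five subscribers behind one NAT address at the same time.
MOBILE_NO_PORTS = [
    rec(f"mobile-{n}", "198.51.100.7", "2014-02-02 09:00", "2014-02-02 11:00")
    for n in range(1, 6)
]
# Same five subscribers, but the provider also kept a port range for each.
MOBILE_WITH_PORTS = [
    rec(f"mobile-{n}", "198.51.100.7", "2014-02-02 09:00", "2014-02-02 11:00",
        ports=(1024 + 1000 * (n - 1), 1023 + 1000 * n))
    for n in range(1, 6)
]

def candidates(records, ip, when, port=None):
    """Return every subscriber who could have used `ip` at time `when`."""
    when = datetime.strptime(when, FMT)
    hits = []
    for r in records:
        if r["ip"] != ip or not (r["start"] <= when < r["end"]):
            continue
        # A logged port narrows the set only if the record also has a range.
        if port is not None and r["ports"] is not None:
            low, high = r["ports"]
            if not (low <= port <= high):
                continue
        hits.append(r["subscriber"])
    return sorted(hits)

if __name__ == "__main__":
    t = "2014-02-02 10:00"
    print(candidates(BROADBAND, "192.0.2.10", t))
    print(candidates(MOBILE_NO_PORTS, "198.51.100.7", t, port=3500))
    print(candidates(MOBILE_WITH_PORTS, "198.51.100.7", t, port=3500))
```
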
Contrary to what some news articles suggest, the collection of data at telecommunication providers – of which the availability is ensured by data retention legislation – is almost standard practice in criminal investigations. It is deemed ‘very useful’ by investigators and case law suggests the data is relatively often used as evidence in criminal cases.
Data retention of internet-related communications proves to be particularly useful in many cybercrime investigations, because the retention of the IP-addresses assigned to broadband Internet customers may enable law enforcement officials to identify internet users. When a different internet connection than a household internet connection is used, it may be difficult to identify internet users. Perhaps internet users can even stay anonymous by using a mobile internet connection. This seems strange, because data retention legislation is specifically created to identify people and aid in criminal investigations. Indeed, the obligatory retention of mobile internet-related data seems rather useless in case the information cannot be used to identify people. However, the location data that is retained every time data is transmitted through a telecommunications network still often aids in criminal investigations.
Before the legislator considers expanding data retention regulations, it may be worth considering whether there is other information available at third parties that can be collected to identify internet users. People also often have to log in to make use of the internet access service, which may provide leads, and there may be camera footage available, for example. The regulations for the retention of internet data must be reviewed on their own merits, because it is simply not the same as telephony data. The future will tell us how the legislators respond to the research findings of the report. The Dutch minister of Security and Justice already announced he will review in the coming months whether expanding the list of data to be retained is desirable.