While the rest of the world has been embroiled in the cybersurveillance activities of the United States, China and Russia, Sweden may be about to adjust its data retention requirements for ISPs. A proposed law will require the ISPs in Sweden to increase their metadata retention period from six months to 10.
Sweden introduced the requirement to capture metadata in 2010, six years after the European Union had passed a data retention directive—one that met its demise in 2014. The European Court of Justice (ECJ) unambiguously took its stand on the 2006 EU Data Retention Directive by annulling the law in its entirety, and declaring it to be invalid. What followed were a number of EU countries adjusting their data retention policies as the courts took a sledgehammer to the legislation—Austria, Belgium, Bulgaria, Czech Republic and Denmark all suspended mandatory data retention.
Now to be clear, retaining metadata is not the same as retaining session content, as has been explained ad nauseam following the Wikileaks of U.S. metadata collection efforts by the National Security Agency. That said, metadata provides the nuclei from which investigations are born.
An easy thought experiment demonstrates this. Imagine that you hired a private detective to eavesdrop on someone. The detective would plant bugs in that person’s home, office, and car. He would eavesdrop on that person’s phone and computer. And you would get a report detailing that person’s conversations.
Now imagine that you asked the detective to put that person under surveillance. You would get a different but nevertheless comprehensive report: where he went, what he did, who he spoke to and for how long, who he wrote to, what he read, and what he purchased. That’s metadata.
Eavesdropping gets you the conversations; surveillance gets you everything else.
Metadata Collection, No Matter How You Package It, is Surveillance
What has gotten the Swedish ISPs’ shorts in a twist is not only the increase in opex that the extended data retention period will entail, but also the proposed requirement that all other communication modes be registered. Jon Karlung, CEO of Bahnhof (a Swedish ISP), notes that for his company, the impact is significant. Bahnhof will have to rebuild its system to accommodate the monitoring and storage of approximately 300TB of data at its expense. Karlung characterized the cost as being in the neighborhood of “millions of crowns.”
He said Bahnhof intends to fight the changes, as he believes the Swedish government should be moving closer to the opinion of the ECJ, not increasing the monitoring of users.
Is Data Retention Effective?
According to a recently released study from the Institute for Critical Infrastructure Technology, data retention doesn’t work. The study author argues that “dragnet surveillance cannot stymie terrorism, but A.I. can,” by having social networks do a better job at filtering out the extremist content (some may argue censorship, others prudence). The piece goes on to note that identified individuals who are a threat to society should be surveilled, but mass surveillance is not how to identify those individuals.
With Sweden proposing this type of legislation, others cannot be far behind, as evidenced by the UK’s Section 229 of the Investigatory Powers Act, which compels ISPs to retain metadata for a period of one year. The effectiveness of data retention policies in support of law enforcement and intelligence entities will continue to be hotly debated.