Data Retention – US style

CDT logoDigital Rights Ireland (of which I am a Director) is making the running against Irish and European data retention legislation (see, for example, Part 7 of the Criminal Justice (Terrorist Offences) Act, 2005 in Ireland, and the EU Data Retention Directive 2006/24/EC).

However, and unfortunately, Ireland is not the only country in which government seeks to compel the retention of its citizens’ traffic data; in fact, the phenomenon of data retention is fast becoming ubiquituous; unsurprisingly, therefore, it’s happening too in the US. The Centre for Democracy and Technology (CDT) has just published an analysis of various bills pending before the Congress (pdf) in which the legitimate aim of the protection of children online is used as cover for alarming government intrusion on all aspects of online life. Given that law enforcement agencies want to be able to monitor significant traffic data (to say nothing of the traffic itself), it is perhaps to be expected that they should attempt to justify that end on this child-protection basis. However, reflecting a CDT report (pdf) of last June on data retention generally, this week’s report cogently summarizes the case against data retention in language as applicable in Ireland and Europe as it is in the US.

The CDT report argues:

• Data retention laws threaten personal privacy at the very time the public is justifiably concerned about privacy online. One of the best ways to protect privacy is to minimize the amount of data collected in the first place. A data retention law would undermine this important principle, resulting in the collection of large amounts of information that could be misused.

• Mandatory data retention laws could result in large databases of subscribers’ personal information, which would be vulnerable to hackers or accidental disclosure. At a time when identity theft is a major concern and security vulnerabilities in the Internet have not been adequately addressed, data retention would aggravate the risk of data breaches and unauthorized use.

• Data retention laws create the danger of mission creep. It is all but certain that the vast databases that ISPs and telecom providers will create will be tapped by law enforcement for other purposes unrelated to child pornography investigations. Service providers themselves might be tempted to use the stored information for a range of currently unanticipated purposes.

• Data retention laws are unnecessary – authority already exists to preserve records. …

• Data retention laws undermine public trust in the Internet. Subscribers are less likely to use services that compromise the privacy and security of their personal information.

• Data retention laws are burdensome and costly. Data retention laws would require investments in storage equipment and force ISPs to incur large annual operating costs. Currently, Internet access is relatively affordable and therefore available to many. The huge costs associated with data retention would be passed on to consumers, inhibiting efforts to expand Internet access. …

I couldn’t have put it better myself, and these concerns are equally applicable to the provisions in the Irish legislation and the EU Directive.

Hat tip to Susan Crawford.

Update (28 February 2007): TJ has written an excellent description of the development of data retention in Ireland. Wonderful piece; required reading.

Update (23 March 2007): Section 14 reports that “America’s Child Online Protection Act was struck down as unconstitutional by Senior U.S. District Judge Lowell Reed Jr. yesterday”. Similarly: Susan Crawford, Lessig, Lex Ferenda, and Media Law Prof Blog. This can only add strength to the arguments in the DCT report mentioned above. [Slighty offpoint: in that post, Lessig powerfully argues, the regulation by parents (rather than government censorship or the market alone) of material “harmful to minorsâ€? is nevertheless a legitmate end in the regulation of cyberspace. In particular, he proposes that legislation should require that “harmful to minorsâ€? material be tagged with a specific html tag which can be blocked by parents in their children’s computer accounts.]