Data retention directive in Europe considered illegal by EU court

23.04.2014 by Sachar Paulus

Have you seen this WSJ article?

This is great news for privacy, human rights and a sound public security that is based on individual freedom: nations can no longer require IT and telecom companies to store communication data about all customers and communication partners – at the very least, there must be clear indications that storing the data is needed, and clearly defined, very restrictive rules for doing so.

For some time now, security organizations have claimed that they can only cope with the new risks arising from the internet and information technology by having more or less unlimited access to user data. The primary idea is that keeping this data in the first place makes it easier to obtain evidence about communication and its metadata. But the data may also be used for creating profiles and thus prejudging innocent people. And recent history has shown that this is not only possible, but that security agencies actually proactively act on it.

The reasoning is wrong in the first place, anyway. Access to profiling information neither supports better prevention of crime nor helps to solve it. Crime will always exist, and those committing crimes will always try to use means by which the risk of being tracked is as low as possible. Consequently, security organizations will only be successful if they do not disclose their tracking means and technologies – but exactly this carries the very same risk of creating prejudice and destroying social freedom.

Many European nations now have to revisit their legal frameworks. Since Europe is by now one of the largest legal ecosystems, this will have a significant impact on individual information security and freedom – at least within Europe. It will be interesting to observe whether it also influences other regions.

This will, in turn, have some impact on companies’ IT security architecture in the long run. Those companies that have started to track their employees’ digital activities for security prevention, and that bet on such a practice being allowed or even supported for nationwide cybersecurity, need to rethink this approach. Many solution providers have emerged in recent years, offering profiling information of the kind used by security agencies; these will need either to leave Europe or to add privacy-friendly products to their portfolio.

Note that this is not the end of profiling end users (and security organizations especially should listen carefully): most consumers actively offer more than enough data to track and trace them across the internet – one only needs to look at this data, e.g. at Google and other ad companies. This area is not in scope of the EU court decision. And just as with communication metadata: you will with high probability not find the REAL bad guys there…

 


© 2014 Sachar Paulus, KuppingerCole