Presentation at meeting of data protection commissioners in Madrid on privacy and national security

1. Communications data retention in an evolving Internet Dr Ian Brown Oxford Internet Institute University of Oxford

2. Outline How are communications data retention and access powers being used? Are they proportionate? How are changing patterns of Internet usage and surveillance affecting data retention? How should data retention requirements be updated to meet law enforcement needs and protect privacy?

3. Comms data requests/m people Data: European Commission review of Data Retention Directive; IMF World Economic Outlook

4. Proportionality of retaining data “The decision to retain communication data for the purpose of combating serious crime is an unprecedented one with a historical dimension. It encroaches into the daily life of every citizen and may endanger the fundamental values and freedoms all European citizens enjoy and cherish.” –Article 29 WP Opinion 3/2006 “[70%] of all data are use within 0-3 months … and [85%] within 0-6 months” (EC review)

5. Recent court decisions Bulgarian Supreme Administrative Court blocked remote Ministry of Interior access to data and security service access without a court order (11 Dec 2008) “the obligation to retain the data … as an exception or a derogation from the principle of personal data protection … empties, through its nature, length and application domain, the content of this principle” –Romanian Constitutional Court, 8 Oct 2009 “Given the rapid advance of current technology it is of great importance to define the legitimate legal limits of modern surveillance techniques used by governments… without sufficient legal safeguards the potential for abuse and unwarranted invasion of privacy is obvious” –Irish High Court, 5 May 2010

6. Changing usage patterns Google percentage of traffic Reach of Member Communities

7. Dragnet surveillance Hepting v. AT&T and Jewel v. NSA plaintiffs alleged Narus DPI equipment installed in San Francisco, Seattle, San Jose, Los Angeles and San Diego, and NSA given access to Daytona 300+ terabyte database of comms data UK Intercept Modernisation Programme and GCHQ “Mastering the Internet” contract

9. Efficacy of data mining ~5000 Americans surveilled over 4 years; led to <10 warrants per year “[T]here is not a consensus within the relevant scientific community nor on the committee regarding whether any behavioral surveillance … techniques are ready for use at all in the counterterrorist context" –US National Research Council (2008) p.4

10. Ways forward Update Data Retention Directive: Retain only subscriber data? Set 6 months as retention period? Impose BVFG conditions? Repeal entirely? Implement Cybercrime Convention: Art. 16(1) “Each Party shall adopt such legislative and other measures as may be necessary to enable its competent authorities to order or similarly obtain the expeditious preservation of specified computer data, including traffic data”