Data Retention presentation

Given 2006-01-10


This is a presentation that I gave to the ISPA Parliamentary Advisory Forum on 10th January 2006. The Forum was on the topic of the EU Data Retention Directive, and other speakers were Charles Clarke (Home Secretary), Jim Gamble (Deputy Director of the National Crime Squad), and Emeric Miszti (Security and AUP Officer for Tiscali).

My original presentation was done using Powerpoint slides but no other notes. I've reproduced the slides here as a sequence of boxes, and added both what I can recall saying and [in brackets] some glosses. All my careful slide animations went wrong on the night, so I haven't bothered trying to reproduce them here.

Clive Feather

This is me. I haven't bothered with an affiliation as no doubt my comments will be disowned by everyone.

Data Retention

The devil is in the details

My job title is "Internet Expert", but sometimes I think it should be "Professional Nit-Picker". So here are some nits in the Directive.

Not as bad as we feared

  • Internet access records
  • Email records
  • Internet telephony records
  • Not every IP packet
  • Not every web page access

What we were afraid of was having to log every single IP packet header, which is what some drafts appeared to be asking for.

Who is covered?

? "Traditional" ISPs like Demon, Tiscali, AOL, BT, West Dorset Internet

? But what about … ?

  • University of Liverpool
  • City Hotel, Glasgow
  • GNER
  • Molly's transport café

Is a University covered? They have a lot more users than West Dorset Internet.

Last time I stayed at the City Hotel they provided me with Internet access. Are they covered?

There's wireless Internet on the trains.

[Molly's transport café was made up, but I wouldn't be surprised to find that transport cafés offer Internet.]

What do the words mean?

Does "Internet Telephony" include MSN?
Access to Skype?
Or only our own VoIP services (if any)?

Does "email" include instant messaging?
Multi-player computer games?

Do we have to log use of MSN, or attempt to detect access to Skype?

If we run a multi-player game that lets people talk to each other, do we have to log who talked to whom?

Still contains nonsense

... together with the IP address, whether dynamic or static, allocated by the Internet Access Service provider to a communication

The date and time of the log-in and log-off of the Internet Access service based on a certain time zone

IP addresses are allocated to users, not communications. Would the Commission like a copy of "Beginner's Guide to TCP/IP"?


A certain time zone - which one? Brussels? Ulan Bator? If they meant "date and time including the time zone", why not say so?

Asks for the wrong thing

The date and time of the log-in and log-off of the Internet e-mail service, Tuesday 10th January 2006

00:00, 00:05, 00:10, 00:15, 00:20, 00:25, 00:30,

not "the date and time that each e-mail was sent or received"?

I looked at the logs for today for my own laptop. It logged-in and -out at midnight, five past midnight, ten past, quarter past, ... because it connects to the POP3 server every few minutes to check for mail.

If they wanted the date and time that e-mails were sent or collected, why not ask for it?

Curious omissions

Doesn't ask for the sender of received e-mails.
Halifax bank
PayPal Billing
Huge LoveHoles
Barrister Abdul Nadeem
Take the Blue Pill
Online Casino
Alexandra N. Fulton

I had a look at who I received e-mail from today.

Jim [Gamble], I hear the Barrister may be able to help you with your budget problems.

On the other hand, perhaps the Commission were cleverer than we think if they don't want to look through this lot.


Member States shall ensure that the categories of data referred to in Article 4 are retained for periods of not less than 6 months and for a maximum of two years from the date of the communication

What's a factor of 4 between friends?

At least it wasn't 7 years.

Some good bits

the retained data shall be of the same quality and shall be subject to the same security and protection as those data on the network;

So no need to design special systems.
No need to be of evidential quality.

Thankfully I don't have to set up special security arrangements or high-reliability systems for keeping this data.

I'm afraid that means the data won't be useful as evidence, but our systems make mistakes.


"Unless some positive reference to consideration of costs incurred by providers is included in a draft EU Framework Decision on retention of communications data the United Kingdom Government would not support it."

- Home Office official

While I was preparing this presentation I found a letter containing these words. [The author of the letter was present, but I won't mention his name here.]

So I was glad to read ...


Article 10





This presentation was reported by ZDNet.

Back Back to the presentations index. CDWF Back to Clive's home page.