Internet surveillance laws under pressure
A law forcing telecommunications companies to store data on its customers' internet and phone communications has had only limited success in combating terrorism and organised crime despite costing several hundred million kroner thus far, the Justice Ministry has admitted.
Despite this confession, the justice minister, Morten Bødskov (Socialdemokraterne), announced that there was no need to revise the law until the EU has completed its own study of the effectiveness of the 2006 Data Retention Directive that the Danish law is based on.
The Danish data retention law forces internet and telephone companies to store for one year a range of information about the internet and cellular data being sent to and from phones and computers. The stored data includes which phones a user calls or messages, which phone masts the user’s phone was connected to, and which email addresses a user emails from their computer. The content of messages and phone calls, however, is not stored.
The Danish law also stipulates that internet service providers store so-called session data, otherwise known as session logging. This is meant to provide a record of which websites a person has visited by storing the IP addresses and ports that a user’s computer communicates with. But the storing of this session data is not demanded by the EU directive and has produced information with very little value for fighting organised crime and terrorism.
“There are currently severe practical problems connected to the use of session logging that internet service providers are obliged to store,” a report released by the Justice Ministry last week stated. “The implementation of the session logging was done in such a way that the data is not unusable – a fact that became clear to the police when they first wanted to use session logging in connection with a case.”
According to the IT worker’s union PROSA, over 450 billion ‘packets’ of data were stored on Danish telecommunication traffic in 2008, the year after the law came into effect. It cost telecommunications companies about 200 million kroner to establish storage facilities which cost about 50 million kroner a year to run.
Given that session data comprises 90 percent of theses hundreds of billion of data packets, and the approximate 400 million kroner cost that has so far been passed onto consumers by telecommunications companies, the free-internet organisation Bitbureauet argues that the law presents a disproportionate violation of users' privacy and ought to be revised.
“The directive is badly implemented and the police don’t have the technical skills to use the data properly,” Bitbureauet spokesperson Henrik Chulu told The Copenhagen Post, referring to the fact that telecommunications companies have chosen to gather the session data in a way that it is not always compatible with the police’s IT infrastructure.
Chulu was supported by Camilla Gregersen, a political consultant at PROSA.
“The report illustrates that the directive is over-implemented and that the enormous amount of stored data stands in sharp contrast to any gains made by the police,” Gregersen wrote in a press release.
The Justice Ministry’s report presented three examples of cases that were solved with help from session data, though none relate to organised crime or terrorism and according to both PROSA and Bitbureauet, only one of the examples – a case of internet banking fraud – actually used session data to solve the crime.
The domestic intelligence agency PET also admitted in the report that session data is not a particularly useful crime-fighting tool.
“It has only been relevant in very limited instances to use this sort of information during an investigation,” a statement from PET in the report said.
While Bødskov admitted in an interview with Berlingske newspaper that the vast amount of stored session data had limited applications, he said it was not necessary to revise the Danish data retention law until after the EU presents its own proposals for reforming the directive.
But Chulu argues that this would be a missed opportunity for Denmark to influence EU legislation.
“The European Commission is investigating how different EU countries have implemented the directive, which will then affect what they present," Chulu said. "If Denmark changes its law, it could end up changing what the commission presents.”
According to Chulu, ending the demand to store session data is not only necessary to reduce the financial burden on consumers, but also because surveillance of people’s internet habits is an invasion of privacy and has very limited investigative merit.
“The police’s perfect system is one in which they can sit back and watch which websites we’re visiting, but that would raise so many false flags that it would be useless,” Chulu said, adding that the storage of which websites a person visits puts innocent people, such as researchers and students, at risk of drawing unnecessary attention from the authorities.