Comment: Data Retention – The Privacy Threat Hidden in Plain Sight

Unlike the NSA's recent activities, very few column inches have been written about data retention

The PRISM scandal confirmed many of our suspicions about the scale of state-level snooping on US citizens' online activity. While the controversy has failed to generate any real public anger, it has created a milestone in the wider conversation around internet privacy and will surely stoke fears over what other hidden programs are lurking deep within the NSA's bowels.

Americans, however, don't need to theorize about what might be hidden from sight to envision the next step in a surveillance-dominated future. Not when one of the world's largest mass online surveillance programs already openly exists in a number of Western democracies. I am of course referring to mandated ISP data retention.

As readers of Infosecurity will no doubt be aware, ISP data retention is when an internet service provider stores your personal information for a period of time. This information typically includes your web logs, time stamps, billing information and address. Data retention differs from PRISM, whose objective was to mine information directly from online services. ISP web logs don't give an eavesdropper access to content (such as emails), but they do provide a much broader overview of a user's entire web activity, encompassing every website visited – whether a 'government backdoor' exists or not.

Unlike the NSA's recent activities, very few column inches have been written about data retention – neither today nor in 2006 when it became a legal requirement in every European country. Nevertheless, the EU Data Retention Directive has still seen its fair share of controversy. Germany refused to comply with the law because of serious privacy concerns within its famously independent judicial system (East Germany's experience with the Stasi is probably not such a distant memory). Romania has also refused to implement the directive, arguing that it violates constitutional rights. Both countries are currently facing fines from the EU.

German and Romanian stubbornness aside, Europe's acceptance of mandated data retention is what makes the program so dangerous, as it gives lawmakers in other democracies, like the US, the justification to pursue similar legislation on their home turf. Currently data retention is not legally mandated in the US, but that could change. A few weeks before the PRISM scandal broke, the author of the Patriot Act, Rep. James Sensenbrenner (R-WI), was forced to backtrack after he tried to wedge data retention legislation proposals into the 1986 Electronic Communications Act. All the while, the US Justice Department, under both the George W. Bush and Obama presidencies, has voiced its support for compelling ISPs to record web activity.

US-based ISPs already voluntarily store data in order to assist the authorities. As this leaked memo from 2011 reveals, some ISPs, like Verizon, hold onto user web logs for as long as 12 months. As worrying as this is, at least current US law allows the possibility for ISPs to offer a service without storing data and doesn't force them to hold onto any personal information after you leave their service (although, after PRISM, such assurances may indeed ring hollow).

The PRISM revelations are something of a double-edged sword for politicians in the US who are pushing for EU-style mandated data retention. On the one hand, the practice could become a harder sell due to the NSA's activities. But PRISM has so far failed to spark any real action within the population. Inertia from these revelations could lead US citizens – like their European cousins – to simply shrug their shoulders and accept data retention legislation as an inevitability of the internet age.


Nick Pearson is the founder and CEO of IVPN – a privacy platform, and Electronic Frontier Foundation member, committed to protecting online freedoms and privacy. He has 15 years of experience in information security across the telecommunications and government sectors. Pearson holds an MSc in information security, with areas of interest that include enterprise risk assessment, penetration testing and information security awareness.
