The Loeki's Strange Omniverse
Politicians At Their Best: COM(2005) 438 | 2005/0182 (COD) | SEC(2005) 1131

posted Thursday, 15 December 2005

In one word: Incredibly Stupendous! All right, that was two.
Enough {bullshit} has been said about this already, but I'm going to add a few things of my own to the mix anyway:


Who exactly are "providers of electronic communications services"?
According to Directive 2002/21/EC (the definitions of which are valid for this Directive as per Article 2.1) "electronic communications services" are:
"...a service...which consists...in the conveyance of signals on electronic communications networks,...but exclude services providing, or exercising editorial control over, content...it does not include information society services...which do not consist wholly or mainly in the conveyance of signals on electronic communications networks;"


All right, so we're dealing with ISPs, telcos, cable providers and so on (I think).
Next flaky definition: "serious criminal offences, such as terrorism and organised crime." This choice of words is pretty consistent. The thing is, "such as" tells me these are examples, which means "serious criminal offences" remains without a clear legal framework. This means that the definition is almost completely left up to the local legislation, which might result in a file downloader being arrested using this data in, say, The Netherlands, whilst only terrorists get busted with it in Spain. But remember, "This Directive aims to harmonise the provisions of the Member States". Well met & well done folks!


Another silly thing I don't get, Article 11:
"In Article 15 of Directive 2002/58/EC the following paragraph 1a is inserted:
"1a. Paragraph 1 shall not apply to obligations relating to the retention of data for the prevention, investigation, detection and prosecution of serious criminal offences, such as terrorism and organised crime,..."
Yeah, all right. So everything in Directive 2002/58/EC does not apply to anything determined through or by this Directive.
Directive 2002/58/EC Article 15, paragraph 1:
"1. Member States may adopt legislative measures to restrict the scope of the rights and obligations provided for in Article 5, Article 6, Article 8(1), (2), (3) and (4), and Article 9 of this Directive when such restriction constitutes a necessary, appropriate and proportionate measure within a democratic society to safeguard national security (i.e. State security), defence, public security, and the prevention, investigation, detection and prosecution of criminal offences or of unauthorised use of the electronic communication system, as referred to in Article 13(1) of Directive 95/46/EC. To this end, Member States may, inter alia, adopt legislative measures providing for the retention of data for a limited period justified on the grounds laid down in this paragraph. All the measures referred to in this paragraph shall be in accordance with the general principles of Community law, including those referred to in Article 6(1) and (2) of the Treaty on European Union."
To hell with 95/46/EC, I think I've proven Judicial isn't a language for mere mortals anyway. But I can take on a couple of the others:
Article 5/6/9: "All communications, including the traffic and location data involved, are confidential, and only when the Motherland thinks Article 15 paragraph 1 is appropriate can these basic principles be waived (unquestioned)."
Article 8 paragraphs 1-4: "Caller ID has to have the option of being switched on, and switched off free of charge, per connection."

Treaty on European Union Article 6 paragraph 1 and 2:
"1. The Union is founded on the principles of liberty, democracy, respect for human rights and fundamental freedoms, and the rule of law, principles which are common to the Member States.
2. The Union shall respect fundamental rights, as guaranteed by the European Convention for the Protection of Human Rights and Fundamental Freedoms signed in Rome on 4 November 1950 and as they result from the constitutional traditions common to the Member States, as general principles of Community law."

Because Article 15 does not apply to the current Directive I can draw two conclusions (neither of which I'm at all sure of):
1) Everything resulting from the new Directive can't be limited or expanded through Article 15.
2) The new Directive and everything resulting from it does not need to be in accordance with Article 6 paragraphs 1 and 2 of the EU Treaty.


HUH!? Am I reading this thàt wrong? Of course, whereas (19) states "This Directive respects the fundamental rights and observes the principles recognised, in particular, by the Charter of Fundamental Rights of the European Union; in particular, this Directive together with Directive 2002/58/EC, seeks to ensure full respect of the fundamental rights to respect the private life and communications of citizens and the protection of personal data (Articles 7 and 8 of the Charter)", but this is a recital, not a directive. Aside from that, the reference to the fundamental rights mentioned in the EU Treaty vanished into thin air. But am I this daft, or is it really this easy to throw Treaty clauses away with a Directive!?
Moreover, this remark is stupid to say the least, since no mortal at this point can tell how the member states are going to implement the Directive, and so one really can't tell if the Directive has enough assurances and guarantees for the protection of privacy. Worse even, the lack of those assurances and guarantees ànd the undefined "serious criminal offences" make me suspect otherwise.


One final word: NOWHERE is there any mention or instruction regarding guarantees for the integrity of the data. Anybody who has access to the stored data is capable of flicking a few switches, copy-pasting some lines and hitting some buttons to suddenly make it appear I've been e-mailing terrorists or have contacts within the Russian crime syndicates.
With that in mind it's quite thinkable that it's impossible to say anything about the value of that data as evidence in court. It's very nice when you've caught a "terrorist" because he's been e-mailing people in Pakistan and because he visits the Allah al-Akhbar forums regularly, but what are you going to do?
Are you going to take a hard drive stuffed with text to the courts and say "look, your honour, here's more plain text than all the libraries in The Netherlands put together have, and look at the numbers, the suspect's PC has really been there and those e-mails were really sent using the suspect's PC."? If I were a judge I'd be laughing my arse off and sending the guy home.


Unless there's a firmly anchored security mechanism which can prove the integrity to the judge, it's all utterly useless! Besides, you're still going to have to prove that it wasn't trojans, hackers, wardrivers, viruses, spyware or the suspect's nephew which or who caused the traffic, something which will prove to be rather difficult.
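A tamper-evident log is the kind of "firmly anchored security mechanism" the paragraph above is asking for: each stored record is sealed with a keyed hash that also covers the previous seal, so editing or copy-pasting one line breaks every link after it. This is an added example, not code from the original post; the sample records, the field names and the idea of a notary-held key are assumptions made for the illustration.

```python
import hashlib
import hmac
import json

# Constructed sample of retained traffic records (timestamp, sender, recipient).
# Made-up values for this example, not data from any real retention system.
RECORDS = [
    {"ts": "2005-12-15T10:01:00Z", "from": "alice@example.test", "to": "bob@example.test"},
    {"ts": "2005-12-15T10:05:30Z", "from": "alice@example.test", "to": "carol@example.test"},
    {"ts": "2005-12-15T10:07:12Z", "from": "bob@example.test", "to": "alice@example.test"},
]

# Hypothetical key held by an independent party (say a court-appointed notary),
# not by the operator storing the records, so the chain cannot be quietly rebuilt.
NOTARY_KEY = b"example-notary-key-do-not-use"
GENESIS = b"\x00" * 32  # fixed starting value for the first link


def _canonical(record: dict) -> bytes:
    # Stable serialisation so the same record always hashes the same way.
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def seal(records: list, key: bytes) -> list:
    """Return one hex seal per record; each seal covers the record and the previous seal."""
    prev, seals = GENESIS, []
    for rec in records:
        link = hmac.new(key, prev + _canonical(rec), hashlib.sha256).digest()
        seals.append(link.hex())
        prev = link
    return seals


def first_tampered(records: list, seals: list, key: bytes):
    """Recompute the chain; return the index of the first mismatch, or None if intact."""
    if len(records) != len(seals):
        return min(len(records), len(seals))  # records added or removed at the tail
    prev = GENESIS
    for i, (rec, s) in enumerate(zip(records, seals)):
        link = hmac.new(key, prev + _canonical(rec), hashlib.sha256).digest()
        if not hmac.compare_digest(link.hex(), s):
            return i
        prev = link
    return None


def demo() -> tuple:
    seals = seal(RECORDS, NOTARY_KEY)
    intact = first_tampered(RECORDS, seals, NOTARY_KEY)
    # The scenario from the post: someone with access edits one stored line.
    edited = [dict(r) for r in RECORDS]
    edited[1]["to"] = "suspect@example.test"
    return intact, first_tampered(edited, seals, NOTARY_KEY)
```

Without the notary key the operator can alter a record but cannot produce matching seals for it and everything after it, which is what lets a court distinguish the original data from a later edit.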


And even if you could jump through all those hoops: don't you think those people have thought of that themselves!? Most arrests you're going to make with this are incompetent fools who were only really noisy to begin with.
Well organised crime and terrorist organisations know this full well. What do you need? 1) a completely open wireless connection ("they've hacked into my uplink, it wasn't me"), or better yet: a secured VPN tunnel to a full-blown anonymising proxy in a data centre somewhere in, oh, I don't know, Saudi Arabia or something! Whatever happens from there doesn't really matter anymore. Use webmail, PC stays clean. Web-based SSL-encrypted instant messaging (the proxy could even deliver the Java-based messenger), PC remains clean. VoIP through the VPN tunnel, PC remains clean. Turn off browser caching, PC remains clean. Build the VPN tunnel across a GPRS/EDGE/UMTS connection and run VoIP and/or SMS across that; a little expensive, but your cell phone remains clean as well.
And here you are again, a District Attorney holding a hard drive stuffed with plain text clearly proving that the suspect's devices only had a couple of highly encrypted secure tunnels to a server in Saudi Arabia which you can't reach or eavesdrop on, so you've completely lost track. WHAT EXACTLY ARE YOU PROVING WITH ALL THOSE REMAINING PETABYTES OF COMPLETELY AND UTTERLY USELESS DATA COSTING MILLIONS UPON MILLIONS A YEAR!?


The aforementioned measures aren't all that easily put into effect, but even if you do only part of them you're already well on your way. And I sure hope everybody will do so, so that when the European Commission is set to evaluate the Directive in 3 years' time they can plainly see they've spent all those millions on the storage of the data for NOTHING, except maybe they've caught themselves some stupid dimwits and you have a huge database detailing the online life of 450 million innocent civilians.

