Dutch Telcos Used Customer Metadata, Retained To Fight Terrorism, For Everyday Marketing Purposes
from the I'm-shocked,-shocked dept
One of the ironies of European outrage over the global surveillance conducted by the NSA and GCHQ is that in the EU, communications metadata must be kept by law anyway, although not many people there realize it. That’s a consequence of the Data Retention Directive, passed in 2006, which:
requires operators to retain certain categories of data (for identifying users and details of phone calls made and emails sent, excluding the content of those communications) for a period between six months and two years and to make them available, on request, to law enforcement authorities for the purposes of investigating, detecting and prosecuting serious crime and terrorism.
Notice the standard invocation of terrorism and serious crime as a justification for this kind of intrusive data gathering — the implication being that such highly-personal information would only ever be used for the most heinous of crimes. In particular, it goes without saying that there is no question of it being accessed for anything more trivial — like this, say:
Some Dutch telecommunications and Internet providers have exploited European Union laws mandating the retention of communications data to fight crime, using the retained data for unauthorised marketing purposes.
Of course, the news will come as no surprise to the many people who warned that exactly this kind of thing would happen if such stores of high-value data were created. But it does at least act as a useful reminder that whatever the protestations that privacy-destroying databases will only ever be used for the most serious crimes, there is always the risk of function creep or — as in the Netherlands — outright abuse. The only effective way to stop it is not to retain such personal information in the first place.
Follow me @glynmoody on Twitter or identi.ca, and on Google+
Filed Under: crimes, data retention, marketing, netherlands, telcos, terrorism
Comments on “Dutch Telcos Used Customer Metadata, Retained To Fight Terrorism, For Everyday Marketing Purposes”
The only thing surprising about this is that it doesn’t happen more often. Or maybe it does, and we just haven’t heard about it yet.
Re: Re:
Well, given how much of spy and police organizations’ time and effort is spent protecting and bolstering commercial enterprises, and given how spy/police organizations circumvent the law by handing off activities that they are specifically prevented from doing, you can be damn sure that this stuff is going on all over the place.
As the NSA could have told the telco’s: No problem, just don’t get caught.
“using the retained data for unauthorised marketing purposes.”
I’m shocked I say …. shocked
no surprise really. any way for a company to make money will be used, even those that do so without permission. try to do something where company information is used without permission, and see the hammer come down quick!
“requires operators to […] make them available, on request, to law enforcement authorities“
This is not true. The data retention doesn’t require any data to be handed over to anyone – it just mandates that traffic data is stored for a certain period of time. The rest is up to each nation to decide. In fact a EU country open to the idea of some political activism could do this:
1) make the retention of data by ISPs mandatory (to comply with the directive), but not allow it to ever be handed over to any external party.
2) have national regulation say that all retained data is to be encrypted with keys rotated on a daily basis and stored a much shorter interval than the retention period.
Since the directive was voted on as a way to harmonize the market (by imposing the same type of costs on all companies – something which failed miserably, but that’s another story) I can’t see how one could legally object to 2) since it would still impose the same costs on ISPs. The data would be stored, although most of it wouldn’t be readable.
Re: Re:
Theorycrafting much?
What you propose is completely unfathomable for any country to do. Even if a country did that, I would bet that the European Commission will renew the directive ahead of schedule to deal with it or even the Council could step in.
“Could” is a political question here. In this case the problem is that the other countries in the union are very unlikely to let such slipshod implementation pass muster.
Re: Re: Re:
If you are familiar with the history of the directive you’ll know that it was not passed as crime prevention cooperation between the EU countries because that would have put a higher demand on a qualified majority of votes and raised the bar for the controversial directive to be passed. Instead it was explicitly passed as a directive that’s meant to harmonize the market.
Given this fact it seems to me that it’s you that have a stronger burden to prove your point than I do mine. Please explain what the objections of the other countries would look like? On what grounds could they object?
I think the risk that such political activism on the national level would be challenged by the EU institutions is significantly less than the risk that our national politicians argue that “hey, since we’re forced to collect all this data anyway, wouldn’t it be a waste not to use it?”
My point is that our national political representatives cannot free themselves of responsibility. Their freedom to act may be restricted, but there are still some options available to minimize the privacy implications of the directive.
Just out of curiosity – have you read the directive?
Re: Re:
It doesn’t even go as far as that; it requires the retention of data that fits within the appropriate categories if the service provider was creating the data in the first place. So if an ISP doesn’t keep logs of anything, they’re not required by the Data Retention Directive to make or retain them.
There are reasons many Governments are unhappy with the Directive and want it expanded…
Re: Re:
if government cared about a paper trail for auditing
1. company holds metadata for period
2. company must encrypt held data with gov. provided public key.
2a. government holds private key.
3. company only hands over material on production of a valid warrant, if warrant in-valid and data handed over then prison time for company directors.
4. company must report all dealings with metadata, including warrants, on pain of prison time for company directors.
Like Google's massive store of information?
“Of course, the news will come as no surprise to the many people who warned that exactly this kind of thing would happen if such stores of high-value data were created.”
It’s just not credible that you kids can’t see such obvious similarities with the world’s biggest store of such data.
Where Mike sez: “Any system that involves spying on the activities of users is going to be a non-starter. Creeping the hell out of people isn’t a way of encouraging them to buy. It’s a way of encouraging them to want nothing to do with you.” — So why doesn’t that apply to The Google?
02:02:02[c-5-2]
Re: Like Google's massive store of information?
Perhaps because you can opt out of google, by simply not using their services, whereas the same is not true of government spying.
Re: Re: Like Google's massive store of information?
Perhaps because you can opt out of google, by simply not using their services, whereas the same is not true of government spying.
This is pointed out to Blue every single time he brings it up.
It’s like we are beating a brain-dead horse at this point.
as long as politics continues in it’s present form, ie, lobbying and campaign funding, there will be no changes, ever! politicians are in these positions, in the main, for personal gain! they are definitely not in politics for what they can do for the people they are supposed to represent!
Fits with rule one.
The Five Rules of Databases
1. If a database exists it will be abused.
2. The accuracy of information within a database is inversely proportional to its size.
2a. Doubly so for databases held by Government departments.
3. If it contains personal information at some stage law enforcement agencies will want access.
4. If it contains personal information at some stage law enforcement agencies will get access.
5. You can never truly erase your information from a database.
Well hopefully they’ll follow the US justice systems example when dealing with corporate offenses by issuing a fine that is a small fraction of the gains made from these abuses.
Only Dutch telcos? I’d be surprised.
Why is it illegal?
I don’t get it.
A telco log metadata of their users. This metadata then used for marketing purposes. How is this any different from targeted advertising?
(setting aside the feeble justification of “legally obliged to”)