Dutch Telcos Used Customer Metadata, Retained To Fight Terrorism, For Everyday Marketing Purposes

from the I'm-shocked,-shocked dept

One of the ironies of European outrage over the global surveillance conducted by the NSA and GCHQ is that in the EU, communications metadata must be kept by law anyway, although not many people there realize it. That’s a consequence of the Data Retention Directive, passed in 2006, which:

requires operators to retain certain categories of data (for identifying users and details of phone calls made and emails sent, excluding the content of those communications) for a period between six months and two years and to make them available, on request, to law enforcement authorities for the purposes of investigating, detecting and prosecuting serious crime and terrorism.

Notice the standard invocation of terrorism and serious crime as a justification for this kind of intrusive data gathering — the implication being that such highly-personal information would only ever be used for the most heinous of crimes. In particular, it goes without saying that there is no question of it being accessed for anything more trivial — like this, say:

Some Dutch telecommunications and Internet providers have exploited European Union laws mandating the retention of communications data to fight crime, using the retained data for unauthorised marketing purposes.

Of course, the news will come as no surprise to the many people who warned that exactly this kind of thing would happen if such stores of high-value data were created. But it does at least act as a useful reminder that whatever the protestations that privacy-destroying databases will only ever be used for the most serious crimes, there is always the risk of function creep or — as in the Netherlands — outright abuse. The only effective way to stop it is not to retain such personal information in the first place.

Follow me @glynmoody on Twitter or identi.ca, and on Google+

Filed Under: , , , , ,

Rate this comment as insightful
Rate this comment as funny
You have rated this comment as insightful
You have rated this comment as funny
Flag this comment as abusive/trolling/spam
You have flagged this comment
The first word has already been claimed
The last word has already been claimed
Insightful Lightbulb icon Funny Laughing icon Abusive/trolling/spam Flag icon Insightful badge Lightbulb icon Funny badge Laughing icon Comments icon

Comments on “Dutch Telcos Used Customer Metadata, Retained To Fight Terrorism, For Everyday Marketing Purposes”

Subscribe: RSS Leave a comment
18 Comments
Paul Renault (profile) says:

Re: Re:

Well, given how much of spy and police organizations’ time and effort is spent protecting and bolstering commercial enterprises, and given how spy/police organizations circumvent the law by handing off activities that they are specifically prevented from doing, you can be damn sure that this stuff is going on all over the place.

Martin says:

requires operators to […] make them available, on request, to law enforcement authorities

This is not true. The data retention doesn’t require any data to be handed over to anyone – it just mandates that traffic data is stored for a certain period of time. The rest is up to each nation to decide. In fact a EU country open to the idea of some political activism could do this:
1) make the retention of data by ISPs mandatory (to comply with the directive), but not allow it to ever be handed over to any external party.
2) have national regulation say that all retained data is to be encrypted with keys rotated on a daily basis and stored a much shorter interval than the retention period.

Since the directive was voted on as a way to harmonize the market (by imposing the same type of costs on all companies – something which failed miserably, but that’s another story) I can’t see how one could legally object to 2) since it would still impose the same costs on ISPs. The data would be stored, although most of it wouldn’t be readable.

Anonymous Coward says:

Re: Re:

Theorycrafting much?

What you propose is completely unfathomable for any country to do. Even if a country did that, I would bet that the European Commission will renew the directive ahead of schedule to deal with it or even the Council could step in.

“Could” is a political question here. In this case the problem is that the other countries in the union are very unlikely to let such slipshod implementation pass muster.

Martin says:

Re: Re: Re:

If you are familiar with the history of the directive you’ll know that it was not passed as crime prevention cooperation between the EU countries because that would have put a higher demand on a qualified majority of votes and raised the bar for the controversial directive to be passed. Instead it was explicitly passed as a directive that’s meant to harmonize the market.

Given this fact it seems to me that it’s you that have a stronger burden to prove your point than I do mine. Please explain what the objections of the other countries would look like? On what grounds could they object?

I think the risk that such political activism on the national level would be challenged by the EU institutions is significantly less than the risk that our national politicians argue that “hey, since we’re forced to collect all this data anyway, wouldn’t it be a waste not to use it?”

My point is that our national political representatives cannot free themselves of responsibility. Their freedom to act may be restricted, but there are still some options available to minimize the privacy implications of the directive.

Just out of curiosity – have you read the directive?

Duke (profile) says:

Re: Re:

The data retention doesn’t require any data to be handed over to anyone – it just mandates that traffic data is stored for a certain period of time.

It doesn’t even go as far as that; it requires the retention of data that fits within the appropriate categories if the service provider was creating the data in the first place. So if an ISP doesn’t keep logs of anything, they’re not required by the Data Retention Directive to make or retain them.

There are reasons many Governments are unhappy with the Directive and want it expanded…

Anonymous Coward says:

Re: Re:

if government cared about a paper trail for auditing

1. company holds metadata for period
2. company must encrypt held data with gov. provided public key.
2a. government holds private key.
3. company only hands over material on production of a valid warrant, if warrant in-valid and data handed over then prison time for company directors.
4. company must report all dealings with metadata, including warrants, on pain of prison time for company directors.

out_of_the_blue says:

Like Google's massive store of information?

“Of course, the news will come as no surprise to the many people who warned that exactly this kind of thing would happen if such stores of high-value data were created.”

It’s just not credible that you kids can’t see such obvious similarities with the world’s biggest store of such data.


Where Mike sez: “Any system that involves spying on the activities of users is going to be a non-starter. Creeping the hell out of people isn’t a way of encouraging them to buy. It’s a way of encouraging them to want nothing to do with you.” — So why doesn’t that apply to The Google?
02:02:02[c-5-2]

El_porko says:

Fits with rule one.

The Five Rules of Databases
1. If a database exists it will be abused.
2. The accuracy of information within a database is inversely proportional to its size.
2a. Doubly so for databases held by Government departments.
3. If it contains personal information at some stage law enforcement agencies will want access.
4. If it contains personal information at some stage law enforcement agencies will get access.
5. You can never truly erase your information from a database.

Add Your Comment

Your email address will not be published.

Have a Techdirt Account? Sign in now. Want one? Register here

Comment Options:

Make this the or (get credits or sign in to see balance) what's this?

What's this?

Techdirt community members with Techdirt Credits can spotlight a comment as either the "First Word" or "Last Word" on a particular comment thread. Credits can be purchased at the Techdirt Insider Shop »

Follow Techdirt

Techdirt Daily Newsletter

Techdirt Deals
Techdirt Insider Discord
The latest chatter on the Techdirt Insider Discord channel...
Loading...