Some people believe the Internet is like the Agora of the ancient Greek cities, where everybody meets and everything happens in public and open sight, while others regard it as their boudoir, where they can pursue their private business without anyone peeping through the keyhole. The challenge is that the Internet is both, and this calls for rules that satisfy both expectations.
If you didn’t guess it already: I’m talking about telecommunications data retention and the recent act in the European Union which requires service providers to log details about communications on the Internet and retain the data for a minimum of six months. But why do I bring up this topic? Because I believe this discussion affects the security and privacy (also known as confidentiality) of organizations and private persons. The European Data Retention Act came into force in Austria on the 1st of April this year. We were lucky in Austria because the data retention act was drafted by the Ludwig Boltzmann Institute for Human Rights and was implemented close to the draft, with very limited access to the sensitive data. But still the data exists somewhere in databases or storage and requires protection and auditing. This is, besides privacy concerns, our main point of criticism: the best way to prevent data loss is to avoid the data. If you don’t believe that, just browse a little through the DataLossDB, which has its origins at attrition.org and is now a project of the Open Security Foundation.
Communication patterns alone (without the content) can reveal a lot about your intentions and activities, which of course includes your business activities such as customer contacts, topics of research and interests, and so on. In Austria, access to communication data is regulated quite strictly: the “Datendurchlaufstelle” (loosely translated “data passage center”), through which all inquiries are channelled, uses PKI, official state signatures, a limited interface and restricted data formats, which prevent data mining and mass queries. But there are some aspects and loopholes which put the data at risk:
- There are no requirements for in-depth auditing of the whole logging system.
- Auditing is done only at the “Datendurchlaufstelle”, not at the database level.
- There is no definition of how to “destruct” the data after 6 months.
- There are several exceptions for inquiries, which can bypass the audit system.
- The data centers are operated like normal data centers (again, take a look at DataLossDB).
A few weeks ago I attended a panel discussion about data retention in Vienna, and at the socializing event afterwards I could talk to Christof Tschohl from the Ludwig Boltzmann Institute, who had a leading role in the drafting of the data retention law; Mag. Peter Gildemeister, senior public prosecutor in Vienna, who strongly supports data retention; and delegates from AK Vorrat, who are currently preparing a complaint of unconstitutionality at the constitutional court.
What somehow stuns me is that apparently nobody is putting any emphasis on the technical aspects of keeping the highly sensitive data secure and preventing misuse and accidents. Just recently, data abuse by authorities became public in the UK, which puts the trust in authorities a little bit in doubt. I’m especially troubled by this sentence:
513 civil servants were found to have made “unauthorised disclosures of official, sensitive, private and/or personal information”
What kind of information can be disclosed to whom? Can anyone who bribes a public servant with access to sensitive information get any data? This would be quite a challenge for your security policy and risk assessment, I say.
Do you trust your government organizations and service providers so much as to keep your sensitive data secure and prevent unauthorized access or abuse?
We are hoping for some feedback and comments on this topic.