Leaving out notification requirements for data collection orders?
Do you know what data is retained by telecommunication providers? How does that affect your privacy? This blog will provide you with a more concrete picture of how the retention of location data by telecom providers effects your privacy.
Each time you make a phone call with your mobile phone, the (i) date, (ii) time and (iii) duration of your phone call, as well as the (iv) numbers dialed and the (v) location of the antennas (or region (Cell ID)) your mobile phone connects to are retained by your telecommunication service provider. The data is retained in order to ensure the availability of the data for serious crime investigations by law enforcement authorities.
The Dutch Minister of Safety and Justice believes that data collection orders from third parties only create ‘minor infringements’ to your right to privacy. Taking this into account, he reasons that the poorly enforced requirement that law enforcement authorities must notify individuals about data collection orders when reasonably possible, causes too much of an administrative burden and should therefore be abolished. His bill proposing the measure caused some controversy last week (10 October 2013) in the Netherlands (article is in Dutch).
But ask yourself: do you know exactly what data is retained by telecommunication providers? And does data retention create only ‘minor’ privacy infringements? Is this a valid argument to get rid of the notification requirements?
Minor privacy infringements?
The European Data Retention Directive from 2006 obliges telecommunication providers to retain subscriber data (name and address data) and ‘traffic data’ (such as the date, time and duration of the call as well as the numbers dialled) between 6 and 24 months (see article 5 of the Directive). The subjects of data collection orders are not only suspects. In some cases they could also be other individuals, on the condition that the data collected is relevant to the criminal investigation. The problem is that the categories of data described in art. 5 of the Data Retention Directive are, in my opinion, relatively abstract and leave a lot of leeway in terms of what is exactly retained by what provider.
In order to gain more clarity about exactly what data is retained by telecom providers and to get a feeling of what that might mean for the right to privacy, I conducted a few data access requests (a right provided by European privacy laws) with my telecommunication providers. Only focusing on my ‘location data’ and accompanying ‘time stamps’ related to my mobile phone in a period of 3 days, my data request revealed the following (interactive) map:
The blue, red and green points represent the antennas my mobile phone connected to on the 25th, 26th and the 27th of April 2013, each time my mobile phone made a connection with my telecommunication provider (49 times in total). The red line indicates a railway to emphasise the route I took when I travelled by train to Utrecht Central Station and back to Leiden CS (travelling via Schiphol on the 26th of April 2013). On the 27th of April I worked from home as can be seen by the green points. I used a public tool (BatchGeo) to create the map using the raw data provided by my provider, but law enforcement officials can also easily create maps as shown above and even visualise the movements the individual concerned made within a particular time frame with specialized software. It is not hard to imagine why data retention is useful for law enforcement authorities. The data can also be enriched with other data, such as public transportation data from public transportation chip cards, CCTV footage, ANPR data and other network communication data when available. This is what investigating crime in a networked world looks like. The minister stated in the explanatory report on the bill, that collecting data from third parties is now “almost standard to criminal investigations”.
So ask yourself again: does the collection of data by law enforcement authorities from third parties, as illustrated above, create only ‘minor’ privacy infringements? Personally I do have some sympathy with the argument that notification is not desirable for all investigatory methods, taking efficiency reasons into consideration. But I do not think that data collection orders create minor privacy infringements and that this would be a valid reason for abolishing notification. Also bear in mind that without notification, many individuals would not be aware that the government had collected the data, depriving them of the opportunity to object to the data collection. This raises issues relating to art. 13 of the European Convention on Human Rights (not so much art. 8 ECHR as mentioned in the explanatory report), although this aspect is not further considered here.
More transparency about data collection
Even after years of research, it is still not clear to me exactly what data (especially internet related data) is retained by what provider. In addition, the minister refuses to provide statistics on the collection of data, other than telecommunication providers, citing ‘national security interests’ and that it is ‘not in the interest of police investigations’. As I have stated in a previous blog post, I believe that more transparency, by way of providing these statistics, is essential. Parliamentary Members can then pose questions to the governmental representatives involved, in order to maintain (some) control over these far-reaching investigatory powers and try to uphold the integrity of the investigatory process.