The Data Protection Authority, after having received the information, will decide what can be still done without informing the customer, what can be done AFTER having informed the customer and obtained his approval and what cannot be done at all. Furthermore, the Data Protection Authority will release a set of technical and management rules to ensure the concerned subjects’ compliance.

If these new set of rules will mimic those recently established for data-retention purposes and system administrators, telcos and ISPs will face again a mayhem of useless bureaucracy so hard to understand that the Data Protection Authority itself did release a FAQ to explain what these regulation actually meant (and we’re still waiting for the FAQ interpretation.)

Although the decision is limited to the Internet and telephony world, it is clear that in the near future it will affects too energy firms, banks, insurance companies and, in general, everybody who relies upon aggregate data to tweak its supply chain of services.

Once again, the Italian Data Protection Authority is proved to be one of the biggest blocking factor of Italian telco market, while not granting citizens some sort of protection.

DRI Chairman TJ McIntyre said:

“These laws require telephone companies and internet service providers to spy on all customers, logging their movements, their telephone calls, their emails, and their internet access, and to store that information for up to three years. This information can then be accessed without any court order or other adequate safeguard. We believe that this is a breach of fundamental rights. We have written to the Government raising our concerns but, as they have failed to take any action, we are now forced to start legal proceedings.”

“Accordingly, we have now launched a legal challenge to the Irish government’s power to pass these laws. We say that it is contrary to the Irish Constitution as well as Irish and European Data Protection laws.”

“We also challenge the claim that the European Commission and Parliament had the power to enact the Data Retention Directive. We say that this kind of mass surveillance is a breach of Human Rights, as recognised in the European Convention on Human Rights and the EU Charter on Fundamental Rights which all EU member states have endorsed.”

“If we are successful, the effect will be to undermine Data Retention laws in all EU states, not just Ireland, and to overturn the Data Retention Directive. A ruling from the European Court of Justice that Data Retention is contrary to Human Rights will be binding on all member states, their courts and the EU institutions.”

Attack on Private Life

He continued: “These mass surveillance laws are a direct, deliberate attack on our right to have a private life, without undue interference by the government. That right is underpinned in the laws of European countries and is also explicitly stated in Article 8 of the European Convention on Human Rights. The Article specifies that public authorities may only interfere with this right in narrowly defined circumstances.”

“The information will be collected and stored on everyone, regardless ofwhether you are a criminal, a policeman, a journalist, a judge, or an ordinary citizen. Once collected, this information is wide open to misappropriation and misuse. No evidence has been produced to suggest that data retention laws will do anything to stop terrorism or organized crime.”

“We accept, of course, that law-enforcement agencies should have access to some call data. But access must be proportionate. In particular, there should be clear evidence of a need to move beyond the six months of storage which is already used for billing purposes. Neither the European Commission nor the European police forces have made any case as to why they might require years of data to be retained.”

“Data Retention, as legislated for in Ireland and mandated by the Data Retention Directive is unjustified mass surveillance. The government is deliberately recording information about innocent citizens without cause.”

Legal background

The action challenges the law on data retention contained in the Irish Criminal Justice (Terrorist Offences) Act, 2005 and the European Data Retention Directive passed in 2006. The action has been commenced in the High Court by McGarr solicitors on behalf of DRI and names as defendants the Minister for Communications, Marine and Natural Resources, the Minister for Justice, Equality and Law Reform, the Garda Commissioner, Ireland and the Attorney General. DRI will ask the Irish courts to refer the Directive to the European Court of Justice for a decision on whether it is valid.

International Support

Digital Rights Ireland is the only group bringing a challenge to these laws, but it is supported by many international privacy and civil rights groups.

Danny O’Brien of the Electronic Frontier Foundation said:

“The EU Data Retention Directive is an excessive invasion of the privacy and security of all Europeans. Mandatory recording and retention of European citizens’ telephone calls by telephone companies and their online behaviour by Internet Service Providers creates a precedent for mass surveillance and is likely to chill freedom of expression on political and social issues that are at the very core of a well-functioning democracy. Digital Rights Ireland’s legal challenge to the directive will help protect not only the fundamental rights of citizens of Europe, but also those of other countries tempted along the same path.”

Other organisations supporting the action include

ALCEI (Electronic Frontiers Italy), Italia
Digital Rights, Danimarca
EDRI (European Digital Civil Rights), Europa
Electronic Frontier Finland, Finlandia
Electronic Frontier Foundation, Stati Uniti
FITUG (Förderverein Informationstechnik und Gesellschaft e.V.), Germania
Foundation for a Free Information Infrastructure, Europa
Internet Society, Bulgaria
IRIS (Imaginons un Réseau Internet Solidaire), Francia
Liga voor de Mensenrechten (League for Human Rights), Belgio
luridicum Remedium, Repubblica Ceca
Netzwerk Neue Medien, Germania
Open Rights Group, Gran Bretagna
Privacy International, Gran Bretagna
Quintessenz, Austria
VIBE!AT (Austrian Association for Internet Users), Austria

Contact details:

Phone: TJ McIntyre on 087 2075919
Email: contact@digitalrights.ie
Web: www.digitalrights.ie

Background for Editors:

The initial letter from DRI threatening legal action is outlined here:
www.digitalrights.ie/2006/07/29/dri-challenge-to-data-retention/#more-40

Media coverage of that letter is summarised here:
www.digitalrights.ie/2006/08/06/media-roundup-data-retention/

The Irish Times dealt with the letter in an editorial here:
www.digitalrights.ie/2006/08/08/irish-times-endorses-data-retention-case/

Per informazioni e approfondimenti:
02-40030031 335-5668996 02-867045 alcei@alcei.it

This is a summary of a few key points in a new document [1] published by ALCEI on January 24, 2004. In addition to privacy there are other, and very serious, problems relating to how protection from crime is reconciled with individual rights and freedom.

The concept of responsibility is shifting from proven fact to assumed intention. Sanction or punishment no longer relate to the actual effects of a behavior, but to the “status” of a “category” of people.

While prevention, per se, is legitimate and correct, this way of applying the concept leads to suspicion against (real or imaginary) characterization of people. “Criminal models” are created, to be persecuted not for what they *do*, but for what they *are* – or are assumed to be.

These arbitrary definitions empower anyone who has control to persecute, with a variety of pretexts, anyone who is considered to be uncomfortable, unfriendly or untamed.

As many “behavior patterns” can be made up as suit the whims of whoever has access to retained data. Various forms of persecution are developed against “virtual identities” that can be created “ad hoc” on the basis of prejudice or questionable intentions.

There is no limit to the number or kind of “tendencies” or “types” that can be made to include any person or category of people. The result is a sort of institutionalized pogrom, without even the visibility of a publicly declared ethnic or cultural prejudice.

A consistent watch is to be kept in the defense of civil rights and personal freedom – and this isn’t only a matter of privacy. The issue goes far beyond the single case of a hastily and clumsily conceived Italian law – that is only an episode in a series that has been going on for several years and is getting worse all the time.

This particular set of rules isn’t much more restrictive, or mischievous, than rules and practices that came before (and more are likely to follow.) It’s messy, poorly conceived and confusing – hastily put together to amend the previous one (June 2003) that made data retention compulsory but (for alleged “privacy” reasons) set a limit of 30 months – while now it’s up to five years. The fact that it’s a “decree law” isn’t just a technicality. It’s the equivalent of a law, but it’s issued by the government, without prior parliamentary discussion. In theory this should be done only in case of urgency, but it’s often used to bypass the attention of political debate and public opinion.

Telephone companies and internet providers, that anyhow retain data for accounting reasons, are now forced to keep them for an extended period, for the sake of inspection by magistrates, police or any other government or state authority. This adds to, but doesn’t substantially innovate, existing laws and practices.

The new law is only an episode in a trend that has been in place for several years.

Discussion on data retention generally relates to privacy. If applied correctly, and following the declared (but unspecified) “good intentions”, this new law wouldn’t make the existing situation much worse (or any better) than it was. But that is only half the story – or less. There are other, and very serious, problems relating to civil rights – and to the general framework of how protection from crime is reconciled with individual rights and freedom.

There is a trend that has been in place de facto for a long time, but only now is being formalized. The concept of responsibility is shifting from proven fact (a crime has been committed) to intention (a certain type of person may be likely to act illegally.) Sanction or punishment no longer relate to the actual effects of a behavior, but to the “status” of a “category” of people, that is considered guilty because of what it is, not for what it does.

While prevention, per se, is legitimate and correct, this way of applying the concept leads to arbitrary sanction, suspicion or persecution against (real or imaginary) characterization of people who are “assumed to be guilty.”

In this perspective the focus is not on an actual burglary, but on “the thief.” Not on someone creeping illegally into a network, but on “the pirate” (an improper and confusing definition, that is applied to a variety of unrelated behaviors, illegal or not, none of which has anything to do with manslaughter or armed robbery at sea.) Not (as stated by the Italian law) a person viewing or keeping «pornographic images produced by the sexual exploitation of minors», but “the paedophile.” Etcetera.

This means that “criminal models” are created, to be punished not for what they do, but for what they are – or are assumed to be. Even if the “prototype” doesn’t do anything illegal or reproachable.

Obviously these definitions, inherently vague as they are, empower anyone wh o has control and sanction resources to persecute, with a variety of pretexts or assumptions, anyone who is considered to be uncomfortable unfriendly or untamed.

Things get seriously worse with a dangerous and dramatic threat such as terrorism. There is a real need to prevent and preempt – i.e. to find and stop terrorists before they act. That can be done in a civilized manner. It is more effective, as well as ethically correct, to avoid witch-hunts, to stay away from prejudice and arbitrary “categorization” – and to avoid any violation of those human rights, and personal freedoms, that anti-terrorism action claims to be protecting.

In this context data retention (combined with the arbitrary, and often clumsy, criteria of data analysis and clustering) plays a key role, because it encourages the creation of as many “behavior patterns” as suit the whims of whoever is searching – or of whoever else, for any reason, has access to the data.

Furthermore, if we consider that a widespread retention of traffic data is extremely cumbersome and hard to manage, it’s not unlikely that choices will be made about whose traffic is to be retained. Thus leading to mass “labeling” of people who are disliked or mistrusted by anyone in power. This already exists – but with vast technical resources it can not only be enormously increased, but also warped by the inevitable imperfection and arbitrarily of automatic devices.

We know, from practical experience, that commercial “profiling” doesn’t work (even when it does, it is much less effective than other, more civilized, ways of developing customer relations.) In spite of that fact the profiling legend, spread by list merchants, has caused not only justified concern, but also exaggerated alarm. As a result, while there are attempts to limit “profiling” as a commercial tool, it is (quite wrongly) assumed that it can work wonders in criminal investigation – or for other controls of human attitudes and behavior that are much less legitimate or justifiable.

With the use of tools that are often unreliable, and can be easily manipulated, inquiries and trials (and other forms of persecution) are developed against “virtual identities” that can be created “ad hoc” on the basis of prejudice or a variety of questionable intentions. With the added problem that people can’t defend themselves because “the inquiry was done by a computer” and there is no way of finding out how the data were generated.

The myth of “machine infallibility” combines with the obnoxious notion of “criminal personality.” There is no limit to the number or kind of “tendencies” or “types” that can be made to include any person, or category of people, that is considered unpleasant or uncomfortable. The result is a sort of institutionalized pogrom, without even the visibility of a publicly declared ethnic or cultural prejudice.

And, to make things worse, a variety of errors or manipulations can be hidden in any “automated” inquiry. Improper or arbitrary criteria can be included invisibly, in ways that are hard, if not impossible, to discover. And equally hidden distortions can be caused by incompetence, or deliberate trickery, of any individual using the system.

A combination of intentional prejudices or involuntary mistakes (with countless complications resulting from the “convergence” of the two factors) can lead to consequences so vast and complex that it’s worrying to even imagine them.

Sooner or later we shall return to this subject, in an even wider perspective. But in the meantime, to reach a temporary and partial conclusion, let’s get back to the specific case of this recent Italian law. It’s true that it vaguely mentions the need to have “fair” procedures in data retention, but it gives no indication of how such guarantees should be put in place. Another problem is that, if there are deliberate tricks, or errors of any sort, in the way the databases are generated and collected, “correct” retention in this context simply means mass retention of bad data.

The key point is that a consistent watch is to be kept in the defense of civil rights and personal freedom – and this isn’t only a matter of privacy. The issue goes far beyond the single case of this hastily and clumsily conceived “decree law” – that is only an episode in a series that has been going on for several years and is getting worse all the time.