A hard Act

WIRED: Last week was the due date for companies across Europe to start retaining data on all of their users. Telecommunication corporations, mobile phone companies and internet service providers (ISPs) were all due to start keeping records of every call, every mobile phone location and every recipient of every e-mail, for a minimum of six months and up to two years.

It hasn't happened, of course. The directive as it stands is vague and difficult to reconcile with the reality of any of those industries. A string of postponement requests and fudging has come from almost every state in the EU (apart from countries such as the Republic, which already had such demands in the lawbooks). Even those who almost made the deadline, such as Britain, have postponed the retention of data on internet access, net telephony and e-mail, perhaps because the EU directive that demands all of this doesn't make any sense. There's no way an ISP can record all its subscribers' e-mail recipients without somehow intercepting its customers' use of other companies' mail servers. If it is not the ISP's responsibility, literally hundreds of thousands of companies and communities are breaking the law by not recording their users' mails.

But such inconsistencies only seem to delay, not reverse, even the most ridiculous of laws. Technology companies should be warned that even the most outrageous of technical government plans will return to bite you, no matter how crazy they seem at first.

The recent implementation in the UK of a seven-year-old requirement of the 2001 Regulation of Investigatory Powers Act (RIPA) is a good example of this. At the time, it was difficult to imagine Part 3 of that law being activated. It was this section that made it a crime not to hand over your password or secret key to the authorities. How could it be enforced in any reasonable way?

It reversed the burden of proof by making it possible for law enforcement to lock you up if they suspected you of having a password. After all, how could you prove you did not have the password for that otherwise innocent file on your hard drive? But RIPA Part 3 had other ramifications. A law on the books that obliged companies to hand over secret keys means more than just passing over your corporate login password. Some keys are worth far more than others. There are private keys which, if revealed, even to law enforcement, could risk the financial security of millions. The Verisign master root key, for instance, if handed over could allow the possessor the power to impersonate about 60 per cent of the secure sites online. Obtaining Microsoft's signing key would allow a government to send its own automated updates to Microsoft machines.

Any law that could force representatives to hand over these valuable keys with only an official document (not even a court order) made critical financial institutions very nervous.

The authorities in Britain have sworn they would not use their powers to obtain signing keys like these, insisting they would only use these powers while investigating very serious crimes: terrorism, child pornography and the like. But that made the law even odder. If you had a drive full of encrypted child pornography, why would you give up your password, when you could cop to the (presumably) lesser crime of withholding it?

After seven years of these contradictions remaining unsolved, the assumption was that Part 3 would never be activated, and live on as a vestigial, unenforced law. Then, last year, as part of a general ramping up of security powers after 9/11, and the 2005 London bombings, the enforcement of Part 3 was re-introduced.

The fuss was far less than when the Act was first signed into law. Times had changed, groups fighting the provisions had grown exhausted and the controversial terms were activated by a simple announcement in Parliament.

From this Monday, companies in Britain may be obliged to hand over passwords, encrypted material and secret keys to law enforcement. And they may be forced by law to keep silent about it.

That's an object lesson on the direction the data retention directive will take. Country after country has postponed its internet provisions because, currently, they beggar belief. But the implementation has only been postponed until a quiet moment, or a new security alert, shifts the political landscape enough to slide them through.

Of course, by that point, the internet and mobile telephony will be even more firmly embedded in our lives, and the knowledge that can be gleaned from the vast info-stores created by data retention will be far greater than was originally understood by the directive's drafters.

With luck, Europe's only legal challenge against the directive, in the form of Digital Rights Ireland's suit against the Government and the EU, will resolve these laws as unlawful under the EU and the State's own rules before they can take effect.