Surveillance state in the making

When some of the world's leading security experts are getting worried about the imposition of too much security in our lives, under suspicious circumstances, backed by spurious arguments from governments as to why these extreme measures are necessary, we all need to sit up and listen.

That's the word I was hearing at the four-day COSAC security conference in Naas that took place over the anniversary of the September 11th attacks - a conference that often took those attacks as the main context of presentations and referred back to them every day.

This relatively small event draws some of the most highly respected figures in the security industry, and some of the top experts in this broad field.

The topics under discussion ranged widely, from securing computer networks from hackers to global information warfare to the most effective ways to impede someone trying to find incriminating information on a computer or within electronically sent communications (from the perspective, of course, of those trying to decode such systems). And, of course, the security lessons learned from September 11th.

What emerged over and over, from lawyers, cryptography experts, forensic investigators, database experts and those who know and understand all the ways in which security can be used, applied and abused, was this: National governments, particularly in the United States and Europe, are using the events of September 11th to reintroduce appalling security measures and increased surveillance powers that were rejected by politicians and citizens prior to those events.

In addition, those powers are offensive, open to abuse, and are far in excess of what is required.

Remember, these opinions are coming from long-recognised experts in the field. It seems that when it comes to a desire by law enforcement to seize more power of investigation, they will proceed without listening to those who actually (unlike them) understand computer security, information warfare, malevolent hacking and compromising of networks, clandestine spying, and every other aspect of how terrorists might engage in a digital assault or be apprehended through the use of digital investigation.

What are the practical implications for Irish citizens? Well, we are still sorting out how we might bring into Irish law a potential directive that nearly every one of our MEPs voted for, which would require the retention of electronic data records from the internet, mobile phones, faxes and e-mail for up to seven years. This is in direct conflict with current data protection laws, where such information may only be retained for a short time for billing purposes, unless a specific warrant has been issued.

The seven-year element caused an uproar in some corners, and it seems unlikely that the EU will try to bring in such a long time span in regard to this legislation. But the British privacy watchdog agency Statewatch (www.statewatch.org) was leaked a draft document for such a binding directive two weeks ago, which indicates that the EU is considering a holding period of one to two years.

This is hardly an improvement: it is still far, far beyond what has ever been considered acceptable in EU law.

There's been a formal response to the decision of the European Parliament (meaning, let me say again loudly, OUR MEPs) to support legislation that would completely alter the privacy protections afforded the citizens they represent.

For the second time, all the European data protection commissioners have written a strongly worded letter expressing serious reservations about such proposals. They did this months ago when the changes were merely rumours rather than something that MEPs - contrary to all previous votes, and against all expectations - would actually rubber-stamp in parliament.

This time, the data commissioners issued their letter at an international conference in Cardiff, held, ironically, over September 11th. It states the case against such retention measures clearly and concisely: "The European data protection commissioners have grave doubt as to the legitimacy and legality of such broad measures. They also want to draw attention to the excessive costs that would be involved for the telecommunication and internet industry, as well as to the absence of such measures in the United States.

"The European data protection commissioners have repeatedly emphasised that such retention would be an improper invasion of the fundamental rights guaranteed to individuals by Article 8 of the European Convention on Human Rights that retention of traffic data for purposes of law enforcement should meet strict conditions. . .: i.e. in each case only for a limited period and where necessary, appropriate and proportionate in a democratic society.

"Where traffic data are to be retained in specific cases, there must therefore be a demonstrable need, the period of retention must be as short as possible and the practice must be clearly regulated by law, in a way that provides sufficient safeguards against unlawful access and any other abuse.

"Systematic retention of all kinds of traffic data for a period of one year or more would be clearly disproportionate and therefore unacceptable in any case."

Most of our MEPs seem to think they know better than the unanimous opinion of the data protection commissioners appointed to safeguard their own citizens. They also seem to think they know better than some of the best international minds in the security industry.

Go figure. In the meantime, it is of the utmost importance that both citizens and businesses oppose these suggested provisions being enacted into law. Neither businesses nor citizens in a democracy should have to live in a surveillance state. And such laws will definitely make the State extremely unattractive as an investment location for US multinationals, who will hardly want their electronic communications subject to such oversight by Europe.

klillington@irish-times.ie

http://radio.weblogs.com/0103966/

Karlin Lillington

Karlin Lillington, a contributor to The Irish Times, writes about technology