December 16, 2005

Europe's unworkable privacy killer

Earlier this week, the European Parliament passed a proposal effectively requiring all ISPs and Telcos to retain details of all internet communications. Within 15 months, every country must have laws in place that implement this.

This law is a nightmare from privacy, legal and technical perspectives. Every time you visit a web page, every time you send and receive email, and every time your computers sends or receives any data over the internet, the details of that communication must be stored and made available to law inforcement on request. Even if you play a game online, they have to log when, with whom and what you played, keeping it for up to 6 months.

Member States shall adopt measures to ensure that data which are generated or processed by providers of publicly available electronic communications services or of a public communications network within their jurisdiction in the process of supplying communication services are retained in accordance with the provisions of this Directive.

Anyone who's used a filesharing program to download something can be tracked up to 6 months later, which will be of particular interest to record companies doing witch hunts. If they suspect you of downloading music, they'll subpoena these logs, and see exactly which IP addresses sent you the traffic, also giving them the ability to go after those people, ad nauseum until they've spidered out to everyone and sued them all. Never mind that you didn't actually copy their songs, the fact that they can use this to prove that you've used the filesharing program is enough to get you into an expensive legal battle.

Next there is the ridiculous technical side of the directive. Even a quick browse through the text shows that whoever wrote it has no idea about how the internet works, and no idea about the impact that this regulation will have on ISPs.

A quick rundown of what's needed to do this. At the moment, there is a network technology called Netflow, which enables routers to log details of traffic flowing through them. This includes source, destination, protocol and duration, most of what you'd require to be able to log the data intended by the directive. Netflow is currently used by ISPs for anonymous statistical purposes and it used to be used for billing also. So there does exist a type of protocol that can log this.

Unfortunately, Netflow was designed for a short retention period, and with small volumes of data. Where I work, we had 5 Gigs of data flow, and our top end routers could only sample 0.1% of all traffic. Any more and they'd melt. With this 0.1% of data, after a week an 18Gig disk would be full of netflow data. This is fine for statistical analysis of traffic, given the low rate that traffic could be sampled.

With this new directive, our routers would have to be able to log traffic at 1000 times what they were capable of, and given the traffic levels have increased 5 times, we're looking at 5000 times the capacity that our high end Juniper routers can handle. The very fastest router might be able to handle 5 or even 10 times the rate that we were doing, but 5000? Absolutely no way.

It's not just the 1000 fold increase in router abilities required that makes the technical requirements ridiculous. The amount of data required is tremendous. At work, sampling 0.1% of traffic and logging it fills an 18Gb disk with this data in a mere 5 days.

Expanding this to 100% of traffic increases this to 18 Terabytes per 5 days.

Increasing this from 5 days to 6 months makes the total storage requirement a staggering 648Terabytes, something that only an operation the size of Google could possibly deal with.

That's not all. These figures are based on 5Gbps of traffic. With current traffic growth, and the requirement to have this in law in just over a year, we see a total storage capacity of 10,000 Terabytes which adds up to a total of 80 thousand x 120G disks. And that's just one ISP.

Anyone can clearly see that this is nothing short of ridiculous. No one has this scale of storage, and even if the disks were to be acquired, they'd need 1 million Watts of power, which is a fair chunk of power station, not to mention cooling and space.

Next there are the details required to be logged. From the text:

Types of data to be retained under the categories identified in Article 4 of this Directive:

a) Data necessary to trace and identify the source of a communication:


(d) Name and address of the subscriber or registered user to whom the IP address, Connection Label or User ID was allocated at the time of the communication.


b) Data necessary to trace and identify the destination of a communication:


(3) Concerning Internet Access , Internet e-mail and Internet telephony:


(b) Name(s) and address(es) of the subscriber(s) or registered user(s) who are the intended recipient(s) of the communication. an ISP in Holland is required to know the full name and address of someone who you have sent an email to, regardless of their location in the world. Or if you fire up an anonymous online gaming session with someone in Asia, your ISP is required to know the name and address of who you played against.

There's more:

c) Data necessary to identify the date, time and duration of a communication:


(2) Concerning Internet Access, Internet e-mail and Internet telephony:

(a) The date and time of the log-in and log-off of the Internet sessions based on a certain time zone.

So, if you're like me and leave your computer on for weeks at a time, and you have a 5 minute chat with some random person, the ISP has to log that you were talking to someone for several weeks.

I just cannot see how this legislation is workable, and if it doesn't get pulled before the coutry's implement it, the only solution I can see is to shutdown the internet. Router requirements, disk requirements, and data requirements are wholly unworkable and ridiculous, not to mention the privacy abbhoration.

To top it off, this section of the text is probably my favourite part of all, of which I can give no commentary:

Collection and use of expertise

  There was no need for external expertise.


Posted by Ben at December 16, 2005 10:12 PM | TrackBack
Post a comment

Remember personal info?

Recent Entries
- Linux on an HP Compaq NC6400
- Sodium in water? Bah..try Caesium!
- I'm off to Lugradio
- Food for thought...
- Replacing ugly Helvetica fonts in Xorg
Support me...

Email me:
NL time:12:16
Book: Assassini (Thomas Gifford)
Amazon wish list
Search the web