About this blog…

I am employed by Netnod as head of research and development and am among other things chair of the Security and Stability Advisory Committee at ICANN and very active in the UN multistakeholder process IGF (Internet Governance Forum). You can find CV and photos of me at this page.

As I wear so many hats, I find it necessary to express my personal view on things somewhere. This is the location where that happens. Postings on this blog, or at Facebook, Twitter etc, fall under this policy.

The views expressed on this post are mine and do not necessarily reflect the views of Netnod or any other of the organisations I have connections to.

Data retention in Denmark

A friend of mine asked me to comment on what Oscar Swartz writes in his blog about the data retention legislation in Denmark. I am happy to do so.

I am a member of the investigation in Sweden looking at what a Swedish implementation could look like. Partly because of this, I have met both the Danish ministry that is responsible for their law and a group in the European Commission that is looking at creating (I hope, the goal is a bit unclear) a guide that will lead to better harmonization between the implementations in the different member states.

So, I have met the people in Denmark. And what Oscar writes in his blog (in Swedish) is correct. ISPs in Denmark (providers of IP packets that have customers) are to store information about the first and last IP packets in what is normally called a flow (a unique combination of {IP address of sender and receiver, port number on each side, and protocol}). A five-tuple. Also correct, as Oscar writes, is that if they cannot do this because of technical issues, it is “enough” to store one packet out of 500 belonging to a customer.
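The two storage rules described above, sketched as an added example that is not part of the original post or of any Danish specification. It assumes a customer is identified by source IP, a flow is a one-directional five-tuple, and "one packet out of 500" means every 500th packet per customer; the traffic is constructed.

```python
from collections import namedtuple

Packet = namedtuple("Packet", "ts src dst sport dport proto")

def five_tuple(p):
    return (p.src, p.dst, p.sport, p.dport, p.proto)

def flow_records(packets):
    """Rule 1: keep the timestamps of the first and last packet of each flow."""
    flows = {}
    for p in packets:
        first, _ = flows.get(five_tuple(p), (p.ts, p.ts))
        flows[five_tuple(p)] = (first, p.ts)
    return flows

def sampled_records(packets, n=500):
    """Rule 2 (fallback): keep every n-th packet per customer.
    Assumption: the customer is the source IP."""
    counters, kept = {}, []
    for p in packets:
        counters[p.src] = counters.get(p.src, 0) + 1
        if counters[p.src] % n == 0:
            kept.append(p)
    return kept

def constructed_traffic():
    """Constructed sample: 40 short flows (5 packets each), then one
    long flow (2000 packets), all from the same customer."""
    pkts, ts = [], 0
    for i in range(40):
        for _ in range(5):
            pkts.append(Packet(ts, "192.0.2.10", "198.51.100.%d" % (i + 1),
                               40000 + i, 443, "tcp"))
            ts += 1
    for _ in range(2000):
        pkts.append(Packet(ts, "192.0.2.10", "203.0.113.5", 50000, 443, "tcp"))
        ts += 1
    return pkts

def coverage(packets, n=500):
    """Return (flows logged under rule 1, flows visible under rule 2)."""
    sampled_flows = {five_tuple(p) for p in sampled_records(packets, n)}
    return len(flow_records(packets)), len(sampled_flows)

if __name__ == "__main__":
    print(coverage(constructed_traffic()))
```

On this constructed traffic the per-flow log has 41 entries, while the sampled log contains packets from only the single long flow.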

This has to be stored at the point in the network of the ISP where they either exchange traffic with other ISPs, or where the packets go from the network to a service (that the end user subscribes to). This last, I guess, is because the European Directive says that one only has to store information in one place, so this is to minimize the risk that data has to be stored multiple times.

Anyway, the implications are enormous, and they have not at all been thinking of the implications. Just the fact they talk about customers and services. What if two end users exchange traffic? And what about the requirement in the directive to store information about caller id when doing phone calls and email address when email is sent? Well, the response was a lot of handwaving that resulted in (my interpretation) that the legislator in Denmark did not want to disclose they have made the same mistake as in Finland. They think ISPs are the only ones that run services on top of IP.

The conclusion is that things are as Oscar writes, or worse.

There is something rotten in the kingdom of Denmark…

I just hope we can manage to get something better in Sweden.

And all of this just because the European Directive is so completely broken. It has as a goal that we should be able to find criminals, but it does not help with that. It is written by people that have absolutely no clue how networks and the Internet work. And, they did not listen. Many of us tried to talk with them (including Department of Justice in Sweden), but no one wanted to listen. We all said this will be a mess. And here we are.

I can just say I will continue to do the best I can to make the Swedish implementation at least doable from a technical point of view. Will it help the police? Maybe. Will the cost be too high? Definitely!

And we will definitely not get the harmonisation between the member states that was the intention. At least someone in the commission seems to have recognized that. But, this is too late. We already have extremely broken legislation in some countries (like Denmark), partly broken like in the UK and possibly only a bit broken (that still does not help compared with the tools that already exist today) in Sweden.

Can we not stop with this stupidity?