Data retention is not working, or …?

Webwereld posted an article today on data retention stating that it does not work. (Click here for the article and here for the evaluation of data retention for the Dutch Second Chamber.) The article says that data retention doesn’t work because it is not used often and because the data is quite often too old and/or deleted by the time a Law Enforcement Agency comes to the ISP to seize data. In the Netherlands the retention period is set at six months. Does this mean that data retention does not work? No, I think.

There are three aspects here. The first is that we should be happy that LEAs are not constantly mining the data in retention at ISPs. Apparently they only request data when it’s really necessary. That is what the internet industry ought to look at favourably.

The second is that if data retention doesn’t work because the data is hardly referenced at all, then this would suggest we can do without data retention, as opposed to lengthening the period.

The third is that investigations take time. A lot of time. This is an element that is hard to imagine for someone who has no experience of this kind of work. It is a very meticulous task that has to be 100% correct to hold up in court. Investigators often have multiple cases; a priority comes by and, before he or she knows it, six months have flown by and that request still needs to be made. Or a new lead comes along that was unknown before and needs investigation. Etc. Investigating a case, from receiving a complaint to a decision or bringing it to court, can take up to one and a half to two years before all evidence is clear and in place.

Does that mean that the six-month period should be made longer, “as it is not working”? That is a democratic decision to make. Does the infringement of the privacy of all citizens weigh less than the possibility of catching a few criminals? That is the question that has to be asked and answered in parliament(s). There is a point at which that balance tips the wrong way. One thing is certain. If it is made one year, it will be too short, as will one and a half years, etc. There is always a chance that a new lead comes up. From personal experience I know that six months is very short in an investigation. One year may be better, but there has to be a limit that is clear and non-debatable. It has to be set quite clearly at a new length or kept where it is. Open-ended retention is something that is not acceptable in a democratic society.

Wout de Natris, De Natris Consult

Leiderdorp, 17 February 2014.


About Wout de Natris

As a consultant I specialise in establishing new and different relationships between industry, governments and law enforcement where internet safety and the fight against cyber crime are concerned. This makes me a bridge builder. Hence the blog’s name. In this blog I intend to stress the need for interaction, cooperation and exchange of information in order to change the mentioned relationships. On offer: a comprehensive training on all non-technical aspects of spam enforcement and a cyber awareness presentation for companies and institutions.