Traffic Data Retention and Forensic Imaging

Last week I participated in yet another workshop on traffic data retention, at ICRI, with the added twist that traffic data retention is now in ‘European Law’, and shall become actual law in most EU countries very soon. It was a special treat to be talking just after Chief Superintendent Luc Beirens, Head of the Belgian Federal Computer Crime Unit, who tried to sell the idea of retention to a crowd of people from the flagship EU privacy project PRIME.

As usual, Beirens assured us that proper judicial oversight exists and will regulate access to traffic data. Yet a different picture emerged when we got into the details of how cyber-crime investigations are conducted. It turns out that the first thing the police do, to the suspects but also to the victims of cyber-crime, is take a forensic image of their hard disk. This is a sound precaution: booting up the machine to extract evidence may activate malware on a victim’s machine to erase traces, or an alert system on a suspect’s computer.

The obvious question becomes: how does this policy of automatic forensic imaging and analysis of a hard disk interact with traffic data retention? Luc was keen to acknowledge that the investigation procedure would proceed unchanged: an image of a hard disk that may contain retained data would be taken, and forensic tools used on the totality of the hard disk. To be fair, tools that image, or only look at, parts of the disk according to a set security policy do not exist.

What does this mean? If you are a victim of cyber-crime, or a company you have given your data to is a victim of cyber-crime, all the data will end up with the police. This will be the case irrespective of judicial oversight, or any other safeguards. You may ask yourself what the chance is that the retained data will be kept on a computer that may be part of an investigation. First, do not underestimate the fact that these machines will end up on-line to serve requests, and therefore will be subject to their fair share of attacks. But most importantly, this case will obviously occur as part of an investigation into the misuse of, unauthorized access to, or attempted access to the traffic data retention systems!

This standard procedure may also explain why companies are so reluctant to call in the high tech crime units to help them investigate cyber-crime. Their procedures are simply incompatible with any security policy with a confidentiality component. Would you report some of your documents being stolen from your home or business, if this meant the police taking a copy of every single paper in the building?

6 thoughts on “Traffic Data Retention and Forensic Imaging”

  1. Privacy enhancing technologies (PETs) and data retention in telecommunications

    Lothar Fritsch, Johann Wolfgang Goethe – Universität, Frankfurt am Main

    This is a position statement that was made in the context of the PRIME-internal discussion about data retention. It does reflect my personal opinion only, but nonetheless I’d like to share it. Following George Danezis’s view on forensic imaging, I’d like to point out the necessity of strong protection for retention data with this text.

    Data retention is a contemporary topic of political and scientific debate. For PRIME, the law initiatives concerning data retention might be highly relevant for a number of reasons:
    • Is PET systems operation still legal after implementation of the data retention directive?
    • Are PET systems a way for telecommunications operators to minimize the amount of data they are supposed to store?
    • Is the data retention directive a powerful vehicle to widely deploy PRIME technology?
    This position paper aims at a brief discussion of some of my thoughts around PRIME and data retention. It is intended as an interdisciplinary stimulus for the brainstorming session on the 1st day of the PRIME general meeting in Karlstad.

    How can PETs be legally used with data retention policies?

    The questions in this paragraph are mostly for the legal discipline. How will the data retention directive be transformed into national laws in the European Union? Various possible flavours are imaginable. The duty to record whatever is there (if it isn’t there, then there is no recording) would be an approach that favours PET deployment. A ban of using PET in service providers might introduce vast difficulties on the future of PET systems altogether. Some questions arising for legal analysis:
    • Does the data retention directive’s wording allow for a ban of PETs?
    • Does the sector of ‘telecommunications’ being regulated by the data retention directive possibly leave room for legal definition of PETs and PRIME as information systems that are clearly outside of the telecommunication to be stored with retention systems?
    • Is there any way the directive could be interpreted to illegalize personal use or the offering of services to others by non-telecommunications people through PET technologies?
    • How would national implementations of the data retention directive have to be constructed to allow PETs and enable users & providers to intentionally operate them legally?
    • Who will be held liable if, for example, crucial business secrets (e.g. pharmaceutical patents) will be wasted due to abuse of data that has been kept under retention?

    Are PETs a solution to ease telecommunication providers’ business in the age of data retention?

    The first thing that should be done upon implementation of data retention is a personal, vast financial investment in mass storage and database vendor stock. Every single node of any kind of communications network will require hard disks, hard disks, hard disks, and a searchable index of them.
    Next, when the true financial dimensions of data retention implementation will hit telecommunication providers, solutions to minimize data collection and handling will be sought after by the market. Many of today’s implementations of wiretapping leave the cost of digging through a call-connection database with the telecommunications company. If the company is big enough, there will be a big database to search through for a particular authority’s request. Enter Oracle “power units”. The cost of the extra power of the data base to satisfy the police’s requests can be enormous. ISDN wiretapping in Germany requires each provider to install a government-certified crypto box on a dedicated line, connected to a data base for searching. The box, the data base, and the technician for 24/7 availability of the wiretapping line are paid for by the Telco.
    Let’s jump into the future now. Say, into the year 2011. Hard disks and data base indexes with all telco providers for voice, mobile, data, DSL etc. have filled up with 3 years worth of communication data. A case will be taken into court with retention data that will date back into the year 2008. Some data base at some telco will have to produce 3-year-old data in a way that satisfies several conditions:
    • It shall be unaltered, and original.
    • It shall have been kept absolutely confidential over 3 years
    • It shall be released only to authorized parties
    • It shall have warning mechanisms that will enable data abuse detection
    • The data shall not be usable for any other purpose than investigation and proof in court.
    With today’s security technology, I imagine ALL retention data being electronically signed with signatures that are based on qualified certificates from accredited certificate authorities according to the EU directive on electronic signatures. Additionally, there must be encryption, key updates, access control and fraud management – on EVERY node of the data retention infrastructure. You may add smartcard vendor stock to your portfolio at this time.
    To avoid unproductive power units, large and secure hard disks, security audits and other cost factors upon the telecommunications business … why not deploy PRIME technology to minimize the amount of data that needs handling according to the retention directive? There could be a win-win situation for telcos.
    I like to think data retention will be one of the major innovative tools for law enforcement and the European legal system of the near future. Not because of the tens of thousands of lives that will be saved from terrorists. What will happen is that a large number of laws-in-existence that cannot be economically enforced now all of a sudden will be enforceable through data retention. Think of:
    • Prosecution of unwanted advertising calls
    • Prosecution of libel and other offense in on-line communities
    • Using mobile phone location tracks from retention data to prove that a suspect-to-corruption politician actually met with the Mafia men.
    • Prosecution of 0900 fraud with diallers and lottery fraud
    • Civil legal battles, e.g. over divorce cases and adultery, can all of a sudden access data retention data
    • Doping offence prosecution upon Tour de France doping scandals (aka Jan Ullrich’s SMS to his Spanish doctor)
    • Consumer protection law suits (imagine a laptop vendor claiming he didn’t know about a problem with the burning batteries… while retention data has all the prior complaints about them on the record)
    While some of these uses are ethically questionable, they will inevitably occur some day in the future. The consequence for data retention can be that the number of requests to find and release data from a telco’s data base could be higher than expected by several degrees of magnitude. Any claim of a few thousand people under terrorist observation will be easily exceeded by several 100,000 unwanted marketing calls per month.
    Buy Oracle stock, too, if you want.

    But… hey … policies? Access control? Authentication? Control over data release? Wait… does that sound familiar? Read on…

    Will data retention be the first widely-deployed business case for PRIME-like systems?

    If you carefully look at the bullet list above, you can imagine a trusted platform with policy-enforcing systems that manage retention data in a secure and reliable (and auditable) way. Many of the components developed in PRIME can contribute to these functions. What, if a full deployment of the PRIME privacy management system can be used to
    1. Provide secure, enforced, policy-based personal data handling to telecommunications providers that are subject to data retention?
    2. Provide Identity Management, Privacy management and data control functions to the same companies along with the retention management for the purpose of data minimization and cost-effectiveness?
    In my opinion, once data retention is in-place, it provides an unseen opportunity for PRIME technology to be deployed to all major players in telecommunications. Perhaps this is a topic for PRIME?

    Conclusion

    Concluding this discussion, it seems that data retention’s influence on PET & PRIME strongly depends on the details of its implementation into national laws. Data retention certainly will open new legal tools, and new application of existing European laws. This will lead to a new dimension in cost and procedure complexity of handling law enforcement requests at the level of telecommunications providers. The crucial question will be whether the directive’s implementation will hinder PET & PRIME or will allow for the application of PRIME technology.
    The win-win situation can be the deployment of data retention security systems based on the PRIME technology. Data retention is a prime use case of how to deploy PRIME (project) technology for the sake of privacy protection. If there should be data retention, then it should be secured at least on PRIME level. PRIME could show how to secure retention data in appropriate ways. Data retention could be a PRIME showcase – and a great PR opportunity for PRIME to fuel public debate about PET technology.

    Does your company have a patent office? A financial services department? A product management team? Then better be aware that all their activities will be on the record for months or years soon…
    and even without police forensics, chances are good that some telecommunications service personnel is in urgent-enough need of extra cash that they will sell a tape with your retention data to someone with money.

    Lothar
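
Three of the conditions listed in comment 1 (data unaltered, released only to authorised parties, warning mechanisms for abuse detection) can be sketched as a tamper-evident log. This is an added example, not part of the original comment or of PRIME; HMAC stands in for the qualified electronic signatures the comment mentions, and the class name, field names and requester ids are assumptions.

```python
import hashlib
import hmac
import json

GENESIS = "0" * 64  # chain anchor for the first entry


class RetentionLog:
    """Append-only, HMAC-chained log of retained records and release attempts."""

    def __init__(self, key, authorised):
        self._key = key                # assumption: stand-in for a signing key kept off-host
        self._authorised = authorised  # hypothetical ids of parties allowed to request data
        self.entries = []

    def _tag(self, prev, body):
        msg = prev.encode() + json.dumps(body, sort_keys=True).encode()
        return hmac.new(self._key, msg, hashlib.sha256).hexdigest()

    def _append(self, body):
        prev = self.entries[-1]["tag"] if self.entries else GENESIS
        self.entries.append({"body": body, "prev": prev, "tag": self._tag(prev, body)})

    def retain(self, record):
        self._append({"type": "record", "data": record})

    def release(self, requester, subscriber):
        """Return matching records; every attempt, granted or denied, is logged."""
        granted = requester in self._authorised
        self._append({"type": "release", "requester": requester,
                      "subscriber": subscriber, "granted": granted})
        if not granted:
            return []
        return [e["body"]["data"] for e in self.entries
                if e["body"]["type"] == "record"
                and e["body"]["data"].get("subscriber") == subscriber]

    def verify(self):
        """Index of the first altered, reordered or mid-chain-deleted entry, else -1."""
        prev = GENESIS
        for i, e in enumerate(self.entries):
            ok = e["prev"] == prev and hmac.compare_digest(
                e["tag"], self._tag(prev, e["body"]))
            if not ok:
                return i
            prev = e["tag"]
        return -1

    def denied_attempts(self):
        """Release requests that were refused: the raw material for abuse alerts."""
        return [e["body"] for e in self.entries
                if e["body"]["type"] == "release" and not e["body"]["granted"]]
```

The chain cannot show that entries were cut off the end, so the latest tag has to be anchored somewhere the log host cannot rewrite. A key stored on the same disk as the log is copied along with the data in any full forensic image.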

  2. If they do image the whole hard disk how does this affect the NGOs who directly / indirectly hold privileged information on their machines?

    For instance a law firm has a legal duty of care to protect correspondence between them and a client…

    They would be unable to call in a law enforcement agency with anything to do with their computers. Further if one of their machines was stolen then as a victim of the crime under this policy the Police on recovering the machine’s hard drive from the criminals or others image the drive…

    Likewise your local Citizens Advice Bureau (CAB) who word process stuff for people who cannot afford legal representation would be likewise at risk.

    The implication for people with legally privileged information is either do not use ICT equipment with storage, or use very strong crypto etc. Either option is going to be very very expensive to put into practice.

  3. The issue of privileged material (and also special procedure material, which can include journalistic material that is being held in confidence) remains somewhat vague in practice albeit notionally clearly described in PACE.

    The ACPO manual on computer evidence sets out the basic approach fairly baldly: “Once seized the items must be separated or identified as soon as practicable. Any item found for which there is no power to have seized it must be returned as soon as reasonably practicable as would items found of legal privilege, excluded and special procedure material if there is no power to retain it.”

    Some further clues may be garnered from New Zealand (Director of the Serious Fraud Office v A Firm of Solicitors). See also this commentary for more lay-friendly explanations of this.

  4. The former UK National High Tech Crime Unit’s Confidentiality Charter sought to reassure businesses that only the minimum necessary disruption would be caused, when investigating a computer based crime.

    However, since they have been subsumed into the secretive Serious Organised Crime Agency, this document, and presumably the policy it outlined, has vanished.

    What about the proposed European Evidence Warrant within the European Union?

    How about Mutual Legal Assistance Treaty cases such as the Indymedia server seizure affair in 2004?

  5. A clever cracker might stage + report an attack as a way of getting bulk data copied to somewhere relatively insecure, from where it can be attacked.

    If imaged data is relevant to a court case – or on the same system as relevant data – presumably copies will be made available to the prosecution and defense. How secure is this?

    If you control confidential data, it may be best to assume that it will be imaged by the police at some future time, and implement strong encryption now.

  6. There are a number of reasons why businesses are reluctant to involve the police, generally and specifically to High-Tech Crime Units, in their affairs and it generally doesn’t involve confidentiality between the police and the business.

    In no particular order:

    Actually getting help: HTCUs are too busy dealing with matters of greater concern to their management chain (and, to a considerable extent of society as a whole) – terrorism, paedophiles, drugs, terrorism, paedophiles, murder, terrorism, etc – to spend much time on economic crime. Certainly, their forensics specialists are, even if you can get a few minutes of a DC’s time (beer helps here :).

    Timeliness: police investigation (where life is not deemed to be at risk) and criminal prosecution (especially for fraud) are very slow – and I am an advocate for keeping the protections of English / British common law, not weakening them further. Businesses want things fixed now and the systems back up (rather than languishing in a police evidence store.) If a fraudulent employee doesn’t get prosecuted, at least they get the sack (most of the time).

    Publicity: criminal prosecutions (quite rightly) are normally open to public and press. The mere fact of having employed a criminal is often detrimental to business’s reputation, never mind what is said in evidence regarding their systems and processes. This, in particular the lack of control, scares business execs.

    There may be more. To be fair to the police, with SOCA e-Crime and the SCDEA, rather than NHTCU and NHTCU(S), there is an increasing and welcome emphasis on providing resource to support economic and online crime-fighting.

    To respond specifically to giafly’s comment about strong encryption: if you are looking for police assistance in an investigation, they will ask you to decrypt it, honest. And, of course, RIPA Part III may soon apply anyway if you are the target of the investigation 🙁 (or the victim, or either’s ISP, or collaterally involved in any way, shape or form.)

    S-E
