Data retention question

Fri Jul 25 10:46:44 BST 2014

James
On the question of what might be lost, a long time ago LINX consulted Elizabeth France (yes, *that* long ago) and concluded that "necessary for security" probably covered retention of all logs for roughly six months. Since Janet is a private network, not covered by either set of Data Retention laws (nor ATCSA) we've continued to recommend that retention period to universities and colleges, and it still feels about right. Sadly the time to detect security incidents hasn't improved much (see, the Verizon DBIR, for example). LINX still publish that recommendation as their Traceability BCP, though I've long had a suspicion that we were the only ones still using it!

Other business processes in commercial telcos/ISPs may provide a DPA justification for keeping (some) logs for longer than six months, but I don't know whether they'd extend to the full period covered by the Data Retention Regs. Since ATCSA was phrased as a new DPA justification, I suspect that someone back then thought not. So I'd expect the same logs to be retained without the Regs, but maybe not for as long?

Cheers
Andrew

--
Andrew Cormack
Chief Regulatory Adviser, Janet
t: +44 1235 822302
b: https://community.ja.net/blogs/regulatory-developments
Janet(UK) is a trading name of Jisc Collections and Janet Limited, a not-for-profit company which is
registered in England under No.2881024 and whose Registered Office is at Lumen House, Library
Avenue, Harwell Oxford, Didcot, Oxfordshire, OX11 0SG. VAT No. 614944238

> -----Original Message-----
> From: ukcrypto-bounces at chiark.greenend.org.uk [mailto:ukcrypto-
> bounces at chiark.greenend.org.uk] On Behalf Of AO Forum Email
> Sent: 21 July 2014 09:12
> To: 'UK Cryptography Policy Discussion Group'
> Subject: RE: Data retention question
> 
> I don't know if anyone caught my blog on the subject but I noticed that
> DRIP
> was notified to Europe last week under the Authorisation Directive,
> since it
> constitutes a technical measure that will affect cross-border supply of
> telecommunications services.
> 
> http://www.sroc.eu/2014/07/emergency-data-retention-legislation.html
> 
> This is interesting because in practice the EC Trade and Industry body
> is
> being asked to rubber-stamp legislation that replaces EU legislation
> that
> the ECtHR has struck down.
> 
> The timetable will be interesting. Usually it's a 3-month notification
> period to allow interested parties to comment (and other member states
> to
> raise objections) but some discussion on Twitter indicated an
> "emergency"
> timetable is allowed under Article 9 ss7 of the Authorisation Directive
> (98/34/EC):
> http://eur-
> lex.europa.eu/LexUriServ/LexUriServ.do?uri=OJ:L:1998:204:0037:004
> 8:EN:PDF
> 
> It will be interesting to see if this leads to a stand-off with govt
> and UK
> politicians claiming Europe is blocking emergency laws needed to tackle
> terrorists.
> 
> In fact it will be interesting to see whether the UK government claims
> this
> law is active or not once Royal Assent has been granted. Maybe the 3-
> month
> notification window is why Government decided to rush it through before
> summer recess?
> 
> Also I would be interested to know how much capability would be lost if
> DRIP
> stalled. TSPs could lose some extraneous data but one assumes billing
> data
> and many email logs etc would be retained.
> 
> And retained, "legitimately", under DPA, claiming necessary for e.g.
> security (who accessed my account and when), spam filter tuning,
> billing
> records, etc - plus all the location data Application Service Providers
> like
> to keep to tune their targeted advertising profiles, etc.
> 
> But my suspicion is the vast bulk of data requested by police forces
> would
> remain available. Who texted whom, etc.
> 
> James Firth
> 
> 
> > -----Original Message-----
> > From: ukcrypto-bounces at chiark.greenend.org.uk [mailto:ukcrypto-
> > bounces at chiark.greenend.org.uk] On Behalf Of Mary Hawking
> > Sent: 19 July 2014 8:30 PM
> > To: 'UK Cryptography Policy Discussion Group'
> > Subject: RE: Data retention question
> >
> > Is that (conspiracy theory) the reason they were not given any
> opportunity
> > for scrutiny?
> >
> > Mary Hawking
> > Retired from NHS on 31.3.13 because of the Health and Social Care Act
> 2012
> > "thinking - independent thinking - is to humans as swimming is to
> cats: we
> > can do it if we really have to."  Mark Earles on Radio 4
> > blog http://maryhawking.wordpress.com/ And Fred!
> > http://primaryhealthinfo.wordpress.com/2013/11/02/freds-saying-you-
> just-
> > dont
> > -get-it/
> >
> > -----Original Message-----
> > From: Peter Fairbrother [mailto:zenadsl6186 at zen.co.uk]
> > Sent: 18 July 2014 23:14
> > To: UK Cryptography Policy Discussion Group
> > Subject: Re: Data retention question
> >
> > On 18/07/14 17:18, Brian Morrison wrote:
> >
> > > This time 450+ MPs appear to have not noticed that the new
> legislation
> > > makes the blanket data retention aspects even worse and hence the
> ECJ
> > > objection to its predecessor is quite unchanged.
> >
> > I don't think that's the case - while it does nothing to make the
> > blanket collection regime better, it doesn't seem to me to make it
> any
> > worse.
> >
> >
> >
> > What the MPs apparently did fail to notice was that the Bill was in
> two
> > unrelated parts: though the first clue was in the name, the Data
> > Retention and Investigatory Powers bill.
> >
> >
> > The Data Retention bit, sections 1 and 2, while wrong-headed and the
> > wrong way to do it, and not complying with the ECtJ decision, and
> mostly
> > caused by their previous inaction, was in fact a real possible
> emergency.
> >
> > "Paedophiles and terrorists will walk free if you vote this down" - I
> > can't say I can actually disagree with that.
> >
> >
> >
> > The Investigatory Powers part (sections 3-5), on the other hand, was
> no
> > emergency.
> >
> > More important, and I don't care how much Teresa May doublespeaks
> > otherwise, it also begins to implement the measures in the Comms bill
> > which was rejected a couple years ago.
> >
> >
> >
> > They didn't see the latter, didn't care, or were complicit. But
> anyone
> > who believed it had nothing to do with the comms bill got screwed.
> >
> >
> >
> > -- Peter Fairbrother
> >
> >
> >
> >
> > > Or did the whips
> > > blackmail them all by referring to their character notes?
> > >
> >
> >
> >
> >
> >
> 
> 