Grokking data retention

by Suw on August 14, 2005

I can't quite believe that it's 1.30am and I'm sitting here reading up on data retention and the new directive/framework being proposed by the UK for Europe. It's really ugly stuff, and I'll blog more on it once I've got my head round it.
What amazes me – in a way, although also not – is that one can go through life quite unaware of the crap that goes on. Quite blissfully unaware. Then you start to think a bit harder about what's happening, and it's like picking the scab off a wound, only to find out that it's deeper and more badly infected that you had originally thought. Suddenly, you not only feel compelled to pick off the rest of the scab, but you also start to have visions of scalpels and maggots.
I've had an interest in digital rights for a while now, but with the birth of our new digital rights organisation, I am doing much more research into what's going on in the UK and Europe, and it's not pretty. Our civil rights are being eroded away from under our noses, and yet there's hardly a mention of it in the press. Everyone has learnt to call people who download music as 'pirates', even though the real pirates are the ones that run their own pressing plants in Asia and produce millions of fake CDs and DVDs. But only a tiny minority of people are aware that our right to privacy, to freedom of expression and association, our civil and human rights, are being attacked by the very people who should be protecting them.
We're working pretty hard at the moment, in between such minor things as earning a living, to get our digital rights organisation into a position where we can launch when the pledge matures, and the more I look at what's going on the more eager I become to start taking action, to do something about the abuses visited upon our rights by our government, by the European Union, and by big business. Just let me at 'em.
, ,

Anonymous August 14, 2005 at 5:37 am

Is data retention even posible?
For example: Validation is a big problem.
How can independently be proven that any of the data is even true? How are mistakes cleaned up? Are we assuming that there will never be any bit-flip in so much data? How do we know when untrue data is added or true data changed? Where are the checks and balances? Is it technological even posible to be done right?
Even if it could be done, which I doubt very much, I am reminded of what my parents told me: “Just because you can, does not mean you may or should.”
This is true in the case of data retention: We are asked to trust that this, and every future government, will never abuse this information or treat it carelessly. Do we trust every future government?
Our Intellectual Freedom (IF) is at stake if we proceed on this road without first having answered these questions.

Anonymous August 14, 2005 at 7:27 am

The first problem is the government that makes the rules. This is because the prime directive of every government — every government — is to perpetuate and extend itself. Therefore when there are opportunities (like 11 September, or 07 July) then government rolls out ways to capture and retain more data … in the name off national security most likely. But then it has perpetuated and extended itself into keeping track of more and more of the populace as its 'regular function'.
The second problem is the private sector. Once data accumulation and retention techonolgy is available, private companies put the technology to use. They are also sometimes aided by things like September 11 and 7 July. In the wake of the World Trade Center disaster one of the big data collection and mining companies in the US suggested to the government that they do a project on facial recognition from airport cameras, got the contract, and funded themselves to becoming THE biggest data collection and mining source … ChoicePoint.
But once data exists in these huge, minable databases, the data seems to get stolen, lost, or simply misused. Then millions of people are at risk of all kinds of harm. And how did it happen … because the techology was there and the government allowed and maybe encouraged it.
In Sweden they used to have a Data Privacy Commission that would visit companies to audit and make sure each company was only keeping on people the data that was necessary to keep, and that it was being kept safely without excessive risk of loss or misuse.
In other countries there may be more of a laissez faire approach, that anyone in the private sector ought to be able to collect and keep whatever they want, and sell it to whomever they want. (Wouldn't you like to see the client list that Google sell to! Government intelligence agencies, foreign governments, and the like included.)
The question is what to do about it … allow anyone and everyone to freely accumulate, mine, and sell whatever data they wish … or follow the old Swedish plan and restrict it severely. It is a thorny question, and a dialog that will be continuing for years. Good for you, Suw, for being in the middle of it at the leading edge of the issues. Have you considered having an advert agency join the cause and prepare a marketing campaign to help raise money?

Anonymous August 14, 2005 at 8:29 am

One of the problems with this stuff is explaining it to uninterested people in terms they can understand so it's not just us who are freaked out about it. This is a problem I have with Lessig's approach of talking about remixing. It's just too subtle compared with “pirate”. We need the sound bite because the opposition are sound bite masters.
Nothing to do with data retention, but I've been explaining the EFF fight in terms of VCR time shifting and skipping past the adverts. This is something that *everyone* sees as a basic right because everyone has done it even if their VCR still blinks 12:00. Now explain that their next VCR works just like their current one except that one day it refuses to record Lost or 24 or ER. Or when they do record it, it refuses to skip the ads. Or the quality is really bad until they spend another 1000 quid on a new plasma screen. Or the CD they buy won't work in the car. Or the music they thought they bought is dead because they upgraded to a new laptop or the supplier went out of business. And on and on.
In terms of data retention, we need to fight with real world examples that people can relate to. Otherwise you get the sort of response that says “I wouldn't mind having an ID card, I've already got 4 in my wallet, what's one more? The government already knows everything about me, what's the problem? If it's going to stop bombings on the subway/immigrants taking my job/ID theft/benefit scroungers/teenage drunkenness/hoody hooligans/Chavs I'm all for it”.

Anonymous August 14, 2005 at 8:58 am

You're right, validation is a huge issue. But even if we could answer satisfactorily all those questions, I do not believe that we should walk the data retention path. It's open to too many abuses. But great questions that you've brought up there. Thanks!

Anonymous August 14, 2005 at 9:06 am

Thanks for the comment – some great points also.
We aren't at the moment talking to any advertising agencies or similar, but we do have a couple of people we are talking to, whom we hope will accept either board or advisory positions who are very experienced with fundraising. We also have a number of people involved already who are pretty good at gathering publicity, but if there are any marketing gurus out there who want to volunteer, then I'd love to hear from them.

Anonymous August 14, 2005 at 9:16 am

The EDRI have done a lot of coverage on data retention, part of the problem seems to be EDRI-Gram doesn't get a big enough readership. Not by people in the UK at least it seems. Maybe it's the Euro-centricity? People feel they don't have time to read about what's going on in Norway or Finland. I think the EDRI are really getting it right on the data retention issue though. Maybe it's not that nobody reads about these things, but there just isn't the same sort of reaction on the “blogosphere” as there is for American legislation. For exampe, look at all of Edward Felten's writings on the INDUCE act, other than software patents which come close, I can't think of any piece of EU or UK legislation that's had a similarly large reaction (but you could argue easily I'm sure, and I'm probably not thinking of some things). I suppose I'm talking about quality here too. The heartening thing is Edward Felten is just one guy, look at the resources one person can create, the discussion and debate that can be induced (hah, what a pun). Obviously the EFF's campaign played a big part, I just found Edward Felten's coverage very impressive.
Getting back to data retention, the EDRi seems to be getting it right with a wiki and the petition. They've also got a mailing list (haven't signed up an can't see how active it is because the archives are for members only). The UK digital rights organisation is much needed, this is an exciting time for digital rights in the UK.

Anonymous August 14, 2005 at 9:25 am

As much as I hate to reply to myself, I felt like linking to this petition count showing how much can be achieved. The Netherlands can get 7657 signatures compared to the UK's 415. That's over 18 times more, and their population is less than a third of ours, and the ratio of population to signatures is probably even more impressive with Finland.

Anonymous August 14, 2005 at 9:32 am

Yes, EDRI is certainly doing a good job, but I agree that there's not enough talk in the UK blogosphere or press about these issues. It's something that really needs addressing.
My view is that with issues like this the blogosphere relies heavily on information provided by the press and organisations such as the EFF (either agreeing with it or pushing back on it because it's wrong). Now, of course, we don't have an EFF which is why we are setting up this new organisation, and I hope we'll be able to provide the facts in a way that people will be able to understand – people won't blog about stuff if they don't get it.

Anonymous August 14, 2005 at 9:37 am

Julian, I couldn't agree more. That's why I'm spending some time trying to get my head round the ramifications of data retention, not just so that I can explain what's wrong with the proposals, but also how it would affect individuals such as ourselves.
I've years of experience of translating from various dialects of geek into English, starting with turning eprom input/output tables into user manuals when I was a teenager. Finding ways to explain this stuff clearly is right at the top of my agenda.

Anonymous August 14, 2005 at 11:10 am

Here's a thought, which links rather neatly to your post on being an employee : What rights have you as an employee, when your company is running spyware in the workplace? By this I mean keyloggers, retention of email, remote control applications etc? Shouldn't you, as an employee, have a right to see what they are logging? For example, suppose you log into your bank account via your work internet connection, because you've had a last-minute call about something and need to transfer some money. This means your company now has a copy of your passwords, and someone could then use that password. What rights would you have in this case?

Anonymous August 14, 2005 at 11:17 am

Good questions, which I currenlty can't answer.
But you see what I mean about the maggots appearing, don't you?

Anonymous August 14, 2005 at 9:28 pm

Suw wrote:> “… we do have a couple of people we are talking to…”
I'd suggest as a guide for these people, Seth Godine's latest book called “All Marketers Are Liars”. His thesis is that great marketing needs to do certain things:
First, isolate what is the 'story' to be put forth. A story is a message that people choose to believe, and so choose because they think it will make them feel better to believe it.
Second, identify the target market to whom the story is to be put to. The thing required of the target folk is that they have a way of thinking already that includes a 'frame' that will accept the story. If they don't already have such a frame, if the story doesn't resonate with something they already believe, then they simply won't pay much attention to the story and certainly won't move on to step three.
Third, in the most successful marketing, the story is of such a nature that when it is hooked into a frame of reference in the targeted population, many of those will not only choose to accept and keep telling themselves the story, they will also SPREAD the story to others. It is this second iteration of the delivery of the message or story that is the most important for the success of the marketing effort, because the people who do the spreading are opinion leaders talking to friends who do not necessarily have the same pre-existing frame of reference to hang the story on. But as opinion leaders, they can CHANGE the thinking of their friends they repeat the story to, a task which the original organization could NOT do with the friends in the second iteration, and could not even do with the opinion leaders in the first iteration.
So if you analyse what the RIAA say about pirates and etc., you can see that they already have selected their story, their target market for the first generation, and they have identified what frame of reference must be present in the first iteration recipients in order for them to buy the story and keep telling it to themselves and then to their friends.
Again, this is a serious recommendation: Give earnest study to Seth Godine's book. It contains the sort of tools that can infuse ordinary ideas with dynamite power.

Anonymous August 14, 2005 at 10:16 pm

Well, Seth's really good at communicating concepts like Lakovian frames, positioning and messaging, but that's all just basic marketing 101.
But whilst we're talking about books, that reminds me. I really must re-read Rules for Radicals by Saul Alinsky. And a mate of mine just sent me Nonzero by Robert Wright, which should be interesting. Gah, too many books, too little time.

Anonymous August 15, 2005 at 1:56 am

You do have a right to see data collected about you, under the Data Protection Act. And email, IM conversations, and Web access come under the Interception of Communications, which has fairly tight rules about what your employer can do:
IANAL, but in a nutshell, they can really only monitor what's necessary to run their systems (and to prevent crime, etc), or what you've freely consented to have recorded.
Redress is another matter, of course.

Anonymous August 15, 2005 at 2:28 pm

One of the really badly communicated things, in my opinion, is that the traditional police state measures as surveilance, data collection, the data retention ideas you refer to, can't and won't work on the current and future internet, if somebody wants to trap information, which the 'bad guys' want to keep secret.
The fact remains that there are widely available military stregth ciphers, anonimizing technologies, various p2p tools, should I continue counting, which make it virtually impossible to gather intelligence grade information in operational time.
Ask yourself the question, why hasn't the agencies, at least it is not known publicly, tracked down any script kiddie controlling his zombies via botnet? Why all virus writers who were apprehended, were caught, because someone grassed them to the old bill, or their duch colleagues?
IMO, it is good that technology has already made futile the intelligence measures proposed. With risk of being seen as a conspiracy theory geek, I would just ask – what is it which drives the propositions like the data retention. Is it incompetece? Is it the “Let us be seen doing something” mentality? Is it a genuine will for going towards a police society? Is it naivety?
Maybe salad of those and more. It is a pity, that things like that need be even discussed.

Anonymous August 16, 2005 at 8:26 am

The silly bit is that data retention is of minimal use to track criminals, terrorists and similar. There are military stregth encryption technologies as well anonymiser tools freely available and accessible. Just think how hard it would be track who is who on botnet.
This leaves the wiff of conspiracy theories – like why do they want to watch us. Who is going to benefit from that, how much is it going to really cost us. Not only as government spending but ISP or company resources as well.

Comments on this entry are closed.

Previous post:

Next post: