Data Retention, Again

I suppose pages and pages are yet to be written concerning this. Expanding telecommunications data retention periods is a well meaning, but ultimately pointless idea that re-surfaces periodically, and that has now (predictably) followed the 7th's gruesome events.

Allow me to point out a few obvious facts:

  • There is no assurance evildoers will use technology in the first place.
  • Making this a public initiative at the EU level has probably made it 100% sure that they will not do so. These people are fanatics, not idiots.
  • Even if they used technology, there is ample leeway for fudging identities, locations, addresses, etc. Whoever believes otherwise has never signed up for Hotmail, gotten a free GSM prepaid card as part of a promotion, etc.
  • Storing anything beyond a weeks's worth of records will probably bankrupt your average margin-to-the-bone ISP.
  • Six month's worth of data (even if it's only call records or e-mail logs) translates into a humungous amount of data that will take ages to search. It will also make it nearly impossible to correlate events.

But I still think the first point is the most obvious one - there is nothing to prevent people from planning things months (maybe years) in advance, resorting to the age old way of swapping a few innocuous sentences inside plain old (paper) envelopes.

Somehow, I don't see law enforcement being able to intercept all of those, or being able to discern hidden meanings in colloquial Farsi or Urdu (assuming, of course, that these people don't use some other means of communication).

But I digress. Anyone who proposes this sort of legislation should read Schneier's books and essays, and learn to consider security in terms of trade-offs.

That's real security thinking. This will merely translate into a lot of wasted money and a feeling of false security.

And, of course, it will escalate the first time it fails.

See Also: