Telcos to tap Web surfing

E.U. anti-terrorist directive adds Web browsing to the data retention list

The European Union Directive 2006/24/EC will take data retention for telecommunications a step beyond where governments have ever gone before.

I learned of this directive by way of a press release from Hewlett-Packard announcing that its Dragon solution “leverages 30 years of experience in telecom networks and 10 years of experience in the retention of call detail records” to make it all happen.

The point of the E.U. directive is to prevent and detect major criminal activity, as defined by each member of the E.U. individually.

I suppose there is no immediate worry that this data might be misused or that mistakes might be made. Consider that one of the first countries to implement a version of the program using Dragon is that bastion of democracy, Turkey.

Essentially the directive will require E.U. members to retain CDRs (customer data records) for six months to a two years, again up to the individual country.

A CDR in the old days included data on when a call was placed, from what number to what number. Also recorded — all for billing purposes — was the duration of the call. As technology progresses it now includes unanswered calls, such as messages left on voice mail or even calls that triggered call-waiting but were not picked up. For mobile telecommunications, the E.U. directive will require location information as well.

Similarly, under the Community Assistance to Law Enforcement Act and the Patriot Act, the U.S. also requires its carriers to retain CDRs for all of the above as well as VoIP calls.

The goal, according to John Pescatore, senior vice president at Gartner and a former member of the FBI and NSA, is to monitor communications. However, a net cannot be thrown over all the data allowing law enforcement agencies to fish for suspicious patterns. Agencies must have a specific caller/criminal in mind and then use the retained data on that person to look for patterns in his or her communications activities.

Of course, the net can get pretty wide, Pescatore says. If you have someone in mind and you monitor that person’s incoming and outgoing calls, say from 25 callers, then you can take it to the next level and see who those 25 callers also called. I don’t know how far the net can be cast before the courts — if the courts are asked — say you can’t go there.

Where the E.U. directive takes an additional step is in monitoring all IP traffic. That includes SMS (short message service) and MMS (multimedia message service) messaging and Web browsing. European telcos will be required to retain the IP address, as well as when a user logged on and logged off every site. All the information apart from the content will be retained.

My first question is, Is Web browsing really a form of communication? It is now.

Another question one might ask is, Do universities fall under the law for data retention as if they were a telco, assuming they provide students with VoIP services on campus? That could get quite expensive for the university.

Certainly, HP has got a good business going on here. Nigel Upton, the Dragon general manager, told me in a trial HP helped a telco in Italy retain more than 450 million CDRs per day. If stored for 12 months that comes to 35TB of data. The Dragon system runs from $1 million to $5 million, depending on the size of the market.

“It is a $1 billion market in Europe just for the telephony piece,” Upton said.

Can the system be misused? Pescatore says his biggest worry is that some politically motivated but authorized entity will decide to use this against its enemies.

“How to prevent it being used for political purposes is the problem,” Pescatore told me.

Is the next step data retention of the actual content of calls? Barring another major terrorist attack, Pescatore doubts it. Well, that’s a load off my mind.

Notice that the question of content is irrelevant when it comes to Web browsing because to have the URL is to know the content.

For me, a person who enjoys and admires technology, all of this lacks one key component. Yes, technology is extremely powerful and can do almost anything you want it to do. However, it is without a conscience. It is up to users of technology to add that one missing ingredient.