What:  Meeting about Traffic Data Retention (TDR)
When:  29th of May, 2003.
Where: Dept. of Justice, Stephen's Green
Who:   Andrew Barnes (SAGE-IE)
       Adrian Colley (SAGE-IE)
       Donal Cunningham (SAGE-IE)
       Paul Murray (DJELR)
       Therese Molyneux (DJELR)
Why:   To discuss the technical issues relating to TDR

The DJELR personnel opened the meeting by explaining that they work for the Criminal Law Division of the DJELR, and that their Division would not have regular and well-established contacts with the Garda Siochana, unlike other sections within the DJELR.

DJELR mentioned some of the groups with whom they had already met. DJELR noted that telcos are easier to meet than ISPs. DJELR has existing ISP contacts through the Internet Advisory Group for Internet abuse matters. It was suggested that the ISP Association of Ireland (ISPAI) may be helpful in this regard.

DJELR said that the message that seemed to be coming through from these meetings was that while *full* Traffic Data Retention (TDR) was technically possible, it was not feasible to implement. Smaller ISPs had claimed that the costs of implementation would eliminate their profit margins, and that they would not be able to stay in business as a result. It was agreed that no-one wanted to damage competitiveness in either the ISP or telco markets.

SAGE-IE brought up the issue of how a "public communications provider" is defined, in particular the case where a home user with a broadband connection shares out bandwidth using a wireless ("Wifi") network in their neighbourhood. DJELR said that they accepted that the future of internet provision was broadband.

As the introduction of similar legislation in the UK led to outcry over the expansion of the list of "authorised bodies", SAGE-IE was concerned that any list of "public communication providers" could be expanded (or the definition altered) to suit some future political need.

There is already a limited TDR requirement under other legislation (Revenue investigations, banking, etc.). Mention was made of the lack of information (under the current legislation) on:

- How many applications are made for traffic data?
- How many applications are refused?
- How many cases were successfully prosecuted as a result of obtaining traffic data?
- How many cases were dropped, even *with* traffic data?

In particular, no information seems to be available on the periods of time which passed between a crime being committed and an application being made for traffic data in relation to the crime.

DJELR recognised that it would appear that email traffic data was easier and less costly to retain than web traffic data. DJELR also indicated that email is an area of interest for TDR, more so than web traffic. However, it is desirable that TDR should be able to cover future advances in technology.

SAGE-IE quantified the amount of logging information generated by:

- an email message (one or two lines)
- a SMS (text) message (several lines) and
- a web page with embedded graphics (one line per graphic).

SAGE-IE showed DJELR the U.K. Home Office's "Consultation Paper on a Code of Practice for Voluntary Retention of Communications Data", and the time periods it recommends, namely:

- 12 months for Subscriber Information
- 12 months for Telephony Data
- 6 months for SMS/EMS/MMS Data
- 6 months for Email Data
- 6 months for ISP Access Data
- 4 days for Web/Proxy Logs

SAGE-IE mentioned that if pressed for a time period, they would recommend no more than three months for email data. SAGE-IE also mentioned that they would advocate that businesses not be asked to retain more traffic data than they are currently keeping in their log files. SAGE-IE also raised the issue of setting minimum and maximum retention periods.

DJELR acknowledged that the technical issues involved were complex, and that both the complexities and the cost involved grew significantly as data retention periods increased.

DJELR thanked SAGE-IE for the TDR Symposium which SAGE-IE held in March.

SAGE-IE raised the issue of "sunset provisions" in future legislation. This sets time limits for reviews of effectiveness and possible expiry times for laws. DJELR said that this line of thought was being considered.

Both parties talked about the reliability of TDR measures. It was agreed that TDR measures will only help in prosecuting persons below a certain level of technical nous: above this level, people will use anonymising services and secure/encrypted "tunnels" to hide their activities. It was further agreed that without reliable timestamps logs would be of limited use: mention was made of technologies such as NTP which are regarded as "best practice" in the System Administration community. The relative ease of "spoofing", or forging network and email addresses was also discussed.

SAGE-IE asked how logs were to be presented:

- A large stack of tapes?
- EBCDIC text?
- 306,000 CDs (AOL's estimate of a year's worth of traffic data in the UK)

Mention was made of some log file "standards".

The issue of cost also arose - will the Law Enforcement community help to pay for the TDR infrastructure that their alleged needs will mandate, as in the UK?

The issue of Data Preservation ("We have applied for an order under law X and expect to receive it. Please start to preserve data until the ruling on the order is made") was discussed.

Single Points Of Contact (SPOCs) for the Law Enforcement bodies were regarded as essential. However, this can be difficult to maintain as staff are moved between different departments. Lines of escalation were also discussed.

As the meeting drew to a close, the issue of auditing was raised. When would figures relating to requests made under the proposed legislation be published?
Could such publication be made mandatory?

DJELR suggested that the supervisor for interception requests could also supervise access to retained data. Any data retained through TDR will also be accessible to anyone currently authorised to make such requests, e.g. the Competition Authority (under the Competition Act, 2002).

The current phase of consultation is finishing. DJELR will initiate another phase of consultation after the summer. It is possible that the EC may publish a document that may deal, inter alia, with data retention. It is possible that some *draft* heads of a Bill may be circulated.