Where's the case for data retention?

Google’s CEO Eric Schmidt announced today that he thinks the greatest danger to people’s privacy is not from leaks of people’s data, as happened earlier this week to AOL users, but rather from government snooping.

“I have always worried the query stream is a fertile ground for governments to snoop on the people.”

This is a very valid argument and it has to be said that it is definitely in Google’s best economic interest to ensure that no-one can access their massive databases of saved searches. The same cannot be said for Irish ISPs and telcos who are being tasked with keeping three years of log files on all their customers. There is almost no incentive for them to secure this data – it is nothing but a dead cost for them and one they wish would go away. This data will more than likely be leaked and sold time and time again by everyone from crooked Gardaí (the Irish police) to minimum wage call centre employees.

Having said that, no lock is uncrackable, and if someone wants to get at Google’s databases badly enough, they will find a way. The easiest way to thwart this is not to retain the data!

4 thoughts on “Where's the case for data retention?”

  1. Asking the government to look after your privacy is like asking a peeping Tom (no pun intended) to install your window blinds.

  2. “There is almost no incentive for them to secure this data”

    Besides the fact that before a law has even been drafted it’s already subject to the European Privacy Directive. Any legislation around data retention is going to have a security component, it’ll have penalties to ensure compliance, and even if it didn’t you can still sue people for privacy breaches. Litigation is a great reason to do a lot of things.

    “Having said that, no lock is uncrackable, and if someone wants to get at Google’s databases badly enough, they will find a way. The easiest way to thwart this is not to retain the data!”

    And the same can be said about financial records, medical records, and any other collection of information which might have to be referred to at any time. There are many technical solutions to these problems and while no lock is unbreakable some are significantly harder to break than others.

    The solution you’re proposing is one of killing the patient instead of administering a treatment.

  3. “Litigation is a great reason to do a lot of things.”

    Sure Mark, in an ideal world. Remind me again how many of those civil servants who sold Dolores McNamara’s personal details to the tabloids were ever sued? Or, for that matter, where’s the case against the Department of Social and Family Affairs for the same breaches? This is one of the country’s richest women, remember.

    “while no lock is unbreakable some are significantly harder to break than others.”

    True, but it is also true that the more info that is in the database the more attractive it is to crack. Yet another reason why the government’s three-year data retention policy is very dangerous.

  4. And as the country’s richest women she had the resources to prosecute whatever case she felt was appropriate. She didn’t, and probably because the government came to some arrangement but that’s speculative.

    There are numerous safeguards an organisation can employ to prevent information being disclosed, both procedural and technological. The government had a procedural failure as, if I recall, they knew how many people had accessed that information and how often they had looked.

    “True but it is also true that the more info that is in the database the more attractive it is to crack.”

    It can be attractive, but if it’s encrypted then it can become not viable. You can measure the amount of time it would take to decrypt a 256-bit AES-encrypted database in centuries, so instead you’d have to acquire the key, and like any other secret there are ways of making acquiring such a thing ridiculously hard, as they can be generated, deployed, and managed without an administrator or corporate officer ever seeing one.

    If someone is worried about how secure their ISP/telco retained information is then they should find out how secure that data is from their vendor. If they don’t like the answer then they should change vendors.

    Data Retention has been a reality in other industries for years, it’s a business issue and companies who don’t address it correctly are going to find themselves in court. If Ireland tacks on breach notification to our implementation of the legislation then you’re going to see an awful lot of organisations take a very public whipping.
