
The old adage says that when America sneezes, Europe catches the cold. How true! In the wake of the 9/11 terrorist attacks, America went hysterical and overreacted by enacting the USA Patriot Act of 2001. Europe, always eager to emulate America’s silliest mistakes within a delay of a few years, adopted the European Data Retention Directive (2006/24/EC). Of course, this directive is currently being turned into national laws by barely resisting parliaments… and there is nothing we can do to stop this Orwellian madness, because even the staunchest champions of civil liberties, once in a position of power, are slowly caving in to the tremendous pro-surveillance pressure.

One tragic but perfect illustration of how Nineteen Eighty-Four is rearing its ugly head even in the most adverse conditions is the case of Germany’s current Federal Justice Minister Sabine Leutheusser-Schnarrenberger (FDP), a recognized and respected civil rights advocate, and definitely not a member of the Big Brother Brigade.

Who is Sabine Leutheusser-Schnarrenberger?

Born in 1951, Sabine Leutheusser-Schnarrenberger is a German lawyer and politician. After completing her studies, she worked for the German Patent Office in Munich from 1979 to 1990, which she left as a managing director. Since 1997, she has been a practicing lawyer in Munich.

Sabine Leutheusser-Schnarrenberger joined the liberal democratic party FDP in 1978, and became a member of its federal board in 1997. She has also been head of the Bavarian branch of the FDP since 2000.

Leutheusser-Schnarrenberger served as Federal Minister of Justice in the Helmut Kohl CDU/FDP coalition government starting in 1992. Unwilling to become complicit in the establishment of a general acoustic surveillance of the population (“Großer Lauschangriff” — the big listening attack), she resigned in 1996, thus deservedly turning into the iconic figurehead of the German Civil Rights movement and a staunch advocate of privacy.

Since 2009, she has been serving as Federal Minister of Justice in the Angela Merkel CDU/FDP coalition. And, once again, she is faced with the unpleasant prospect of having to implement wiretapping laws that would affect the whole population, i.e. EU directive 2006/24/EC, or hopefully, “merely” a watered down variation of it (as if even that was not bad enough!).

The FDP’s take on data retention laws

Unlike other major German political parties, the FDP was always a vocal opponent of wiretapping laws and strongly opposed the State unduly intruding into the private lives of citizens. Despite all its shortcomings, such as being a ruthless lobbying organization for a very narrow egoistic fringe of German society, and its lack of steadfastness when push comes to shove, the FDP’s role as a civil rights advocate can’t be overemphasized.

To give a glimpse of the FDP’s and Leutheusser-Schnarrenberger’s reputation w.r.t. resisting wiretapping and surveillance laws, let’s look at a foreign non-German, and therefore hopefully non-partisan, perspective. US Ambassador to Berlin Philip D. Murphy wrote in a leaked cable under the heading “Would the FDP be a reliable security partner?” just before Election Day:

8. (C) At election campaign rallies last week FDP Chairman Guido Westerwelle criticized the on-line surveillance measures contained in the BKA law and championed the FDP as the sole party committed to data privacy and protection issues. FDP parliamentarian Sabine Leutheusser-Schnarrenberger has been suggested as a possible Justice Minister in a CDU/CSU – FDP government, a job she previously held under Chancellor Helmut Kohl (CDU). Given that she resigned as Justice Minister in 1996 after failing to obtain support for her rejection of a CDU proposal to expand the state’s right to monitor private citizens, we would expect her to closely scrutinize all bilateral and U.S.-EU information sharing proposals. In particular, a FDP-led Justice Ministry could well complicate implementation of the bilateral Pruem-like agreement, prevent negotiations on a HSPD-6 terrorist screening data sharing arrangement, and raise objections to U.S.-EU information sharing initiatives.

Even though the subject of this cable isn’t quite data retention laws but the EU having to hand data of its citizens over to the US for inspection and screening, it becomes quite clear that even the US government is acknowledging the FDP’s, and in particular, Sabine Leutheusser-Schnarrenberger’s staunch anti-surveillance stance. I can hardly think of a better compliment as to her steadfastness and courage.

However, in the same cable, Murphy goes on to report an assessment of an official working at the German Ministry of Foreign Affairs that would prove prophetic just a couple of years later:

9. (C) An MFA official working in the counterterrorism office noted that one reason the FDP has been so vocal in opposing Germany’s counterterrorism legislative drafts, bilateral and U.S.-EU security initiatives is due to the fact that they are in the opposition. Pure political considerations dictate that the role of the opposition is to oppose the governing coalition’s proposals. Following this line of reasoning, were the FDP to join the CDU/CSU in a governing coalition, the responsibilities of power would perhaps convince them to take a more constructive approach to counterterrorism and security issues. Furthermore, given that the FDP would be the junior partner in the coalition, we hope that CDU/CSU leadership would ensure that German legal frameworks are adequate and that law enforcement and security officials continue our current close cooperation and robust information sharing on operational matters.

Again, they’re talking about a “close cooperation” and “robust information sharing”, not about data retention laws. But both matters are more closely related than one may think.

The First Quick Freeze Proposal

Because the German government is facing tremendous pressure from the European Commission (EC) to finally implement data retention directive 2006/24/EC, Federal Commissioner for Data Protection and Freedom of Information Peter Schaar submitted the Quick Freeze proposal in June 2010:

“Quick freeze” is a two-step procedure in order to secure telecommunications data which are necessary in the framework of criminal prosecution, in the case of copyright infringements or for averting dangers.

In the first step providers of telecommunication services are obliged not to delete certain traffic data which are more explicitly denominated in the court order, such as data of a network node from which hacker attacks were launched, or data of a certain person who is suspected of having committed a criminal offence. Within a fixed period (in the US, it is a one-month fixed period which, upon request, may be extended for a further month) the law enforcement authorities have to provide evidence that the data retained have to be transferred to them according to the legal provisions in the course of preliminary proceedings. This information requires judicial approval. If no respective court order is rendered within this delay, the data have to be erased.

Basically, if I’m understanding this proposal correctly, ISPs would be forced to record for a limited time of a few weeks data facilitating traffic analysis, such as:

  • IP to account holder mappings. This will serve to answer the question: who owned a particular dynamic IP at a certain point in time — particularly useful for enforcing copyright against file sharers, but also to determine the identity of people unwittingly connecting to government-sponsored honeynets and honeypots, and of people writing critically of the government or some mega corporations on public forums even under pseudonyms.
  • Connection data, i.e. which other computers (IP addresses) are you connecting to, and which computers are connecting to you? The obvious questions to answer here are: What are your favorite web sites? Who are the friends you’re regularly talking to via VoIP? Which kind of countries are you particularly interested in (GeoIP)?
  • Time and traffic size data, i.e. when did you connect to which computers, and how much traffic do you regularly transmit? The intended use of this is classic traffic analysis to answer questions such as: When are you most active online? Are you pulling all-nighters? Are you often using VPNs (a lot of data to a specific IP and very few connections outside this IP is a strong red flag for this kind of still perfectly legal and legitimate activity)? Are you using anonymizing software like Freenet?

Those data points would be gathered by the ISPs, and should be automatically deleted after the data retention period expires… unless they are requested by a prosecutor in case of suspected criminal activity, or by a private rights holder suspecting copyright infringement, in which case they would be “quickly frozen”, and remain saved at the ISP’s premises, until they can be subpoenaed by a judge (who would usually routinely rubberstamp such requests by the tens of thousands).

It is interesting to note that even without peeking inside the data being transmitted (i.e. it doesn’t matter if you encrypted everything with SSL or other strong end-to-end cryptographic algorithms), traffic analysis would still be possible with the data that would routinely be saved.
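To make the exposure concrete, here is an added example (not part of the original post or of either proposal) that profiles a subscriber from connection metadata alone: timestamp, destination IP and byte count, with no payload. The function name `profile`, the 90% `tunnel_share` threshold and the sample flows are assumptions constructed for illustration.

```python
from collections import Counter
from datetime import datetime

# Constructed sample flows: (timestamp, destination IP, bytes). No payload.
# Addresses come from the RFC 5737 documentation ranges.
FLOWS_A = [
    ("2011-01-20T01:10:00", "203.0.113.7", 48_000_000),
    ("2011-01-20T01:40:00", "203.0.113.7", 51_000_000),
    ("2011-01-20T01:41:00", "198.51.100.53", 4_000),
    ("2011-01-20T02:15:00", "203.0.113.7", 39_000_000),
]
FLOWS_B = [
    ("2011-01-20T19:05:00", "192.0.2.10", 900_000),
    ("2011-01-20T19:20:00", "192.0.2.44", 1_200_000),
    ("2011-01-20T19:50:00", "198.51.100.8", 700_000),
    ("2011-01-20T20:30:00", "203.0.113.99", 1_100_000),
]

def profile(flows, tunnel_share=0.9):
    """Summarise what retained connection metadata says about one subscriber."""
    if not flows:
        raise ValueError("no flow records")
    bytes_by_dst = Counter()
    conns_by_hour = Counter()
    for ts, dst, size in flows:
        bytes_by_dst[dst] += size
        conns_by_hour[datetime.fromisoformat(ts).hour] += 1
    total = sum(bytes_by_dst.values())
    top_dst, top_bytes = bytes_by_dst.most_common(1)[0]
    share = top_bytes / total
    return {
        "top_destination": top_dst,
        "top_share": round(share, 3),
        "distinct_destinations": len(bytes_by_dst),
        "busiest_hour": conns_by_hour.most_common(1)[0][0],
        # Connections between midnight and 06:00: the "all-nighter" question.
        "night_connections": sum(n for h, n in conns_by_hour.items() if h < 6),
        # Nearly all bytes to one endpoint: the VPN-like pattern from the text.
        "tunnel_like": share >= tunnel_share,
    }

if __name__ == "__main__":
    for name, flows in (("A", FLOWS_A), ("B", FLOWS_B)):
        print(name, profile(flows))
```

Encrypting the payload changes none of these fields, which is why the retention scope (which metadata is kept, and for how long) matters more than the transport security of the content.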

The Second Quick Freeze (Plus) Proposal

While Peter Schaar’s proposal was better than the extremely broad data retention directive of the European Union, it is still evil, because it stipulates that data has to be preemptively saved irrespective of any suspected criminal activity by Internet users. In fact, in his eyes, everyone is a potential law breaker and deserves to be watched closely by the traffic analysis machinery.

Peter Schaar’s Quick Freeze may not only be evil, it could very well run afoul of a verdict by the Federal Supreme Court that pronounced the data retention laws set by Leutheusser-Schnarrenberger’s predecessor Brigitte Zypries (SPD) unconstitutional.

Enter Sabine Leutheusser-Schnarrenberger’s Quick Freeze Plus proposal. The idea is the same as Peter Schaar’s version (a.k.a. “data retention light”), but with important changes, meant to be less intrusive and hoping to meet the severe criteria imposed by the Federal Supreme Court. The main points are:

  • Except for the Internet, telecommunication companies (e.g. phone companies) are not required to keep any traffic data if they don’t need them for accounting and business purposes. In other words: if a telco doesn’t save the list of phone numbers you called (when and for how long) because you’re a flatrate user, under Quick Freeze Plus, they are not required to save them either (but they could if they wished). However, some data are routinely saved for a limited time, such as mobility profiles: these logs could very well be quick-frozen.
  • Regarding the Internet, ISPs would be required to save the IP to user account mapping just as in the Peter Schaar proposal, but for 7 days only. This is the most contentious point that raises the ire of us civil rights activists.
  • But, and Sabine Leutheusser-Schnarrenberger goes to great lengths to insist on this very important restriction of her proposal, no other traffic data are to be saved. In particular, ISPs shouldn’t provide the list of websites people connect to (I assume this rules out IP-to-IP mappings in general, not just websites, but who knows?), nor should they provide information about who writes emails to whom.

So, Quick Freeze Plus is indeed less harmful to basic civil rights than Quick Freeze. But it is still less desirable than a full opposition to any kind of recording and snooping.

Does Quick Freeze Plus make sense?

Basically, Quick Freeze Plus amounts to saving the IP address to account holder mapping for 7 days, to facilitate prosecution of criminal activity. For some classes of criminal activity, this indeed makes sense and could be helpful. Being able to track the identity of the account holder of a dynamic IP address from which a fraudulent order via credit card was placed could be extremely useful… as long as the victims and the authorities are quick enough to react within 7 days.
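The retention lifecycle this implies can be sketched in code. The following is an added example, not taken from the proposal or from the original post: a hypothetical ISP-side `LeaseLog` that stores only IP-to-account leases, purges them after 7 days, exempts frozen records from purging, and discloses an account only once a court order has been attached in time. The 30-day `FREEZE_WINDOW` is an assumption borrowed from the one-month US period quoted earlier; all class names, account ids and addresses are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

RETENTION = timedelta(days=7)       # Quick Freeze Plus retention from the text
FREEZE_WINDOW = timedelta(days=30)  # assumption: the one-month US period quoted earlier

@dataclass
class Lease:
    ip: str
    account: str
    start: datetime
    end: datetime
    frozen_until: Optional[datetime] = None
    court_order: Optional[str] = None

class LeaseLog:
    """Hypothetical ISP-side store holding IP-to-account mappings only."""

    def __init__(self):
        self.leases = []

    def record(self, ip, account, start, end):
        self.leases.append(Lease(ip, account, start, end))

    def _match(self, ip, at):
        # A dynamic IP has many holders over time, so the timestamp is essential.
        return [l for l in self.leases if l.ip == ip and l.start <= at < l.end]

    def freeze(self, ip, at, now):
        """Step 1: preserve matching records. Nothing is disclosed yet."""
        hits = self._match(ip, at)
        for l in hits:
            l.frozen_until = now + FREEZE_WINDOW
        return len(hits)

    def approve(self, ip, at, order_id, now):
        """Attach a court order, but only while the freeze is still running."""
        hits = [l for l in self._match(ip, at)
                if l.frozen_until is not None and now <= l.frozen_until]
        for l in hits:
            l.court_order = order_id
        return len(hits)

    def disclose(self, ip, at):
        """Step 2: hand over accounts only for records carrying a court order."""
        return [l.account for l in self._match(ip, at) if l.court_order]

    def purge(self, now):
        """Erase expired records; frozen or court-ordered ones are kept."""
        def keep(l):
            if l.court_order or (l.frozen_until and now <= l.frozen_until):
                return True
            return now - l.end <= RETENTION
        before = len(self.leases)
        self.leases = [l for l in self.leases if keep(l)]
        return before - len(self.leases)

def sample_log():
    # Constructed data: RFC 5737 addresses, made-up account ids.
    d = datetime.fromisoformat
    log = LeaseLog()
    log.record("192.0.2.15", "acct-1001", d("2011-01-10T08:00"), d("2011-01-10T20:00"))
    log.record("192.0.2.15", "acct-2002", d("2011-01-10T20:00"), d("2011-01-11T08:00"))
    log.record("192.0.2.16", "acct-3003", d("2011-01-10T08:00"), d("2011-01-10T20:00"))
    return log
```

A freeze requested on day 4 survives the nightly purge and can later be disclosed under an order; a request arriving after the 7-day purge finds nothing to freeze, which is the "quick enough to react" constraint in practice.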

For other kinds of criminal activity, it is probably not sufficient. E.g. tracking down cold calls of telemarketers and others who use the phone as a means of harassment is impossible if the telco doesn’t save the corresponding connection data in the case of flatrate subscribers. One has to file suit for harassment first, and only then would the telco be ordered to tap the phone of the victim, hoping that further calls would arrive. Clearly too late for one-time hit-and-run scammers.

Unlike most civil rights advocates and net activists, I’m not fundamentalistically and dogmatically ignoring the potential benefits of the kind of data retention that Quick Freeze Plus would provide. Some benefits are rather shady and in my opinion deeply unethical, like enforcing the state-granted monopoly on knowledge we call “Copyright” on behalf of a content industry composed of huge anonymous multinational conglomerates who value their bottom line a lot more than the benefit to humanity of sharing knowledge freely. Others are more tangible and legitimate, like tracking down the criminals who cold call elderly, half senile people, inducing them to give them all their savings, and then disappearing in the mists of anonymity.

However, I’m also acutely aware of the risks of data retention in general, and of the slippery slope of gradually breaking down the principle of untouchable individual privacy. It is all a matter of trust one is willing to put in the State. How sure can we be, that the surveillance infrastructure that was established today with the best of intentions won’t be used against us tomorrow, when democracies inevitably degenerate into tyranny?

My letter to Sabine Leutheusser-Schnarrenberger… and her reply

As soon as news broke about Leutheusser-Schnarrenberger supporting data retention light, if only in the less dangerous form of Quick Freeze Plus, I wrote her the following letter on January 17th:

Guten Tag Frau Leutheusser-Schnarrenberger.

Im Internet kursiert z.Zt. das Gerücht, Sie seien bei der Vorratsdatenspeicherung “umgefallen” und unterstützten nun das “Quick-Freeze-Plus” Modell:

http://www.heise.de/newsticker/meldung/Justizministerin-fuer-Vorratsdatenspeicherung-light-1170207.html

Stimmt es? Ausgerechnet Sie, unsere tapfere, unerschütterliche und stets zuverlässige Kämpferin für Freiheit und Bürgerrechte?

Mit Ihrer mutigen Einstellung schon unter Helmut Kohl gegen den Großen Lauschangriff waren Sie doch der Leuchtturm für freiheitliche Bürgerrechte… und für Viele der einzige Grund, die FDP (noch) zu wählen (ja, trotz Rössler & Co.).

Bitte verspielen Sie nicht Ihr (und der FDP) wichtigstes und wertvollstes politisches Kapital, indem Sie den anderen Parteien nachgeben, bloß weil es wieder einmal “trendy” ist. George Orwell hat “1984” nicht als Handlungsanweisung geschrieben, sondern als Warnung vor einer möglichen Dystopie. Tragen Sie bitte nicht dazu bei, daß diese Dystopie im Herzen Europas noch weiter um sich greift. Die Realität ist schon schlimm genug:

http://www.gerhart-baum.de/buergerrechte/36-buergerrechte/54-wir-sind-weit-ueber-orwell-hinaus.html

Die FDP, aber vor allem Sie, sind unsere letzte Hoffnung, daß Deutschland nicht (schon wieder!) zu einem Schnüffelstaat wird, von denen es leider immer noch viel zu viele auf der Welt gibt.

Bitte widerstehen Sie der Versuchung am Schlüsselloch der Bürger zu spähen: letzteres widerspricht nicht nur liberaler Tradition, es ist schlicht und einfach unanständig.

Mit besorgten Grüßen,

Farid Hajji
[Volle Adresse]

Translation:

Good day, Mrs. Leutheusser-Schnarrenberger.

On the Internet, rumor has it that you gave up your opposition to data retention, and that you’re now supporting the “Quick-Freeze-Plus” model:

[Link to a major IT technology site that reported the news as soon as it broke]

Is that true? [Of all politicians] does it have to be you, our courageous, steadfast and always reliable fighter for freedom and civil rights?

With your courageous stance already under Helmut Kohl against the “Großen Lauschangriff” [big listening attack], you were the beacon light of liberal civil rights… and for many the only reason to (still) vote for the FDP (yes, despite Rössler & Co.).

Please don’t put your (and the FDP’s) most important and most valuable political credit in jeopardy by appeasing the other parties, just because it is “trendy” again to do so. George Orwell didn’t write “1984” as a manual to be implemented, but as a warning against a possible dystopia. Please don’t contribute in such a way that this dystopia spreads even further in the heart of Europe. The reality is already bad enough:

[Link to an interview by FDP’s Gerhart Baum, former Federal Minister of the Interior, former member of the Federal Supreme Court and best representative of the FDP’s civil rights wing, in which he asserts that we’re already way beyond Orwell]

The FDP, but especially you, are our last hope that Germany won’t (yet again!) morph into a surveillance state, of which there still are way too many in the world.

Please resist the temptation to peek at the keyholes of citizens… this being not only incompatible with liberal tradition, but also simply immoral.

With concerned greetings,

Farid Hajji
(Full address)

Well, I wrote using a somewhat naive tone, just like a simple relatively misinformed but concerned citizen would… hoping for but not really expecting a reply. And maybe it was this candid way of writing that provoked her to take the time to kindly write back today.

I won’t publish her long and very precise reply, because I have no (and didn’t seek) permission to do so, but the explanations I wrote above comparing the data retention proposals were more or less the gist of her answer… an answer that I think is rather satisfying.

What shocked me the most was that she acknowledges that, in her opinion, her proposal was necessary in the light of the European Data Retention Directive, a directive that, despite not having been implemented by seven countries so far, ultimately will “have to be implemented”; and that EU Commissioner for Justice Viviane Reding is hailing Leutheusser-Schnarrenberger’s model as a “good proposal.”

What now?

On one hand, and to put it bluntly, there’s no hope. I expect Quick Freeze Plus to be eventually implemented (with perhaps 14 or 21 instead of 7 days of data retention to appease the other pro-surveillance hawks and parties, and the European Commission).

Perhaps it is not a surprise that the US DoJ is also seeking mandatory data retention for ISPs, using the very same pretexts of online child pornography (while in reality seeking much more draconian powers to enforce copyright to save their dying content industries’ business model). Is that Europe’s cold now coming back to the US in the form of a virulent flu?

Be it Europe or the US, there are quite obviously more sinister forces at work seeking to ban anonymity on the Net. I’m thinking here of the content industry multinationals, supported by big banks, as one possible source of mischief, and I’m afraid, of some cases of bought-for, specially tailored laws; but I can easily also imagine governments seeking to ban WikiLeaks-like anonymous whistleblowing (though the latter would prove impossible no matter how hard they try). In the light of such tremendous global pressures, there’s only so much civil rights friendly politicians like Sabine Leutheusser-Schnarrenberger could do. They won’t and can’t stop the tide, and we’ll slide deeper into Orwell’s dystopia.

As I’ve said, there’s nothing, absolutely nothing, we could do to prevent it… at least on the legal level. Technically we could resist it quite effectively, but that’s another story.

On the other hand, Quick Freeze Plus — though just the first step on the slippery slope towards a global Big Brother — is rather moot, because it is technically easily circumvented if need be. In the not too distant future, people will be issued static / semi-permanent IPv6 addresses for everything anyway, be it computers, tablets, smart phones, fridges, TV sets, … The address space of IPv6 is so huge that we’ll likely see the death of the anachronistic dynamic IP allocation model currently in place: no more fiddling around with dynamic DNS services or SIP providers if you want to be reachable via VoIP, right? Anyway, Quick Freeze Plus would be de facto implemented, because IPv6 addresses would be permanently associated with people.

I’m not afraid of this kind of data logging. I’m more wary of control freaks in power overstepping their prerogatives in their thirst for even more power and control, like when then US President George W. Bush ordered the (I guess illegal) wiretapping of US citizens at home by the NSA. This kind of abuse of the State’s eavesdropping infrastructure is the real danger to freedom, and we should resist it as best as we can.