G8 GOVERNMENT-PRIVATE SECTOR HIGH-LEVEL MEETING ON HIGH-TECH CRIME
TOKYO, MAY, 22-24, 2001

Report for Workshop 1: Data Retention

Potential Consequences for Data Retention of Various Business Models
Characterizing Internet Service Providers

• The Internet can be both the target of criminal activity and the conduit for the commission of traditional and new crimes.
• Where available, traffic¹ and subscriber-related data² may be highly relevant to law enforcement investigations.
• However, data retention³ is a very complex and sensitive issue. The group discussed current practices and issues related to data retention in order to develop a balanced set of options for data retention. More specifically, the group discussed the impact of data retention on business models of different internet service providers⁴, privacy and data protection implications, technical feasibility, law enforcement and consumer interests.

Observations

• The retention of certain traffic and subscriber-related data may support lawful computer investigations and enable the tracing of criminals and terrorists on the Internet. (A provisional list of log details related to some services that may be available through an Internet service is attached at Annex A. This list was originally developed at the October, 2000 Berlin Workshop to identify what was potentially technically available)
• Data preservation⁵ can only operate if data already exists.
• Law enforcement efforts to prevent, detect and combat high-tech crime often require the assistance of service providers.
• Service providers experience is that the collection and retention of personal information erodes consumers' confidence in doing business on the Internet due to privacy concerns.
• Both parties are committed to finding solutions that respect human rights.
• There exists a high degree of variability in what data, if any, service providers collect and retain based on various business models. Service providers run different services with different logging capabilities configured for each service.
• Depending on how the service provider's network is configured, different logs could be stored on many different systems, controlled by different entities in different jurisdictions.
• Some law enforcement requirements may be met by existing internet service provider practices in the areas of network management, security and network accounting.
• Information that is available in current business models may change in the future because of advances in technology and services offered.
• Retention practices can be constrained by domestic and other laws regarding data protection or privacy. Any information related to an identified or identifiable person qualifies as personal data and is likely to have varying degrees of protection (depending on the sensitivity of data retained) under respective national privacy and data protection laws. Aggregation of information also raises privacy concerns.
• Improving mechanisms to prevent and detect criminal use will also increase consumer confidence.
• Quantification of costs is difficult given the different business models and the lack of specificity regarding potential data retention requirements. The cost implications for industry may be significant, especially based on different business sizes and models.
• Given the complexity of the above noted issues, blanket solutions to data retention will likely not be feasible.

(Note)

1. Many definitions for traffic data exist. For the purposes of our dialogue we understood that traffic data did not include content of the communication.
2. Subscriber-related data may include information such as subscriber name, account name, e-mail address, telephone number (dial-up services), billing records, type of service and length of service.
3. To retain data means to keep data, which is currently being generated, in one's possession into the future. Data retention connotes the accumulation of data in the present and the keeping or possession of it into a future time period - (13) Explanatory Memorandum to the Draft Cybercrime Convention of the Council of Europe.
4. Internet service provider business models include small, national, high-speed connections, multi-national, multi-jurisdictional, virtual, cyber-cafe, free, anonymous/pseudonymous and business services.
5. To preserve data means to keep data, which already exists in a stored form, protected from anything that would cause its current quality or condition to deteriorate.

Guidelines

• To achieve a balanced approach, we suggest G8 member countries to fully consider the following:
  • Privacy and human rights must be protected including the protection of personal data and users' freedom of choice;
  • Victims of crime have a right to protection. Law enforcement agencies need to maintain lawful investigative capabilities in light of emerging technologies;
  • The promotion and support for the advancement of technology and electronic commerce is essential for the development and continued health of national economies and to secure consumer confidence in doing business on the Internet; and
  • Data retention should not impose unreasonable operational and financial burdens on industry.

Considerations

• Based on the Paris Conference, the Berlin and Tokyo Workshops and recognizing the need for a balanced approach to data retention taking into account privacy, data protection, industry and law enforcement needs, the working group suggests the following considerations as the basis of further study.
  • Data collection and retention practices should be developed at the domestic level recognizing the need for international cooperation.
  • A consistent, clear and transparent process, in the framework of privacy legislation, is required for effective industry and law enforcement cooperation to occur. The potential liability of service providers arising from data retention practices should be limited.
  • We suggest G-8 member countries continue consultations with data protection authorities, privacy, industry, law enforcement agencies, users and others to develop a balanced approach towards data retention.
  • We suggest G-8 member countries continue to study the conditions, if any, under which data retention may take place for legitimate purposes in line with privacy principles.
  • We recognize solutions may have potentially significant cost implications for industry based on different business sizes and models. We encourage consideration of mechanisms to address this issue.

Appendix A to Report of Workshop 1a

The following is a list of log details related to some services that may be available to an Internet service. It should be noted that the content of these logs might be subject to relevant business, technical and legal conditions; not all of the following data elements will be available in all logs.

(1) Network Access Systems (NAS)
- access logs specific to authentication and authorization servers such as TACACS+ or RADIUS (Remote Authentication Dial in User Service) used to control access to IP routers or network access servers.

- date and time of connection of client to server¹
- userid
- assigned IP address
- NAS IP address
- Number of bytes transmitted and received
- Caller Line Identification (CLI)²

(2) Email servers
- SMTP (Simple Mail Transfer Protocol) log

- date and time of connection of client to server
   - IP address of sending computer
   - Message ID (msgid)
   - sender (login@domain);
   - receiver (login@domain)
   - status indicator

POP (Post Office Protocol) log or IMAP (Internet Message Access Protocol) log

- date and time of connection of client to server
- IP address of client connected to server
- Userid
- In some cases identifying information of email retrieved

(3) File upload and download servers
- FTP (File Transfer Protocol) log

- date and time of connection of client to server
- IP source address
- userid
- path and filename of data object uploaded or downloaded

(4) Web servers
- HTTP (HyperText Transfer Protocol) log

- date and time of connection of client to server
- IP source address
- operation (i.e., GET command)
- path of the operation (to retrieve html page or image file)
- "last visited page"
- response codes

(5) Usenet
- NNTP (Network News Transfer Protocol) log

- date and time of connection of client to server
- protocol process ID (nnrpd[NNN...N])
- hostname (DNS name of assigned dynamic IP address)
- basic client activity (no content)
- posted message ID

(6) Internet Relay Chat
- IRC log

- date and time of connection of client to server
- duration of session
- nickname used during IRC connection
- hostname and/or IP address

(Note)

1. Reliable time records among different computers and networks is essential for investigation and prosecution. The use of the Network Time Protocol (NTP) for synchronization should be an ISP Best Practice.
2. CLI provides the number from which a telephone call is made and may or may not be available to ISPs. CLI retrieval is specific to the given combination of software and hardware.
   See "LINX Best Current Practice - Traceability", section 10.2.