Euro Cybersecurity Solution Falls Through Cracks

Policies put into place after controversial data retention laws passed in Europe over a year ago have yet to be implemented effectively, European technology experts told

With the Europeans in disarray, any concern that such data retention laws might influence United States policy-making has virtually fizzled over the last 12 months.

"The Europeans realize they have a lack of consistency on the issue. They realize they have a patchwork of policies," said Tim Lordan, staff director for the Internet Caucus Advisory Committee on Capitol Hill, which hosted several members from the European Union in a series of Internet technology briefings this month.

European policies were designed to force Internet service providers to save every e-mail, password and other personal data moving across their servers, but they have proven to be much more difficult in practice than in theory.

"It's a mess," said Gus Hosein, a fellow at Privacy International in London, an Internet technology think tank. "Companies are saying it's unfeasible, too expensive. Then you have the civil libertarian concerns."

In May 2002, the European Parliament passed a resolution urging its 15 member states to create laws that would require private ISPs to store all electronic communications on their servers. The directive was sought to beef up intelligence-gathering efforts in the wake of the Sept. 11 attacks and during the global war on terror.

Spain, Germany, France and Belgium were the first to pass laws requiring their ISPs to save everything from personal passwords and e-mail addresses to Web activity and cell phone numbers, for as long as seven years in some cases. Since then, Finland, the United Kingdom, Denmark and Luxembourg have followed suit — crafting a range of different policies that vary from the timeframe of data storage to the content being targeted. Some of those policies are still being amended.

What has resulted is a hodgepodge of measures — many of which are still in debate — with few or none of the laws in effective practice today.

Advocates say it is important for law enforcement across borders to have access to electronic communications in order to track potential terrorists and suspects in ongoing terrorist investigations. But as in the United States, since Sept. 11, 2001, greater emphasis has been put on information gathering and sharing by government agencies.

American and European participants at this month's meetings emphasized finding ways to get tough on unwanted "spam" e-mail, protecting intellectual property rights and the European efforts to build their own cybersecurity department. Less attention was paid to data retention, Internet surveillance methods and the privacy issues relating to them, Lordan said.

Any growing concern that the U.S. government may consider a data retention scheme similar to the European directive has diminished over the past year, Lordan and other policy experts who attended the meetings said. Government officials say they have heard no such plans, and those keeping an eye on emerging electronic surveillance as it pertains to national security say they have bigger fish to fry these days.

"We're taking the Patriot Act apart one step at a time," to see how it affects citizens and personal privacy, said Lisa Dean, a fellow at the Electronic Frontier Foundation, referring to the new federal intelligence-gathering laws passed in the wake of Sept. 11.

Data retention, though a concern, is so far not a part of the labyrinth of federal surveillance policies, and therefore falls under the radar of urgency, she said.

"We're still in the questioning stage, and there are no answers to data retention right now," Dean said, noting that as long as the Europeans are mired in the challenges of implementing data retention, the Americans are likely unwilling to step into that minefield right now.

But that does not mean that the issue does not continue to be a major point of contention among EU members. Data retention, particularly its practical implementation and talk of an EU-mandated uniform policy, is a volatile subject, said Marco Cappato, an Italian member of the European Parliament.

Cappato opposes imposing on EU members any mandatory schemes related to data retention. No formal proposals signaling mandatory retention have emerged, though rumors about it abound.

"Some of these countries that want to have data retention are hoping the EU will step in and say you must have data retention laws," for uniformity, noted Hosein.

Meanwhile, private ISPs and some European leaders are already calling for the dismantling of the voluntary directive.

"Privacy advocates worry about it every day," said Hosein. If mandatory retention does become reality, "all hell will break loose."