Evidence for necessity of data retention in the EU
Table of Contents
How communications data are used
Overview of types of cases in which data are important
Consequences of absence of data retention
Cross-border aspects of data retention
Statistics and quantitative data
Limitations of quantitative data
Conceptual and methodological issues
Murder and manslaughter
Serious sexual offences and child abuse
Buying or offering online child pornography
Burglary, theft and organised trafficking
1. Introduction This document draws together evidence which has been supplied by Member States and Europol in order to demonstrate the value to criminal investigation and prosecution of communications data retained under the Directive 2006/24/EC (the Data Retention Directive or 'DRD'). It contains some general context on the role of historical data in various types of investigations, some observations on the available statistics, and a selection of individual case studies which have been provided by Member States. It is intended to provide further information on the question of the necessity of data retention; readers should also consult the evaluation report for the Commission's general evaluation of the DRD,1 which included (section 5.4) a number of the arguments which are developed in this document, along with a few illustrative examples, and other statements including replies to questions from the European Parliament2 concerning the role of communications data in the investigation and prosecution of the most serious crimes.
2. Context Crime in the EU3 is increasingly characterised by highly mobile and flexible groups operating in multiple jurisdictions and criminal sectors, and aided, in particular, by widespread illicit use of the internet. These groups focus their activities where they perceive the risks of detection to be low, like credit fraud and counterfeiting, which along with trafficking in weapons, drugs and human beings are also extensively used to finance terrorist activities. The EU furthermore is a key target for cybercrime, and the prevalence of internet technology has created a market for child abuse material.
Criminal exploitation of communications technologies mirrors general trends in consumer behaviour. In the 1990s a typical user might make 10-20 fixed line or mobile calls a day and send two or three SMS over a few networks; in the 2000s with increased volume and network coverage, a typical user might make 15-25 calls and send 5-15 emails and SMS, and also use online chat, browsing and 'voice over the internet' services.4 Internet protocol (IP) traffic volumes were estimated to have more than trebled between 2007 and 2010,5 and in the current decade the internet is the primary source of communication.
Criminals attempt to evade detection through the use of false identities or anonymous communications services. Investigators therefore need not only to be able to access traffic and location data and associated identification details, but also to be confident that these data cannot be fabricated or falsified. The access by and exchange between law enforcement authorities of these communications data is essential to the successful disruption of organised criminal networks.
COM(2011)225, 'Evaluation Report on the Data Retention Directive (Directive 2006/24/EC)' http://ec.europa.eu/commission_2010-2014/malmstrom/archive/20110418_data_retention_evaluation_en.pdf E.g. E-004636/2012 See Commission Communication 'First Annual Report on the implementation of the EU Internal Security Strategy', COM(2011) 790 Internal Security Report; Europol: Organised Crime Threat Assessment (OCTA) 2011.
Analysys Mason, Europe's Digital Deficit: Revitalising the Market in Electronic Communications, 3 March 2010.
Source: Cisco Visual Networking Index.
Communications data which do not concern the ‘content’ (e.g. the conversation during the telephone call, the message in the email) but rather the 'envelope' or 'metadata', consist of information on the identity of subscribers or clients (i.e. service-associated information e.g. IP addresses), traffic data (i.e. communication-associated information e.g. logs of calls received and made), and data on the location of the user at the time of the communication.6 Such noncontent data were used before the adoption of the DRD in high-profile investigations including the murder of Irish journalist Veronica Guerin in 1996, the uncovering of a massive international drug trafficking ring centred around the 'Ndrangheta mafia organisation (known as operation IBISCO), the murder in 1998 of Corsican police prefect Claude Erignac, and the 2004 Madrid bombings.
The DRD was adopted on 15 March 2006 with the aim of ensuring that such data be retained for between six months and two years and be available for the purpose of the investigation, detection and prosecution of serious crime. It is in force in most Member States.7 The Commission’s evaluation report, published in April 2011,8 concluded that, given the objectives of the Internal Security Strategy9 and the Digital Agenda,10 the EU should continue to support and regulate the storage of, access to and use of communications data, but should improve EU rules to prevent the different types of operators facing unfair obstacles in the Internal Market and to ensure that high levels of respect for privacy and the protection of personal data are applied consistently.
3. How communications data are used During criminal investigations requests for communications data usually proceed - and often result in – the arrest of suspects, bringing of charges or the exclusion of people from investigation. Fewer data are used during prosecution proceedings in court. This may be because prosecuting authorities are unlikely to use information about individuals who have been investigated and then deemed to be of no further interest to the investigation, or because accused parties when confronted with evidence provided through communications data decide to enter guilty pleas which thus remove the need for the communications evidence to be adduced in court. Communications data are used to corroborate other evidence like witness statements and evidence of the association of suspects and location and chronology of event.
Some crimes may be dealt with through administrative means (e.g. a caution), and certain investigations may be unable to progress for various reasons. Consequently, more data tend to be acquired initially by the investigator than is later relied on in court. Defence counsel also obtain access to these data: one UK authority reported that there had been 204 such requests between April 2009 and March 2010.
These types of data are reflected in Article 5(1) of the DRD i.e. from whom (sub-article a)) and to whom (b) the communication was sent, when it was sent and how long it lasted (c), what sort of communication (d), how the communication was sent i.e. what equipment was used (e) and where the communication was sent (f). For definitions see ETSI Technical Standard 101 331.
The deadline for transposition was September 2007, with the option of postponing the implementation of retention of internet data until March 2009. Twenty-six Member States have transposed it, two (Belgium and Germany) have partially transposed it.
COM(2011)225, 'Evaluation Report on the data retention directive (Directive 2006/24/EC)' Commission Communication, 'The Internal security strategy in action: Five steps towards a more secure Europe,' COM(2010) 673.
Digital Agenda, COM(2010) 245 final/2.
4. Overview of types of cases in which data are important The importance of subscriber, traffic and location data is demonstrated by research and the practical experience in the EU. Since the adoption of data retention measures, Member States as well as Europol have provided a considerable number of case studies in which data have proven important or crucial in solving some of the most serious crimes. These data can be the only lead to identify a suspect or to identify his/her accomplices at the start of an investigation where eye witness accounts or confessions and other forensic evidence are unavailable, and to decide whether it is justified to use more intrusive surveillance tools like interception. They can help establish whether an offence was planned in advance. They are particularly valuable for cases where internet/communication services are used to commit a crime, such as grooming and uploading/downloading child pornography and identity theft: for example, where someone is detected in an internet chat room attempting to sell child pornography, investigators need first to find the IP address used to connect to the chat room, and then ask the internet service provider (ISP) to identify which individual user has been assigned that particular IP address. Similarly, where threats to commit suicide or attack others are placed on the internet (e.g. Sweden claims to have investigated 15 such threats to carry out massacres in schools over 12 months in 2009-10), police can only begin investigation through identifying the user of a particular IP address based on data held by the ISP.
While most data tends to be requested within a few months or even weeks of the communication taking place, there are four categories of criminal investigation for which older data tend to be needed.11 a. Terrorism and organised crime including severe types of financial crime which are often characterised by repetition or by a long period of preparation. Investigations often require time in order to establish a clear pattern and relationships between multiple events and so to expose not just individual suspects but whole criminal networks, especially where associates repeatedly exchange SIM cards to avoid detection. The gap between the moment the criminal offence is committed and the moment of its detection by law enforcement authorities, through the identification and seizure of servers containing evidence, can be several months or even years. Such
delays occur in cases of:
i. trafficking in human beings and drugs trafficking, where there is a complex division of labour among accomplices;12 ii. repeated extortion where victims are in a relationship with the offender and where the victim may only seek help months or even years after the exploitation started;
iii. tax fraud, serious cases of financial crime and corruption of public officials which may span several years. Such offences may only be detected after the end of a financial year, after audits have been carried out or on the basis of annual reports. Authorities may therefore need to examine data which are at See the Commission's evaluation report.
Prosecutors in Poland study traffic data in 70% of preparatory proceedings in drugs possession cases.
E.Kuźmicz, Z. Mielecka-Kubień, D. Wiszejko-Wierzicka (red.) Karanie za posiadanie. Artykuł 62 ustawy o przeciwdziałaniu narkomanii – koszty, czas, opinio. Raport z badań, Instytut Spraw Publicznych, Warsaw 2009, s.58.
least a year old, or several years old to investigate 'triangulation' structures involving false invoices or transactions which appear at first to be legal, especially across jurisdictions;
iv. repeat burglaries, where proof of involvement of the same gang often depends on mobile telephone location data which shows connected individuals to have been in the same area at suspicious times of day.
b. Serious sexual offences where the victim may not report the crime for months after the event. UK report that over half of communications data used in such investigations were six months old or over.
c. Substantiating previous intent to commit illegal activities, which is important within criminal and pre-criminal proceedings and to determine whether a homicide is a case of premeditated murder;
d. Large cross-border cases which may involve mutual legal assistance procedures, such as offences committed by travelling gangs or where several requests for data from different operators are often necessary. It is often only after months of investigation that all relevant facts are collated. Where servers are located in a foreign country data logs held on servers must be analysed to extract the IP addresses of computers used by persons suspected of accessing the child abuse images. Shorter data retention periods often make it impossible to obtain effective results. Rogatory letters take time to execute, and as a result IP addresses and telephone numbers may be identified for which subscriber data can no longer be requested.
5. Consequences of absence of data retention The crucial value of mandatory communications data retention as a measure, as distinct from communications data per se, is the guarantee that potentially valuable data will be available for a given amount of time. Other measures, such as rules on data preservation (or 'quick freeze'), whilst valuable in many ways, signally fail to provide such a guarantee, and as such rely wholly on the need or willingness of operators to store these data for their own commercial purposes, and to do so in such a way as to render these data accessible in time to be valuable to investigations and prosecution. Before the DRD entered into force, operators may have stored some data but not in an easily retrievable way: mobile telephony data might have been stored in a street-side cabinet or mobile telephone tower, while ISPs may not have logged IP addresses in many cases where they are switched frequently (in processes known as dynamic address allocation and load-balancing). However, according to data protection authorities and operators, certain data have minimal business value and are only stored in a retrievable form because of mandatory data retention. Such data include: (a) fixed/ mobile traffic data for flat-rate unlimited use contracts and pre-paid services;13 (b) source ID (i.e.
telephone number) for incoming calls; (c) unsuccessful call attempts; (d) IP addresses 14; (e) cell ID (i.e. location) data; and (f) email data. The absence of a guarantee of the availability of In Germany, the proportion of private internet users with such flat-rate plans rose from 18% in 2005 to 87% in
2009. The proportion of users of prepaid services varies, from about 20% in Finland to about 80% in Portugal.