As Dan Quayle put it: “I believe we are on an irreversible trend toward more freedom and democracy – but that could change.”
It’s a flattering self-image in Europe to play Greece against the American Rome: confronting the clumsy boot of American government power with humanistic values like privacy. Witness the outrage in Europe over the transfers from Europe to the US of airline passenger name records or financial wire transfer data. And it has become common knowledge in Europe that the US Patriot Act sacrificed privacy and other civil rights in favor of the “war on terror.” It’s time for us to take a look in the mirror: at Europe’s own reaction to the terrorism in Madrid and London, the Data Retention Directive.
The goals of privacy and the goals of law enforcement are often in conflict in the best of times. In the worst of times, like the aftermath of terrorist strikes, politicians have taken a new look at the balance, and chosen to shift it away from privacy and towards the goals of law enforcement. The shock of a terrorist act is asymmetrical, moving the balance in one direction. The slow erosion of civil liberties hardly generates the shocks to move the balance back.
The Patriot Act is a grab bag of disparate measures, mostly meant to make it easier for law enforcement to access data to help them investigate terrorism. It’s a clumsy law, at best, and it over-rides many longstanding procedural safeguards to protect people’s privacy from the State. But it’s not a data retention law. It makes it easier for American law enforcement to get their hands on data, but it doesn’t impose an obligation for companies to retain data, in case law enforcement should someday want access to it. The EU Data Retention Directive takes the opposite approach: it imposes massive data retention obligations on companies in Europe to keep mountains of data in case law enforcement should someday decide to ask for it. You may disagree, but in terms of privacy, I think the Data Retention Directive is far worse than the Patriot Act: a law that mandates that you collect and maintain mountains of data for law enforcement is worse than a law that makes it easier for law enforcement to access pre-existing databases.
I doubt most Europeans realize that the Data Retention Directive will require that telco’s and Internet “electronic communications service providers” (e.g., email providers) store all their traffic data for between 6 and 24 months. And do Europeans realize that some governments are trying to push the balance even further away from privacy towards the goals of law enforcement than required by the Directive? The German Ministry of Justice has drafted a law to mandate that email providers in Germany must verify the identity of their email customers, to stop the use of anonymous email accounts. The Netherlands Ministry of Justice has proposed a requirement to retain location data for 18 months, going far beyond the requirements of the Directive.
This massive invasion of privacy would be easier to swallow if the “bad guys” couldn’t easily evade being tracked anyway. Very simple technical measures allow anyone to use the Internet without leaving the tracks that the Directive would try to retain. In fact, it might be as easy as using non-European-based service providers. Today, Google does not verify the identity of its email users, and I can’t imagine it would start to do so, whatever the German law might say. I’m hardly alone in believing that users should be entitled to anonymous email accounts, for lots of reasons, ranging from a philosophic belief in the right to be anonymous online, to practical reasons, like trying to protect one’s account from spam.
If you have read the privacy news over the last few months, you would get the impression that the biggest threat to the privacy of EU citizens resulted from the transfer of pieces of their personal data to the US government, either when they fly to the US (those passenger name records) or when they do a financial wire transfer (using the “SWIFT” network of banks). If there is so much distrust in Europe about the US government getting its hands on such relatively minor pieces of data, why aren’t more people in Europe worried about their own governments getting access to vastly more data about them? Really, what’s more troubling: allowing the US government to see passenger information about the people on a flight from Amsterdam to New York, or allowing the government of The Netherlands to mandate that the location of every person in the country be tracked and stored for 18 months every time they use the Internet or the phone?
EU governments are required to implement the provisions of the Data Retention Directive into their national laws by 2009. They’re just getting started now, and the early indications are not good if you care about privacy.