Danish government postpones plans to re-introduce session logging
When the EU Data Retention Directive was transposed into national law after its adoption in 2006, Denmark implemented one of the most excessive transpositions. Danish Internet service providers (ISPs) were required to retain session information (source and destination IP addresses, port numbers, session type, e.g. TCP or UDP, and timestamp) for every 500th internet packet. In June 2014, the response of the Danish government to the data retention judgment of the Court of Justice of the European Union (CJEU) was to uphold the national data retention law, but rules on session logging were repealed. The Ministry of Justice could no longer argue for the necessity of session logging when, after seven years of collecting detailed information about internet usage for the entire population, the Danish Police could only point to a single case, involving web banking fraud on a minor scale, where this information had been useful.
The Ministry of Justice and the Danish Police were quite careful in putting the official blame for the failure of session logging on the specific implementation chosen by the ISPs. In June 2014, it was clearly suggested that session logging could come back if the effectiveness could somehow be improved. It only took seven months for the first rumours about this to surface, and a year later, on 29 January 2016, the Danish Telecom Industry Association and civil society organisations (including IT-Pol Denmark) were summoned, at short notice, to a meeting at the Ministry of Justice where the intention to re-introduce session logging was announced.
The new session logging scheme was outlined at the meeting. Apparently, the Ministry of Justice and the Danish Police held a secret internal evaluation of the previous failed session logging scheme, and the new proposal seems to be based entirely on this analysis. However, this internal evaluation has not been subjected to any public scrutiny. An analysis by IT-Pol Denmark identified several flaws in the arguments used by the Ministry of Justice and the Danish Police, and the IT-Pol analysis concludes that very little new information (if any at all) is offered.
A statutory evaluation of the Danish data retention law is long overdue, after the evaluation was postponed four times by the Danish Parliament. Access-to-documents requests about the internal evaluation were denied by the Ministry of Justice using various exemptions in the Danish Freedom of Information Act. Rather ironically, the most detailed evaluation of Danish session logging that is currently publicly available has been produced by the British Home Office. The Investigatory Powers Bill (IP Bill), presented to the British Parliament in November 2015, also contains provisions for session logging, which are called Internet connection records (ICRs) in the IP Bill. The Danish and UK proposals are surprisingly similar, and both proposals come with unsubstantiated claims that they will not repeat the prior Danish failure with session logging.
While serious doubts about effectiveness remained unresolved, it quickly became clear that the new Danish session logging proposal would be extremely expensive. After a couple of weeks, the Danish Telecom Industry Association estimated that the investment in equipment alone would be 135 million euros plus unspecified annual operating costs. Compared to the previous session logging scheme, the cost increase was more than 10-fold, and the amount of data retained every day would increase 20-fold. The Danish government initially claimed that this cost estimate was too high, and an independent cost assessment report from Ernst & Young was commissioned.
On 17 March 2016, the Danish situation took a surprising turn when the Minister of Justice Søren Pind announced that the plans to re-introduce session logging had been put on hold. The cost assessment report from Ernst & Young confirms the estimates made by the Danish ISPs, and this price tag is simply too high for the Minister of Justice. This also solves a potential inconvenience for the Danish government since there has been some internal debate within the government party as to whether session logging is reasonable and proportionate.
For the time being, there will be no mass surveillance of Danish Internet users through session logging. While this is clearly positive, it is also disconcerting that the decision by the Minister of Justice is based entirely on cost. In the public debate after 29 January, the Minister of Justice has refused to even discuss the notion that collecting information about every Internet session is surveillance, even though paragraph 37 of the CJEU judgment clearly says that data retention is surveillance and a particularly serious interference with articles 7 and 8 of the Charter of Fundamental Rights (right to privacy and data protection). The Minister of Justice has even complained (in a Facebook post) that Danish media is not taking the threat of terrorism seriously enough in its reporting of the public debate on session logging.
Session logging has become a true zombie in Danish surveillance politics. Having been abandoned twice now, a new proposal could still resurface in 6-12 months as the Ministry of Justice will now consult with the Danish ISPs about a cheaper compromise solution for session logging. However, it is highly questionable whether a technical solution can be found which, on the one hand, has reasonable financial costs (whatever that means) and, on the other hand, is sufficiently distinct from the failed session logging scheme that was in place between 2007 and 2014. Needless to say, civil society is not invited to take part in this dialogue, as privacy concerns of Danish citizens seem to be completely ignored by the Ministry of Justice.
In the coming weeks, it will be interesting to see whether the surprise Danish developments have any effect on the British parliamentary debate about ICRs in the IP Bill. The Joint Committee for the Draft IP Bill looked closely at the prior Danish experiences with session logging (IT-Pol gave written and oral evidence to the Joint Committee), and the most recent Danish cost assessment strongly suggests that ICR collection will be much more expensive than the British government has anticipated. Under the IP Bill, the Home Office will pay the financial costs of data retention, but for ICRs the Home Office has only budgeted 175 million pounds over a 10-year period.
EDRi-gram: Danish government plans to re-introduce session logging (14.01.2015)
Comparison of internet connection records in the Investigatory Powers Bill with Danish Internet Session Logging legislation, Home Office of British government (29.02.2016)
Note from IT-Pol Denmark about the new and old session logging scheme (only in Danish, 04.03.2016)
Britain to pay billions for monster internet surveillance network, Computerweekly.com (21.03.2016)
(Contribution by: Jesper Lund, IT-Pol)