Data retention concerns resurfaces in Norway

The Norwegian government has proposed a series of changes to the Norwegian Electronic Communications Act in order to make it mandatory to store data connecting customers to IP addresses. EDRi member, EFN expresses serious concerns regarding these changes. Not only does this go against the principle of data minimisation, but the idea also goes against the presumption of innocence. In a democratic society we should never collect evidence in case someone may commit a crime, we collect evidence only if a crime has been committed.

Storing IP-addresses may not seem to be the most grievous intrusion into privacy, but since the adoption of IPv6 is so slow, the introduction of CGNAT means that according to Europol’s Internet Organised Crime Threat Assessment it is necessary to track a connection with source and destination address, and source port within a second. For all practical purposes this leads us into a regime akin to the Data Retention Directive, which was litigated by EDRi member Digital Rights Ireland, and found to be illegal.

A natural rebuttal is that it is very easy to circumvent this storage by using VPN or TOR and other means to prevent surveillance. While we strongly encourage the usage of privacy enhancing technologies, it should be noted that the people who need protection the most are not the people in a position to easily circumvent such a law, but people who for various reasons may find themselves in a precarious position. One such scenario became very evident in the case of Muetter Iliqud, an Uyghur political refugee living in Norway. After she wrote an anonymous article, her grandmother living in China was warned about her activities. This happened under the current regime, and increased surveillance can only make this worse.