Danish government wants to postpone the evaluation of the data retention law for the third time

The Danish law implementing the data retention directive (2006/24/EC) took effect in September 2007. Denmark has chosen a one-year retention period which is within the limits of the directive.

The Danish data retention law is the most comprehensive in Europe

The Danish law exceeds the requirements of the data retention directive in several respects, especially as far as internet logging is concerned. The Danish law contains a requirement for session logging, which is data about every internet packet being transmitted. Specifically, the following information must be retained: source and destination IP address, source and destination port number, transmission protocol (like TCP and UDP), and timestamps. Ideally, this should be done for the first and last packet of a "session" (which is not precisely defined in the law), but if this is not technically possible, the ISP can register every 500th packet instead.

The Danish session logging has been described in an EDRi-gram from January 2008
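The two logging modes described above can be modelled in a few lines. This is an added example, not code from the law, the ISPs or this article. The definition of a "session" (same 5-tuple, packets at most 60 seconds apart) and the sample traffic are assumptions, since the law does not define a session. It shows which records each mode retains, and that a flow shorter than the sampling interval can leave no record at all.

```python
from collections import namedtuple

# The fields the law requires per retained record (no packet contents).
Record = namedtuple("Record", "ts src sport dst dport proto")

def session_records(packets, idle_timeout_ms=60_000):
    """Retain the first and last packet of each session.
    Assumption: a session is one 5-tuple with no gap above idle_timeout_ms."""
    open_sessions, closed = {}, []
    for p in packets:                      # packets are sorted by timestamp
        key = p[1:]                        # 5-tuple without the timestamp
        cur = open_sessions.get(key)
        if cur is not None and p.ts - cur[1].ts <= idle_timeout_ms:
            cur[1] = p                     # extend the session's last packet
        else:
            if cur is not None:
                closed.append(cur)         # idle gap: the old session ends
            open_sessions[key] = [p, p]
    closed.extend(open_sessions.values())
    return sorted({r for first_last in closed for r in first_last})

def sampled_records(packets, n=500):
    """Fallback mode: retain every n-th packet seen on the link."""
    return packets[n - 1::n]

def flows(records):
    """Distinct 5-tuples that appear in a set of retained records."""
    return {r[1:] for r in records}

def constructed_traffic():
    """Constructed sample: a 20-packet flow, a 1200-packet flow, a 20-packet flow."""
    plan = [("198.51.100.7", 443, 20),
            ("203.0.113.9", 443, 1200),
            ("198.51.100.80", 80, 20)]
    packets, ts = [], 0
    for i, (dst, dport, count) in enumerate(plan):
        for _ in range(count):
            packets.append(Record(ts, "192.0.2.10", 50000 + i, dst, dport, "TCP"))
            ts += 10                       # one packet every 10 ms
    return packets

if __name__ == "__main__":
    traffic = constructed_traffic()
    for name, kept in (("first/last packet", session_records(traffic)),
                       ("every 500th packet", sampled_records(traffic))):
        print(f"{name}: {len(kept)} records, {len(flows(kept))} of 3 flows visible")
```
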

It is currently estimated that the Danish data retention law produces 400 registrations per citizen per day, and about 90 percent of these come from the internet session logging. The privacy implications are quite invasive. The contents of the internet packets are not being logged, but the IP addresses will contain information about visits to websites of political parties (that is, in effect, registration of political preferences) and the online news services that the citizen reads.

This goes far beyond the data retention directive which, for internet traffic, only requires that the IP address allocated to the subscriber is logged, so that the source of an internet communication can be identified.

There have not been any constitutional challenges to the Danish data retention law. Such procedures are extremely difficult and very expensive in Denmark, and they will have to go through the regular court system. It is standard practice for the Danish government to file a counterclaim that the citizens have no "legal interest" in trying a particular law before the court, and opposing this counterclaim will take years.

Evaluation and revision of the data retention law 2007-2012

The Danish data retention law contains an evaluation and revision clause. In 2010, the Danish parliament voted to postpone the evaluation for two years in order to coordinate with the evaluation by the EU Commission. The EU Commission published its evaluation report in April 2011, about a year later than originally anticipated.

By 2012, there had been a change of government in Denmark from conservative-liberal to a center-left government led by the Danish Social Democrats. The new government also proposed a two-year postponement, citing again the desire to wait for any changes in the data retention directive at the EU level.

This time, a majority in the Danish parliament objected to a two-year postponement. The members of parliament wanted to examine the extent of the Danish over-implementation of the directive, in particular internet session logging. During the parliamentary debate in the Spring of 2012, the government submitted a report to parliament describing ten police cases where information obtained from the data retention law had played a critical role. This report had previously been submitted to the EU Commission for their evaluation of the data retention directive.

Of the ten police cases, only one used internet logging, and the information being used was only the subscriber identity behind an IP address, not the invasive session logging. The other nine cases involved telephone logging, in particular location data from cellular phones, which the Danish police has used in several cases. Most of the nine telephone logging cases involved serious and violent crimes such as murder, attempted murder, armed residential robberies (when residents were at home) and organized narcotics smuggling. The single case with internet logging was about fraudulent use of an internet payment system for online poker and some credit card fraud.

In the end (May 2012), the parliament voted for a one-year postponement, and the Danish government was instructed to produce a report about the Danish over-implementation of the directive as well as an evaluation of the use of internet session logging in police investigations.

Current situation as of February 2013

In December 2012, the Danish center-left government proposed a two-year postponement of the evaluation clause, citing again the desire to wait for any changes in the directive at the EU level. The proposal was a complete copy-paste of last year's proposal. The first parliamentary debate of the new law proposal is on 22nd February.

In December 2012, the Danish government also produced a report describing the Danish over-implementation of the data retention directive, and as requested by parliament, there was a contribution from the Danish police with cases involving internet logging, both according to the requirements of the directive and the special Danish session logging requirements.

The report is available here in PDF format (the report is in Danish, but the text can be extracted from the PDF file so Google translate might work)

There are three police cases involving internet logging. The first example is the online payment systems and credit card fraud case from the Spring 2012 report. According to the claims by the Ministry of Justice, the other two cases use session logging, and one case is about a series of armed robberies (violent crime).

However, on closer examination the case with armed robberies is really about telephone logging since the information being used is location data from cellular networks. Apparently, one of the two robbers had a smartphone which communicated with various internet servers at regular intervals, and for each such communication the location of the cell phone is logged. The Ministry of Justice claims that this is session logging, but it is not. The relevant section of the Danish data retention law is about mobile telephone logging, where "data calls" receive the same treatment as "voice calls" (the directive has provisions about this type of logging, but the Danish law requires more location logging than the directive). The session logging requirements do not, in any way, include location data of a mobile device, but the Ministry of Justice is making this claim, presumably in an attempt to find cases where session logging is useful to the police.

This leaves one case where internet session logging is actually used by the Danish police. This case is also about economic fraud. A bank customer claims that his internet banking account is hacked, and 100,000 Danish kroner is stolen from the account. Since the transaction originates from the customer's own computer, he is suspected of fraud. The Danish police obtains the internet session logging data with a court order (or consent of the customer, this is not entirely clear), and they find a suspicious connection attempt from a foreign IP address known to be associated with economic crimes (fraud) on the internet. The case isn't really solved but the Danish customer is cleared of further suspicion, a conclusion that the police would probably have reached through their normal police work without session logging, for example by following the money trail. In any case, it is more than doubtful that the session logging made a substantial difference to the case since the customer clearly wouldn't have been convicted of fraud just because the transaction apparently was done from his computer. The man-in-the-browser attack against internet banking is well-known, and any competent defence lawyer would have pointed this out to the police.

To summarize, the December 2012 report contains two police cases where internet logging and session logging have been used by the Danish police. Both cases involve fraud on a relatively minor scale, not exactly the type of crime that was used as motivation when the data retention law was originally passed in Danish parliament.

The total cost of the internet session logging so far has been about 250 million Danish kroner.

In the final part of the December 2012 report, the Danish Ministry of Justice makes various largely unsubstantiated claims about why the use of internet logging, and in particular session logging, has been fairly minimal. The Danish police has a history of mismanaging IT systems development, and this has also affected their ability to receive and analyze internet logging data obtained from the Danish ISPs with a court order. Given the vast amount of data retained under the session logging requirements, this is obviously a problem for the Danish police.

Quite interestingly, the Ministry of Justice formally states in the report that session logging was implemented in a way that made it useless for the police (the implementation is according to the requirements of the law). Now, the natural conclusion would be to scrap session logging altogether, but the Ministry of Justice desperately wants to keep this part of the Danish data retention law.

Before September 2007, the Danish ISPs repeatedly warned the Ministry of Justice that session logging would be useless for the police.

Selected media coverage (all in Danish, our English translation of article titles)

Information, 8th February, Five years internet surveillance have been largely useless

Danmarks Radio, 10th February, Danish Police rejects the claim that internet surveillance is useless

Danmarks Radio, 8th February, Surveillance: Everything that you do on the internet is registered by the police and secret service (PET)

Version2, 11th February, ISP professionals warned the Danish police about useless internet logging

Version2, 11th February, Danish Police: useless logging data are valuable to us

Version2, 8th February, Danish ISPs: the police bears the responsibility for the useless logging data

Version2, 8th February, Five years of internet logging data are useless: the police cannot read the data format

Computerworld, 11th February, Telecommunication industry explains why internet logging is useless