Computer crime detection, logging and personal privacy

One of the most important ways to catch network criminals (virus distributors, mail bombers, ping bombers, crackers,, distributors of racial agitation, etc.) is logging. By logging information on the traffic on the Internet, it is possible, after the fact, to find out who sent the illegal information.

Technically, it is not possible to log everything, in particular, routers cannot log all traffic passing them. Useful would then be to be able to switch partial logging on temporarily when a suspected crime is being committed. Since network crimes often take a few hours, and since they are sometimes observed immediately, there is time to switch on partical logging. And net criminals, like many other criminals, tend to repeat similar crimes more than once. It is then possible, the second time, to log what was done the previous time in order to catch the criminal.

It is therefore interesting if such logging is legal or not. The Swedish Data Inspection Board publishes an article on this in the latest issue of their official newsletter "Direkt från Datainspektionen" No. 2/2000. The full text is available from them in Swedish.

Here is a translation to English of a passage from the paper in their newsletter:

Every year, the directors of data protection agencies in the European countries and some of their employees meet to discuss issues of common interest.

<snip>

During the last day of the conference, the participants agreed on a common declaration against unnecessary logging of information regarding Internet traffic. In the statement, the directors of data protection express their concern regarding requirements to request that ISPs should be obliged to log information during a longer time, for example because police might need the information in their investigations. The group said that traffic data should only be logged if this is needed for the ISP to perform, for example, invoicing. The data protection directors call attention to the fact that long time storage of traffic data is incompatible with article eight in the European convetion on human rights, which guarantees the rights to protection of privacy.

In Sweden, this is regulated by the telecommunications act, which specifies that ISPs must erase traffic data as soon as the traffic stops. There are certain exceptions, among others information needed for invoicing can be saved until the invoice has been paid or time-barred. With permission from the customer, the information can also be used in marketing.

My comments:

  1. As usual, the data inspection board is vague. Phrases like "unnecessary" and "for example" and "among others" indicate that they do not forbid all logging, but rather wants power to control what kind of logging is done.

  2. There is no discussion at all in the statement about computer crime and how to combat computer crime. This is interesting, because the data inspection board has instigated police investigations and prosecutions in several cases where information was published on the Internet in ways they find illegal. It would be interesting to know if they would forbid the logging necessary to investigate crimes which they themselves have started. Or is these exceptions covered by the terms "unnecessary". This is particularly interesting, since the data inspection board has in previous statements shown that they interpret the European data directive very widely, so widely that it is, for example, not permitted to criticize people on the Internet without permission from the criticized person. Does the data inspection board mean that police are not allowed to investigate crimes, which the board itself has requested investigation of?

  3. The statement by the data inspection board directors seem to indicate that logging in order to investigate computer crimes would be illegal. Why would this be more illegal than other police methods, for example searching for fingerprints or DNA analysis? Searching for fingerprints and DNA analysis can certainly be misused just as much as logging on the Internet. And computer crime costs billions of dollars each year. Should really police not be allowed to use logging in order to investigate such crimes? Would it not be a better solution to specify in the law exactly which kinds of criminal investigations are allowed to use such logging? In the same way as there is legal control of who may perform wiretapping, which is only allowed for investigation of certain crimes (according to Swedish law).

By Jacob Palme <jpalme@dsv.su.se> 2nd July 2000