The government's plan for a data storage directive has a number of weaknesses and shortcomings. That’s the opinion of experts in quality and security in data communication from NTNU’s Faculty of Information Technology, Mathematics and Electrical Engineering (IME). The academic staff say that the government lacks a clear and credible plan for data protection, and warns against adopting the directive as Norwegian law.
NTNU's experts, who are at the forefront of computer security research, are much more critical of the plan than NTNU’s Rector Torbjørn Digernes was in the university’s official comments on the data storage directive (DLD). The deadline for comments on the controversial directive to be incorporated into the EEA Agreement expired last week, and debate continues to run high. NTNU's submission is based on IME’s input.
Brief and pointless
“We were surprised that NTNU’s comments ended up quite brief and pointless. It was hard to see evidence of what we actually said. NTNU should have been much clearer on this.”
So says Professor Svein Knapskog, who led the working group that was appointed to provide IME’s input to the rector. Knapskog is also head of the faculty’s Centre for Quantifiable Quality of Service in Communication Systems (Q2S), which is a Norwegian Centre of Excellence.
Restrictive attitudes
NTNU has a restrictive policy in terms of taking a position on current political issues. That's why the university has not taken clear position for or against DLD, according to Rector Torbjørn Digernes.
The Rector believes that NTNU's comments point out weaknesses in the proposed directive, and that the university has raised issues that have not been a part of the debate to date. He emphasizes that every employee, of course, is free to promote his or her own views and contribute with different perspectives to the debate.
"This is a difficult political issue in which different social considerations are being weighed against each other. We have contributed with views from the technological expertise we have in the area. It has not been difficult to spot the problematic aspects of the DLD,” said Digernes.
An insurmountable security job
IME’s experts have commented on the technical aspects of the approach that was chosen. They have evaluated the risk that stored data might be misused - which they point out is the biggest threat. The group also pointed out several existing examples of stored information that is sensitive, along with systems that are supposed to be secret, which are not adequately secured – not from untrustworthy workers, virus attacks, eavesdropping or data burglary.
“It will be an almost insurmountable challenge, both technologically and from an economic standpoint, to securely store the enormous amounts of data we’re talking about here. If there were unlimited resources, maybe we could get very close. But to declare this to be 100 per cent safe doesn’t come naturally to researchers who work with the subject, " Knapskog says, adding that the directive will cost more than it is worth.
Adding to the burden
Even though security experts have made strong technological arguments against DLD, Knapskog says his biggest concern is privacy.
“DLD isn’t a dramatic new approach. In practice, we monitor almost one hundred per cent of the time through technological trails. DLD is just more of the same, a new turn of the screw - or as many perceive it – adding to the burden.”
Knapskog explains that it will be the smallest operators, of which there have been an increasing number, who will have the heaviest financial burden from complying with the directive. The likelihood of data leakage, or even sales, will be great.
“The list of players who would be willing to pay for information is long. To believe there will be no abuse is naive,” says Knapskog. “Players in this market come and go. Some are shut down, some get bought up, some crash and are revived.”
A risk at many levels
“Here’s another risk. Who is responsible for the data? Who cleans up afterwards?” asks the computer professor.
He recommends waiting with the directive until all of the solutions are in place and the technological, administrative and financial issues that are found are fixed. He finds it very problematic that the government has no good plan for security.
Improve or stop the storage
The work group that the professor leads advises the government to start working to improve the protection of data being stored now, or stop storing it. This should happen regardless of what happens with the DLD, the group says.
“As far as I know, today there is no systematic check to see that the current storage methods are adequately secured, for example through the documentation requirements from the business / system owner that the standard rules are followed,” said Knapskog.
A mistake to ignore the US
The working group believes the government's consultative paper says very little about what the police actually need, what benefit it will have and why. Another weakness is that the paper does not take into account developments in the US, and the fact that the US conditions will affect developments in Norway. More and more US-based providers will come in and compete on the Norwegian market, the group notes.
Of limited interest
The DLD covers an ever-decreasing share of electronic communication. More and more is conducted through online communities such as Facebook and Twitter, and through popular services such as Skype, Google's Gmail and Microsoft Messenger.
“Unless the directive is expanded to include all electronic communications, the DLD is limited interest. The directive, as proposed, will force organized crime away from using Norwegian-based telecommunications networks for verbal communication,” according to the IME-appointed working group's input.
Torbjørn Digernes is Rector at NTNU.Arkiv. Elin Fugelsnes/NTNU Info
