DATA RETENTION REPORT

Transcription

1 DATA RETENTION REPORT 12 February

2 TABLE OF CONTENTS I. INTRODUCTION... 3 Overview of national legislation... 3 Methodology followed... 5 Adoption of the data retention executive act... 6 II. ANALYSIS... 7 Retained Data... 7 General overview of adopted solutions... 8 Security of Information Technologies (IT)... 8 Submittal of Traffic Data... 9 Logical Protection Authentication/Authorization Records Cryptography Fixed and mobile security at the workstation Conveyance, transmission protocols Physical protection Backup and Disaster Recovery Systems III. CONCLUSIONS IV. ANNEX (facultative)

3 I. INTRODUCTION Overview of national legislation The provisions on Data Retention Directive have been implemented in our Electronic Communications Act (ECA 1 ). In accordance with the relevant provisions of ECA, the provider is obliged to keep the retention data for the purposes of: - providing data on traffic in electronic communication network, provided by Criminal Procedure Act; - ensuring national security and constitutional order and ensuring security, political and economical interests of Slovenia, as provided by Slovene Intelligence and Security Agency Act; - defence, as provided by Defence Act. The authorities responsible for application of the Directive 2006/24/EC in Slovenia are: National Regulatory Authority Post and Electronic Communications Agency of the Republic of Slovenia (APEK: and The Information Commissioner of the Republic of Slovenia ( Art. 112(2) of ECA provides that the Information Commissioner performs supervision over retained data (user, traffic and location data, which are acquired or processed in relation to provision of public communications networks or services in accordance with the Art. 107a -107e of ECA). The Information Commissioner supervises whether the data are retained, secured and used in accordance with the law. Electronic communications market in Slovenia is largely dominated by a couple of large providers and a long-tail of small providers. Total number of providers of electronic communications (hereinafter: providers) is 131 according to the 2008 Annual report of the NRA. Several of them provide a number of different services: 1 Unofficial translation available at: -upb1_unofficial_translation_english.pdf 3

4 ISPs: 64 Mobile operators: 3 (plus 3 service providers with their own network) Cable operators: 73 Telephone fixed: 22 In terms of mobile telephony the market-share distribution is rather concentrated between two major providers: 4

5 Similar situation with somewhat larger competition may be observed in broadband market: Methodology followed The Information Commissioner has introduces the data retenion audits in its annual ex-ufficio inspection plan. Insofar we have taken a two-stage process. First there is the documentation phase, where the relevant documents are obtained from the providers and checked at our offices. For this phase the common Questionnaire to telecom providers and ISPs, developed by Enforcement Subgroup of the Article 29 Working party was translated and sent to 10 selected providers. Providers were selected in a way that covers the majority of markets in the services that are covered by the Data Retention Directive. Given the competition structure in these markets the selected providers cover more than 90% of market share in all respective markets. Having received the replies from the providers in the second phase the inspection is performed in situ, to establish whether the documented procedures are also performed in practice. Given the resources available at the Information Commissioner 5 in situ-audits were carried out in 2009 and it 5

6 was decided that the in-situ data retention audits continue throughout 2010 being a part of the 2010 Annual ex-ufficio audit plan. The Information Commissioner is currently considering an introduction of a third phase that would consist of a purely technical inspection of the technical solutions for data retention that are most commonly used on our market. This effectively represents two or three providers (or resellers) of data retention technical solutions that have set up their systems as a contractual service to the electronic communication providers. Adoption of the data retention executive act Given the general observation that the requirements for data retention are rather broad and vague and that several providers have opted for unsecure means for storing the data required by the law and subsequent problems in terms of supervision, the National Regulatory Agency and the Information Commissioner decided to draft an implementing measure (an executive act under the ECA), which should set more concrete requirements for data retention in terms of security, quality, integrity and confidentiality of stored data. The draft executive act was put into public debate and comments from providers were allowed, received, processed and reflected in the final text of the act. The executive act was adopted on 31 December 2008 and published in the Official Gazette of the Republic of Slovenia (No. 126/2008). We also need to point out that the provisions on data retention for internet traffic data entered into force on 15 March The Executive Act on Secrecy, Confidentiality, Security of Electronic Communications and Retained Data (unofficial translation) is available in Slovenian at this link: In brief, the act consists of two major parts. The first part is orientated towards adoption ob best practice measures for ensuring confidentiality, security and availability of data such as the approach taken by the ISO/IEC standard on management of information security. Generally speaking the Executive Act obliges the providers to adopt an ISMS-like system for management of information security including management reviews, document management, review and improvement of the ISMS and similar. Providers need to inform 6

7 the National Regulatory Agency and the Information Commissioner about the management review of the ISMS. The second part of the Executive act focuses on the security requirements for secure storage of data retention data. In general the operators need to adopt measures that enable fully authentic audit trails of any access to retained data, the retained data may only be stored in a separated information system that does not allow any kind of subsequent change or manipulation with retained data, providers need to produce effective back-up copies and so on. II. ANALYSIS The Questionnaire was sent to selected providers on 24 th March 2009 with a deadline of 30 th April All of the selected providers replied in due time. Overall, the responses of the questionnaire already reflected the requirements set by the The Executive Act on Secrecy, Confidentiality, Security of Electronic Communications and Retained Data, since majority of the inspected providers have already taken care of meeting up the requirements of the Executive Act. Retained Data In terms of the array of stored data the analysis of the replies to the questionnaire and the in-situ audits did not detect any major irregularities. The written replies to the questionnaire usually referred to the data categories that were specifically mentioned or required by the ECA, whereas the in-situ audits confirmed substantial deflections in one case. One of inspected providers of cable internet access, and VoIP has obviously not taken the requirement of the ECA and the Executive Act seriously enough. Irregularities in terms of security of data were substantial for example the provider has actually lost a portion of its data due to inappropriate backup procedures due to disk failure. Furthermore, there were some irregularities around integrity of audit trails and inconsistent access rights do retained data, which were not retained in a separate information system, but were rather stored using the same equipment as for billing purposes. Such substantial 7

8 irregularities however were not detected at other providers who have all taken up concrete measures for security of retained data. General overview of adopted solutions Given the rather strict requirements of the The Executive Act on Secrecy, Confidentiality, Security of Electronic Communications and Retained Data at least the large market-share holders have taken the data retention requirements seriously and have already adopted the Information Security Management Systems or are in the process of finalizing the drafts. The requirements of the Executive Act have therefore had huge improvements in ensuring confidentiality, integrity and availability of data. The situation, however, might be different with providers that occupy small market shares and do not have enough human or financial resources to introduce an ISMS or to opt for advanced technical solutions for data retention. In site-audits that will be carried out later will probably affirm this prediction. Security of Information Technologies (IT) Audited providers have given the Information Commissioner access to their Information Security Management Systems documentation, including risk assessments, risk management procedures, password and back-up policies etc, where only minor deficiencies were observed. Majority of providers have dedicated security officers or CISO that oversee also the data retention part. Apart from already mentioned provider with poor security findings, other selected providers have set up Information Security Management Systems and have opted for contractual providers of specialized data storage/retention solutions. Two major players in this market have thus covered the majority of large providers and they offer dedicated solutions from world-wide storage solution providers such as EMC/IBM and Sun Microsystems. More specifically EMC/IBM Centera CAS-type solution was introduced with 7 major electronic communication providers in our market, whereas one provider chose Sun Microsystems Coppereye storage solution. All of the mentioned solutions employ state-of the art technology for secure storage and handling with retained data including: 8

9 Write-once-read-many (WORM) - once written data cannot be duplicated modified or deleted until retention period has expired Access to source data only achieved by running predefined queries Protection against o accidental or unlawful destruction o accidental loss o alteration o unauthorized or unlawful storage, processing, access or disclosure Accessed by authorized personnel only Encyrpted storage Destroyed at the end of the period of retention Support for secure erasure standards (DoD STD). One of the providers of data retention solutions, who also covered the majority of large electronic communication providers, has received an ISO/IEC certificate. The employed architecture usually combines traffic data sources (various mediation devices and traffic data servers) with subscriber data and sends them do dedicated storage device which is physically and logically separated from other information systems (such as billing) within the provider. Retention period and deletion is enforced automatically and cannot be altered once set. In all cases data is stored in Slovenia. Submittal of Traffic Data The number of received requests for retained data differs significantly between inspected providers ranging from one per month to 5-6 per day. The majority of request refers to data from mobile and fixed telephony, whereas the number of requests concerning internet related data is much lower. The competent authorities for requests are in accordance with ECA the National intelligence Agency, the Courts and Ministry of Defence. The majority of requests is submitted by law enforcement under the provisions of Criminal Procedure Act. In some cases the Information Commissioner has noted also 9

10 requests by the police without the necessary court order probably due to inappropriate interpretation of ECA by some police stations and their competencies. Logical Protection Audited providers have stated that external contractual parties do not have access to retained data, which includes the contractual supplier of data retention solution. Request for new users need to be put forward by the provider, and contractual parties only have access to the data retention system within the premises of the provider under the provider s supervision. Providers employ all the usual logical access control systems such as firewalls, IDS/IPS systems and similar. Mobile or remote access to date retention system is not permitted in majority of cases. Authentication/Authorization In most of the cases, the dedicated data retention solutions have built in authentication/authorization requirements, whereas the list of allowed users is documented and updated by the provider. In most cases there are not more than one to five users that have the privileges to access the retained data and fulfil the received requests for retained data. Password policies that were audited usually reflect the standard requirements in terms of length, strength, expiry and so on. Records Audit trails are provided by the dedicated data retention solutions themselves. All of the access to the system are recorded, including the actions of administrators, in non-changeable and reliable manner and stored in the system. As explained above, the situation was different with one provider who did not opt out for a dedicated data retention solution. Cryptography Dedicated data retention solutions store data in encrypted manner. 10

11 Fixed and mobile security at the workstation In general the providers employ standard workstation security features, such as MS WSUS servers, Active Directory control and so on. Workstation maintenance and provisioning is usually covered in the ISMS documentation. Conveyance, transmission protocols Each provider conveys information on traffic data to the competent authorities differently according to their requests. Some use dedicated encrypted accounts to receive requests (usually for law enforcement). National Intelligence Agency requests usually arrive by courier and are also executed in this manner. Documents are classified in accordance with ECA, however some providers report about some inconsistencies in applying the confidentiality level by competent authorities. Data are usually still not conveyed in a fully electronically manner but rather on paper or portable electronic media. Several providers have expressed their support for implementation of the ETSI standard for secure electronic delivery of data. Physical protection Providers employ different measures for physical protection, data retention solutions are usually physically separated from other information systems and equipment. Magnetic card access control, fire alarms, technical security personnel and video surveillance systems are the most commonly used features. Physical security is usually managed as a part of ISMS. Backup and Disaster Recovery Systems There are some providers that do not have Disaster Recovery systems in operation, whereas others have such solutions on distant locations. Dedicated data retention solution offer the possibility of disaster recovery on separated locations but not all the providers have decided for such options. In these cases they rely to mirror copies/servers within the same location. 11

12 III. CONCLUSIONS General impression after the performed investigation is that the The Executive Act on Secrecy, Confidentiality, Security of Electronic Communications and Retained Data has brought huge benefits in terms of confidentiality and security of retained data, as well as in terms of overall security procedures within providers, since it demands the establishment of an Information Security Management System. In general, larger operators have ensured compliance with the ECA and the Executive Act, the situation might however be different with small-scale providers that do not have the necessary legal, human nor financial resources, but on the other hand only cover minor portions of the electronic communications market. Dedicated data retention solutions adequately address various information security aspects, which is also reflected in this report. In general providers will not be sanctioned by the information Commissioner except in one case, where severe security flaws were identified. It has to be noted that ECA has been amended and the most important changes that were introduced are the reductions of retention periods form previously 24 months for both types of data to 14 months for telephony data and 8 months for internet related data. The amendment of the ECA was adopted by the Parliament on 29 th December 2009 and the provisions entered into force on 28 th January The amendments do not have any transitional provisions therefore the shortened period applies also to older data. IV. ANNEX (facultative) The Executive Act on Secrecy, Confidentiality, Security of Electronic Communications and Retained Data (in Slovenian): 12