SERIES A : GUIDANCE DOCUMENTS. Document Nr 3

Transcription

1 DATRET/EXPGRP (2009) 3 - FINAL EXPERTS GROUP "THE PLATFORM FOR ELECTRONIC DATA RETENTION FOR THE INVESTIGATION, DETECTION AND PROSECUTION OF SERIOUS CRIME" ESTABLISHED BY COMMISSION DECISION 2008/324/EC SERIES A : GUIDANCE DOCUMENTS Document Nr 3 Closer understanding of the term Transit Providers in relation to its application in Directive 2006/24/EC version 3 December final Scope This paper examines which provider needs to retain Internet data according to Directive 2006/24/EC, and especially which the obligations are of transit providers to retain such data on the basis of the rules that apply to providers of electronic communications services. N.B. Not in the scope of this paper are providers which carry out measures that disguise the origin of the transported data (e.g. so- called anonymizers) whose liability will be the object of further examination. Date and Status This document was unanimously endorsed by the meeting of the Expert Group of 3 December A disclaimer applies (see at the end of the document) Aspects of Directive 2006/24/EC covered in this paper Article 1 - Scope: the application of the Directive to communications data only, and not to content; Recital 13 and 23: these recitals state that providers are only expected to retain data relating to their own services; Recital 13: the statement that it is intended that data is only retained once, rather than requiring copies to be retained by each provider. Page 1 of 12

2 Key Observations Discussions in some Member States concerning the application of the Data Retention Directive have sought to clarify which electronic communications service providers must comply with the obligation to retain data. This paper seeks to explain why certain service providers should not be obliged to retain data, on the basis that (i) it is technically impossible or disproportionately difficult to do so, and/or (ii) other providers are already obliged to retain the relevant data, or are the appropriate providers to do so in accordance with the Directive. In this context, this document also seeks to provide a practical interpretation of the term retention of data "generated or processed in connection with publicly available services or networks. Recommendations In respect of data relating to Internet access, the provider which must retain data is the Internet access provider; In respect of data, the provider which must retain data is the provider of the service (where this is a provider of publicly available electronic communications networks or services); Entities that simply carry Internet data across networks but that do neither provide access to the Internet, nor to , nor to VoIP services (i.e. transit providers ), are not required to retain data under the Directive because they do not have the necessary data to correlate logs to a specific user. Page 2 of 12

3 Appendix A: Interpretation of the Data Retention Directive: which type of provider must retain Internet data? Executive Summary The Data Retention Directive requires providers of publicly available electronic communications services and networks to retain certain data that are generated or processed by them. Since many providers are connected and involved in providing Internet access and use, the question arises as to which provider is required to retain what type of data. The Directive provides three main aids to interpreting which provider feels the burden of its requirements: the scoping provision in Article 1, that says that it only applies to communications data, and not to content; Recital 13 and 23 state that providers are only expected to retain data relating to their own services; and a statement in Recital 13 that it is intended that data is only retained once, rather than requiring copies to be retained by each provider. Applying these interpretive aids it can be seen that in respect of data relating to Internet access, the provider that must retain data is the Internet access provider; in respect of data, the provider that needs to retain data is the provider of the service (where this is a provider of publicly available electronic communications networks or services); Entities that simply carry Internet data across networks but that do neither provide access to the Internet, nor to , nor to VoIP services (i.e. transit providers ), are not required to retain data under the Directive because they do not have the necessary data to correlate logs to a specific user. The non-application of the Directive to transit providers is consistent with Articles 12 and 15 of the Electronic Commerce Directive (2000/31/EC), which prohibits that Member States impose requirements on them that are similar to those incumbent on service and network providers. Page 3 of 12

4 Typology of Network and Service Providers For reasons of convenience and ease of reference, this paper uses the following typology to describe the network and service providers it considers. EXPRESSION DEFINITION Internet Service Providers (ISP) Access providers Gateways A service provider that uses Internet Protocol to route data That subset of ISP that controls access to the Internet, by authenticating the user against their customer list That subset of ISP that provides a point of interconnection between the publicly routable Internet and a network with an alternative protocol or addressing scheme. This includes both gateways between the Internet and private, non-routable IP address space (e.g.10.x.x.x) and gateways to non- Internet Protocol networks (e.g. PSTN, X25) relay An operator of an server that receives at an address and retransmits it to a separate e- mail address or addresses. Transit provider That subset of ISP that simply carries data transmitted to it by another party, without alteration of the data or selection of the ultimate recipient, and is (with respect to a particular communications, neither an Access Provider nor a Gateway, nor an relay. Vi t l id Th t b t f id th t li thi d NB: as a point of clarification, it should be noted that while it is stated above that access providers and transit providers are subsets of the ISP, in many cases the ISP, access provider and transit provider are different organisations/companies. Also should be noted, that those providers which - without operating a gateway - carry out measures that disguise the origin of the transported data (e.g. so called anonymizers) do not fall under the scope of this typology. Note: this typology refers to the role that an organisation plays with regard to a particular communication or class of communications. For example, a particular organisation might be an Access Provider and also an Relay for certain communications, while at the same time being only an Access Provider for others. Page 4 of 12

5 Scope of the Directive The Directive covers Public Electronic Communications Networks and Public Electronic Communications Services; these are terms defined by the EU regulatory framework for electronic communications, and are defined in the Framework Directive 1. Entities that do not come under the definition of those terms are therefore also outside of the scope of the Data Retention Directive. This paper builds on those definitions and their inherent limitations. Introduction Data Retention Directive (2006/24/EC) provides that: Member States shall adopt measures to ensure that the data specified in Article 5 of this Directive are retained in accordance with the provisions thereof, to the extent that those data are generated or processed by providers of publicly available electronic communications services or of a public communications network within their jurisdiction in the process of supplying the communications services concerned. The obligation to retain data falls on providers of publicly available electronic communications services or of a public communications network. As many providers are involved in the transmission of many communications over the Internet, the question arises as to which provider or providers are bound by this obligation. Article 1 of the Directive states: 1 This Directive aims to harmonise Member States' provisions concerning the obligations of the providers of publicly available electronic communications services or of public communications networks with respect to the retention of certain data which are generated or processed by them, in order to ensure that the data are available for the purpose of the investigation, detection and prosecution of serious crime, as defined by each Member State in its national law. 2. This Directive shall apply to traffic and location data on both legal entities and natural persons and to the related data necessary to identify the subscriber or registered user. It shall not apply to the content of electronic communications, including information consulted using an electronic communications network. 1 Directive 2002/21/EC of the European Parliament and of the Council of 7 March 2002 on a common regulatory framework for electronic communications networks and services (Framework Directive). Page 5 of 12

6 Recital 13 of the Directive states: This Directive relates only to data generated or processed as a consequence of a communication or a communication service and does not relate to data that are the content of the information communicated. Data should be retained in such a way as to avoid their being retained more than once [ ] In particular, as regards the retention of data relating to Internet and Internet telephony, the obligation to retain data may apply only in respect of data from the providers or the network providers own services. Recital 23 of the Directive states: Given that the obligations on providers of electronic communications services should be proportionate, this Directive requires that they retain only such data as are generated or processed in the process of supplying their communications services. To the extent that such data are not generated or processed by those providers, there is no obligation to retain them [...]. From this it can be understood that the obligation does not necessarily fall on every network or service provider that might be involved in some way in a communication. Occasions when a provider will not be required to retain data relating to a communication include: When the data is the content of the communication, rather than communications data such as traffic and location data; or When the data relates to a communication that is not part of that provider s service. This paper offers examples of cases where this will apply, by reference to common Internet usage. Internet access A commercial provider of Internet access will invariably restrict access to their service to their own customers, and those who obtain access through their customers. In practice, this means that the access provider will demand a user name and password - or equivalent credentials - at the point of access. These credentials link the user to the customer account. In order to make use of Internet access a user needs to be assigned an Internet Protocol address ( IP address ). All communications on the Internet are sent using the IP address as the destination, and so use of an IP address is integral to Internet access. By recording which users were assigned which IP address at any given moment, the access provider performs a critical function in ensuring the traceability of Internet communications. Page 6 of 12

7 Figure 1 - Illustration of a common case of Internet access Page 7 of 12

8 A consumer on a laptop (labelled 1) connects over a wireless link to a combined wireless access point and router (labelled 3). The customer router connects to an Internet Access Provider s entry point over a communications link (labelled 4), which might be DSL line or a cable network. The Access Provider s entry point (labelled 5) verifies the customer identity with the Access Provider s database of customer records (labelled 6), before assigning the customer router an IP address. This is commonly done by asking the customer router for a password, which is checked against the customer database. Once an IP address has been assigned the entry point (labelled 5) will route Internet traffic from the customer (labelled: 3), to a second ISP (labelled 7) over the Internet (labelled: 8), so that it may ultimately reach another its destination (labelled 10). This destination could be (e.g.) a web server or another individual. The first Access Provider, which knows the identity of its customers, can record the IP address at the point of assignment. The second ISP, in cases where it is also an Access Provider, can for its part do the same with respect to its customer. Since each communication must necessarily have a destination IP address, law enforcement can trace the recipient of communications, by asking the ISP which IP address was assigned to which customer at the time the communication was made. The Access Providers are obliged to retain this data, which is identified in Article 5 of the Directive. Note that each Access Provider only knows the identity of its own customer. This may sometimes directly implicate a user who is directly connected (e.g. the user at labelled: 10). However if the customer runs a network, the Access Provider will not be able to distinguish between individual users (labelled 1 and 2): in a domestic situation, this is usually sufficient. Virtual Access Providers There is a variant of the above case known as the Virtual Access provider. This is similar to the above, except that while the Virtual Access provider holds the customer relationship and authenticates the customer to authorise the commencement of a network session, it relies on a third party to provide the network session to the customer. In this case two entities combine to fulfil the role of Access provider. Where the Access provider role is split in such a fashion, the availability of data may be split between them. An example of a common architecture would be as follows: The Virtual Access provider does not assign the customer with an IP address itself, and so does not have the record of assignments available to it; The network access service provider may not have access to the customer account records. Page 8 of 12

9 In such a case, when the Virtual Access provider may not assign the customer with an IP address itself, it will instead identifies the customer to the network access service provider that will provide the network session, for example by providing the customer with a User ID (session token). Reseller ISPs In contrast to the situation described as a Virtual Access provider, stands the case where an entity, which may be termed a Reseller, acts solely as a reseller of an Access providers services; having sold the customer the service, it transfers all the relevant data to the Access provider, which is responsible for fulfilling the sale. Such a reseller is not considered an Access Provider for the purposes of this analysis. Transit providers The commercial service provided by an Access Provider is to route traffic between its customers and other Internet users across the Internet. In doing so, they may make use of intermediary networks known as Transit Providers. A Transit Provider is (normally) a public electronic communications network. Its only function with regard to the communication is to route it onwards towards the final destination, which is identified by the IP address attached to each packet. If the Transit Provider does more than this (such as routing the communication over a non-internet network such as the PSTN) then, for these purposes, they are no longer considered a Transit Providers. Transit providers, which in figure 1 are contained within the cloud labelled 8, have no access to the customer databases (labelled 6 and 11) and cannot therefore retain that data. Recital 13 of Directive 2006/24/EC acknowledges that there is no obligation in this case, saying: Data generated or processed when supplying the communications services concerned refers to data which are accessible. Gateways An ISP that connects the public Internet to another network that is not publicly routable is said to be operating a Gateway to that network. Some examples of gateways include: X25 gateways. X25 is an alternative network protocol to Internet Protocol. Although largely superseded by the Internet Protocol in most markets, it is still in use in some public sector and large corporate networks. A PSTN gateway. A voice call between a publicly routable Internet address and the public telephone system must pass through a gateway that provides interconnection between these diverse networks. That gateway Page 9 of 12

10 will provide translation between the IP addresses used on the Internet and the E.164 addresses used on the PSTN. Network Address Translation (NAT). An Internet Access Provider may assign its users non-routable private IP address space, as described in RFC1918. In such cases, in order to provide connectivity between its local network and the public Internet it must operate a NAT gateway which is connect to Internet transit using a public address. As traffic passes from its local network to the Internet through the gateway, the source address in each packet is translated on the fly from the private addresses to the public address(es). The gateway tracks basic data about each active connection (particularly the destination address and port). When a reply returns to the gateway, it uses the connection tracking data it stored during the outbound phase to determine where on the internal network to forward the reply. An ISP that operates a Gateway is not merely a Transit Provider. Note however that this definition of a Gateway only refers to a point where publicly routable Internet networks are connected to other types of networks: this distinguishes the Gateway from a Transit Provider or an Internet Exchange Point, which connect two or more publicly routable Internet networks. Who needs to retain data? The above shows that the service provider that must retain records of the provision of access to the network is the organisation that provides the customer with access. This is in accord with the assertion in Recital 13 that states that the obligation to retain data may apply only in respect of data from the providers or the network providers own services The service of the Access Provider is providing access to the Internet, and customer sign-on details and account records are data that are "generated and processed" in the context of that service. Whether the Access Provider is a unified entity or not, or consists of a network provider and a virtual access provider, does not alter the fact that the obligations of the Directive to retain data are exclusively on the Access Provider. In each case, from the perspective of the transit provider, that provides a separate and independent service, all relevant data is data [ ] in respect of the provider's own services. When data relating to Article 5 of the Directive is physically unavailable to the transit provider, he is not required to retain that data under the terms of the Directive. Transit providers and Article 1 of the Directive states: This Directive shall apply to traffic and location data on both legal entities and natural persons and to the related data necessary to identify the Page 10 of 12

11 subscriber or registered user. It shall not apply to the content of electronic communications, including information consulted using an electronic communications network. In transmitting across the Internet, may pass across the networks of one or more intermediary transit providers before it reaches the recipient mail server. A transit provider is (normally) a public electronic communications network. Its only function with regard to the communication is, by definition, to route it onwards towards the final destination, which is identified by the IP address attached to each packet. The IP address used as routing information therefore could fall within the scope of Article addresses (and for that matter VoIP identifiers and E-164 addresses) are solely an application-level function. From the perspective of a transit provider, data relating to or VoIP, beyond the bare destination IP-address constitutes content: it forms no part of the transit provider s service, would normally be unknown to the transit provider, and can indeed be made completely unavailable to the transit provider if the user chooses to employ encryption. Article 1 of the Directive states that the Directive does not apply to the content of communications passing over the network, which provides a further reason why a transit provider is outside the scope of the Directive. A similar legislative approach can be seen in Article 15 of the Electronic Commerce Directive, which protects such intermediary providers from having any general duty to monitor the traffic that passes over their networks imposed by Member States. Taken together, these Directives show a consistent view of the limited role of intermediary networks, which provides further support for this interpretation of Article 1. It can therefore be seen that under Article 1 transit providers are not required to retain data related to by sole virtue of being a transit provider. Activities beyond pure transit provision An ISP that operates end-point services, rather than merely carrying Internet traffic, goes beyond the status of a transit provider with regard to those services, for the purpose of this analysis. An important relevant example of this would be where the ISP operates a mail server that receives the , and retransmits it to a new address or addresses. Such an ISP will be considered an Relay with respect to such a communication. An relay is not considered a Transit Provider for the purposes of this analysis, and in the case of will incur additional obligations under the Directive. 2 It is outside the scope of this document to consider how the retention obligation is to be discharged by the Access Provider when that role is split between more than one entity. Page 11 of 12

12 Disclaimer The views and opinions expressed in this document are not necessarily shared by all Members of the Expert Group "the Platform for Electronic Data Retention for the investigation, detection and prosecution of serious crime" and do not constitute legal advice. For details about the origin and status of the guidance contained in this document refer to the accompanying document "Introduction to the Series". The opinions expressed in this document do not necessarily reflect the views of the European Commission which accepts no responsibility or liability whatsoever with regard to its contents. Page 12 of 12