How data retention enforces surveillance and invasive laws
Data retention represents a strategy that companies adopt for dealing with clients’ data. While businesses might tweak such policies to address individual needs, federal or state laws impose particular requirements, too. Thus, companies cannot freely compose guidelines for storing and managing data. One possibility is that certain governments will impose mandatory data collection and retention. Therefore, dozens of telecom and Internet Service Providers comply with bills passed to surveil citizens and their online actions.
What is data retention?
Data retention lives up to its name. It is the practice of managing and storing data for a designated period of time. Mainly all entities online operate with data retention policies in place. For instance, web-hosting services, social networks, blogging platforms, and online stores should have valid guidelines documenting this practice.
Here are the statements on data retention from well-known providers:
- Facebook. It stores information for as long as it is necessary to provide users with services or until account deletion. However, the retention might vary depending on the nature of the data and its purpose. The company offers an example of queries made within Facebook’s search. Such information gets deleted after 6 months.
- Google. With the abundance of data collected by Google, it might be challenging to keep track. It stores specific details for a predetermined period, like the browser width and height for up to 9 months. The company also anonymizes certain information with time. For instance, it does it to advertising data in server logs by eliminating IP addresses after 9 months. Details on cookies get removed after 18 months.
- WhatsApp. The service also claims to retain information for as long as it is necessary to provide services. Additionally, the retention might occur to comply with legal obligations or platform policies.
What does a data retention policy cover?
Data retention is an elaborate and strategic plan. This validated document within an organization describes how it retains data and why. Thus, its purpose is to identify which information is relevant for future reference and which is not. In the latter case, a proper and secure deletion process is also necessary.
Disposal of data should follow a specific route. For instance, some services might choose to encrypt information and delete the decryption keys. Others might opt for a more straightforward deletion process.
The policies must adhere to the laws applicable and might represent particular standards in the industry. Some decisions that a data retention policy explains are as follows:
- The predetermined period of time for keeping certain records.
- Their accessibility and form. The retention policy should discuss who will have access to data.
- Reasons for retaining certain records longer than others.
- The procedure for removing data (both in online and offline storage).
When governments enforce data retention
Governments can and do mandate obligatory data retention laws. It is one of the causes actively confronted by the Electronic Frontier Foundation.
For instance, law enforcement agencies advocate for intrusive laws. These entities might compel telecommunication companies and Internet Service Providers to store certain records. The latter information might reveal logs on clients’ online activities and other digital patterns. Such data-storing practices are detrimental to users’ privacy, freedom of expression, and anonymity.
Additionally, the data harvested by ISPs or telecom providers is usually accessible by the government or law enforcement. There might be procedures governing the data extraction. However, the chances are that specific regimes give investigators a smoother path to obtaining necessary records.
There might be two opinions on such data collection and retention:
- More invasive laws help capture criminals or prevent harmful acts from taking place. Investigators might stop perpetrators in their tracks with the help of ISPs and their logs.
- Data retention and retrieval pose a severe risk to activists, independent journalists, and human rights advocates. Regimes can control and surveil their citizens, silencing opposing voices and movements.
Thus, mandatory data retention might seem like a necessary evil to suppress criminal behavior. Sadly, if logs assist in tracking individuals fighting for human rights or free expression, it becomes an oppressive practice.
Data retention laws worldwide
Governments might govern data retention as they see fit and as long as it does not violate other applicable laws. Thus, review some of the provisions in different regions.
In 2015, Australia enacted a controversial data retention law. According to it, ISPs and telecom companies must retain users’ metadata for 2 years. The latter refers to timestamps of conversations, receivers, and senders. However, the law did not allow the retention of the actual content of emails or text messages.
Many entities belittle the significance of metadata. Thus, they claim that its collection and retention are harmless. After all, it does not give away details on the content exchanged. However, timestamps and the parties participating in email correspondence can be details users wish to keep private. In other cases, governments might interpret metadata differently due to the greyness in its definition.
In 2019, The Guardian reported that Australian federal police admitted to accessing journalists’ metadata 58 times. This surveillance happened in the timeframe of 2017-18. Typically, certain agencies do not need warrants to access users’ metadata. However, agencies must supply a warrant approved by an issuing government authority when it comes to journalists.
The warrant provision came only after public distress led to certain amendments to the bill. Sadly, many privacy advocates claim that law enforcement agencies will rarely struggle to obtain necessary warrants. Thus, the amendments might not be the adequate safeguard truly meant to protect journalists.
Nonetheless, the Australian government claimed the bill aids security services fighting domestic terrorism and other illegal activities. And while it might spark new leads for investigators, mandatory data retention remains questionable to this day.
The GDPR (General Data Protection Regulation) includes strict provisions on data collection and consent. However, data retention is a subject receiving little attention and clear-cut limitations. The general requirement is that data should identify certain users only until it is necessary to provide the intended goal.
For the most part, companies operating or serving clients in the EU follow these guidelines:
- Companies set data retention periods following their individual preferences and needs.
- The primary condition is that entities must justify the reason behind specific retention deadlines and practices. Thus, a data retention policy might differ depending on the provided services. In other cases, it might address legal obligations for preserving records.
- Retaining data on a “just in case” basis is not a valid reason.
- No data should identify users after it is no longer necessary.
- Entities need to anonymize or erase records that are no longer in use.
In 2020, the European Court did rule against bulk data retention by European law enforcement agencies. These institutions had collected and retained metadata from telecommunication providers for years. Now, bulk data retention is not something these agencies can implement per the law. After all, a broad collection of metadata can reveal rather sensitive details even without the actual contents.
Russia has taken mandatory data retention a step further. Instead of focusing on metadata, the Big Brother law obliges telecom providers to preserve more extensive records. It means that companies retain the contents of communications in addition to timestamps, recipients, and senders for 6 months. Dozens of experts and privacy activists deem Big Brother as an unjustifiable violation of users’ rights.
Officially, the law is an attempt to combat terrorism and other illegal activities. However, specialists fear that it is just a way for the government to keep tabs on citizens.
Besides being invasive, the law is also costly. Storing the metadata of each client is already expensive. A mobile operator Megafon had provided calculations on how much the operation might cost in Russia: between $557m and $636m over the next five years. Thus, it is not only a violation of human rights but a misuse of resources.
Data retention necessity and downsides
We cannot escape data retention. Even the most respectable companies and institutions will retain certain records. For instance, app providers like us do need your billing information to supply our services. However, keeping specific data for longer than necessary is not a healthy digital practice.
Additionally, mandatory data retention frequently gives oppressive regimes a way to surveil their citizens. Governments might monitor human rights activists, journalists, and certain political figures by justifying their actions with crime prevention. As a result, it damages users’ privacy and free expression online.
Atlas VPN aims to help anyone alarmed by the invasive laws. You can choose to encrypt your internet traffic, giving fewer insights about your activities to ISPs. Additionally, Atlas VPN will mask your IP address, making it harder for entities to pinpoint your location. After all, a certain level of privacy is a must for anyone, be it concerned netizens, whistle-blowers, or journalists.
Former chef and the head of Atlas VPN blog team. He's an experienced cybersecurity expert with a background of technical content writing.