Governments all over the world are hugely interested in tracking what citizens do online. This kind of digital surveillance allows the authorities to gain unprecedented levels of information about their citizens – even if those people have done nothing wrong.
The most efficient way to access this kind of habitual information, including details about which websites people visit and who they choose to communicate with, is to force Internet Service Providers (ISPs) and telecommunications companies to harvest that data and store it on their behalf.
In many countries, this kind of data retention is enforced using legislation that forces all ISPs to collect and store these activity records for a certain period – usually between 6 months and two years. These are known as mandatory data retention directives.
Why is mandatory data retention problematic?
For citizens going about their daily lives without ever engaging in illegal activities, this kind of mass surveillance creates a serious invasion of privacy.
It leads to mass surveillance that infringes on people's ability to communicate freely and without being tracked. And, in the long term, it can lead to highly concerning changes in social behaviors that directly impact people's human rights and freedom of speech.
Ultimately, this kind of mass data surveillance provides the opportunity for governments to single out individuals with opposing political beliefs and ideologies. It is the kind of tactic used by oppressive regimes to single out and silence citizens who dare to oppose them.
It is because of the overreaching power that constant surveillance gives governments, and the way it can be exploited to entrench and prop up undesirable political systems, that it is problematic.
Before the rise of the internet, the privacy one could achieve in their home by closing their doors and pulling their curtains was enough to prevent a constant invasion of privacy. Now, cyberspace provides an all-encompassing window into people's lives, who they are, who they know, and what they know or believe.
By allowing governments to constantly access this sensitive personal information about citizens, civil society is allowing important privacy rights that were fought for by our ancestors since the times of the Magna Carta to be rapidly eroded away.
Once those rights have been stripped away from us, there is a very real danger that we may never get them back.
I have nothing to hide
While many people use this argument to legitimize mass surveillance at the hands of government agencies, it is vital to understand why this is a backward way of thinking.
After all, it is because you have nothing to hide – and have done nothing wrong – that the government should not be monitoring you in the first place!
This is the very essence of privacy, and it is why we exist in a society where the police must have genuine suspicion (and reasonable evidence for a warrant) before they can enter your home to perform a search.
Ultimately, the opportunity to exist in the private sanctuary of your home without being constantly intruded upon by the authorities is central to the tenets of liberty and freedom.
Without these rights, we couldn't prevent the authorities from demanding that they come into our homes. This would open the door for severe human rights abuses, and the ability for the authorities to act with impunity.
A web of data – the new paradigm
Unfortunately, in a world where citizens constantly use mobile devices and computers to communicate online, the authorities no longer need to physically enter your home to see what you are doing.
The internet provides an all-encompassing window into who you are and what you are doing. As a result, the government can know you far more intimately by monitoring your online habits than it ever could using a traditional house search.
In other words, by accepting data retention and mass surveillance, we are allowing big brother to watch over us constantly. In the end, this is no different from allowing government snoops to live right alongside us in our homes.
What your data says about you
The important thing to remember is that the things you do online can be leveraged to deduce frighteningly precise things about you.
Data and privacy experts often warn consumers that seemingly trivial and disparate data sets can be used to figure out alarmingly precise secondary inferences about them.
Due to emerging technologies such as Machine Learning Algorithms, big data can be pieced together to produce incredibly invasive results that almost completely destroy your privacy. This makes data retention hugely problematic because it can lead to decision making that causes prejudice and discrimination.
What's more, by constantly monitoring who people communicate with, the government creates an environment that is naturally conducive to exclusion, and where people lose freedom of association for fear that invoking those rights may lead to judgments against them.
As a result, this kind of oppressive surveillance always leads to heightened levels of self-censorship and division in countries where it is present.
What kind of information does data retention involve?
Data retention generally involves any persistent data archiving undergone by a data processor for the purposes of meeting legal or business requirements.
This data retention is usually governed by a data retention policy that permits the retention of consumer data while also ensuring adherence to any laws and regulations that concern them.
Where government-mandated data retention by ISPs and telecommunications companies is concerned, this pertains to data that must be stored so that it can be made available to government agencies when requested.
This includes invasive metadata that allows the government to analyze exactly who you communicate with and when, as well as the details of the websites you choose to visit:
- Call detail records (telephone calls made and received)
- Email records (sent and received)
- Location data
- Web visits and history
Which countries have mandatory data retention directives?
- Australia. Two-year data retention period for browsing histories and telecommunications metadata accessible by the government without a warrant.
- United Kingdom. 12-month data retention period for internet and telecommunications records that can be accessed without a warrant by a large number of government bodies including the police, local councils, the NHS, and the tax office.
- Bulgaria. Six-month data retention period for telcos and ISPs that can be extended to 12 months if the provider is asked to.
- Cyprus. Six-month data retention period accessible only with a warrant.
- Czech Republic. Mandatory data retention of telecommunication metadata and bowsing histories for between 6 and 12 months.
- Ireland. Two years for telecommunication and one year for internet data
- Italy. ISPs must retain internet histories and metadata for 12 months. Internet cafes and Wi-Fi hotspots must also harvest and retain data about their customers.
- Denmark. ISPs must retain records and logs of all sessions and metadata for 12 months.
- France. 12-month data retention period for web histories and communications metadata (accessible only with a warrant).
- Spain. One year mandatory data retention period for telecoms and ISPs. Accessible only with a warrant.
- Sweden. ISPs must retain browsing histories and metadata for 6 months
- Germany. ISPs must retain browsing histories and metadata for 10 weeks
- Hungary. 12-month data retention period for all communications metadata
- Malta. One year for telecommunication and six months for internet-based data.
- Poland. Mandatory data retention for 12 months (metadata and web browsing histories as well as the use of electronic services)
- Slovakia. Web histories and internet communication metadata is stored for 6 months, all other telecommunications metadata is retained for 12 months.
- Russia. Yarovaya law forces all ISPs and telecoms providers to store all phone call, text, and email metadata, as well as voice recordings for up to 6 months.
- Norway. EU's data retention directive enforced since 2014. Requires all telecom providers and ISPs to retain all communications metadata for a minimum of 6 months.
- Serbia. 12-month data retention period for all electronic communications metadata
- Switzerland. Mobile phone communications and email metadata must be stored for 6 months by any communications providers that make more than 100 million CHF in annual Swiss-sourced revenue. ProtonMail is exempt.
- USA. No mandatory data retention directives. However, the NSA is known to engage in mass data retention of all communications and can enforce warrants and gag orders on any company to access all data held on file. In addition, ISPs are permitted to retain all web history and metadata indefinitely in order to create a revenue stream from that information, those companies are known to comply with NSA data requests regularly.
Corporate data retention
In addition to the mandatory data retention forced on ISPs and telecommunications companies by governments, it is also worth noting that businesses and organizations do engage in data retention practices.
This type of consumer surveillance is a form of data retention that is hugely problematic, and is the reason why more and more countries are introducing data privacy regulations like the EU's GDPR.
This kind of legislation ensures that companies must have consent before harvesting and processing personal information about their users. It also requires those companies to have a legal basis for acquiring consumer data.
Data privacy regulations also provide each data subject with rights (such as the right to find out what data is being held on file about them, and the right to erasure).
When companies engage in data retention about their users, it is often referred to as Surveillance Capitalism.
Data captured for the purposes of surveillance capitalism is immensely valuable because companies can use it to deduce things about their users, and to create secondary revenue streams.
According to data experts, personal data is so useful and valuable that it should be considered a type of currency. This is actually why so many online platforms and services are available without payment. Those platforms use your data to make a profit, and for this reason, you are paying for the service with your data rather than with money.
The problem with this kind of structure is that without any limitations on how consumer data can be used, it is possible that companies may not just retain the data - but also sell it on to third parties. As a result, surveillance capitalism can be like a runaway train in which your data keeps being passed around, retained, and exploited by a growing number of businesses and organizations.
It is, for this reason, that data privacy regulations like the EU's GDPR, and California's CCPA are so important. They create legal limits on how personal data can be exploited and ensure that any data harvested and retained by companies cannot be used in an unlimited capacity.