Danish authorities look set to bring back mandatory internet session logging despite an EU ruling last year that blanket data retention is illegal.
Last May the European Court of Justice (ECJ) concluded that the EU Data Retention Directive was “a particularly serious interference with fundamental rights”, meaning countries across the EU were forced to re-evaluate their national laws on data retention.
In Denmark, however, the country's Justice Ministry took a different view and maintained the Danish data retention law.
It did, however, repeal the most draconian element, the so-called “session logging” obligation, after it was shown to be largely ineffective. The uniquely Danish rule, in force from 2007 to 2014, required telco providers to store information on users’ source and destination IP addresses, port numbers, session type (e.g. TCP or UDP) and timestamp.
Now the Danish Parliament looks set to reintroduce the obligation, despite an evaluation of its effectiveness showing only one case out of around 24 trillion registrations where it had actually helped police: a breach at an online bank. That it proved ineffective is probably not surprising since any cyber-criminal worth his salt knows how to use a VPN.
The Danish Parliament has said it will evaluate and possibly revise the Danish data retention law before the summer. According to Danish national newspaper Berlingske, leaked documents (in Danish) show that session logging is on its way back in.
“The changes proposed to session-logging [in the leaked documents] are minimal, and they are not going to address the inherent problems - mainly because they cannot be addressed in a meaningful way,” said Jesper Lund of internet freedom activists IT-Pol Association Denmark.
Danish justice minister Mette Frederiksen has said that because “criminals often use phones and the internet to organise crime”, police also need digital tools to track them. However, she added that no firm decision on the future of the data retention law has been made.
Under the old law, telcos were required to log every 500th packet, meaning smartphone users with push notifications could be very easily tracked. Pointing to the ECJ ruling of last year, IT-Pol says this is a real breach of civil liberties.