- The storage and disclosure of traffic and connection data by providers is based on clear legal foundations (FADP, TCA, BÜPF) and is subject to judicial authorization.
- Technical and organizational security obligations are intended to prevent unauthorized access; data is forwarded to the authorities only on approved requests and is limited to marginal data.
Question Hess (03.1069): E‑mail monitoring
Done
Submitted text
As a result of the Ordinance on the Surveillance of Postal and Telecommunications Traffic of 31 October 2001, all telecommunications service providers, including Internet service providers, will be forced to store all connection data for at least six months as of 1 January 2003.
In this context, the following questions suggest themselves:
1. On what legal basis may private-law organizations (Internet providers, etc.) retain digital data of their customers at all?
2. Doesn't the storage of all e‑mail and Internet data provide an optimal platform for modern industrial espionage, in that stored databases and data volumes of this magnitude virtually encourage the pre-selection of targets or the evaluation of economic relationship networks?
3. How will it be ensured that only authorized persons have access to this digital data?
4. Is the Federal Council aware that the majority of private and commercial Internet users cannot create their own encryption programs, but rely on purchasable programs that lack security against professional espionage?
5. Does the government know that in the case of encryption in US programs the relevant codes are known to the US authorities, or does the Federal Council consider encryption to be an absolute means of protecting data?
6. These measures are directed in particular against organized crime and terrorist activities, in other words against professionals. But how does the Federal Council intend to prevent blameless persons from being unnecessarily involved in investigations during police evaluations, especially when real addresses of blameless citizens are used as cover addresses?
7. How high are the costs of this measure? Won't the providers simply present the bill for this monitoring to the user in the end?
8. Does the basic attitude behind this surveillance measure not show that anyone could be a criminal and must therefore be monitored permanently as a precaution?
Response of the Federal Council
The obligation of providers to make certain data available to law enforcement authorities upon request arises, on the one hand, from the Federal Act on Data Protection (FADP; SR 235.1; Art. 13 para. 1 let. a) and, on the other hand, from the Federal Act on the Surveillance of Postal and Telecommunications Traffic of 6 October 2000 (BÜPF; SR 780.1; Art. 15 para. 3). In contrast, the associated Ordinance on the Surveillance of Postal and Telecommunications Traffic of 31 October 2001 (VÜPF; SR 780.11) only contains the corresponding implementing provisions. The obligation to keep certain data available applies to all providers, i.e. both telecommunications service providers (TSP) and Internet service providers (ISP).
Basically, a distinction must be made between the data that the providers store and the data that the providers transmit to the Service for Special Tasks (DBA) and that is temporarily stored there. Depending on the area (TSP and ISP or DBA) under consideration, the scope, content, intended use and duration of data storage as well as the legal basis differ.
1. The authorization to store data is derived from the Data Protection Act (Art. 4 FADP; SR 235.1), the Telecommunications Act (Art. 43 TCA; SR 784.10) and the BÜPF. Art. 4 of the Data Protection Act states that personal data may only be obtained lawfully. The lawfulness of the storage of telecommunications traffic data results from Article 43 TCA. This states that all data that is (necessarily) exchanged during telecommunications communication is subject to telecommunications secrecy. The exception to this telecommunications secrecy is enshrined in law in the BÜPF.
2. Any storage of data also creates the possibility of unauthorized access to such data. It is the responsibility of the person who sets up and operates a database to prevent unauthorized access.
Telecommunications communication is not possible without setting up and operating databases. Insofar as databases are (or have to be) set up, the providers are subject to telecommunications secrecy and are thus obliged to protect their data against unauthorized access. The DBA has set up a comprehensive technical and organizational security concept for the data it receives from the providers in individual cases, which prevents unauthorized access to the data.
It should be noted that the data under discussion here (especially the so-called marginal data from communications traffic, i.e. who communicated when with whom and for how long) has only limited value for industrial espionage.
3. As already mentioned, it is the responsibility of the providers to prevent unauthorized access to their databases. An operational and organizational security concept exists for the data that the DBA receives. For obvious reasons, it is not possible to go into details. The cornerstones of the concept are, on the one hand, the technical shielding of the system (e.g. firewall) and, on the other hand, organizational measures (e.g. user administration).
4. The Federal Council is aware that Internet users do not generally create and use their own encryption programs, but purchase them. However, it is the responsibility of Internet users or participants in e‑mail traffic either to protect highly sensitive data with their own keys or to use other communication channels for the transmission of such data.
5. There is no absolute protection through encryption; any encryption can be decrypted. The decisive factor for the quality of the security of a particular encryption program is the amount of computer time that has to be spent on decrypting it. However, research has shown that the cause of inadequate encryption is often not its quality, but the user's incorrect use of the technology. Moreover, very often data is only sensitive for a certain period of time, i.e. after a certain point in time it is deliberately made public by the data owner or it has lost its significance. As a rule, therefore, absolute protection against decryption is not necessary; relative protection is sufficient.
6. Interception of telecommunications always relates to a specific person who is already under urgent suspicion or to a specific connection that can be assigned to a suspect. The telecommunications data of a blameless citizen are only recorded within the scope of interception of telecommunications traffic if he or she communicates with a suspect or uses the suspect's connection.
However, the instrument of telecommunications surveillance is only one tool that law enforcement authorities can use in the course of their investigations. During an investigation, it quickly becomes apparent whose telecommunications traffic data was collected only by chance – because the person is a blameless citizen in contact with a suspect – and is not relevant to the criminal proceedings. The processing of such data is precisely regulated in the BÜPF. The same applies to cover addresses, whose function is sooner or later recognized in the course of criminal prosecution. In the case of these addresses, it is incidentally also in the interest of the person whose address is misused that this misuse is uncovered in the course of criminal proceedings.
7. The costs of the measures consist of the investment and operating costs of the DBA and the providers. In accordance with the statutory provisions, the DBA – like any other administrative unit – applies a fee tariff which must ensure that the DBA's operations cover their costs. The providers have to bear the investment costs themselves and are to be adequately compensated for their service in each individual case.
With regard to the investment costs at the DBA, no distinction can be made between the investment costs for e‑mail monitoring and the investment costs for the other measures for monitoring telecommunications traffic. The same hardware and software is used for all measures. Currently, the DBA is being reorganized technically and operationally. The investment costs for the new technology amount to approximately CHF 7 to 10 million, spread over 5 years.
Based on the fee tariff, the DBA charges between 20 and 200 francs to cover the operating costs, depending on the measure taken in the area of e‑mail monitoring (cf. Fee and Compensation Tariff, Annex to the VÜPF).
The providers’ investment costs depend on the size or customer base of the company and are estimated to be around 80,000 to 100,000 francs per provider. Compensation for the individual service is also based on the above-mentioned tariff and ranges from 20 to 750 francs.
Whether a provider passes on or can pass on costs that are not already covered by the aforementioned compensation is likely to depend primarily on the market situation.
8. The obligation to store marginal data on e‑mail traffic arises from Article 15 (3) BÜPF and is an analogous regulation, as it also applies to providers of other telecommunications services (e.g. telephony). Data from communications traffic is only forwarded by providers to the DBA if there is a request from a law enforcement agency that has been approved by a judge. These requests relate to specific participants in telecommunications traffic or to specific connections and specific data from telecommunications traffic that are precisely defined by the legislator.
If this data – most of which is required for billing purposes – were only stored by the providers once a specific request has been made, the instrument of telecommunications surveillance would be worthless for the law enforcement authorities in many cases. The concern for data protection is taken into account by ensuring that data is only forwarded to the law enforcement authorities if the aforementioned authorization procedure has been carried out and the forwarding is also limited to six months retrospectively. In addition, the retroactive transfer only applies to the so-called marginal data (time, duration and participants in the communication), but not to e‑mail content.