Aggregate data and Italian Data Protection Authority

An Italian Data Protection Authority decision issued on June, 25, 2009 set the deadline of Sept. 30, 2009 for telco operators and ISPs that must notify the Data Protection Authority the list of their mining activities executed on customers’ aggregate data (such as traffic volumes, paths and so on.) The aim of this decision is to spot illegal (at least, under Data Protection Authority opinion) data handling “masked” by activities performed to keep the infrastructure running

The Data Protection Authority, after having received the information, will decide what can be still done without informing the customer, what can be done AFTER having informed the customer and obtained his approval and what cannot be done at all. Furthermore, the Data Protection Authority will release a set of technical and management rules to ensure the concerned subjects’ compliance.

If these new set of rules will mimic those recently established for data-retention purposes and system administrators, telcos and ISPs will face again a mayhem of useless bureaucracy so hard to understand that the Data Protection Authority itself did release a FAQ to explain what these regulation actually meant (and we’re still waiting for the FAQ interpretation.)

Although the decision is limited to the Internet and telephony world, it is clear that in the near future it will affects too energy firms, banks, insurance companies and, in general, everybody who relies upon aggregate data to tweak its supply chain of services.

Once again, the Italian Data Protection Authority is proved to be one of the biggest blocking factor of Italian telco market, while not granting citizens some sort of protection.

Italy To Enforce A Global Censorship Legislation?

a contribution to European Digital Rights Intiative‘s bulletin, EDRI-Gram

The Italian Senate approved – and the Camera dei deputati (Italian “Low Chamber”) is ready to finally pass – draft law 733 named Pacchetto sicurezza – “Security Package”, a series of (supposely) coordinated provisions aimed at improving, whatever that means, police bodies and public prosecutors powers.
Of course, the law wouldn’t have been complete without “taking care” of the Internet, and legislators didn’t lose the chance. Under sect. 50 bis of this forthcoming law, if a public prosecutor has “serious circumstantial evidence” of a criminal online activity (to be specific: inciting crime) he can ask the Minister of Home Affairs to issue a “shut down” order. This order, aimed at ISPs, simply shut down the “concerned” network resource with no trial. ISPs refusal to comply with Minister’s order should be fined with a penalty up to 250 000 Euros.
The provision is clearly flawed from a constitutional standpoint. The basis of every western democracy, indeed, is the separation of power, thus is not legally possible to have such a cross-jurisdiction mess between the public prosecutor (the judiciary power) and a Ministership (the executive power). Furthermore, there would have been a double trial for the same fact, one of which (the Home Affair Ministership one), done without the legal guarantee of a criminal trial (fair process, etc.).
But this is only the tip of the iceberg. Crime-inciting wrongdoing is very difficult to handle, since the border between free-speech and law violation is often blurred (would a website supporting freedom fighter of a country be – per se – inciting to commit crimes?). Furthermore, if ISP’s must prevent access to a network resource located outside their network (abroad, for instance) this would mean that the result will be achieved through deep-packet inspection, or similar, privacy threathning techniques. Thus – with the excuse of “protecting” Italian citizens – the D’Alia amendment (named after the MP that proposed it) is likely to be the first step toward a global censorship system. A Cassinelli amendment (again, from the MP name of its author) that followed the D’Alia one, tried to circumvent the above mentioned problems, but with no real changes in the substance of the matter and the political, net-phobic approach.
Italy had a “sound” tradition in trying to enforce citizen’s global surveillance systems through ISPs and telco operators, adopting every sort of justifications (from copyright, to child pornography, to online gambling and now to crime-inciting actions). Oddly enough, nevertheless, these “good intentions” fell always on innocent citizens’ shoulders, while true criminals stay absolutely free. Or, to put it straight: to (maybe) catch a few criminals, the whole nation network usage will be subjected to “third parties” – namely, ISPs – systematic scrutiny.

So long, human rights.

Data Retention in Italy. The state of the art

This table summarizes the new Italian Data Retention Regulation.

Data Retention timeframe
(italian version taken from Interlex)

Data and Retention scope Retention Duration Provision
Traffic-related data not included in Sect. 123 para I and II Data protection code Anonnymized or deleted when no more necessary Sect. 123, Para I
Traffic data strictly needed for billing purposes, and/or support customer claims 6 mpnths, or more, in case of legal action Sect. 123, Para 2
Traffic data for marketing purposes, or Value Added Serice purposes As needed, only if the customer opted-in Sect. 132, Para 3
Traffic data (voice) for criminal investigation purposes 24 months Sect. 132, Para 1
Traffic data (digital) for criminal investigation 12 months Sect. 132, Para 1
Unanswered call-related data 30 days Sect. 132, Para 1-bis
Network related Traffic Data – upon concerned authorities order, for preemptive investigation and/or prosecute specific crimes – From 90 Days, up to six months Art. 132, c. 1-quater