Security considerations for ISPs complying with the European Union Data Retention Directive
Back in April of this year the UK Home Office announced that all ISPs must retain their internet-related communications data so that law enforcement authorities (LEAs) can gain access to information that would help with a criminal investigation. The law, based on the European Union Data Retention Directive (EU DRD), requires ISPs to retain the data for at least six months, but for no longer than two years.
The legislation was put in place in response to the London terrorist bombings in 2005, and the first stage of the directive, covering all fixed and mobile communications data, has already been in place for three years. The second stage, covering all internet-related data, was put in place this year because of the extra complexity of handling that information. UK ISPs are required to retain this data so that it can be easily retrieved by an authorized organization. For both parts of the directive, it is not the content of the communication that is stored but information about the communication: data that identifies the sender and recipient together with the time and the means of communication, drawn from sources such as IP sessions, FTP sessions, SMTP email transactions, POP and IMAP sessions, web proxy logs, RADIUS logs and CRM history information.
A typical ISP can expect to retain between 1 and 100 billion transaction records, and even a small provider with a 100,000 subscriber base can expect to retain around 2 billion records, which could put a significant strain on its IT resources. ISPs have just 18 months to ensure they are up to speed with the directive and between now and then there are a number of issues they need to address to ensure they observe the ruling in the smoothest and most cost-effective way possible, whilst taking into account all the security considerations that must be applied in their response.
As previously outlined, the purpose for retaining the communications data is to enable the disclosure of subscriber information to the appropriate law enforcement authority in the case of a criminal investigation. Therefore, it is essential that the data is kept secure, but is easily accessible to those with a legitimate purpose for viewing the information. These two aspects of complying with the EU DRD must be held in tandem and failure to observe security mandates could result in violation of data protection laws and put the service provider at risk of financial penalties.
For any implementation put in place to comply with the EU DRD, security is paramount and it is vital that the ISP’s customers are confident that their data will not end up in the wrong hands. Therefore, the data retained must be secured against unauthorized release, which requires a security framework that isolates retained data and provides controlled and audited user access. Retained data must be segregated according to its sensitivity so that any administrative users requiring direct access for operational or support purposes are only afforded access to data necessary for their function. In particular, the knowledge that information is being disclosed about a subscriber is significantly more sensitive than the actual information contained within the disclosure itself, so it is necessary to isolate and protect this information from any administrative users who may require legitimate access to recently deposited communications data to deal with any mediation anomalies.
Users involved in disclosing data to LEAs should be constrained to a role-based security model whereby they are assigned roles that dictate their realm of operations, accessible data and disclosure reports. It must not be possible for a disclosure user to execute ad-hoc queries or gather data outside of a specific investigative context.
It will be necessary for all users to successfully authenticate themselves by username and password or identity token to gain access to the application, which is not only essential to avoid uncontrolled release of information but necessary to maintain the evidential quality of the audit trail.
ISPs must ensure that they have a security model under which only information appropriate to the investigation is returned to the authorities. In the UK, the RIPA legislation states which organizations can have access to which types of data, so ISPs need a security model that enforces this. The benefit of the legislation is that ISPs are released from having to decide for themselves what to release: it essentially works as a privilege matrix of everyone who could access this information, matched against what they are entitled to request. This also ties into the urgency of the request, as certain officers can ask for urgent information.
Although requests can be made by email and fax, LEAs are increasingly looking to access ISPs' data through a web-based portal. Some operators may offer access over a CJX network, which provides direct access to the system and allows requests to be submitted directly by the LEA but validated and constrained by the privilege and security model. The UK is well advanced in this area, and ETSI will soon put forward an XML-based standard to offer a consistent approach for LEAs that have to deal with many operators across Europe, so it is advisable that ISPs keep this in mind when deploying a system.
It is advisable to run a standalone dedicated system that is completely separate and physically ring-fenced from the rest of the company's servers. Given the volume of data stored, an ISP would ideally have a redundant system running in parallel as a backup. If the ISP is big enough then a remote disaster recovery system at a different geographical location is recommended, but as most ISPs are quite small they will probably run the backup system at the same location.
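The privilege-matrix idea above, as an added example that is not code from the article or from any product: a gatekeeper that checks each disclosure request against a matrix of requesting organization, permitted data category and urgency, refuses any request that is not tied to an investigation reference, and audits every decision. The organization names, data categories and role limits are constructed placeholders, not the real RIPA schedule.

```python
"""Disclosure gatekeeper for retained communications data. Added illustration,
not the article's or any vendor's code; the organizations, categories and
limits below are constructed stand-ins for the RIPA privilege matrix."""
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Constructed privilege matrix: data categories each requesting organization
# may obtain, and whether it may flag a request as urgent.
PRIVILEGE_MATRIX = {
    "police":     {"categories": {"subscriber", "ip_session", "smtp", "proxy"}, "urgent": True},
    "tax_office": {"categories": {"subscriber"},                               "urgent": False},
}

@dataclass
class DisclosureRequest:
    organization: str
    officer: str
    investigation_ref: str   # every request must name a specific investigation
    category: str            # which kind of retained data is being asked for
    subscriber_ip: str       # constructed sample target, e.g. 203.0.113.5
    urgent: bool = False

@dataclass
class Gatekeeper:
    audit_log: list = field(default_factory=list)

    def _audit(self, req: DisclosureRequest, outcome: str) -> None:
        # The audit trail records refusals as well as grants.
        self.audit_log.append({
            "time": datetime.now(timezone.utc).isoformat(),
            "org": req.organization, "officer": req.officer,
            "ref": req.investigation_ref, "category": req.category,
            "outcome": outcome,
        })

    def authorise(self, req: DisclosureRequest) -> tuple:
        """Apply the matrix to one request; returns (granted, reason)."""
        entry = PRIVILEGE_MATRIX.get(req.organization)
        if entry is None:
            reason = "unknown organization"
        elif not req.investigation_ref.strip():
            reason = "no investigative context"          # no ad-hoc queries
        elif req.category not in entry["categories"]:
            reason = f"{req.organization} may not request {req.category}"
        elif req.urgent and not entry["urgent"]:
            reason = "organization may not submit urgent requests"
        else:
            self._audit(req, "granted")
            return True, "granted"
        self._audit(req, "refused: " + reason)
        return False, reason
```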
To ensure that the data is kept secure, a web-based application should isolate the web server from the retention server to resist penetrative network attacks. Data in transit between the web server and the client should be encrypted to avoid snooping and disks used for retention should be physically secured or encrypted to prevent brute force attacks and information harvesting from decommissioned disks.
The solution should manage the lifecycle of retained communications data so that data falling beyond the legal retention period is automatically deleted to prevent accidental violation of data protection laws. Ideally, all data deleted should also be scrubbed to prevent snooping amongst free file system blocks.
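The lifecycle rule above, as an added example that is not code from the article or from any product: a purge routine that refuses a retention setting outside the directive's six-month to two-year window, deletes records older than the ISP's chosen period, and overwrites each record file before unlinking it so the freed blocks no longer hold the data. The record layout, on-disk format and sample ages are constructed; the one-year policy in the test is an assumed setting.

```python
"""Retention-lifecycle purge: added illustration, not the article's or any
product's code. Record layout, on-disk format and sample ages are constructed;
the six-month to two-year bounds are the article's, the ISP's period is assumed."""
import os
import tempfile
from datetime import datetime, timedelta, timezone

MIN_RETENTION_DAYS = 183   # statutory lower bound (six months)
MAX_RETENTION_DAYS = 730   # statutory upper bound (two years)

def check_policy(retention_days: int) -> int:
    """Refuse a retention setting outside the legal window."""
    if not MIN_RETENTION_DAYS <= retention_days <= MAX_RETENTION_DAYS:
        raise ValueError("retention must be between six months and two years")
    return retention_days

def scrub_and_delete(path: str) -> None:
    """Overwrite the file before unlinking so freed blocks no longer hold the
    record (that the filesystem rewrites blocks in place is an assumption)."""
    size = os.path.getsize(path)
    with open(path, "r+b") as fh:
        fh.seek(0)
        fh.write(b"\x00" * size)
        fh.flush()
        os.fsync(fh.fileno())
    os.remove(path)

def purge(store: dict, retention_days: int, now: datetime) -> list:
    """store maps record id -> (deposit time, file path); returns purged ids."""
    limit = timedelta(days=check_policy(retention_days))
    removed = []
    for rid, (deposited, path) in list(store.items()):
        if now - deposited > limit:          # beyond the legal retention period
            scrub_and_delete(path)
            del store[rid]
            removed.append(rid)
    return removed

def demo_store() -> tuple:
    """Constructed sample: one fresh record, one well past a one-year policy."""
    now = datetime(2009, 10, 1, tzinfo=timezone.utc)
    store = {}
    for rid, age_days in (("r1", 10), ("r2", 400)):
        fd, path = tempfile.mkstemp(suffix=".rec")
        os.write(fd, b"ip_session,203.0.113.5,constructed-record\n")
        os.close(fd)
        store[rid] = (now - timedelta(days=age_days), path)
    return store, now
```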
To successfully and securely comply with the EU DRD, ISPs must be aware of the full implications of the directive and deploy an appropriate solution for their needs. Out-of-the-box systems are often the most cost-effective, efficient, secure and easy-to-use options and take a considerable amount of the headache away from operators. The next 18 months are likely to be a challenging time for ISPs as they look to get up to speed with the directive, but with the right approach and strategy in place they should be on the right track to ensure that their customers' data is protected, secure and only shared in the right way with organizations that need to see it.