How Data Retention Legislation Impacts VPN Providers for the Better

finjanmobile | Blog, Mobile Security

Data Retention and VPN

Virtual Private Networks or VPNs are often recommended to users of the internet and unsecured wireless networks, as a way of safeguarding their identities and information from the combined threats of snooping, hacking, and data interception.

VPN applications and subscription-based services have enjoyed moderate success to date. But with the introduction or increased enforcement of data retention legislation in various parts of the globe, these utilities are seeing an upsurge in public interest – in a new environment of online privacy that could produce a significant improvement in the fortunes of their developers and providers.

What is Data Retention?

At its simplest, data retention is the process of recording and storing information so that it may be used or referred to later. Every time you download a file for offline reading or save a note of something on your word processor, that’s data retention.

Commercial organizations engage in data retention on a routine basis – to store customer records for marketing, invoicing, and billing, or to have contact data, account details, or login credentials readily available when customers visit their sites.

So long as this information isn’t sold on to third parties, mishandled, or abused, data retention can be a good thing. But there are instances where data retention ceases to be a convenience measure and strays into the territory of invasion of privacy, covert surveillance, or infringements of civil liberties.

Mandatory Data Retention

Mandatory data retention may fall into this last category. It’s a law enforcement protocol that requires Internet Service Providers (ISPs) and telecommunications providers to store information about their consumers, which may be released to the authorities on demand.

Under this protocol, all ISPs and telecoms providers are obligated to maintain a record of all their IP address allocations, within a given time period. This compensates for the fact that the IP address of nearly every user on the internet changes periodically, and enables law enforcement and government agencies to obtain information about the identity of anyone who uses a given IP, at any time.

Data Retention, Online Privacy, and the Potential for Abuse

There’s been a lot of debate and hubbub in the media recently about the US government’s moves to roll back Net Neutrality – and the policy of data retention is adding fuel to the fire. Data retention policies have the potential to enable governments to monitor and, if necessary, curtail the activities of their citizens – ostensibly in the name of crime prevention or the stopping of terrorist activity.

But there’s often a fine line between proactive law enforcement with constant vigilance and the tactics associated in the public mind with a “Big Brother” state. And the data retention issue isn’t limited to the United States.

Data Retention in the European Union (EU)

Authorities in the European Union (EU) declared the bulk retention of emails or other electronic data illegal for member states in December 2016. There’s an exception to this ruling, which applies in cases deemed a serious threat to public safety, for which data retention and surveillance measures may be called into play.

However, the person or group whose data is accessed in this way must be notified of the surveillance, once the investigation into their activities has reached a stage where revealing this won’t compromise the case. And once the investigation has concluded, all the data retained must be destroyed.

Data Retention in the United Kingdom (UK)

Once the UK leaves the European Union (the “Brexit” whose terms are still being negotiated), the Investigatory Powers Act may come into full effect. This law allows the online surveillance of large groups of people and requires ISPs to keep a year’s browsing history for all their users.

Data Retention in the USA

In the USA, the Stored Communications Act (SCA) of 1986 (issued as part of the Electronic Communications Privacy Act) requires data storage for up to 180 days on government demand. Providers are also at liberty to disclose private information in cases of emergency, where delays in such disclosure might put certain individuals or groups in actual danger.

Beyond these provisions, a court order is required for access to digital information. An administrative subpoena may be issued to gain access to specific data such as user names, addresses, telephone numbers, and call transcripts.

Data Retention in Australia

Matters have come to a head over data retention in Australia, as legislation came into full effect in April 2017 requiring Australian ISPs and telecommunications companies to collect six different kinds of “metadata” about their customers’ communications, including:

  1. Identifying data linked to subscriber accounts, like names, addresses, phone numbers, email and IP addresses obtained from billing information.
  2. The source of any communications (user names, phone numbers, email addresses, IP address, etc.) coming in to a subscriber.
  3. The destination of any communications – excluding an individual’s internet browsing histories.
  4. The date, time, duration or any details of a communication identifying a connection to an internet service (such as Wi-Fi or ADSL).
  5. The types of communications and internet services used by a subscriber – allowing behavior patterns (use of SMS, voice messages, chat, forum, etc.) to be established.
  6. The physical origin of a communication (geo-location of a mobile device, building address linked to a fixed internet connection, etc.).

Data Retention in China

China’s Ministry of Industry and Information Technology (MIIT) recently issued a notice saying that all special cable and local VPN services are required to obtain government approval before commencing operations. This move apparently reflects an awareness on the government’s part that Virtual Private Networks represent an actual threat to any greater moves toward data retention and online surveillance.

Enter The VPNs…

A Virtual Private Network or VPN provides encryption for your internet connection, effectively masking the websites you visit, your activities online (including browser histories), and the content of your communications from prying eyes – including those of your ISP or telecoms company.

Without access to your metadata, providing data retention records to the government or other authorities becomes near-impossible – which is one reason why VPNs are the flavor of the moment, as far as online privacy is concerned.

A number of free and commercial VPN apps have been on offer for mobile users for some time, and both desktop and mobile subscribers have the option of signing up for a cloud-based VPN service. In the USA in particular, there’s been a rush to adopt one or more of these options.

But with Some Precautions…

Since you’re counting on your VPN to safeguard your privacy, it’s essential that the app vendor or service provider is actually doing what they promise to do, and handling your connection and data responsibly. This includes not keeping long-term records or logs.

Some applications and services have had a history of sluggish operation – mainly due to the inadequate provision of servers and bandwidth for their consumer base. With the upswing in VPN usage, consumers should expect the VPN providers to have to step up their game, to cope with the increase in network activity.

Recommendations for the Better

The positive impact on the VPN market brought about by data retention should exert market forces on the providers that spur the greater adoption of stable infrastructure, improved data handling, and best practices. Some trends to look for include:

  • “Always on” capability for VPN connections and applications: We’re already seeing this in mobile app deployments, where a VPN remains active whenever a device is online.
  • Enhanced tools for avoiding geo-locked content or geo-location features on applications and social media platforms.
  • Collection of the barest minimum of customer data by a VPN service (e.g., subscriber’s source IP address, VPN IP address generated for each session, start and stop time, and amount of data consumed).
  • Maximum time limits for retention of customer data such as billing information by the VPN provider.
  • More competitive pricing.
