April 2010


I am celebrating a prime birthday today, enjoying my 41 years on earth.  The importance of prime numbers is often underestimated.  Prime numbers serve as the privacy valves (and security valves) of the Internet.  A prime number is a natural number that has exactly two distinct natural number divisors: 1 and itself. Or to use a somewhat sloppier wording: a prime cannot be divided.

I am prime.  This implies that I cannot be divided, so stop the chain saws.  My attention will be divided as usual, and that argues for my attention not being prime. There are infinitely many prime numbers.

Public-key cryptography is what we wrap all things secret in, the ultimate secure wrapping of our on-line lifes.  Public key cryptography makes use of the difficulty of factoring large numbers into their prime factors, which is why we love our primes.  The fact that it is easy to do a calculation from components, but really really hard to go the other way, makes it possible to keep secrets (since the calculation of the crypto secrets cannot be reversed).  And girls keep secrets in the strangest ways.  Some of us use crypto.

Today was the last chance to give comments to the EU Data Retention Directive implementation into Norwegian law.  The Norwegian Data Protection Agency has, like all privacy protection agencies and ombudsman in Europe, voiced serious concerns about the increased logging and longer storage time for traffic data. The proposal is the retain data for one year, the same as the other Nordic countries.

The Ombudsman for Children in Norway states that privacy is important for children, and the intention of preventing sexual crimes is not a valid excuse for violating privacy, especially in a situation where the police does not take seriously the digital evidence they have access to today.  Several politicians and institutions have voiced the opinion that preventing one sexual crime is valid reason to store information about us all, and to dispense with the probable cause and charging specific persons before getting access to traffic patterns.

My own union, Tekna, decided to come out in favor of the Data Retention Directive, even if their members are strongly divided on the issue, with the most of the IT industry strongly against the proposed implementation. I should not talk about the embarrassing use of surveillance that happened during the cold war, it probably suffices to say that unions are normally not in favor of extended surveillance (with the exception of the largest one who kept an eye on the commies when needed).

My employer is not party to the regulations set out, since Uninett is a closed network for education and research, and is not open to the general public.  The Directive applies to public networks, including all public ISPs, phone and mobile suppliers.  These are in the current proposed national implementation required to cover their own cost for storing information, whereas the information access will be paid for by the relevant authority accessing the information.

It has been pointed out that 30% of international phone calls are based on Skype, which is not party to the Data Retention Directive.  Even if one would want to store the information for the time period indicated in the Directive, the requirements seems to be technologically outdated, and growing more outdated by the day.  Information about email traffic should be logged for a year (6-24 months is the Directive requirement), but for example Gmail and Yahoo  are outside the regulations.

On the other hand, The Norwegian Police Security Service (PST) promises more terror in Norway if we do not implement the Data Retention Directive ASAP.  We have not implemented it yet, and the number of terrorist acts have been significantly lower than in the UK or France where the directive is implemented. That is probably irrelevant facts, when seen from the police side.

To be fair with the politicians, it is rather difficult to say no the the EU directives given the current state of the EEZ (EØS) treaty.  Sometimes difficult things need doing.