News related to these ruminations on location data you posted

http://arstechnica.com/science/news/2010/02/cell-phones-show-human-movement-predictable-93-of-the-time.ars

Telcos and data locations….Europe…yes, mainly commercial and lawful interception uses, but other uses allowed by law

1. Commercial…informed previous consent…added value services, adverts based on location data…for instance, friends geotagging, daddy following kids on Saturday night ;-p

2. Lawful interception….interception and data retention…two similar, but different things

Differences:

a) interception is communications diversion to law enforcement agencies after subpoena; data retention is archiving of information given traffic and location data and handover to law enforcement agencies after subpoena

b) interception includes content -voice, text, images,…- plus traffic and location data of intercepted communications being diverted from telco network systems to law enforcement agencies -let´s say is on-line-; data retention does not include content, only traffic and location data

Similarities, resemblances:

a) Subpoena required for detection, investigation of serious crimes whatever this term means…there is legal definition but many doubts arise ;-p

b) Law enforcement agencies do not have access to telco systems…there are different interception and retained data handover interfaces designed by ETSI…have you seen Cryptome well know companies spy services for law enforcement agencies leaks, police accesing directly to data ;-p

Term for data retention varies from EU members to others…Directive allows a term in between 6-24 months…in Spain is 12 months…but after data should be maintained for addittional 3 years term applying access blocking, so only telco Security Manager has opportunity to access it in case users sue company in case of any privacy non-fulfilment

Recently, German Data Retention transposition law has been declared inconstitutional. Ireland is asking Court of Justice of European Union to validate Directive- But right now telcos are obeying national transposition laws.

Then, no related to location data, but to traffic data

a) Cell simulators, triggerfishers,… Scanners employed by law enforcement agencies, pretending to be a mobile cell tower around people and are stealing their IMSI, and after asking for subpoenas to make user identification available to them by telcos.

b) So called three strikes laws, after telcos are detecting you using P2P networks three times, they are obliged to cut your internet access. HADOPI law in France is the only baby so far. There is no Directive asking for it.

c) Deep Packet Inspection is the next battle for free speech, communications secrecy and private life

Other traffic and location data usages: invoicing, interconnection payments between operators, fraud detection, customer care, networks security -in terms of availability, SLAs and business continuity-.

And what about USA:

http://news.cnet.com/Gonzales-pressures-ISPs-on-data-retention/2100-1028_3-6077654.html?tag=st.nl

Data retention was an issue in the Obama-Hillary Clinton debates, but i did not follow since then.

A Spanish IT lawyer and infosec consultant grateful for your excellent work and blog.

Regards

Assuming we completely trust “the government” to always act benign, one cannot but observe that failures happen. The problem with disclosure failures, which makes them especially critical, is that they cannot be recovered from. Given sufficiently critical data, disclosure might be much worse than tainted or manipulated data. (I think secret services understood that part a long time ago.)

The main problem why I am arguing thus is, that privacy arguments are often brushed aside by assigning them the “conspiracy theory”-label. One may avoid being labeled in that way by avoiding questions of government/corporation-trust and sticking to the technical consequences. (Does anybody need to mention wikileaks as one operation that emphasizes the difficulty of getting the information-djinni back in his bottle?)

I’m not sure what the situation is in the U.S. The general rule is that Americans trust their government less than Europeans do but their corporations more. Since the purpose of mandatory telecom data retention is to help law enforcement, I would expect things to be much privacy friendly on this side of the pond.