Europol’s FOIA on Data Retention with Carrier Grade NAT

Most telecommunication operators doing CGNAT (Carrier Grade Network Address Translation), in order to comply with data retention regulation, end-up logging each and all of our internet activity.

On 13th October 2017, Europol and the Presidency of Council of European Union,  organized a workshop with 35 policy-makers e Law Enforcement officials from all around europe, in order to discuss about the “increasing problem of non-crime attribution associated with the widespread use of Carrier Grade Network Address Translation (CGN) technologies by companies that provide access to the internet”.

In Italy we’ve appealed to the Data Protection Authority asking for inspection across all telecommunication operators in order to verify in great details which are the exact information elements logged to comply with data retention laws.

Below we publish in full the Europol answer including all the attachment obtained as a way to foster public debate, research and investigation on the topic by the data protection community.

 

Dear Mr Coluccini,

Europol has assessed your request and has identified the following 17 documents as falling into its scope:

1) Invitation Letter

2) Agenda

3) Press Release

4) Concept paper for the workshop on 13 October 2017

5) Supporting material 1

6) Supporting material 2

7) Introductory presentation – “Workshop on CGN and Online Crime Attribution”

8) Presentation by the Data Protection Function

9) Presentation “CGN cases in Estonia”

10) Presentation “Why CGNs are a temporary fix used by Service Providers?”

11) Presentation “Why Massive CGN is not needed: Better ways to deploy IPv6”

12) Presentation “CGN and identification of cyber-attackers – the case of Belgium”

13) Presentation “CGN and Source Port Logging”

14) Presentation “IPv6 in Slovenia and RIPE-554”

15) Presentation “CGN: about IPv4 prolonging misery”

16) Presentation “Project SIRIUS” by EC3

17) Video on logging source ports by MEGA

We are pleased to inform you that full access to Documents 1 and 16 is granted, herewith enclosed, as the disclosure of the information in them would not undermine any of the interests protected in Article 4 of the Management Board Decision laying down the rules for applying Regulation 1049/2001 with regard to Europol documents. Documents 3, 5 and 6 are publicly available documents, so please find them also attached.

We are also pleased to inform you that partial access to Documents 2, 4, 7, 8, 10, 11, 13, 14, and 15 can be granted, herewith enclosed as well. Redactions have been made to a minor extent in Documents 4, 7, 8 and 10 (indicated throughout the text in the four documents in black shapes ‘[…]’) by deleting the sensitive information, the disclosure of which would undermine the protection of the public interest as regards public security, such as the proper fulfilment of Europol’s tasks pursuant to Article 4(1)(a) of the abovementioned Management Board Decision. The redacted information relates to certain technical solutions to the CGN online crime attribution problem, specific case examples of law enforcement investigations affected by the use of CGN and internal analyses of recent case law relating to data retention possibilities. The disclosure of such information would hinder Europol’s ability to effectively perform its tasks by undermining Europol partners’ trust and mutual cooperation. Redactions have also been applied in the same manner in Documents 2, 8, 10, 11, 13, 14, and 15 by deleting the personal data and private information to protect the privacy and integrity of the individuals therein mentioned, pursuant to Article 4(1)(b) of the Management Board Decision.

We regret to inform you that Europol has decided to refuse access to Documents 9, 12, and 17 on the basis of Article 4(1)(a) of the Management Board Decision as their disclosure would undermine the protection of the public interest as regards public security, such as the proper fulfilment of Europol’s tasks. The documents contain among others specific case details and operational information, as well as examples of technical solutions and tools in relation to CGN, the disclosure of which would undermine Europol partners’ trust and endanger their mutual cooperation, which is essential to Europol’s activities, and would consequently hinder Europol’s ability to effectively perform its tasks in this domain.

You may make a confirmatory application asking Europol to reconsider its position within 15 working days of receiving Europol’s reply, in accordance with Article 5(4) of the Management Board Decision.

Kind Regards,

G24 – EU & International Law

 

The documents are available here: https://www.documentcloud.org/search/projectid:37909-Carrier-Grade-NAT-workshop-by-EUROPOL