Translation of NetzKinder: Die Vorratsdatenspeicherung in Österreich
Since there is little factual text about data retention in Austria, we provide a brief overview of the topic: a summary we composed for ourselves, with a focus on its implementation. Thanks to Max for taking the time to prepare this summary with me, and to Christoph Tschohl and everyone else who read and reviewed the article.
What is data retention?
Data retention is the continuous collection and storage of records documenting the connection data of ordinary users. In Austria, this investigative tool originated from the EU Data Retention Directive 2006/24/EC and has been in effect since 1 April 2012.
What data is saved?
- Mobile devices with a SIM card (mobile phones, pads, USB sticks, etc.): Location (ID of the radio cell where the connection is established)
- Telephony: Device and SIM card serial number of both conversation participants, timing, duration and location
- SMS: Device and SIM card serial number of the sender and recipient, date and location
- E-mail: e-mail addresses and IP of the sender & receiver, and the date
- Mobile Internet: IP, dial-up date, time and location at the start of the connection
- Fixed-line Internet connection: IP, dial-up date and time
This data is stored without exception (provided the provider is subject to the obligation to collect and store; see “Who collects and stores?” below).
But beware: providers and website owners can store data about their users that goes well beyond this list. However, this is only allowed when there is an objectively verifiable operational justification for retaining such data, e.g. for billing or troubleshooting.
What is NOT collected and stored?
Apparently, only location and connection information is collected and stored, but no content. This applies to all Internet activity such as referring web addresses, web forms, searches, chat conversations, etc. This means that, except for the e-mail data listed above, nothing of what happens after dialing into the Internet is stored.
Data retention only applies to Austrian services, or to services in countries that have already implemented this law. A call from abroad is generally stored only on the receiver's side, and vice versa. The use of a foreign e-mail provider is in principle not subject to retention, but when you write to an e-mail address provided by an Austrian provider (e.g. @chello.at, @aon.at, etc.), the communication is logged at the receiver's end.
How long is it stored?
All data is stored for six months and may be stored longer if a user is a suspect.
Who collects and stores?
Once a provider is required, due to its size (in particular its annual sales), to make a financial contribution to broadcasting and telecommunications regulation (RTR), it also needs to store this data. This applies to all major providers such as UPC, A1, etc.
The data is stored directly on the servers of the provider.
Unfortunately, the authorities provide no official list of the providers required to store data. According to the RTR, there are currently more than 140 providers obliged to retain data in Austria. For an impression, check the following lists:
Update: The bmvit now offers an official list of providers required to store and collect online data.
When is the data retrieved and used?
Once you are suspected of having committed an offense whose maximum punishment exceeds one year’s imprisonment – in plain language, offenses with maximum sentences of 2 years’ imprisonment or more. Access must always be sought by prosecutors and approved by judges. For information as to who a particular IP address was assigned to on a specific date, a warrant is not required. This information can be requested by the prosecution itself and by the police (without going through the prosecutor’s office).
The ECJ (EuGH) has given a ruling that allows the use of traffic data (including IP addresses) for smaller offenses, especially for copyright infringement. There have been some recent press releases that misinterpret this decision. The ruling does not allow the use of the data collected and stored under data retention! Rather, the ECJ (EuGH) ruling expressly stated that the issue is not within the scope of the VDS (Vorratsdatenspeicherung, data retention). It concerned “only” data that the provider was already legitimately storing for operational purposes. The Court's decision holds only that each EU Member State is free to enact a statutory scheme under which data stored for legitimate operational reasons must be disclosed in connection with copyright infringement. However, there is no obligation on Member States to adopt such regulations. The legal situation in Austria does not at present allow such disclosure.
This issue is explained very clearly and accurately at lehofer.at and on the German AKVorrat site.
How does the transfer of data work?
The Federal Data Center established a “pass point” (DLS), from which the authorities must request the data. The provider then sends the data through the “pass point”.
When it comes to averting a specific threat (not investigating a crime that has already been committed), in time-critical circumstances (that is, if a request via the DLS would be too slow to avert the danger) the DLS may be bypassed and the data requested directly from the provider. This affects “only” IP addresses and the location data for the last communication (call or SMS). In the event of a provider responding to an unsolicited message from a lead agency, this unnecessary puncture of the otherwise seamless logging of information processes could thus be counteracted by a directly made ruling. Some of the major providers have already stated they will do so in the future.
Rumours run rampant that content such as SMS messages is stored indefinitely by some information providers. There are no official statements as to whether that’s true or not.
Even Martin Balluch writes in his blog that the police have access to SMS content.