Back in 2009, German Green Party politician Malte Spitz sued his wireless carrier T-Mobile in an attempt to get six months worth of metadata from his cell phone that the company had collected and stored.
Under the European Data Retention Directive, telecommunications service companies are required to store clients' personal data for a period of between six months and two years as follows:
“7) The Conclusions of the Justice and Home Affairs Council of 19 December 2002 underline that, because of the significant growth in the possibilities afforded by electronic communications, data relating to the use of electronic communications are particularly important and therefore a valuable tool in the prevention, investigation, detection and prosecution of criminal offences, in particular organised crime.
(8) The Declaration on Combating Terrorism adopted by the European Council on 25 March 2004 instructed the Council to examine measures for establishing rules on the retention of communications traffic data by service providers.
(9) Under Article 8 of the European Convention for the Protection of Human Rights and Fundamental Freedoms (ECHR), everyone has the right to respect for his private life and his correspondence. Public authorities may interfere with the exercise of that right only in accordance with the law and where necessary in a democratic society, inter alia, in the interests of national security or public safety, for the prevention of disorder or crime, or for the protection of the rights and freedoms of others. Because retention of data has proved to be such a necessary and effective investigative tool for law enforcement in several Member States, and in particular concerning serious matters such as organised crime and terrorism, it is necessary to ensure that retained data are made available to law enforcement authorities for a certain period, subject to the conditions provided for in this Directive. The adoption of an instrument on data retention that complies with the requirements of Article 8 of the ECHR is therefore a necessary measure.”
Even though the directive is supposed to protect the clients' right to privacy, telecom companies are required to collect data that will identify the users and details of phone calls and emails sent but not the actual content of those emails (i.e. collecting the metadata). This information is to be provided to law enforcement authorities upon their request.
Unfortunately for Europe, each nation within the EU has its own set of regulations making data collection an unlevel playing field for both consumers and service providers as shown on this country-by-country chart for the year 2010:
This is what the same data availability looked like two short years earlier (noting that Germany collected metadata at that point in time):
If you don't think too deeply about it, the collection of metadata sounds rather harmless, doesn't it? After all, if they aren't tracking exactly what you are saying, what's the harm?
To answer the last question, let's go back to Mr. Spitz. After getting 6 months worth of metadata (35,830 pieces of data all told) from his cell phone, he published the data on the weekly German Zeit Online website with the information posted on a map on a minute by minute basis. Here is an example of one day's worth of data including the number of incoming and outgoing calls and messages and the total time that he was connected to the internet:
While one day's data looks rather innocuous, when you hit the play button on the graphic, you can track Mr. Spitz's travels throughout Germany and see the time that he's outside the country and exactly where he is on a very detailed basis:
If you happen to want even more detail on where he spent six months, here is a link to the Google Docs showing the raw information.
Recalling that we are being assured that the NSA has only been collecting metadata (more than a trillion records over a five year period) and not the actual contents of our emails and conversations, do you feel better about what you retain of your privacy now that you've seen how metadata can be used?