The Belgian SIEM… wounds my heart with a monotonous languor!

Belgian Log FileLot of Belgian newspapers and sites reported today (Example of  article – in French) that a project of law will be discussed soon (deriving from the EU Data Retention Directive) to request providers of telecommunications (Internet – Mobile services) to keep a trace of electronic communications. Wait, the article should say “will be discussed again soon“, Belgium being very slow to address this topic. I’m not a lawyer but I tought there was already such law in place. The EU directive was adopted in 2006 and there was already huge debates in Belgium in 2010 about this topic (status here). I also wrote a blog post about this. If anybody has more information, please share! Is the text of the law available somewhere? Why did the Belgian government decided to put this project again on the table? After the stories around PRISM or the French DGSE, maybe they would like to be transparent?

According to the news, the retention of data was already implemented for telecommunications (fixed & mobile calls) but the ISP’s are now included in the game. What changed? Not much. The article is very fuzzy and says “The Belgian government will request ISP’s to keep a trace of all communications passing by their servers“. A few paragraphs later, the journalist speaks about emails only. Immediately the following questions pop up:

  • If ISP’s need to keep trace of communications passing by their “servers“, do they include their backbone? Personally, I never used the email address provided by my ISP and I even don’t use their SMTP relays. How to track people using webmails?
  • If they keep traces of all SMTP/POP/IMAP traffic, they are tapping the customer’s connection. How to be sure that other protocols are monitored?

So, nothing new… IMHO, the excuse of “fighting cyber-crime” is not relevant… only if the tapping of users’ communications is implemented. Think about the French resistants during the 2nd world war. Messages were broadcasted from London with very specific words (Remember the famous “Blessent mon cœur d’une langueur monotone” in June 1944). The exact same sentence could be used today to announce an imminent bomb explosion against the USA during an Obama‘s meeting in Boston (Sorry, I could not resist). Government agencies should not only intercept data but understand them. And to achieve this, tools won’t be enough!

Ok, to be able to analyze this, the content of messages must be parsed and “they” certify us that only the metadata are processed… Are we living in the cloud cuckoo land? I see only one positive fact to this Belgian SIEM project: we won’t need to store our logs locally, they will process them for us! There is even a business model: to ask a few EURs per search request!


  1. Not only would they need to do deep packet inspection to extract information from mail traffic between customers and servers not under their control, they’d have to somehow decrypt the traffic in real-time without knowing the keys… Yeah. Not very likely.

  2. The ISP I work for handles something like 40Gig of traffic every second. That’s 1.5e17 bytes per year. Let’s imagine we only extract a single byte over a 1000 byte packet, that’s 1.5e14 or 150 petabytes. per year. Not going to happen any time soon…

  3. It will be interesting to see how this plays out. When will an organization be considered as an Internet Provider ? Example: a company offers IT services to companies using a shared internet connection. The ISP’s logs wont be sufficient since everything will be NATed behind the single IT of the company. So to be able to do something usefull with all that log data, that company (customer of the ISP) also needs to keep the logs.

    For this to be effective, logs should be kept on every “link” in the chain. It will be interesting to see whether the law takes this into account. Somehow I have the feeling we will end up with some half measure that cost a lot of money and misses its objective (Belgium style).

  4. Thanks for your feedback Tom! In the mean while, I’ve read an article on where they gave more info about this project of law (link: It seems that all email providers (ex: Google) having a foot in .be will have to collaborate (like any other organization which must follow the local laws). They also mentioned the source IP + port! This is a sign that carrier-grade NAT has still a long life in Belgium…

  5. I made an inquiry with the Belgian Federal Computer Crime Unit on this subject about a year ago. (Since they are often requesting such logs, they should know the legal framework right ?). They confirmed the absence of a legal framework. There is a draft law but it was never voted on in parliament.

    The person from FCCU advised to store connection information (e.g. netflow) for a period of 12 months, but it is currently not a mandatory legal requirement in Belgium.

Leave a Reply

Your email address will not be published. Required fields are marked *