Mr Stefaan De Clerck , the Belgian Justice Minister announced a new plan to fight (cyber-)criminals. Belgian ISP’s could be asked forced to keep a trace of all communications via e-mail for two years. Read the article on the RTBF website in French (or via Google Translate). The main reason invoked by the Minister is to help judges to track criminals and send official requests to the Internet Service Providers. My opinion is that the problem is taken the wrong side: Is two years a relevant delay to treat a file? A wise choice would be to give more resources to the Belgian justice and reduce this amount of time!
A few remarks now… By “communications via e-mail”, the Justice Minister means everything required to “track” who sent an e-mail to who, when and via which IP address. Luckily, the content of the e-mails is not concerned (right now?).
On a radio station, I heard that only e-mail addresses with .be domain names will be concerned by this measure. Big free e-mail providers like Google or Yahoo! don’t have to be afraid. Keep cool guys! A major question is: where Internet Providers will collect their data?
- At MTA (Mail Transfer Agent) level? They will simply keep SMTP servers log files for a longer period.
- At IP (layer 4 is the ISO model) level? They will sniff all the traffic passing thru port TCP/25?
I suppose it should be the first case: Almost all providers already filter traffic on port 25 and force their users to use their SMTP relays (to reduce spam). Webmail interfaces are also very common today and use HTTP(S) traffic.
Other reflexions on the flight… Are Belgian authorities certain that criminals use skynet.be or telenet.be e-mail addresses? Do they even still use e-mail services? The ex-top-one application is more and more replaced by real-time communications like Instant Messenging or micro-blogging like Twitter. Is it relevant to keep for two years e-mail sent between a student at the university and his parents?
Second point, Am I an ISP? I own my own domains (some of them in the .be top-level domain), my own servers and I manage my own e-mail addresses. Do I need to keep a trace of all my e-mail communications? A lot of .be e-mail addresses are hosted in foreign countries (MX records pointing to hosts outside Belgium). What about them?
The Belgian Internet Provider Association (ISPA) already gave a negative feedback about this project of law. The biggest issue for them will be the huge costs (in term of storage capacity) to keep a log of all customers activity. Even worse, Internet Providers could be forced to adapt their prices to cover the required investments. From my point of view, I clearly do NOT agree to pay an extra fee to my ISP to keep logs of a service that I do NOT use! I never used and I will never use the e-mail address linked to my access.
Once again, like for the Great Firewall of Belgium project, only “the average Joe” user will be tracked by this law, real-criminals already have the tools to keep their communications safe.
The idea is that tomorrow the Belgian State could sell SPAM gateways or white-lists to cut into the public debt.