By law Dutch ISPs and phone companies are required to store all phone and internet traffic metadata to hand over to the police or secret service (AIVD) on request. That is, every phone call you make, SMS you send or internet connection you establish is logged, stored and handed over to the police whenever they ask for it. Which is bad enough, but now it turns out at least two phone companies, Vodafone and T-Mobile, went slightly too far in their zeal to assist the police, handing over not just the metadata on certain SMS messages, but the messages themselves. According to them, it was technically impossible to separate the “traffic data” from the message, so they had no choice but to hand over the whole thing. After this came to light Vodafone immediately acknowledged their error while T-Mobile denied it, but the AIVD declared that it could not and would not delete these SMS messages it had received.
Now, as the Netherlands’ best-known IT lawyer, Arnoud Engelfriet, explains (Dutch), what Vodafone and T-Mobile (allegedly) did is actually illegal under Artikel 273d Wetboek van Strafrecht. Which means their customers could file criminal charges against them…
The 60,000 euro question now is how many other phone companies have done this.
Alex
June 3, 2009 at 4:29 pm
SMS are basically network signalling messages – SS7 ISUP – with a text field for the 160 chars. So the easiest way to recover SMS metadata would be to pull data from the network management or billing systems attached to the MSC. As it happens, telco data management is really poor, even when they are trying to make money out of it.