The Danish Government Was Wise to Back Off ‘Session Logging’ – Here’s What It Should Do Instead
Denmark has taken a smart step back and has an opportunity to take an even smarter step forward.
The government’s plan to bring back “session logging” after ditching the practice in 2014 would have been a wasteful venture into mass surveillance with a justification that never made sense. Officials were wise to pause for a few months to consider the tech industry’s estimates that enacting this proposed spying regime would cost as much as one billion kroner.
Let’s take a look at the government’s case for capturing this avalanche of private data.
“Logging is a very essential tool for the police and PET [the Danish Security and Intelligence Service, ed.]. Therefore we need to have up-to-date logging rules, which we don’t today,” Justice Minister Søren Pind told local Danish media, earlier this year. “Today, information is kept on which telephone numbers have called each other and at which time, but if the parties used internet-based communications like Messenger, Skype or iMessage, the information isn’t logged. In today’s world, that doesn’t cut it.”
Pind recently insisted again that he believes this data should all be collected.
But his comparison of phone data to internet data immediately falls apart as soon as you think about the immense amount of communication that would be captured.
Some in the British government made similar suggestions when considering the draft Investigatory Powers Bill — even though that suggestion becomes ridiculous when you consider the massive resources needed to both store and make any practical use of this nearly endless mush of data.
Creating these databases creates massive targets for hackers along with the profound economic risk of alienating high-tech companies that simply do not want to get into business with Big Brother watching over their shoulders.
And it’s simply not necessary, according to F-Secure’s cyber security advisor Erka Koivunen.
There’s a much more elegant solution that protects both citizens’ privacy and rights while providing law enforcement with access to the data it needs to do its job of maintaining safety and order. And we can say so for sure because it builds on steps the government has taken in Finland that maintain user privacy while giving law enforcement the ability to home in on criminals.
“My suggestion effectively is to stop looking at the connections but instead ask the operators to secure NAT and DHCP logs that can be used to identify the subscriber — a household, a company, sometimes even a person — when there is a time-stamped IP address that would need to be identified,” Koivunen explained.
To clarify: "NAT" is IPv4 address translation. Operators hide tens or hundreds of subscribers behind a single publicly facing IP address. "DHCP" is dynamic IP address allocation in access networks. The operator assigns subscribers a new address for each new session, sometimes even mid-session.
No one but the operator has — nor should have — access to DHCP and NAT logs. By combining these logs with the customer database, the operator can identify the holder of an IP address at a given time without tracking what they are doing online.
The government can ask the companies to maintain such logs, which most operators likely do anyway, either voluntarily or through regulation.
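The lookup described above, as an added example that is not from the original post or any operator's system: it resolves a time-stamped public address to a subscriber using only NAT and DHCP records, with no destination data involved. The record layouts, the port-block NAT scheme, the source port as an extra lookup key, and all names and values are constructed assumptions.

```python
from datetime import datetime, timezone

def t(hhmm):
    """Constructed helper: a UTC time on one sample day."""
    h, m = map(int, hhmm.split(":"))
    return datetime(2016, 3, 1, h, m, tzinfo=timezone.utc)

# Constructed NAT log: (start, end, public_ip, port_lo, port_hi, private_ip).
# Many subscribers share 203.0.113.7, so the port block tells them apart.
NAT_LOG = [
    (t("10:00"), t("10:30"), "203.0.113.7", 1024, 2047, "100.64.0.11"),
    (t("10:00"), t("10:30"), "203.0.113.7", 2048, 3071, "100.64.0.12"),
    (t("10:30"), t("11:00"), "203.0.113.7", 1024, 2047, "100.64.0.12"),
]
# Constructed DHCP log: (lease_start, lease_end, private_ip, subscriber_id).
DHCP_LOG = [
    (t("10:00"), t("10:20"), "100.64.0.11", "SUB-0001"),
    (t("10:20"), t("11:00"), "100.64.0.11", "SUB-0002"),  # address reassigned
    (t("10:00"), t("11:00"), "100.64.0.12", "SUB-0003"),
]
# Constructed customer database.
CUSTOMERS = {"SUB-0001": "Household A", "SUB-0002": "Company B",
             "SUB-0003": "Household C"}

def resolve(public_ip, port, when):
    """Return the subscriber behind public_ip:port at `when`, else None."""
    # Step 1: NAT log maps the public address and port to a private address.
    inner = [r[5] for r in NAT_LOG
             if r[2] == public_ip and r[3] <= port <= r[4] and r[0] <= when < r[1]]
    if len(inner) != 1:
        return None  # no record or ambiguous records: never guess
    # Step 2: DHCP log maps the private address to the lease holder.
    subs = [r[3] for r in DHCP_LOG
            if r[2] == inner[0] and r[0] <= when < r[1]]
    if len(subs) != 1:
        return None
    # Step 3: customer database maps the subscriber id to an identity.
    return CUSTOMERS.get(subs[0])

if __name__ == "__main__":
    # Same public address and port, different times, different subscribers.
    for hhmm in ("10:10", "10:25", "10:45"):
        print(hhmm, resolve("203.0.113.7", 1500, t(hhmm)))
```

The same address and port resolve to three different subscribers within an hour, which is why the timestamp on the query has to be accurate for the answer to mean anything.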
"It makes sense to encourage operators to retain identity information for not only Law Enforcement purposes but also for fault management purposes as well as for the purpose of information security incident investigations and victim notification," Erka said.
Once a person – or a device or an IP address – has become the subject of a law enforcement investigation, connection records could be obtained on a limited basis.
Finland utilizes these logs to run a national Victim Notification program called NCSC-FI Autoreporter (or CERT-FI Autoreporter). As a result, Finland has one of the lowest encounter rates of malware in the entire world.
"Full-scale session logging is simply mass surveillance," Erka said. "And it's overly expensive. We fail to see how the investment would help solve common information security problems."
It’s possible to be safe and smart while protecting both privacy rights and economic development. Denmark has made a smart move and can now continue that progress with a smarter next step.