In several countries, for example the Federal Republic of Germany, data which is or may be related to individuals is stored, by or for all locations, during data preservation without the data being currently required. The purpose of such data preservation is an improved possibility of preventing and prosecuting crimes. For this, the data has to be stored over a certain time period in order to be available, for example, for the purpose of criminal prosecution. Usually, data preservation is carried out by the provider or service provider of a telecommunications service.
In order to ensure that the provider of the telecommunications service does not have unauthorized access to the traffic data of its customers, for example to create personality profiles, it is known to store the traffic data in a secured environment and to encrypt it prior to storing. The secured environment is also referred to as a sealed infrastructure. The secured environment or sealed infrastructure thus ensures that neither the provider of the infrastructure nor the service provider of the telecommunications service nor other third parties are able to access this data. Further, it is known to encrypt the telecommunications data or connection data with two different encryption keys, wherein one of the two keys is deposited at a trustworthy instance, for example a notary. Thereby, unauthorized access to the connection or traffic data is prevented more effectively, because the key deposited at the trustworthy instance is required for any access.
In order to also prevent (payload) data exchanged between the subscribers of a telecommunications service, for example electronic messages or electronic documents, from being accessed by the telecommunications service provider or other third parties without authorization, it is known to also encrypt the data received from a subscriber such that only those subscribers for whom the data is intended may access it. The encryption keys as well as the decryption keys may be stored in the secured environment mentioned above. Thereby, it is ensured that neither the telecommunications service provider nor other third parties have access to the traffic data or to the payload. An unauthorized evaluation, for example of traffic data in the course of a grid investigation (dragnet search), is thereby effectively prevented as long as, for example, no judicial order exists permitting the use of the key deposited at a trustworthy instance, such as a notary.
This method for securing traffic data and payload known from the prior art, however, has the disadvantage that even if the subscribers of a telecommunications service exchange data among themselves via secured, for example encrypted, communication connections, the telecommunications service provider is able, merely by observing the data traffic, to deduce who communicates with whom. This information may be obtained by the telecommunications service provider even if the communication between the subscribers and the telecommunications service is carried out in encrypted form, because the content of the data exchanged between the subscribers is not required in order to learn who communicates with whom.
Thus, it is possible to deduce the sender and recipient by comparing the sizes of the messages received by the telecommunications service with the sizes of the messages it subsequently transmits further, even if sender and recipient cannot both be read from the individual messages because they are not contained in the messages at all or, for example, only in encrypted form. This will be explained by means of a simple example. If a first subscriber does not send an electronic document (first message) in encrypted form directly to a second subscriber, but rather deposits it in an environment protected against external access, from where the document is then forwarded as a second message, also in encrypted form, to the second subscriber, then merely by comparing the sizes of the messages entering and leaving the secured environment, a certain assignment can be made, and from this the sender and recipient of the messages can be deduced. Here it does not help if, e.g., the recipient (second subscriber) is contained in the first message only in encrypted form and, in the second message, only the sender (first subscriber) is contained in encrypted form.
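The size comparison described above, as an added simulation that is not part of the original document: it models what the provider can observe at the boundary of the sealed environment (sender plus inbound size, recipient plus outbound size, no content) and reports which sender-recipient pairs become linkable. The sample messages, the per-message encryption overhead and the bucket padding used as a mitigation check are constructed assumptions for this illustration, not taken from the document.

```python
from collections import defaultdict

# Constructed sample: (sender, recipient, payload length in bytes) for
# messages deposited in the sealed environment.  Values are arbitrary.
SAMPLE_MESSAGES = [
    ("alice", "bob", 1337),
    ("carol", "dave", 20480),
    ("erin", "frank", 512),
    ("grace", "heidi", 1337),   # same size as alice's message
]

OVERHEAD = 48  # assumed constant per-message encryption overhead (hypothetical)


def pad_to_bucket(length, bucket=4096):
    """Round a payload length up to the next multiple of the bucket size."""
    return -(-length // bucket) * bucket


def observe(messages, padded=False, bucket=4096):
    """Model the provider's view: only (sender, inbound size) for messages
    entering the secured environment and (recipient, outbound size) for
    messages leaving it.  The content and the other party stay hidden."""
    inbound, outbound = [], []
    for sender, recipient, n in messages:
        size = pad_to_bucket(n, bucket) if padded else n
        inbound.append((sender, size + OVERHEAD))
        outbound.append((recipient, size + OVERHEAD))
    return inbound, outbound


def link_by_size(inbound, outbound):
    """Group observations by size.  A size seen exactly once on each side
    yields an unambiguous sender -> recipient assignment; sizes shared by
    several messages remain ambiguous and are not reported."""
    by_size = defaultdict(lambda: ([], []))
    for sender, size in inbound:
        by_size[size][0].append(sender)
    for recipient, size in outbound:
        by_size[size][1].append(recipient)
    links = {}
    for senders, recipients in by_size.values():
        if len(senders) == 1 and len(recipients) == 1:
            links[senders[0]] = recipients[0]
    return links


if __name__ == "__main__":
    for padded in (False, True):
        print("padded" if padded else "raw", link_by_size(*observe(SAMPLE_MESSAGES, padded)))
```

With the raw sizes two of the four pairs are linked outright; padding to 4 KiB buckets merges the three small messages, but the single large message still stands out, so size padding alone reduces rather than removes the linkability.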
Further, the problem described above gets worse if, after receipt of a (first) message, for example an electronic document, from a subscriber, the telecommunications service informs the subscriber for whom the message is intended of the existence of a message addressed to him by means of a further message. Because the data exchange between the subscribers and the telecommunications service itself is always “visible” to the telecommunications service provider, the provider may deduce, as described above, from the fact that a message has been deposited by one subscriber for a certain subscriber and that the subscriber for whom the message is intended has been informed of its existence, that the two subscribers communicate with each other, even if the data exchange takes place in encrypted form and even if the subscriber for whom the message is intended does not request it from the telecommunications service.
Thus, the methods for data preservation known from the prior art, although fulfilling high security standards, are not sufficiently protected and secured so as to effectively prevent the possibility of an unauthorized evaluation of telecommunications traffic data.