DOJ, Net firms fail to agree on data retention

A meeting at the U.S. Justice Department on Friday to discuss forcing Internet providers to record Americans' online activities ended without reaching an agreement, according to multiple participants.

The meeting of about 15 industry representatives and 10 government officials followed an earlier one last Friday, first reported by CNET News.com, at which Attorney General Alberto Gonzales and FBI Director Robert Mueller pressed Internet and telecommunications companies to store data on their users for two years.

"They want to do something, but they don't have a proposal yet," said one industry representative. The participants in the two-hour meeting spoke to News.com afterward on condition of anonymity because of the sensitive nature of the negotiations. (Participants included AOL, Comcast, Google, Microsoft, Verizon Communications and trade associations.)

ISP snooping time line

In events that were first reported by CNET News.com, Bush administration officials have said Internet providers must keep track of what Americans are doing online. Here's the time line:

June 2005: Justice Department officials quietly propose data retention rules.

December 2005: European Parliament votes for data retention of up to two years.

April 14, 2006: Data retention proposals surface in Colorado and the U.S. Congress.

April 20, 2006: Attorney General Gonzales says data retention "must be addressed."

April 28, 2006: Rep. DeGette proposes data retention amendment.

May 16, 2006: Rep. Sensenbrenner drafts data retention legislation -- but backs away from it two days later.

May 26, 2006: Gonzales and FBI Director Mueller meet with Internet and telecommunications companies.

Another participant said it appeared as though the Justice Department wanted to require Internet providers to at least record their customers' Internet Protocol addresses, which are often temporarily assigned and the logs deleted after a few months during the routine course of business. It wasn't clear whether the requirement also would apply to Web sites such as search engines, which could be forced to record what keywords their users typed in for future investigations.

In general, Internet and telecommunications companies have been less than enthusiastic about mandatory data retention, a concept that the European Union has embraced and that is the subject of a legal challenge there. They cite security concerns, privacy worries, and, of course, the cost of creating or extending databases.

"They have to make sure they do this right, and it doesn't look like they're going about this the right way," said Dave McClure, president of the U.S. Internet Industry Association, which represents small to midsize companies.

McClure, who could not attend Friday's meeting because he was traveling, said: "You have to figure out what information you want, specifically, how to format it so it's useful, how to pay for it, and how to get it past all the privacy people in Congress. I have difficulty understanding why they're flailing about with all these meetings rather than going through that procedure."

One participant at the meeting said the Justice Department and FBI officials who were present talked about having piles of old cases and being able to go back and find out who somebody was and what that person did on a certain date.

No date for a follow-up meeting has yet been set. One participant said this was likely to be a long-term process that would not likely be resolved anytime soon.

In a speech last month at the National Center for Missing and Exploited Children, Gonzales called on Internet providers to retain records to aid investigations of criminals "abusing kids and sending images of the abuse around the world through the Internet." More recently, the Justice Department has invoked terrorism as the justification for data retention.

Two proposals to mandate data retention have surfaced in the U.S. Congress. One, backed by Rep. Diana DeGette, a Colorado Democrat, says that any Internet service that "enables users to access content" must permanently retain records that would permit police to identify each user. The records could only be discarded at least one year after the user's account was closed.

'Preservation' vs. 'retention'
The other was drafted by aides to Wisconsin Rep. F. James Sensenbrenner, the chairman of the House Judiciary Committee and a close ally of President Bush. Sensenbrenner said through a spokesman last month, though, that his proposal is on hold because "our committee's agenda is tremendously overcrowded already."

At the moment, Internet service providers typically discard any log file that's no longer required for business reasons such as network monitoring, fraud prevention or billing disputes. Companies do, however, alter that general rule when contacted by police performing an investigation--a practice called data preservation.

A 1996 federal law called the Electronic Communication Transactional Records Act regulates data preservation. It requires Internet providers to retain any "record" in their possession for 90 days "upon the request of a governmental entity."

Because Internet addresses remain a relatively scarce commodity, ISPs tend to allocate them to customers from a pool based on whether a computer is in use at the time. (Two standard techniques used are the Dynamic Host Configuration Protocol and Point-to-Point Protocol over Ethernet.)

In addition, Internet providers are required by another federal law to report child pornography sightings to the National Center for Missing and Exploited Children, which is in turn charged with forwarding that report to the appropriate police agency.

When adopting its data retention rules, the European Parliament approved U.K.-backed requirements saying that communications providers in its 25 member countries--several of which had enacted their own data retention laws already--must retain customer data for a minimum of six months and a maximum of two years.

The Europe-wide requirement applies to a wide variety of "traffic" and "location" data, including the identities of the customers' correspondents; the date, time and duration of phone calls, voice over Internet Protocol calls, or e-mail messages; and the location of the device used for the communications. But the "content" of the communications is not supposed to be retained. The rules are expected to take effect in 2008.

Also on Friday, the Center for Democracy and Technology--a civil liberties group in Washington that receives some money from corporations--released a four-page analysis critiquing data retention proposals (click for PDF).

It lists nine reasons why keeping track of Internet users' activities is a bad idea, including: "Data retention laws threaten personal privacy and pose a security risk, at the very time the public is justifiably concerned about security and privacy online."

[vamega]

Is this China

This is a democracy we are talking about. How can we be against china if the US is going to be forcing people to retain more data about their customer's than china is doing. I thought the US held privacy at a high level, Well i guess they to are turning communist

[techguy83]

no, not communist, but close

Facsist.

Welcome to the future United Fasctist States of Amerika.

I kid you not.

National ID card: Already passed and soon to be required by 2008. Although a state is not required to adopt this Id (there is a big Govt bonus for those that do), if a state chooses not to give in then that state's citizens will have to have a U.S. PASSPORT to drive or fly to another state in the Union.

This data retention: It will pass. Why? Because no one is going to risk their career when they scream that its for Terrorism.

Welcome to a world where freedom ends and govt rights over all citizens begin.

As Ben Franklin said: Those that give up essential Liberty to obtain a little temporary safety deserve neither Liberty nor Safety.

(I think thats the exact quote, but I may be wrong)

[VI Joker]

Slight difference...

... for the moment the government is not telling you what you can or cannot view or post online. However, I suspect that will come in time. Little by little the freedoms we hold dear will be taken in the name of protecting us from terrorists and child pornographers.

[connieabeln]

On a practical note...

I have a practical question?who will manage this data? Who will make sure it?s clean and usable, define its metadata, safeguard it, maintain its integrity, keep it when it?s part of an investigation or ongoing court case (we know those can take longer than 2 years!) and delete it at the end of its useful life? Will we have more data analysts working for the government, or will this work be outsourced to outside vendors, who may be outsourced to another country?