The U.K. government is considering the mass surveillance and retention of all user communications on social-networking sites, including Facebook, MySpace, and Bebo.
Vernon Coaker, the U.K. Home Office security minister, on Monday said the EU Data Retention Directive, under which Internet service providers must store communications data for 12 months, does not go far enough. Communications such as those on social-networking sites and via instant-messaging services could also be monitored, he said.
"Social-networking sites such as MySpace or Bebo are not covered by the directive," said Coaker, speaking at a meeting of the House of Commons Fourth Delegated Legislation Committee. "That is one reason why the government (is) looking at what we should do about the Intercept(ion) Modernisation Programme, because there are certain aspects of communications which are not covered by the directive."
Under the EU Data Retention Directive, from March 15, 2009, all U.K. ISPs are required to store customer traffic data for a year. The Interception Modernisation Programme, or IMP, is a government proposal, introduced last year, for legislation to use mass monitoring of traffic data as an antiterrorism tool.
The IMP has two objectives: that the government use deep-packet inspection to monitor the Web communications of all U.K. citizens; and that all of the traffic data relating to those communications are stored in a centralized government database.
The U.K. government has previously said communications interception is "vital" and has hinted that social-networking sites may be put under surveillance. And responding to a question from Liberal Democrat Parliament member Tom Brake, Coaker said all traffic data on social-networking sites and through instant-messaging services may be harvested and stored.
"The honorable member for Carshalton and Wallington will also know the controversy that currently surrounds the Intercept(ion) Modernisation Programme," Coaker said. "I look forward to his support when we present (IMP) proposals, which may include requiring the retention of data on Facebook, Bebo, MySpace, and all other similar sites."
Deep-packet inspection, the second strand of the IMP, involves intercepting and examining the contents of all data packets that flow over a network. In Monday's meeting, Coaker said the government still intends to have a consultation on whether to inspect and then store all Internet traffic data in a centralized government database.
"What is the point of having a consultation if, as the honorable gentleman implies, the government (has) already made up (its) mind to have a central database?" Coaker asked. "We have not made up our mind. We have said we will consult on a variety of options."
Opposition to the government's IMP proposal has been fierce. Cambridge University computer security expert Richard Clayton told ZDNet UK on Wednesday that the government proposal to monitor social-networking traffic was "extremely intrusive."
"The question is whether it's necessary or proportionate, and the short answer is no, it doesn't look that way," said Clayton. "If the government wants to make us safer, having a few more police on the electronic beat would be a good idea."
Clayton said the problem for the government is that the Data Retention Directive applies only to data held by Internet service providers, but that a large number of people don't use ISPs' systems to communicate, instead using online services such as Web mail and social-networking sites. Servers may be located in different jurisdictions, Clayton said, and data retention times may be short.
"The government wants to collect all of this data on everybody, just in case," Clayton said. "Suppose you use (an e-mail service based in Pakistan), and you blow up the Houses of Parliament. The government would have to persuade the Pakistani authorities to turn over the logs, which may then turn out only to have been retained for three days."
However, Clayton believes that the cost of harvesting this information, which would involve all U.K. Internet infrastructure providers and ISPs having "black boxes" to monitor data, would be prohibitively expensive. Clayton said taxpayers' money would be better spent on the police, who could target investigations to those they suspect of criminal activity, rather than on performing blanket surveillance of everybody.
"To deploy deep-packet inspection equipment isn't cheap--the word 'billion' is appropriate," Clayton said. "It took the Home Office the best part of a year to find 3 million pounds for the Police e-Crime Unit. That's what is wrong with this picture."
Web inventor Sir Tim Berners-Lee also opposes the use of deep-packet inspection to inspect people's data. Berners-Lee told ZDNet UK last week that the Internet should not be "snooped" upon.
"If (third parties) are using the data for political ends or commercial interest, there we have to draw the line," Berners-Lee said. "There's a gap between running a successful Internet service and looking inside data packets."
Tom Espiner of ZDNet UK reported from London.
Two new federal proposals that Republican supporters claim will protect children have alarmed Internet companies, who say the measures could make it a crime to provide e-mail.
The bills, each named the Internet Safety Act and announced at a press conference on Thursday, have mostly attracted attention for a sweeping requirement saying broadband providers and Wi-Fi access points must keep records on users for two years.
Another section of the legislation, however, is numbered 1960B. It says anyone employed at a provider who "knowingly engages in any conduct the provider knows or has reason to believe facilitates access to, or the possession of, child pornography" will be fined and imprisoned for not more than 10 years.
For Internet firms, the quandary is this: The mere provision of e-mail, electronic storage, cloud-computing services, and social-networking sites could be viewed as an act that "facilitates access to" illegal content, especially if the provider knows that some users in the past have been less than law-abiding. (And the threat of arrest, indictment, and imprisonment makes them unwilling to hope prosecutors interpret the language conservatively.)
"The legislation, as currently drafted, appears to raise the specter of imputing criminal liability on ISPs and others for the provision of routine services, such as e-mail," said Kate Dean, executive director of the U.S. Internet Service Provider Association, or US ISPA.
US ISPA's members include Verizon, Comcast, AOL, AT&T, and EarthLink.
(The relevant text explicitly mentions e-mail: "Whoever, being an Internet content hosting provider or e-mail service provider, knowingly engages in any conduct the provider knows or has reason to believe facilitates access to, or the possession of, child pornography...shall be fined under this title or imprisoned not more than 10 years, or both.")
The pair of Texas Republicans who announced the proposal at a press conference on Thursday--Rep. Lamar Smith, the ranking member on the House Judiciary Committee, and Sen. John Cornyn--said it's necessary to protect children online. The Internet's "limitless nature offers anonymity that has opened the door to criminals looking to harm innocent children," Cornyn said.
In an opinion article published in the Dallas Morning News on Thursday, Smith defended his legislation by saying, "How many times have we seen TV detectives seek call logs of a suspect in order to determine who he has been talking to? What if the telephone companies simply said to the detectives, 'Sorry, we get rid of that information after 24 hours?'"
Neither Smith nor Cornyn responded to repeated inquiries from CNET News on Friday.
Two bills have been introduced so far--S.436 in the Senate and HR 1076 in the House. Each of the bills is titled "Internet Stopping Adults Facilitating the Exploitation of Today's Youth Act," or Internet Safety Act.
If a new federal proposal announced this week requiring Internet providers and Wi-Fi access points to keep records on users for two years becomes law, police would not be the only ones to benefit.
So would individuals and companies bringing civil lawsuits, including the Recording Industry Association of America and other large copyright holders, many of which have lobbied for similar data retention laws in other countries.
When filing lawsuits over suspected online piracy, lawyers for the RIAA and other plaintiffs typically have an Internet Protocol address they hope to link with someone's identity. But if the network operator doesn't retain the logs, the lawsuit can be derailed.
Marc Rotenberg, director of the Electronic Privacy Information Center in Washington, D.C., said the Internet Safety Act would "create new risk" for Internet users and expose them to "possible liability in civil suits and subpoena fishing expeditions--it's a terrible idea."
The pair of Texas Republicans who announced the proposal at a press conference on Thursday--Rep. Lamar Smith, the ranking member on the House Judiciary Committee, and Sen. John Cornyn--said it's necessary to protect children online. The Internet's "limitless nature offers anonymity that has opened the door to criminals looking to harm innocent children," Cornyn said.
Large copyright holders that are members of the RIAA and the Motion Picture Association of America have supported similar data retention regulations in Europe. They wrote in a 2005 letter to a committee of the European Parliament that "it is essential that service providers retain the relevant data for a reasonable period and that the data can be disclosed for appropriate purposes."
The letter--which argued for a data retention period of at least six months and preferably longer--was signed by Time Warner, Universal Music Group, Walt Disney, Warner Music, Sony Pictures, Sony BMG, and EMI, along with the MPAA and IFPI, the RIAA's international affiliate.
The MPAA and RIAA did not immediately respond to a request for comment on Friday. The FBI referred calls to the Justice Department, which did not comment. Neither of the bill's sponsors, Smith or Cornyn, would comment.
Under the new House and Senate bills, one benefit to companies bringing copyright lawsuits is that universities, schools, libraries, and commercial broadband providers would have to keep records of who's using which IP address for at least two years.
Few universities, which have been targeted by the RIAA as part of their anti-file-sharing campaign, seem to do that. Cornell University's Web site says it "typically keeps these logs 6 months." The University of Nebraska-Lincoln, according to a local newspaper report, keeps logs for a month. When contacted for an earlier CNET News story, Georgetown University refused to disclose how long it kept logs.
In the past, at least, the RIAA has not always filed cases quickly, and would benefit from longer data retention durations. In one 2007 case, the suit was filed in September, even though the IP addresses listed as sources of piracy dated back to February. Another RIAA case against 21 "John Does" at Boston University was filed four months after the alleged infringing activity.
In addition, the millions of American homes with Wi-Fi networks or wired routers would have to keep logs.
Paul Levy, an attorney at the Ralph Nader-founded Public Citizen group who has litigated Internet anonymity cases, says: "I have a Wi-Fi network at home, and I would have no idea how to retain IP information."
"This has a chilling effect on speaking, the fact that your information remains around for such a long time," Levy said.
In an opinion article published in the Dallas Morning News on Thursday, Rep. Smith defended his legislation by saying: "How many times have we seen TV detectives seek call logs of a suspect in order to determine who he has been talking to? What if the telephone companies simply said to the detectives, 'Sorry, we get rid of that information after 24 hours?'"
Two bills have been introduced so far -- S 436 in the Senate and HR 1076 in the House. Each of the bills is titled "Internet Stopping Adults Facilitating the Exploitation of Today's Youth Act," or Internet SAFETY Act.
Republican politicians on Thursday called for a sweeping new federal law that would require all Internet providers and operators of millions of Wi-Fi access points, even hotels, local coffee shops, and home users, to keep records about users for two years to aid police investigations.
The legislation, which echoes a measure proposed by one of their Democratic colleagues three years ago, would impose unprecedented data retention requirements on a broad swath of Internet access providers and is certain to draw fire from businesses and privacy advocates.
"While the Internet has generated many positive changes in the way we communicate and do business, its limitless nature offers anonymity that has opened the door to criminals looking to harm innocent children," U.S. Sen. John Cornyn, a Texas Republican, said at a press conference on Thursday. "Keeping our children safe requires cooperation on the local, state, federal, and family level."
Joining Cornyn were Texas Rep. Lamar Smith, the senior Republican on the House Judiciary Committee, and Texas Attorney General Greg Abbott, who said such a measure would let "law enforcement stay ahead of the criminals."
Two bills have been introduced so far--S.436 in the Senate and H.R.1076 in the House. Each of the companion bills is titled "Internet Stopping Adults Facilitating the Exploitation of Today's Youth Act," or Internet Safety Act.
Each contains the same language: "A provider of an electronic communication service or remote computing service shall retain for a period of at least two years all records or other information pertaining to the identity of a user of a temporarily assigned network address the service assigns to that user."
Translated, the Internet Safety Act applies not just to AT&T, Comcast, Verizon, and so on--but also to the tens of millions of homes with Wi-Fi access points or wired routers that use the standard method of dynamically assigning temporary addresses. (That method is called Dynamic Host Configuration Protocol, or DHCP.)
"Everyone has to keep such information," says Albert Gidari, a partner at the Perkins Coie law firm in Seattle who specializes in this area of electronic privacy law.
The legal definition of electronic communication service is "any service which provides to users thereof the ability to send or receive wire or electronic communications." The U.S. Justice Department's position is that any service "that provides others with means of communicating electronically" qualifies.
That sweeps in not just public Wi-Fi access points, but password-protected ones too, and applies to individuals, small businesses, large corporations, libraries, schools, universities, and even government agencies. Voice over IP services may be covered too.
Under the Internet Safety Act, all of those would have to keep logs for at least two years. It "covers every employer that uses DHCP for its network," Gidari said. "It covers Aircell on airplanes--those little pico cells will have to store a lot of data for those in-the-air Internet users."
In the Bush administration, Attorney General Alberto Gonzales had called for a very similar proposal, saying that subscriber information and network data should be logged for two years.
Until Gonzales' remarks in 2006, the Bush administration had generally opposed laws requiring data retention, saying it had "serious reservations" about them. But after the European Parliament approved such a requirement for Internet, telephone and VoIP providers, top administration officials began talking about the practice more favorably.
After Gonzales left the Justice Department, the political will for data retention legislation seemed to ebb for a time, but then FBI Director Robert Mueller resumed lobbying efforts last spring.
This tends to be a bipartisan sentiment: Attorney General Eric Holder, a Democrat, said in 1999 that "certain data must be retained by ISPs for reasonable periods of time so that it can be accessible to law enforcement." Rep. John Conyers, the Democratic chairman of the House Judiciary Committee, said that FBI proposals for data retention legislation "would be most welcome."
Smith, who sponsored the House version of the Internet Safety Act, had previously introduced a one-year requirement as part of a law-and-order agenda in 2007.
A 1996 federal law called the Electronic Communication Transactional Records Act regulates data preservation. It requires Internet providers to retain any "record" in their possession for 90 days "upon the request of a governmental entity."
Because Internet addresses remain a relatively scarce commodity, ISPs tend to allocate them to customers from a pool based on whether a computer is in use at the time. (Two standard techniques used are the Dynamic Host Configuration Protocol and Point-to-Point Protocol over Ethernet.)
In addition, Internet providers are required by another federal law to report child pornography sightings to the National Center for Missing and Exploited Children, which is in turn charged with forwarding that report to the appropriate police agency.
The Internet Safety Act is broader than just data retention. Other portions add criminal penalties to other child pornography-related offenses, increase penalties for sexual exploitation of minors, and give the FBI an extra $30 million for the "Innocent Images National Initiative."
FBI director Robert Mueller calls for new federal data retention laws forcing Internet companies to keep records of what their customers are doing, but without providing details. Several politicians endorsed the idea during a hearing on Tuesday.
WASHINGTON--The FBI and multiple members of Congress said on Wednesday that Internet service providers must be legally required to keep records of their users' activities for later review by police.
Their suggestions for mandatory data retention revive a push for potentially sweeping federal laws--which civil libertarians oppose--that flagged last year after the resignation of Attorney General Alberto Gonzales, the idea's most prominent proponent.
FBI Director Robert Mueller told a House of Representatives committee that Internet service providers should be required to keep records of users' activities for two years.
"From the perspective of an investigator, having that backlog of records would be tremendously important if someone comes up on your screen now," Mueller said. "If those records are only kept 15 days or 30 days, you may lose the information you may need to bring that person to justice."
Also lending their support for data retention were Rep. Ric Keller, R-Fla., who said that Internet chat rooms were crammed with sexual predators, and Rep. Lamar Smith of Texas, the senior Republican on the House Judiciary Committee and a previous data retention enthusiast. Rep. John Conyers, the senior Democrat and chairman, added that any proposed data retention legislation submitted by the FBI "would be most welcome."
ISP snooping time line
In a series of events first reported by CNET News.com, Bush administration officials have lobbied to force Internet providers to keep track of what Americans are doing online:
June 2005: Justice Department officials quietly propose data retention rules.
December 2005: European Parliament votes for data retention of up to two years.
April 14, 2006: Data retention proposals surface in Colorado and the U.S. Congress.
April 20, 2006: Attorney General Gonzales says data retention "must be addressed."
April 28, 2006: Rep. DeGette proposes data retention amendment.
May 16, 2006: Rep. Sensenbrenner drafts data retention legislation, but backs away from it two days later.
May 26, 2006: Gonzales and FBI Director Mueller meet with Internet and telecommunications companies.
February 6, 2007: Rep. Smith introduces bill that would give the Justice Department broad authority to write data retention rules.
"Records retention by ISPs would be tremendously helpful in giving us a historic basis to make a case on a number of child pornographers who use the Internet to push their pornography" or lure children, Mueller said.
Replied Smith: "I think a number of us may well follow up on that suggestion."
An aide to Rep. Smith said in response to questions from News.com that the congressman was offering no details and would not be commenting at this point.
Based on the statements at Wednesday's hearing and previous calls for new laws in this area, the scope of a mandatory data retention law remains fuzzy. It could mean forcing companies to store data for two years about what Internet addresses are assigned to which customers (Comcast said in 2006 that it would be retaining those records for six months).
Or it could be far more intrusive. It could mean keeping track of e-mail and instant-messaging correspondence and what Web pages users visit. Some Democratic politicians have called for data retention laws to extend to domain name registries and Web hosting companies and even social-networking sites. During private meetings with industry officials, FBI and Justice Department representatives have said it would be desirable to force search engines to keep logs--a proposal that could gain additional law enforcement support, but raise additional privacy concerns and potentially conflict with European laws.
Kate Dean, director of the U.S. Internet Service Provider Association, which counts as members AT&T, AOL, Comcast, and Verizon, said in an e-mail message:
Without specifics, it's hard to know what Director Mueller is looking for from industry. The idea of data retention is complex, and Congress will need to examine many issues including which providers would be covered by a retention regime, for what period of time would those organizations be required to keep the data, does the policy idea fit with today's and tomorrow's technologies, and what are the effects on the consumer--what are the potential risks to subscriber privacy and security? US ISPA members have been at the forefront of child protection initiatives with the National Center for Missing and Exploited Children and law enforcement, so we welcome a continued dialogue.
As attorney general until last summer, Gonzales rarely passed up an opportunity to call for data retention. In April 2006, he said Internet providers must retain records for a "reasonable amount of time" and the issue "must be addressed." In September 2006, he added: "This is a national problem that requires federal legislation."
After Gonzales' departure, the Bush administration has been less vocal on lobbying for data retention legislation. During Wednesday's hearing, however, Mueller called for new laws at least three times.
Multiple proposals to mandate data retention have surfaced in the U.S. Congress. One, backed by Rep. Diana DeGette, a Colorado Democrat, said that any Internet service that "enables users to access content" must indefinitely retain records that would permit police to identify each user. Another came from Wisconsin Rep. F. James Sensenbrenner, a close ally of President Bush, and a third was written by Rep. Smith, who endorsed the idea again on Wednesday.
At the moment, Internet service providers typically discard any log file that's no longer required for business reasons such as network monitoring, fraud prevention or billing disputes. Companies do, however, alter that general rule when contacted by police performing an investigation--a practice called data preservation.
A 1996 federal law called the Electronic Communication Transactional Records Act regulates data preservation. It requires Internet providers to retain any "record" in their possession for 90 days "upon the request of a governmental entity."
Because Internet addresses remain a relatively scarce commodity, ISPs tend to allocate them to customers from a pool based on whether a computer is in use at the time. (Two standard techniques used are the Dynamic Host Configuration Protocol and Point-to-Point Protocol over Ethernet.)
In addition, Internet providers are required by another federal law to report child pornography sightings to the National Center for Missing and Exploited Children, which is in turn charged with forwarding that report to the appropriate police agency.
News.com's Anne Broache reported from Washington, D.C.