Gonzales: ISPs must keep records on users

WASHINGTON--Attorney General Alberto Gonzales on Tuesday stepped up his efforts to lobby for federal laws requiring Internet providers to keep track of what their customers do online.

Gonzales asked senators to adopt "data retention" legislation that would likely force Internet providers to keep customer logs for at least a year or two. Those logs, often routinely discarded after a few months, are intended to be used by police investigating crimes.

ISP snooping time line

In events that were first reported by CNET News.com, Bush administration officials have said Internet providers must keep track of what Americans are doing online. Here's the time line:

June 2005: Justice Department officials quietly propose data retention rules.

December 2005: European Parliament votes for data retention of up to two years.

April 14, 2006: Data retention proposals surface in Colorado and the U.S. Congress.

April 20, 2006: Attorney General Gonzales says data retention "must be addressed."

April 28, 2006: Rep. DeGette proposes data retention amendment.

May 16, 2006: Rep. Sensenbrenner drafts data retention legislation--but backs away from it two days later.

May 26, 2006: Gonzales and FBI Director Mueller meet with Internet and telecommunications companies.

June 27, 2006: Rep. Barton, chair of a House committee, calls new child protection legislation a "highest priority."

"This is a national problem that requires federal legislation," Gonzales said during a Senate Banking Committee hearing. "We need to figure out a way to have ISPs retain data for a sufficient period of time that would allow us to go back and retrieve it."

As the November election approaches, politicians have been devoting an unprecedented amount of attention to the topic of children, pornography and the Internet: At least three committees are holding hearings on the subject this week alone.

One committee even enlisted an outside-the-Beltway celebrity, basketball icon Shaquille O'Neal. Shaq appeared on videotape before the Senate Commerce Committee, and said: "I've seen images that make me very sad, I've seen images that make me very mad...Yeah, I'm mad, very mad, senator." (O'Neal is a , a federally funded nonprofit group.)

It's unclear what the prospects are for mandatory data retention in Congress this year, or whether politicians will delay action until 2007. One senior House Republican drafted a bill (click for PDF) but then backed away from it, and a Democratic proposal (click for PDF) has not been voted on.

But with the Bush administration firmly behind the concept, and with state and local law enforcement lending a hand in the lobbying efforts and saying such mandates would help protect children, industry groups and privacy advocates may be hard-pressed to head off new regulations. During Tuesday morning's appearance, for instance, Gonzales favorably cited a June letter (click for PDF) endorsing mandatory data retention that was signed by 49 attorneys general. The letter said: "It is clear that something must be done to ensure that ISPs retain data for a reasonable period of time."

Myriad suggestions
Sen. John McCain, who presided over the afternoon hearing, scolded Internet companies who "were invited to participate and chose not to." He said he would talk to Sen. Ted Stevens, chairman of the Senate Commerce Committee, about scheduling an additional hearing during which the companies would be grilled.

Montana Sen. Conrad Burns, a Republican, used the hearing to tout a proposal, now tacked onto a mammoth communications bill and awaiting a vote, that would require all sexually explicit Web content to be labeled as such and home pages of all sites to be free of such content.

That measure, he said, "will help children from unwittingly stumbling across these words and images online."

Ernie Allen, president of the National Center for Missing and Exploited Children, echoed Gonzales' calls for ISPs to hang onto customer records. "Some companies have policies on retention, but they vary widely, are not implemented consistently, and frankly, most are too short to have meaningful prosecutorial value," he said.

Data retention legislation could follow one of two approaches, and it's not clear which is more likely.

One form could require Internet providers and perhaps social-networking sites and search engines to record for a year or two which IP address is used by which user. The other form would be far broader, requiring companies to record data such as the identities of e-mail correspondents, logs of who sent and received instant messages (but not the content of those communications), and the addresses of Web pages visited.

During a series of meetings that Justice Department officials have held with private companies--first reported by CNET News.com--officials have been ambiguous about how they want legislation worded, private-sector participants say. Companies involved have included AOL, Comcast, Google, Microsoft, Verizon Communications and trade associations.

Suggestions for congressional action at Tuesday afternoon's hearing didn't stop at data retention by private companies.

Sheriff Michael Brown, who heads an Internet Crimes Against Children task force in Bedford County, Va., called on Congress to ensure that any state, federal, local or educational institution that receives federal funding also conduct "appropriate transactional logging to allow the location of individuals that use that access in the exploitation of children." He said in his testimony (click for PDF) that the government could not, "in good conscience," make such demands of the private sector if it didn't also do the same.

That concept--restrictions slapped on using federal funds--echoes a 2000 federal law called the Children's Internet Protection Act. CIPA effectively forced schools and libraries to filter sexually explicit Web sites by tying that requirement to the receipt of federal funds, an approach the U.S. Supreme Court upheld as constitutional in 2003.

The concept of more federal laws was popular at Tuesday's pair of hearings. Sharon Cooper, an adjunct professor of pediatrics at the University of North Carolina, urged politicians to require that all public-school health classes, from elementary to high school, teach "child sexual abuse prevention strategies as well as online and communication technology safety strategies."

And Sen. Robert Bennett, a Utah Republican, suggested that the Justice Department create a successor to the widely criticized Meese Commission, a 1986 federal panel that claimed to document the harmful effects of pornography. "Isn't it time we revisited the creation of an attorney's general commission and update, if you will, the kind of things the Meese Commission prophesied would happen?" Bennett asked.

On Thursday, the U.S. House of Representatives will have its own hearing on the Internet and child pornography.

'Preservation' vs. 'retention'
At the moment, Internet service providers typically discard any log file that's no longer required for business reasons such as network monitoring, fraud prevention, or billing disputes. Companies do, however, alter that general rule when contacted by police performing an investigation--a practice called data preservation.

A 1996 called the Electronic Communication Transactional Records Act regulates data preservation. It requires Internet providers to retain any "record" in their possession for 90 days "upon the request of a governmental entity."

Because Internet addresses remain a relatively scarce commodity, ISPs tend to allocate them to customers from a pool based on whether a computer is in use at the time.

An IP address is a unique 4-byte address used to communicate with a device on a computer network that relies on the Internet Protocol. An IP address associated with CNET.com, for instance, is 216.239.113.101. (Two standard techniques used are the Dynamic Host Configuration Protocol and Point-to-Point Protocol over Ethernet.)

In addition, Internet providers are required by another federal law to report child pornography sightings to the National Center for Missing and Exploited Children, which is in turn charged with forwarding that report to the appropriate police agency.

When adopting its data retention rules, the European Parliament approved U.K.-backed requirements saying communications providers in its 25 member countries--several of which had enacted their own data retention laws already--must retain customer data for a minimum of six months and a maximum of two years.

The Europe-wide requirement applies to a wide variety of "traffic" and "location" data, including the identities of the customers' correspondents; the date, time and duration of phone calls, voice over Internet Protocol calls, or e-mail messages; and the location of the device used for the communications. But the "content" of the communications is not supposed to be retained. The rules are expected to take effect in 2008.

[Pete Bardo]

Google was right not to hand over this info!

We've been lead to believe that privacy is a right. I guess we were wrong.

We can not preserve our freedom by allowing our government to take away any part of it--no matter how small.

First it's child porn, next it's terrorism. After that fails to produce results, maybe we'll investigate everyone who visits Muslim web sites. Or maybe we'll investigate visitors to Israeli sites--I'm sure Palestinians consider them to be terrorists.

The problem here is that once this door is opened, there is no way to close it.

[enigma.live]

Door has already been opened

I'm getting sick.

[pookie11]

Could the door be open already?

I hope not. What's wrong with getting a warrant to go after someone you think is up to something bad? Why go after the whole country?

[HecticDialectics]

The door is already opening!

Goodbye privacy! Hello government!

More Big Brother tactics by U.S. Govt

Now the govt is strongarming companies to hand over
http://www.teckmagazine.com/content/view/667/43/
data on citizens instead of fighting this war on "terrorism" or whatever you want to call that this week.

More Big Brother tactics by U.S. Govt

Instead of fighting this war with terrorists, the
http://www.teckmagazine.com/content/view/631/43/
U.S. govt is more interested in tracking its own citizens. Good one.

[JoeF2]

The real issue is spying on Americans

They are just using the child porn issue as a pretext to be able to spy on Americans. "Who could be against getting these molesters?" They could them if they would give the FBI modern tools, like modern computers. But that's not what they want.
They already listened in on phone calls without legal basis, and would like nothing better than being able to spy on every American.

[pookie11]

Spying on americans

If it's any consolation they're upfront about their request.

[morphwvutuba]

One word: NO.

GET. OUT.

Citizens should spy on their government, not the other way around. I want these neonazis out of existence for the farce they've been making of my country. This is America, dammit. We don't do this kind of crap and still get to be called the land of the free and the home of the brave.

<thinking of buying a gun...>

[Kostagh]

Yeap... you've got that right...

Than why not emigrate to Europe?!
:))

[bishop1641]

Hypocrisy

The hypocrisy of this government and that party that supports them knows no bounds. This is a great diversion method. They can't even keep the borders secure. Law enforcement has lots of power available to them. Less you have a hell of a good IDS system at home they can monitor you now with a warrant and you wouldn't even know it. It is typical to use the line "for the children." It seems to work for them everytime.

[enigma.live]

Just take alll our constitutional rights away in the name of children

The real abuse of children is these politicians using every law they sponsor and push to get through as some type of protection for children. It's a red herring. Don't believe this folks. Dateline is having no problem finding child predators, I hardly see how accessing or having available access to everyone's internet traffic activities is going to get you more child predators. Already ISP's keep this data for atleast 3 months, if you can't get the child predator in 3 montns, then how can this really be about protecting the children.

[qprize]

So Google moves it's data centers to Costa Rica

As does Yahoo!, AOL, et al. It's cheaper than having to try track
and store all this info for two years, and Costa Rica will give them
tax breaks to become the Data Center of the world.

Gonzales/Bush can always be relied on to propose the most
onerous regulations with the highest cost and least benefit to
everyone, except their ever-growing fanaticism and fascism.

[CancerMan2]

No, Try Iran Instead

I would say that you stand the best chance of data privacy by using a service that is based in Iran. It is highly unlikely they will cooperate with the likes of Mr. Gonzo-gales anytime soon.

[DryHeatDave]

It's time

to start figuring out how they make those burning effigies, I think.

I can't type what I am thinking because CNET will just censor it out - but consider it said - at length.

[gworley]

More of Bushie's invasion of privacy...

The Bush administration doesn't need to know where I go on the Internet. Plain and simple this is an invasion of privacy

[David Arbogast]

Think first....

You are incorrect.
This is NOT an invasion of privacy.

This is a law designed to specify a mandatory data-retention period. Your ISP has your data, and they can keep it for as long as they like. A court can issue a subponea for that data, and that is nothing new. There is no mandate for all ISP logs to be turned over to the federal government.

I think you are paranoid. Did you even read the article? The Bush administration doesn't give a rat's rear-end where you go on the Internet, and they don't want your data. What they want... is to give law enforcement the ability to legally collect evidence on criminals after a judge has granted approval. And there is nothing wrong with that.

[tttansy]

What happened to enforcing existing laws?

I am amazed that our political leaders consistently ignore their obligation to enforce existing laws (in this case, identifying suspected child pornographers---by googling them!, getting a subpoena, tracking down the culprits, and prosecuting them)in favor of creating new laws to "make everyone's job easier." The main thing these new laws do is erode the freedoms of law-abiding citizens. At this rate, "thought crime" is just around the corner.

[JayMonster]

You are missing an important fact...

Other than the fact that they are (once again) using "child protection" and "predators" as the reason for requesting these laws, it really has nothing to do with the matter.

The "child protection" is simply the red herring to distract you from yet another Bush Administration attempt to cull as much information about every person as they can.

[solrosenberg]

They're there somewhere

Come on folks, Bush needs to spy on all Internet communications to find where the WMD are hidden in Iraq! Give him a break.

[gmycyk191]

Where's Bin Laden?

Never mind spying on me, where the hell is the person responsible for 9/11? Why haven't we gotten him? Why doesn't boy George care? There has to be a reason. I mean, I forgot to pay a parking ticket once, and a summons was issued for my arrest.

Google? Google?s all about $$ advertising; nothing wrong with that, but they?re not a political group.

Child porn my ass. Why is it the government?s job to be parents to my kids? I?m the parent, it?s my responsibility where my kids go and what they do. It?s my responsibility what they watch, what they read, and who they associate with.

I?m not one of those who believe the government was complicit in 9/11, but make no mistake, it has been distorted into the neocon political wet dream. Massive defense spending, 2 wars, terror alerts, citizens afraid, diminishing privacy? I ask you, are the terrorists, at least politically, winning?

Funny, I was just watching Enemy of the state the other night. That movie was made before 9/11. We should all watch it again.

[gmycyk191]

I/Net Bush?

Bush doesn't use the Internet, in fact, he openly admits he doesn't read newspapers.

Who the hell voted for this boob anyway? To all of you that did, shame on you!

[gmycyk191]

Nice Job C|Net

I have to say, one of the better written and more detailed articles here. Very well done C|Net.

[zanzzz]

Big Brother Party Galvanizing Their Voters

What a sickening spectacle! The collection of right wing nut jobs known as the Republican Party is putting on quite a display for their perceived voting base in desperate hopes of clinging to the power they have so widely abused. Pedophiles, pornographers, and pro Islamists- oh my! Their fear mongering in hopes of creating the perfect police state of security has been fairly successful to date. Let's hope the majority of Americans that bother to vote this fall give these guys the pink slip. If you cherish liberty and a limited government then this group of profoundly misguided career politicians should be sent packing. Enough of the Big Brother Party!

[netgk5815]

Give me somebody to vote FOR...

and I will gladly vote out some of these Republicans. But if you think their Democratic oponents will give us less government and more freedom...
They may say they will to get elected, but...
We need electable independent candidates that have some common sense about the limitations of government our founding fathers intended. Then the federal government would concentrate on our borders and defense of the country and the states would take care of the criminals among our citizenry.
I don't see either Democrats or Republicans reducing the federal government that much.

[enigma.live]

Dear Mr. Politician-NO.NO.NO.!!!

I am sick of our government, this is becoming a fascist country people, wake up. You are losing your freedoms before your very eyes. Do not vote for any politiician that supports this. It's always this crap about, in the name of safety, protection for terrorism, protecting the children. Spare me. This is about elitist control of the masses, pure and simeple. By the way your government is watching your posts to CNET right now, they are being monitored and your opposition to this new law must mean you are a citizen with something to hide. God help us.

[enigma.live]

Hell Why Not Require Everyone to Monitor and Retain Data on Everyone

Geez, why stop at internet traffic data retention. Why not make a law requiring our neighbors to keep tabs of when we leave home and come back? Why not have every store or shop make record and retain this data of everytime we stop in, shop, or even when we just browse the store aisles. Why not require every library to record and retain data of everytime we ever walk through their doors? Why not require our cell phone providers to have gps tracking devices to record and retain our location whereabouts every minute of the day? Why not require public restrooms to record and retain everytime we enter them? Just attach all our activities to a unique identifier and we are monitored and watched like a piece of walmart inventory. Reminds me of those animals that are tagged in the wilderness by scientists watching everything they do. America is becoming a nation of sheeps. Do you people really want to live this way and allow the worlds only superpower to do this to you, how will you stop the bigger invasions of privacy if you can't stop the little ones?

[~Neo~]

We Already Have What You Said

GPS in your cell phones, in your car can be used unauthorized by finding how by using google.

RFID tags that will track everything from the time it leaves a store which Walmart plans on using to track your buying habits from the time its made to the time it ends up in a landfill.

Ohh that shiny new PC you just bought has a unique hardware identifier besides having a serial number embedded in the CPU which most people dont even know about.

Your Mac address and I know mine is being checked by my ISP as I type this.

Umm lets see what else... your passport has an RFID tag embedded in it.

Your soon to be nationalized ID which the feds require all states to comply with by 2008 I believe must be registered with the feds if states wish to continue receiving federal funding.

Ohh and while we're at it did you know that you satellite TV and cable box can record what you watch.

George Orwell had the facts right he just got the year wrong.

I guess I just have to enjoy what little annonymity I have at the moment... but wait ohh thats right they have satellites that can see through buildings. Guess I am just another ant on this rock we call earth

[David Arbogast]

This is NOT spying OR an infringement of rights.

As usual, we have fear, paranoia, and confusion among News.com's "first-responders." I should start by stating that I am not in favor of the proposed scenario, and believe that it is a parent's responsibility to keep their children safe online, NOT the government's.

However - what is being proposed is NOT spying, and does NOT infringe upon the rights of Americans.

<<Those logs, often routinely discarded after a few months, are intended to be used by police investigating crimes. >>

Currently, ISPs retain log files for a period of time that they choose. A police investigation can result in a subponea being issued for that data. This is NOTHING new.

The change being proposed, is a mandatory period for data retention. Meaning - ISPs would be forced to maintain their log files for a given period of time in case a subponea was issued for that data.

It is NOT a law requiring ISPs to voluntarially hand over all data to the government, as some of these folks would have you believe.

There are already laws in place to govern data retention for businesses, especially related to email. The difference in this case, is that the law would be far less vague - which would be good.

The PROBLEM... is not one of rights, or spying.... those arguments are clearly unsubstantiated. Rather, the burdon placed upon an already low-margin business will be unreasonable. Data collection and storage requirements are translated into a dollar-cost for ISPs, and that cost will be passed to the consumer... which means that the cost of Internet access will increase.

ISPs can already store all your data for as long as they'd like. What the government is trying to do, is to set a STANDARD for data retention. You'd think that some of these open-source fans who preach standards would understand this. With a standard in place - investigators would know ahead of time whether or not data is available for collection as evidence in a case against a criminal. Rather than obtaining a warrant only to later learn that the ISP didn't retain those records, investigators will know ahead of time whether or not the data will be there.

[umbrae]

Will Never Happen...

I used to work for a "small" ISP. 2 weeks of standard longs would end up being several terabytes. There just is not enough hard-drive space in the world to collect this for 1-2 "years". If this ever passed, ISPs would sue and win since even Google would have a hard time finding the money to keep up the storage necessary.

[declan00]

Spying or not?

Whether this is a good or a bad idea we can debate forever.

But I think you're mischaracterizing our article and quoting from it selectively.

One possibility that's been talked about is forcing ISPs to go further than recording IP address assignments and keep logs of email correspondents, etc. Also this would apply to search engines, social networking sites, etc.

This would not be a small change and does not deserve to be dismissed as such.

[HecticDialectics]

It IS spying actually

Just as the government isn't allowed to install tracking devices in everyone in America's cars, they should be able to install tracking devices in everyone in America's computers, either.

What ever happened to warrants? The Republicans are acting like that word never existed.

[enigma.live]

No it's not spying YET! Read more here.

It's the fact that the government wants to compel by force (law) that data be retained on private citizens. The government has no business and is violating the 4th amendment by pushing to get this law passed, which should be ruled a 4th amendment violation anyway. Look if somehow you are for this law and think it's ok, then why are you not asking for a new law for the post office to start opening all mail and photocopying it's contents before delivery and retaining it for future access by the government for a set number of years? If you are a logical person, then your logic would suggest that you would have no problem with that law, and of course don't forget if you decide to use the postal service, then based on your logic, you must be agreeing to this anyways. Those who agree with the law are IDIOTS!!!

[steeliecan]

are any of you parents? if you were..

you'd know why politicians in every country on earth use the line "but think of the children" when they want to take away your rights.

most parents (the good kind, anyway) would do ANYTHING for their children, including die for them. this fanatical defense of kids turns off every rational bone in a parent's body.

in fact, protecting their children is such an irrational thing that most parents would gladly KILL SOMEONE ELSE to protect their children, if forced to choose. those same parents will certainly vote to take every single right that YOU have, in order to satisfy their primal urge to protect THEIR children.

if these irrational parents would be perfectly happy to KILL YOU to think their kids are safer, what makes you think they won't pass every sort of draconian law imaginable if a politician scares them into thinking they have to?

that's why politicians will never stop exploiting people's children for political gain.

it's time we as a national stood up and said "Sorry, parents, but your kids are not worth me losing my constitutional rights. End of story- no exceptions."

[Methuss]

I'm a soon to be parent myself...

But I do not support this legislation. Why you may ask? Because it is absolutley worthless and unenforceable. Any person with half a brain wanting to do something sinister is going to run through an off-shore proxy server that is not within US jurisdiction and the records of what they do will only point to the proxy.

This sort of legislation is a red-herring in that it does not actually do anything to cure the problem. It does, however, open the door to abuse by government, lawyers, and law enforcement. If the information is collected under the pretense of protecting children, do you really think a judge will refuse to obtain information that is known to exist for other purposes? Of course not. If it exists at all it will be subject to subpeona for other purposes such as divorces and other civil suits.

It is just a bad idea all around, plain and simple.

[Methuss]

Gonzalez is an idiot...

Hasn't he ever heard of an off-shore proxy server?

Even if he gets his law, it's totally worthless as criminals will just use an off-shore proxy that is not subject to US subpeona authority. The only record they would have is the connection to the proxy.

Useless.

[corelogik]

I am a parent, and rational

I do not subscribe to the theory that children must be totally
safe at all times. I am of the opinion that children must grow and
adapt to the environment, not the environment adapt to the
child. That being said, I do beleive in protecting my daughter to
the extent possible. I am against child porn and child abuse.

I also make sure that my child does not use the computer or the
internet unless I know what she is doing with/on it. I do not
believe in taking away anyones rights, mine included, or
infringing on anyones rights, mine included. I can only take so
much Elmo, Disney and sugary sweet kids shows and sites.

Some may consider me a bad parent, I really don't care. My child
learns to deal with her environment and if that means that
sometimes she gets a scrape or a bump or a bruise, so be it.

Keep your damn government hands out of my privacy, I have
nothing that would interest you.

[scdecade]

My brother

My brother is the widowed father of 3 young boys, 6, 4 1/2, and 3 1/2. He has password protected his computer so that if the kids want to use it they need to ask him. He then watches what they're doing. Mostly, the 6 year old plays Yahoo! games or goes to Nickleodeon.

The federal government of the united states is completely and utterly corrupt.

[faust]

Big Government

Welcome to today's R party where its all about big government watching over you.

The party that favored less government activity in our lives is long dead.

hail hail hail King Bush and his smucks

[pookie11]

Big government

To be fair there are still a handful of republicans fighting very hard to preserve the constitution. We need to recognize them and give them the credit they deserve. We need to catch criminals but we must do it without infringing on the constitutional rights of the people.

[sabot96]

Big Brother

One more step for big brother. Gonzales you don't a crap about child porn. You want to add one more tool in controlling the population.

The answer is no!