April 14, 2006 4:03 AM PDT
ISP snooping gaining support
- Related Stories
EU data retention directive gets final nodFebruary 22, 2006
Europe passes tough new data retention lawsDecember 14, 2005
Your ISP as Net watchdogJune 16, 2005
Europe to push ahead with ISP snooping lawJune 9, 2005
Europe likely to opt for biometric passportsOctober 27, 2004
FBI adds to wiretap wish listMarch 12, 2004
My (brief) career as an ISPOctober 10, 2003
FBI targets Net phoningJuly 29, 2003
Perspective: Privacy lessons from EuropeOctober 23, 2002
(continued from previous page)
Waters said that Comcast was unable to help police in an investigation dealing with the rape of a 2-year-old child because logs are routinely deleted as is standard business practice. "We'd like to see one year minimum" for data retention, Waters said. "Two years would be even better."
The amendment, sponsored by state Sen. Ron Tupa, a Democrat, requires Internet providers to "maintain, for at least 180 days after assignment, a record of the Internet protocol address" assigned to each customer. Violations can be punished by fines of up to $10,000 per incident.
"Preservation" vs. "Retention"
At the moment, Internet service providers typically discard any log file that's no longer required for business reasons such as network monitoring, fraud prevention or billing disputes. Companies do, however, alter that general rule when contacted by police performing an investigation--a practice called data preservation.
A 1996 federal law called the Electronic Communication Transactional Records Act regulates data preservation. It requires Internet providers to retain any "record" in their possession for 90 days "upon the request of a governmental entity."
In addition, Internet providers are required by another federal law to report child pornography sightings to the National Center for Missing and Exploited Children, which is in turn charged with forwarding that report to the appropriate police agency.
That pair of laws--coupled with Internet providers' willingness to cooperate when a child is being harmed--has created a system that works today, says Kate Dean, director of the U.S. Internet Service Provider Association.
"Law enforcement has not demonstrated that the absence of mandatory data retention is detrimental to the public interest," said Dean, whose board members include representatives of AOL, Verizon, BellSouth and EarthLink.
Dean said she's not sure whether U.S. data retention proposals being discussed are likely to mandate mere address recording or also require the storage of the contents of e-mail messages and Web pages visited. A representative of one large Internet provider who did not want to be quoted expressed concern that content could be swept up into legislation--and cited the privacy and security risks of having such a massive data warehouse available.
Michigan Rep. Bart Stupak, who's the senior Democrat on the House oversight and investigations subcommittee, expressed skepticism about forcible data retention requirements in an interview on Thursday. He said he would not "be in a rush to support" data retention requirements and would rather see the private sector come up with a better solution.
"I'm against this child porn stuff, but at the same time, let's not further erode the rights of the American people," Stupak said. "That's what I'll be looking for. I'll be looking at (proposed laws) with a very close, constitutional eye as to the validity of the proposals... and I'd like to hear from private industry what they can do."
The European precedent
One question is how closely U.S. proposals will follow those that Europe already has adopted. In December, the European Parliament approved a U.K.-backed requirement saying that communications providers in its 25 member countries--several of which had enacted their own data retention laws already--must retain customer data for a minimum of six months and a maximum of two years.
The Europe-wide requirement applies to a wide variety of "traffic" and "location" data, including the identities of the customers' correspondents; the date, time, and duration of phone calls, voice over Internet Protocol calls, or e-mail messages; and the location of the device used for the communications. But the "content" of the communications is not supposed to be retained. The rules are expected to take effect in 2008.
According to a memo accompanying the proposed rules (click here for PDF), European politicians approved the rules because not all operators of Internet and communications services were storing information about citizens' activities to the extent necessary for law enforcement and national security.
"These developments are making it much harder for public authorities to fulfill their duties in preventing and combating organised crime and terrorism, and easier for criminals to communicate with each other without the fear that their communications data can be used by law enforcement authorities to thwart them," the memo said.
Some U.S. companies are so alarmed by this requirement that they've talked about scaling back their operations in Ireland, which boasts some of the region's most aggressive data retention laws. Joe Macri, managing director of Microsoft Ireland, told the Irish Times last month: "Irish legislation is going beyond what is required from an EU perspective and is going to put significant additional costs on businesses...While we respect and understand the needs and concerns of the law enforcement agencies, there is also a need to take personal privacy concerns and the broader needs of business into consideration."
Jim Harper, director of information policy studies at the free-market Cato Institute, was the member of the Homeland Security's Data Privacy and Integrity Advisory Committee who asked Chertoff about data retention last month.
In an interview this week, Harper warned that mandatory data retention may cause more harm than good. "The true criminals will go and use random Wi-Fi nodes where you can get anonymous access," he said. "You haven't done anything but increase surveillance of law-abiding citizens."
CNET News.com's Anne Broache contributed to this report.
100 commentsJoin the conversation! Add your comment