U.S. attorney general calls for 'reasonable' data retention

ALEXANDRIA, Va.--The failure of some Internet service providers to retain user logs for a "reasonable amount of time" is hampering investigations into gruesome online sex crimes, U.S. Attorney General Alberto Gonzales said Thursday, indicating that new data retention rules may be on the way.

"The investigation and prosecution of child predators depends critically on the availability of evidence that is often in the hands of Internet service providers," Gonzales said in a morning speech to staff at the National Center for Missing and Exploited Children headquarters here.

"Record retention by Internet service providers (that is) consistent with the legitimate privacy rights of Americans is an issue that must be addressed," he added.

CNET News.com was the first to report last June that the Justice Department was quietly shopping around the idea of legally required data retention. In a move that may have led to broader interest inside the United States, the European Parliament last December approved such a requirement for Internet, telephone and voice over Internet Protocol (VoIP) providers.

Congress is now considering policy changes, as News.com reported last week. At least one U.S. House of Representatives leader indicated he is mulling legislation that would require data retention. The topic surfaced at two hearings--convened recently by a House subcommittee--about online sexual exploitation and child pornography. Investigators of Internet sex crimes said they would like to see at least several months--and ideally, a year or more--of mandatory records retention.

The Justice Department and the Federal Bureau of Investigation took heat from subcommittee politicians for failing to send representatives to either hearing. Gonzales' talk was likely an attempt to show that the Bush administration is serious about taking new steps to root out child pornography. His remarks focused largely on what he termed an "epidemic" in the movies and images depicting the sexual abuse of children, exacerbated by the Internet's ability to create an anonymous haven for pedophiles.

The attorney general didn't indicate how long of a data-retention period he would support or whether he favored new legislation enforcing such a requirement. He said he has asked Justice Department advisers to come up with recommendations and would "personally" call the CEOs of Internet service providers "to solicit their input and assistance."

Mandatory data retention remains a controversial topic. Privacy advocates generally fear that such a law would allow police to obtain records of e-mail chatter, Web browsing or chat-room activity that normally would have been discarded after a few months--or not kept in the first place. Right now, Internet service providers typically discard any log file they don't need for business purposes, such as network monitoring, fraud prevention or billing disputes.

Proposals for mandatory data retention tend to follow one of two paths. One approach would require businesses to record only the Internet address that is assigned to a customer at a specific time. The second version, which is closer to what Europe adopted, would call for retention of more information including telephone numbers dialed, contents of Web pages visited, and recipients of e-mail messages.

The idea has drawn concern from the Internet service providers themselves, which worry about costs associated with storing the massive amounts of data and argue that existing laws give police sufficient tools to conduct investigations.

A 1996 federal law called the Electronic Communication Transactional Records Act requires ISPs to retain any "record" in their possession for 90 days "upon the request of a governmental entity"--a practice known as "data preservation."

Another federal law requires Internet providers to report online child pornography to the National Center for Missing and Exploited Children's tip line, where analysts are charged with forwarding reports to the appropriate police agency. An ISP's failure to make such reports carries a steep fine, and the Justice Department is floating a proposal with Congress that would add criminal penalties.

"No one wants (the rules) to be cumbersome or burdensome for these businesses," Ernie Allen, head of the National Center for Missing and Exploited Children, told CNET News.com after Gonzales' speech. But at the same time, he said, the information they keep about their customers can be "the essence of what's required to investigate."

Kate Dean, director of the U.S. Internet Service Provider Association, said her member companies looked forward to discussing the matter with the Bush administration. But she said they remained uncertain as to what "added benefit" investigators would derive from data retention requirements. "It's not clear from the attorney general's statements this morning what kind of evidence (stored by ISPs) he's referencing," she said. "We'll need to get some clarification on that."

CNET News.com's Declan McCullagh contributed to this report.

[Methuss]

but where does it end?

No one wants pedophiles to have any place that they can hide, but what limits are there to this proposal? They are talking child pornography now but what is to stop them from tapping into that data for other things. Once they have the data retention requirements in place that data becomes fair game to any search the government wants. It would be there, just a matter of getting it. "Fishing expeditions" would become routine and we have already seen how our current president deals with those who criticize him in demonstrations. We would be taking one step closer to the Big Brother concept of Orwellian fame where we have to be careful what we say lest we be targetted for harassment by unscrupulous government officials.

[R. U. Sirius]

A real issue, but...

Okay, so I can support going after pervs who are exploiting kids. Good idea. We probably already have the tools we need to nail them, but if we need to do more, in a rational situation we would do more.

But, why are these guys even bothering with congress? Is this not the same AG who told Bush that it's okay to ignore FISA court oversight, and who says Bush has unlimited power as a unitary executive to do whatever he wants to do?

The main problem now is that the Bush administration no longer has any credibility. When they say they're restricted, it doesn't track with their behavior of breaking or ignoring laws for their own gain.

As the commenter above demonstrates, even when there is a reason for addressing real problems, such as with online predators, these guys in Washington are no longer trusted. And AG is one of the main reasons for this current dilemma.

[Methuss]

but where does it end?

No one wants pedophiles to have any place that they can hide, but what limits are there to this proposal? They are talking child pornography now but what is to stop them from tapping into that data for other things? Once they have the data retention requirements in place that data becomes fair game to any search the government wants. It would be there, just a matter of getting it. "Fishing expeditions" would become routine and we have already seen how our current president deals with those who criticize him in demonstrations. We would be taking one step closer to the Big Brother concept of Orwellian fame where we have to be careful what we say lest we be targetted for harassment by unscrupulous government officials.

[kg4giy]

Data, disk and dollars

I guess the first question this raises is how
much money is the federal government going to
set aside to hire programmers and data mining
experts to sift through the millions of
terabytes of useless junk for just one or two
key pieces of data? As a manager of a small
company (5000 employees) when asked to retrieve
the logs of an employee under investigation, it
would take hours of research to turn up the two
or three key files required to suit the case.
Here we are talking about data crossing dozens
of internet providers in dozens of countries.

Second question, as the ISPs rightly point out
is who is going to pay for the disk (media) to
store what is essentially junk. The Federal
government has a serious storage problem now -
with data already in the terabytes, they cannot
effectively begin to search their own archives
of mandated retained data, let alone the log
files. ISPs are another level again above that.
Then there is disaster recovery. Are ISPs
expected to provide disaster recovery of this
data? If so, that doubles the price again.

Finally, there is the issue of privacy and the
fishing that can conceivably be done without so
much as anyone knowing.

At the end of the day, this is an issue that the
non-technologists just do not comprehend. The
scope and costs alone are astronomical and the
value of data returned just does not justify the
cost.

[unknown unknown]

Won't do one bit of good

SSL proxy technology makes data retention by ISPs meaningless. The only information the ISP sees is the connection to the proxy and an encrypted stream. One doesn't have technically savvy to use it either as many proxy programs and sites offer to automaticly configure your browser or offer instructions on doing so.

After the NSA debacle I don't trust the DOJ to not abuse data rentention laws and not go on fishing expeditions.

[nhandler]

Sex criminals? Oh my.

Run for the hills, take your daughters with you, the sex criminals are on the loose and they're knocking on your door!

'Sex crime' has become the new buzzword to justify massive incursions on privacy and personal liberties, it's disgusting. No one will deny that sex crimes are bad, hence no one will deny the government nearly unlimited leeway to 'solve' this problem even if that solution happens to impact non-criminals immeasurably more. Will data retention decrease the incidence of sex crimes, most of which are spontaneous? I sincerely doubt it.

One thing is for sure: policing an alarmist population is EASY!

[Mystigo]

And They Won't Need A Warrant

And warrants are a thing of the past too. All they have to do is say
it's terrists, instead of sex creeminuls and they have carte blanche
to look for anything about anybody.

How long before people start "disappearing" in the night?

[dheighton]

Thought Criminals? Oh My.

Run for the hills, take your daughters and sons with you, the thought criminals are on the loose and they're knocking on your door with books!

'thought crime' has become the new buzzword to justify massive incursions on privacy and personal liberties, it's disgusting. No one will deny that thought crimes are bad, hence no one will deny the government nearly unlimited leeway to 'solve' this problem even if that solution happens to impact non-criminals immeasurably more. Will data retention decrease the incidence of thought crimes, most of which are spontaneous? I sincerely doubt it.

One thing is for sure: policing an alarmist population is EASY!

[markdoiron]

It's A Hook

If the "authorities" want to do something that a reasonable American would think of as unconstitutional or an unreasonable invasion of the privacy, tie it to sexual predation, child porn or terrorism. Typical Gonzales and Bush Administration tactic.

mark d.

[MisterFlibble]

Are you going to vote against the republicans yet?

What will it take for people to wake up! This is all about the GOP's agenda, the agenda of PNAC (Progress for the New American Century), to turn this nation into a perpetual police state... are people ready to stop voting agaisnt their own self interests, yet?

[R. U. Sirius]

Rigged Voting Machines?

Regarding people voting against their own interests, it brings up a couple of points I've been reading about lately.

First, I've seen reports that the e-machines made by Diebold and others are easily hacked and rigged. Even though organizations such as OASIS are working hard to push for transparent secure standards around e-voting, the Diebold model isn't anywhere close. In fact the Diebold model has *no* paper backup trail. So if the system is hacked, recounts are useless.

This topic would be a good one for Cnet to dig into.

Second, are reports of voter suppression and manipulation of voter rolls. This is mostly in conjunction with partisan secretary of state offices. Why aren't these overseen by independent bi-partisan commissions?

These are both disturbing developments, and would seem to me to be easily rectified if there were a concerted detail reporting done on it.

[Lily91]

Data Retention

Data retention is invasive and anti-Constitutional; how about making the penalties extremely punitive including mandatory prison time?

[Stan Kee]

Pointless. Won't stop child porn.

I fail to see how this will stop child porn. Yes it may stop them from publishing it on the net but it won't stop the act from taking place. Add this to the eroding freedom category.

At this point I see no difference between the US & China, it just a matter to what degree each goes. Both are looking to keep a closer watch on citizens.

Seems like every time I look up its:
--Business c/o the government eroding freedom
--"Protecting the kids/family" c/o the government eroding freedom
--Pushing of a groups religous beliefs c/o the government eroding freedom
--False patriotism c/o the government eroding freedom
--"Fighting Terrorism" c/o the government eroding freedom

At least in a repressive society you know what you are getting instead of this quasi-freedom they push on us in the US.

[hwallbanger1984]

Houston HS students sell porn disk

Students filmed a couple copulating at a HS dance and sold the disks... What happened? They fired the HS principal.

[booboo1243]

True data retention

REASONABLE DATA RENTENTION = NO DATA RETENTION!

[Bill Dautrive]

Is that like reasonable torture?

The governments orwellian desire to collect everything they want is beyond frightening.

That extreme fascists like Gonzales could even talk about what is reasonable and people believe him is even more firghtening.

The man belongs in jail, not in charge of the "justice" department.

[carwaterguide]

Try these sites if you want to waste some more time and money

http://RecordOnlineGuide.blogspot.com