New Bill Proposes ISPs Retain Data for 2 Years!
I know this is a bit old, and if you are involved in the issue you have probably read no less than a dozen stories on the issue, but it’s still worth talking about. I needed a little time to soak it in.
Here’s the gist: Two Texas Republicans, Senator John Cornyn and senior Republican on the House Judiciary Committee Lamar Smith, have proposed legislation that would make it federal law and require all Internet providers and operators of millions of Wi-Fi access points, even hotels, local coffee shops, and home users, to keep records about users for two years to aid police investigations.
Two bills have been introduced so far–S.436 in the Senate and H.R.1076 in the House. Each of the companion bills is titled “Internet Stopping Adults Facilitating the Exploitation of Today’s Youth Act,” or Internet Safety Act.
Each contains the same language: “A provider of an electronic communication service or remote computing service shall retain for a period of at least two years all records or other information pertaining to the identity of a user of a temporarily assigned network address the service assigns to that user.”
OK, where to begin. Let’s start with the obvious – umm, did these guys have any sort of IT consultant when writing this bill? Did they contemplate the costs and storage associated with this bill? It would be staggering – for everyone involved.
Past that – if you don’t see what this mean, let me lay it out for you. Your privacy online is now 100% gone. From now on, everything you do online will be traced and traceable back to you.
While I can understand what they were going after, a way to make investigations of online predators a bit easier for law enforcement, this proposal is so far off the deep end in so many places that it is astounding.
The bottom line is that the best place for internet safety to reign supreme is not in the minds and halls of the government, where there seems to be very little knowledge of the vast scope of the way things work. Internet safety needs to be practiced by parents in the home first.
You know, we wouldn’t need to keep data on Internet predators and child pornographers if all parents were monitoring their kids’ internet activity and doing their job in not letting their kids become victims of the predators to begin with.
We are NEVER going to be able to arrest and police our way out of the internet predator problem, but we can do one heck of a job keeping our kids safe if parents are using computer monitoring software programs like our PC Pandora. If parents KNOW who their kids are talking to and what they are doing online, there is almost zero chance they will become victims. (Of course, unless it is the parent or guardian abusing the child, in which case that is a whole separate issue).
This bill would require me, as a private person, as a work-at-home employee, and as an owner of 4 PCs, retain all records of everything that happens on my internet connection: all because I have a Wi-Fi in my house. It’s absurd.
Instead, let’s make a bill that makes it a law that parents start doing a better job. Give grants to small companies like ours so we can hand out free software to families that need it, but either can’t afford it or simply don’t realize how badly they do need it (the majority, sadly).
So, below I pasted two articles on the topic from two of my favorite tech sources: CNET News and PCMag.com. Check them out and please feel free to discuss and send me your thoughts on the issue.
February 19, 2009
Bill proposes ISPs, Wi-Fi keep logs for police
By Declan McCullagh, cnetnews.comRepublican politicians on Thursday called for a sweeping new federal law that would require all Internet providers and operators of millions of Wi-Fi access points, even hotels, local coffee shops, and home users, to keep records about users for two years to aid police investigations.
The legislation, which echoes a measure proposed by one of their Democratic colleagues three years ago, would impose unprecedented data retention requirements on a broad swath of Internet access providers and is certain to draw fire from businesses and privacy advocates.
“While the Internet has generated many positive changes in the way we communicate and do business, its limitless nature offers anonymity that has opened the door to criminals looking to harm innocent children,” U.S. Sen. John Cornyn, a Texas Republican, said at a press conference on Thursday. “Keeping our children safe requires cooperation on the local, state, federal, and family level.”
Joining Cornyn was Texas Rep. Lamar Smith, the senior Republican on the House Judiciary Committee, and Texas Attorney General Greg Abbott, who said such a measure would let “law enforcement stay ahead of the criminals.”
Two bills have been introduced so far–S.436 in the Senate and H.R.1076 in the House. Each of the companion bills is titled “Internet Stopping Adults Facilitating the Exploitation of Today’s Youth Act,” or Internet Safety Act.
Each contains the same language: “A provider of an electronic communication service or remote computing service shall retain for a period of at least two years all records or other information pertaining to the identity of a user of a temporarily assigned network address the service assigns to that user.”
Translated, the Internet Safety Act applies not just to AT&T, Comcast, Verizon, and so on–but also to the tens of millions of homes with Wi-Fi access points or wired routers that use the standard method of dynamically assigning temporary addresses. (That method is called Dynamic Host Configuration Protocol, or DHCP.)
“Everyone has to keep such information,” says Albert Gidari, a partner at the Perkins Coie law firm in Seattle who specializes in this area of electronic privacy law.
The legal definition of electronic communication service is “any service which provides to users thereof the ability to send or receive wire or electronic communications.” The U.S. Justice Department’s position is that any service “that provides others with means of communicating electronically” qualifies.
That sweeps in not just public Wi-Fi access points, but password-protected ones too, and applies to individuals, small businesses, large corporations, libraries, schools, universities, and even government agencies. Voice over IP services may be covered too.
Under the Internet Safety Act, all of those would have to keep logs for at least two years. It “covers every employer that uses DHCP for its network,” Gidari said. “It covers Aircell on airplanes–those little pico cells will have to store a lot of data for those in-the-air Internet users.”
In the Bush administration, Attorney General Alberto Gonzales had called for a very similar proposal, saying that subscriber information and network data should be logged for two years.
Until Gonzales’ remarks in 2006, the Bush administration had generally opposed laws requiring data retention, saying it had “serious reservations” about them. But after the European Parliament approved such a requirement for Internet, telephone and VoIP providers, top administration officials began talking about the practice more favorably.
After Gonzales left the Justice Department, the political will for data retention legislation seemed to ebb for a time, but then FBI Director Robert Mueller resumed lobbying efforts last spring.
This tends to be a bipartisan sentiment: Attorney General Eric Holder, a Democrat, said in 1999 that “certain data must be retained by ISPs for reasonable periods of time so that it can be accessible to law enforcement.” Rep. John Conyers, the Democratic chairman of the House Judiciary Committee, said that FBI proposals for data retention legislation “would be most welcome.”
Smith, who sponsored the House version of the Internet Safety Act, had previously introduced a one-year requirement as part of a law-and-order agenda in 2007.
A 1996 federal law called the Electronic Communication Transactional Records Act regulates data preservation. It requires Internet providers to retain any “record” in their possession for 90 days “upon the request of a governmental entity.”
Because Internet addresses remain a relatively scarce commodity, ISPs tend to allocate them to customers from a pool based on whether a computer is in use at the time. (Two standard techniques used are the Dynamic Host Configuration Protocol and Point-to-Point Protocol over Ethernet.)
In addition, Internet providers are required by another federal law to report child pornography sightings to the National Center for Missing and Exploited Children, which is in turn charged with forwarding that report to the appropriate police agency.
The Internet Safety Act is broader than just data retention. Other portions add criminal penalties to other child pornography-related offenses, increase penalties for sexual exploitation of minors, and give the FBI an extra $30 million for the “Innocent Images National Initiative.”
February 20, 2009
Bill Would Require ISPs to Retain Data for Two Years
By Chloe Albanesius, PCMag.comIn an effort to more easily identify those who upload and view child pornography, two lawmakers this week introduced a bill that would require Internet service providers to retain subscriber information for up to two years.
The Internet Safety Act, introduced by Rep. Lamar Smith and Sen. John Cornyn, both Texas Republicans, would also create new federal crimes for those who facilitate the transfer of child porn over the Internet. People who set up servers hosting child porn could face up to 10 years in jail, while those who fund these activities could get 20 years.
In addition, the bill increases funding for the FBI’s Innocent Images National Initiative by $30 million – double the funds FBI agents currently have to investigate online child porn and child sexual exploitation.
“Of the nearly 600,000 images of graphic child pornography found online and reported to law enforcement officials, only 2,100 of these children have been identified and rescued,” Rep. Smith said in a statement. “Federal, state and local law enforcement officials have reached a digital dead end in their battle against the online sexual exploitation of children.”
ISP’s should be held to the same data retention standards as phone companies, according to Smith. “How many times have we seen TV detectives seek call logs of a suspect in order to determine who he has been talking to?” Smith wrote in a Thursday editorial for The Dallas Morning News. “What if the telephone companies simply said to the detectives, ‘Sorry, we get rid of that information after 24 hours?’”
The U.S. Internet Service Provider Association (USISPA), – whose members include AOL, AT&T, Comcast, EarthLink, Microsoft, Verizon, and Yahoo – said the bill is unclear about what records the government wants the industry to retain.
“Congress will need to examine many tough issues when legislating a mandatory data retention scheme,” said Kate Dean, executive director of USISPA. “Among other considerations, Congress will need to decide which providers and what information is covered, reconcile how such a requirement will comport with today’s and tomorrow’s technologies, and determine the effect on consumers, their privacy and their online security, not to mention the financial impact on companies in this uncertain economy.”
Dean was also concerned that the bill “appears to raise the specter of imputing criminal liability on ISPs and others for the provision of routine services, such as e-mail.”
Smith and Cornyn said the bill would target “those who deliberately endanger our children – not those Internet service providers who work with law enforcement to protect them.”
“With sexual predators increasingly using new technology to prey upon children, it is critical that law enforcement stay ahead of the criminals,” Texas Attorney General Greg Abbott said in a statement.
Data retention was a big issue in Congress last year, but most lawmakers were calling for Internet companies to reduce the amount of time they retain data.
Companies like NebuAd, for example, took some heat over its practice of tracking users’ online behavior in order to serve up more relevant advertisements. NebuAd later dropped out of the ISP business.
In December, Yahoo announced that it would anonymize its user log after three months. A week earlier, Microsoft had said that it would anonymize its data after six months – but only if its rivals followed suit. Its current policy anonymizes that data after 18 months. Google announced in September that it would anonymize its data after nine months.
Comcast said on Friday that it only retains IP address assignment information for 180 days. “We do not retain any additional information unless compelled to do so by valid legal process,” a spokeswoman said.
“It’s premature for us to comment on this specific bill since we have not studied it fully,” said a Cox Communications spokesman. However, the company has a longstanding policy of maintaining IP assignment logs for six months, he said.
AOL said its data retention policies vary according to business needs and requirements.
“In terms of the specific legislation proposed, I also wanted to point out that AOL has a long-standing relationship with law enforcement and other organizations such as the National Center for Missing and Exploited Children (NCMEC) focused on fighting the problem of online child exploitation,” an AOL spokeswoman said. “We are also committed to working very closely with Congress and industry organizations to develop the best solutions for addressing this issue.”
AT&T said it is reviewing the bill.
