Your ISP as Net watchdog: Feds mull having Internet service providers retain rec

[Guest guest]

D

Thu, 16 Jun 2005 11:19:36 -0500

Your ISP as Net watchdog

 

 

 

http://news.com.com/Your+ISP+as+Net+watchdog/2100-1028-5748649.html?part=dht & tag\

=ntop & tag=nl.e703

 

 

Your ISP as Net watchdog

Feds mull having Internet service providers retain records of their

customers' online activities.

 

By Declan McCullagh

 

Staff Writer, CNET News.com

 

Thu Jun 16 04:00:00 PDT 2005 |

 

 

The U.S. Department of Justice is quietly shopping around the

explosive idea of requiring Internet service providers to retain

records of their customers' online activities.

 

Data retention rules could permit police to obtain records of e-mail

chatter, Web browsing or chat-room activity months after Internet

providers ordinarily would have deleted the logs--that is, if logs

were ever kept in the first place. No U.S. law currently mandates that

such logs be kept.

 

In theory, at least, data retention could permit successful criminal

and terrorism prosecutions that otherwise would have failed because of

insufficient evidence. But privacy worries and questions about the

practicality of assembling massive databases of customer behavior have

caused a similar proposal to stall in Europe and could engender stiff

opposition domestically.

 

In Europe, the Council of Justice and Home Affairs ministers say logs

must be kept for between one and three years. One U.S. industry

representative, who spoke on condition of anonymity, said the Justice

Department is interested in at least a two-month requirement.

 

Justice Department officials endorsed the concept at a private meeting

with Internet service providers and the National Center for Missing

and Exploited Children, according to interviews with multiple people

who were present. The meeting took place on April 27 at the Holiday

Inn Select in Alexandria, Va.

 

" It was raised not once but several times in the meeting, very

emphatically, " said Dave McClure, president of the U.S. Internet

Industry Association, which represents small to midsize companies. " We

were told, 'You're going to have to start thinking about data

retention if you don't want people to think you're soft on child porn.' "

 

McClure said that while the Justice Department representatives argued

that Internet service providers should cooperate voluntarily, they

also raised the " possibility that we should create by law a standard

period of data retention. " McClure added that " my sense was that this

is something that they've been working on for a long time. "

 

This represents an abrupt shift in the Justice Department's long-held

position that data retention is unnecessary and imposes an

unacceptable burden on Internet providers. In 2001, the Bush

administration expressed " serious reservations about broad mandatory

data retention regimes. "

 

The current proposal appears to originate with the Justice

Department's Child Exploitation and Obscenity Section, which enforces

federal child pornography laws. But once mandated by law, the logs

likely would be mined during terrorism, copyright infringement and

even routine criminal investigations. (The Justice Department did not

respond to a request for comment on Wednesday.)

 

" Preservation " vs. " Retention "

At the moment, Internet service providers typically discard any log

file that's no longer required for business reasons such as network

monitoring, fraud prevention or billing disputes. Companies do,

however, alter that general rule when contacted by police performing

an investigation--a practice called data preservation.

 

A 1996 federal law called the Electronic Communication Transactional

Records Act regulates data preservation. It requires Internet

providers to retain any " record " in their possession for 90 days " upon

the request of a governmental entity. "

 

Child protection advocates say that this process can lead police to

dead ends if they don't move quickly enough and log files are

discarded automatically. Also, many Internet service providers don't

record information about instant-messaging conversations or Web sites

visited--data that would prove vital to an investigation.

 

" Law enforcement agencies are often having 20 reports referred to them

a week by the National Center, " said Michelle Collins, director of the

exploited child unit for the National Center for Missing and Exploited

Children. " By the time legal process is drafted, it could be 10, 15,

20 days. They're completely dependent on information from the ISPs to

trace back an individual offender. "

 

Collins, who participated in the April meeting, said that she had not

reached a conclusion about how long log files should be retained.

" There are so many various business models...I don't know that there's

going to be a clear-cut answer to what would be the optimum amount of

time for a company to maintain information, " she said.

 

McClure, from the U.S. Internet Industry Association, said he

counter-proposed the idea of police agencies establishing their own

 

guidelines that would require them to seek logs soon after receiving

tips.

 

Marc Rotenberg, director of the Electronic Privacy Information Center,

compared the Justice Department's idea to the since-abandoned Clipper

Chip, a brainchild of the Clinton and first Bush White House.

Initially the Clipper Chip--an encryption system with a backdoor for

the federal government--was supposed to be voluntary, but declassified

documents show that backdoors were supposed to become mandatory.

 

" Even if your concern is chasing after child pornographers, the

packets don't come pre-labeled that way, " Rotenberg said. " What

effectively happens is that all ISP customers, when that data is

presented to the government, become potential targets of subsequent

investigations. "

 

A divided Europe

The Justice Department's proposal could import a debate that's been

simmering in Europe for years.

 

In Europe, a data retention proposal prepared by four nations said

that all telecommunications providers must retain generalized logs of

phone calls, SMS messages, e-mail communications and other " Internet

protocols " for at least one year. Logs would include the addresses of

Internet sites and identities of the correspondents but not

necessarily the full content of the communication.

 

Even after the Sept. 11, 2001, terrorist attacks, the Bush

administration criticized that approach. In November 2001, Mark

Richard from the Justice Department's criminal division said in a

speech in Brussels, Belgium, that the U.S. method offers Internet

providers the flexibility " to retain or destroy the records they

generate based upon individual assessments of resources, architectural

limitations, security and other business needs. "

 

France, the United Kingdom, Ireland and Sweden jointly submitted their

data retention proposal to the European Parliament in April 2004. Such

mandatory logging was necessary, they argued, " for the purpose of

prevention, investigation, detection and prosecution of crime or

criminal offenses including terrorism. "

 

But a report prepared this year by Alexander Alvaro on behalf of the

Parliament's civil liberties and home affairs committee slammed the

idea, saying it may violate the European Convention on Human Rights.

 

Also, Alvaro wrote: " Given the volume of data to be retained,

particularly Internet data, it is unlikely that an appropriate

analysis of the data will be at all possible. Individuals involved in

organized crime and terrorism will easily find a way to prevent their

data from being traced. " He calculated that if an Internet provider

were to retain all traffic data, the database would swell to a size of

20,000 to 40,000 terabytes--too large to search using existing technology.

 

On June 7, the European Parliament voted by a show of hands to adopt

Alvaro's report and effectively snub the mandatory data retention

plan. But the vote may turn out to have been largely symbolic: The

Council of Justice and Home Affairs ministers have vowed to press

ahead with their data retention requirement.

 

 

Published: June 16, 2005, 4:00 AM PDT