[Infowarrior] - Congress may consider mandatory ISP snooping

Fri Apr 28 20:50:52 EDT 2006

CNET News.com    http://www.news.com/
Congress may consider mandatory ISP snooping

By Declan McCullagh
http://news.com.com/Congress+may+consider+mandatory+ISP+snooping/2100-1028_3
-6066608.html

Story last modified Fri Apr 28 17:27:52 PDT 2006

It didn't take long for the idea of forcing Internet providers to retain
records of their users' activities to gain traction in the U.S. Congress.

Last week, Attorney General Alberto Gonzales, a Republican, gave a speech
saying that data retention by Internet service providers is an "issue that
must be addressed." Child pornography investigations have been "hampered"
because data may be routinely deleted, Gonzales warned.

Now, in a demonstration of bipartisan unity, a Democratic member of the
Congressional Internet Caucus is preparing to introduce an
amendment--perhaps during a U.S. House of Representatives floor vote next
week--that would make such data deletion illegal.

Colorado Rep. Diana DeGette's proposal (click for PDF) says that any
Internet service that "enables users to access content" must permanently
retain records that would permit police to identify each user. The records
could not be discarded until at least one year after the user's account was
closed.

It's not clear whether that requirement would be limited only to e-mail
providers and Internet providers such as DSL (digital subscriber line) or
cable modems. An expansive reading of DeGette's measure would require every
Web site to retain those records. (Details would be left to the Federal
Communications Commission.)
DeGette Rep. Diana Rep. Diana DeGette

"We're still addressing some of the issues, and we will have those issues or
answers before we introduce this as either an amendment or a standalone
bill," Brandon MacGillis, a spokesman for DeGette, said in an interview on
Friday.

CNET News.com was the first to report last June that the Justice Department
was quietly shopping around the idea of legally required data retention. In
a move that may have led to broader interest inside the United States, the
European Parliament last December approved such a requirement for Internet,
telephone and voice over Internet Protocol (VoIP) providers.

U.S. politicians began talking publicly about mandatory data retention
during a series of House of Representatives hearings on child pornography
and in speeches, News.com reported earlier this month. Legislation similar
to DeGette's has been circulating in the Colorado legislature, and another
hearing on child exploitation is planned for next Wednesday.

The Bush administration's current position is an abrupt reversal of its
previous long-held belief that data retention is unnecessary and imposes an
unacceptable burden on Internet providers. In 2001, the Bush administration
expressed (PDF) "serious reservations about broad mandatory data retention
regimes."

DeGette said in a statement that her amendment was necessary because:
"America is the No. 1 global consumer of child pornography, the No. 2
producer. This is a plague we had nearly wiped out in the seventies, and
sadly the Internet, an entity that we practically worship for all the great
things it has brought to us, is being used to commit a crime against
humanity."

For their part, Internet providers say they have a long history of helping
law enforcement in child porn cases and point out that two federal laws
already require them to cooperate. It's also unclear that investigations are
really being hindered, according to Kate Dean, director of the U.S. Internet
Service Provider Association.

MacGillis, a spokesman for DeGette, said his boss is likely to introduce her
data retention proposal as a standalone measure or as an amendment to a
broad telecommunications bill that's moving rapidly through the House.

The bill (PDF)--best known for a debate this week over its Net neutrality
sections--was approved by a House committee on Thursday and is expected to
receive a floor vote next week. (DeGette had considered adding it as an
amendment during the committee vote but decided against it at the last
minute.)

"Our main concern on the bill is privacy, protecting the privacy of everyone
out there on the Internet, but also retention of those records so law
enforcement officials will have access to them, so we just need to really
tinker with the language," MacGillis said.

Child porn as surveillance excuse?
Critics of DeGette's proposal have said that while the justification for
Internet surveillance might be protecting children, the data would be
accessible to any local or state law enforcement official investigating
anything from drug possession to tax evasion. In addition, the one-year
retention is a minimum; the FCC would receive the authority to require
Internet companies to keep records "for not less than one year after a
subscriber ceases to subscribe to such services."

Jim Harper, director of information policy studies at the free-market Cato
Institute, said: "This is an unrestricted grant of authority to the FCC to
require surveillance."

"The FCC would be able to tell Internet service providers to monitor our
e-mails, monitor our Web surfing, monitor what we post on blogs or chat
rooms, and everything else under the sun," said Harper, a member of the
Department of Homeland Security's Data Privacy and Integrity Advisory
Committee. "We're seeing a kind of hysteria reminiscent of the McMartin
case. The result will be privacy that goes away and doesn't come back when
the foolishness is exposed."

The McMartin case was probably the most extreme example of the hysteria over
"Satanic ritual abuse"--a widespread scare in the 1980s that children were
molested, murdered and tortured, even though no evidence was found. In the
McMartin preschool case, a family was falsely accused of Satanic activities
and the charges were eventually dropped.

At the moment, Internet service providers typically discard any log file
that's no longer required for business reasons such as network monitoring,
fraud prevention or billing disputes. Companies do, however, alter that
general rule when contacted by police performing an investigation--a
practice called data preservation.

A 1996 federal law called the Electronic Communication Transactional Records
Act regulates data preservation. It requires Internet providers to retain
any "record" in their possession for 90 days "upon the request of a
governmental entity."

In addition, Internet providers are required by another federal law to
report child pornography sightings to the National Center for Missing and
Exploited Children, which is in turn is charged with forwarding that report
to the appropriate police agency.

CNET News.com's Anne Broache contributed to this report.