[Infowarrior] - Qwest calls for mandatory data retention laws

Tue Aug 22 17:30:14 EDT 2006

Qwest calls for mandatory data retention laws

By Declan McCullagh
http://news.com.com/Qwest+calls+for+mandatory+data+retention+laws/2100-1028_
3-6108279.html

Story last modified Tue Aug 22 13:46:11 PDT 2006

advertisement

ASPEN, Colo.--Broadband company Qwest Communications International on
Tuesday strongly endorsed federal legislation requiring Internet providers
to keep records of their customers' behavior, a move that could accelerate
efforts in Congress to enact new laws.

Jennifer Mardosz, Qwest's corporate counsel and chief privacy officer,
applauded efforts by politicians to force broadband providers to engage in
so-called "data retention," which Attorney General Alberto Gonzales said
will aid in investigations into terrorism and child exploitation. This
appears to be the first time a broadband provider has called for data
retention laws.

"We support legislation related to data retention," Mardosz said at the
Progress and Freedom Foundation's annual summit here. Mardosz said Qwest
"absolutely" endorses a measure (click for PDF) proposed in April by Rep.
Diana DeGette, a Colorado Democrat.

In a public flip-flop, the Bush administration now is lobbying for data
retention laws, even though it previously expressed "serious reservations
about broad mandatory data retention regimes." Rep. Joe Barton, the
influential chairman of the House Energy and Commerce Committee, has
endorsed data retention and is expected to introduce a bill after the panel
completes a series of hearings on child exploitation.

"We support legislation," Mardosz said Tuesday. "We want to be at the table.
We want to have these discussions. The main thing is what's reasonable and
balancing the interests of privacy and law enforcement." Qwest already keeps
logs for more than 99 percent of its services for one year, she said.

This is an unusual stand for Qwest, which defended its customers' privacy
rights when requiring the National Security Agency to obtain a court order
to conduct electronic surveillance, according to a USA Today article in May.
The Denver-based company has a market capitalization of $16.5 billion and
says it has 784,000 wireless customers and 1.7 million DSL (digital
subscriber line) customers.

Privacy groups have strongly opposed mandatory data retention, and many
Internet providers have been skeptical of new laws. The U.S. Internet
Industry Association has said current proposals aren't "going about this the
right way," and the Information Technology Association of America has raised
"real reservations" about legislation.

"Imposing broad data retention would be a significant change to U.S. law,
especially when it has not been shown that a narrower data preservation
approach will not work just as well," said Kate Dean, director of the U.S.
Internet Service Provider Association. "The proposal to store enormous
amounts of data on subscribers and keep it live for a lengthy period of time
raises serious technical, legal and security concerns." (The association's
members include AOL, AT&T, BellSouth, EarthLink and Verizon Communications.)

Qwest's enthusiastic endorsement of mandatory data retention could make it
politically easier for members of Congress to enact new laws even if other
companies remain staunchly opposed.

Details about the Bush administration's call for data retention remain
ambiguous. At the very least, administration officials want to compel
Internet providers to keep records of which Internet Protocol address a
customer is assigned.

But during private meetings with industry officials, FBI and Justice
Department officials have cited the desirability of also forcing search
engines to keep logs--a proposal that could gain additional law enforcement
support after AOL showed how useful such records could be in investigations.

Mardosz said that keeping records of what Web pages are visited (another
possible option) would go too far. "If you get along the lines of content,
there's going to be a lot pushback (and privacy concerns)," she said. "We
don't want to go there."

DeGette's proposed legislation says any Internet service that "enables users
to access content" must permanently retain records that would permit police
to identify each user. The records could only be discarded at least one year
after the user's account was closed.

Critics of DeGette's proposal have said that while the justification for
Internet surveillance might be protecting children, the data would be
accessible to any local or state law enforcement official investigating
anything from drug possession to tax evasion. In addition, the one-year
retention is a minimum; the Federal Communications Commission would receive
the authority to require Internet companies to keep records "for not less
than one year after a subscriber ceases to subscribe to such services."
At the moment, Internet service providers typically discard any log file
that's no longer required for business reasons such as network monitoring,
fraud prevention or billing disputes. Companies do, however, alter that
general rule when contacted by police performing an investigation--a
practice called data preservation.

Because Internet addresses remain a relatively scarce commodity, ISPs tend
to allocate them to customers from a pool based on whether a computer is in
use at the time. (Two standard techniques used are the Dynamic Host
Configuration Protocol and Point-to-Point Protocol over Ethernet.)

In addition, Internet providers are required by another federal law to
report child pornography sightings to the National Center for Missing and
Exploited Children, which is in turn charged with forwarding that report to
the appropriate police agency.

When adopting its data retention rules, the European Parliament approved
U.K.-backed requirements saying that communications providers in its 25
member countries--several of which had enacted their own data retention laws
already--must retain customer data for a minimum of six months and a maximum
of two years.

The Europe-wide requirement applies to a wide variety of "traffic" and
"location" data, including the identities of the customers' correspondents;
the date, time and duration of phone calls, voice over Internet Protocol
calls or e-mail messages; and the location of the device used for the
communications. But the "content" of the communications is not supposed to
be retained. The rules are expected to take effect in 2008.