[Infowarrior] - HOT: Congress may make ISPs snoop on you

Tue May 16 07:13:42 EDT 2006

Congress may make ISPs snoop on you

By Declan McCullagh
http://news.com.com/Congress+may+make+ISPs+snoop+on+you/2100-1028_3-6072601.
html

Story last modified Tue May 16 04:00:08 PDT 2006

A prominent Republican on Capitol Hill has prepared legislation that would
rewrite Internet privacy rules by requiring that logs of Americans' online
activities be stored, CNET News.com has learned.

The proposal comes just weeks after Attorney General Alberto Gonzales said
Internet service providers should retain records of user activities for a
"reasonable amount of time," a move that represented a dramatic shift in the
Bush administration's views on privacy.

Wisconsin Rep. F. James Sensenbrenner, the chairman of the House Judiciary
Committee, is proposing that ISPs be required to record information about
Americans' online activities so that police can more easily "conduct
criminal investigations." Executives at companies that fail to comply would
be fined and imprisoned for up to one year.

In addition, Sensenbrenner's legislation--expected to be announced as early
as this week--also would create a federal felony targeted at bloggers,
search engines, e-mail service providers and many other Web sites. It's
aimed at any site that might have "reason to believe" it facilitates access
to child pornography--through hyperlinks or a discussion forum, for
instance.

Speaking to the National Center for Missing and Exploited Children last
month, Gonzales warned of the dangers of pedophiles using the Internet
anonymously and called for new laws from Congress. "At the most basic level,
the Internet is used as a tool for sending and receiving large amounts of
child pornography on a relatively anonymous basis," Gonzales said.
Rep. F. James Sensenbrenner, R-Wisc. Rep. F. James Sensenbrenner, R-Wisc.

Until Gonzales' speech, the Bush administration had explicitly opposed laws
requiring data retention, saying it had "serious reservations" (click here
for PDF) about them. But after the European Parliament last December
approved such a requirement for Internet, telephone and voice over Internet
Protocol (VoIP) providers, top administration officials began talking about
it more favorably.

The drafting of the data-retention proposal comes as Republicans are trying
to do more to please their conservative supporters before the November
election. One bill announced last week targets MySpace.com and other social
networking sites. At a meeting last weekend, social conservatives called on
the Bush administration to step up action against pornography, according to
a New York Times report.

Sensenbrenner's proposal is likely to be controversial. It would
substantially alter U.S. laws dealing with privacy protection of Americans'
Web surfing habits and is sure to alarm Internet businesses that could be at
risk for linking to illicit Web sites.

A spokesman for the House Judiciary Committee said the aide who drafted the
legislation was not immediately available for an interview on Monday.

U.S. Justice Department spokesman Drew Wade said the agency generally
doesn't comment on legislation, though it may "issue a letter of opinion" at
a later date.

Marc Rotenberg, executive director of the Electronic Privacy Information
Center in Washington, called Sensenbrenner's measure an "open-ended
obligation to collect information about all customers for all purposes. It
opens the door to government fishing expeditions and unbounded data mining."

The National Security Agency has engaged in extensive data-mining about
Americans' phone calling habits, USA Today reported last week, a revelation
that could complicate Republicans' efforts to enact laws relating to
mandatory data retention and data mining. Sen. John Sununu, a New Hampshire
Republican, for instance, took a swipe at the program on Monday, and
Democrats have been calling for a formal investigation.

Worries for Internet providers
One unusual aspect of Sensenbrenner's legislation--called the Internet
Stopping Adults Facilitating the Exploitation of Today's Youth Act--or
Internet Safety Act--is that it's relatively vague.

Instead of describing exactly what information Internet providers would be
required to retain about their users, the Internet Safety Act gives the
attorney general broad discretion in drafting regulations. At minimum, the
proposal says, user names, physical addresses, Internet Protocol addresses
and subscribers' phone numbers must be retained.

That generous wording could permit Gonzales to order Internet providers to
retain records of e-mail correspondents, Web pages visited, and even the
contents of communications.

"In the absence of clear privacy safeguards, Congress would be wise to
remove this provision," Rotenberg said.

Sonia Arrison, director of technology studies at the free-market Pacific
Research Institute in San Francisco, said the Internet Safety Act "follows
in a long line of bad laws that are written in the name of protecting
children."

Complicating the outlook for the Internet Safety Act is the uncertain
political terrain of Capitol Hill. Rep. Diana DeGette, a Colorado Democrat,
announced legislation (click for PDF) last month--which could be appended to
a telecommunications bill--that would require Internet providers to store
records that would permit police to identify each user.

The head of the Energy and Commerce Committee, Rep. Joe Barton of Texas, has
expressed support for DeGette's plan. That could lead to a renewal of a turf
battle between the two committees, one of which has jurisdiction over
Internet providers, while the other is responsible for federal criminal law.

"We're still evaluating things," said Terry Lane, a spokesman for the House
Energy and Commerce Committee. "We haven't really laid out exactly yet what
kind of proposals we would support and what kind of proposals would be
necessary."

New Internet felonies proposed

Following are excerpts from Rep. Sensenbrenner's Internet Safety Act:

"Whoever, being an Internet content hosting provider or email service
provider, knowingly engages in any conduct the provider knows or has reason
to believe facilitates access to, or the possession of, child pornography
shall be fined under this title or imprisoned not more than 10 years, or
both.

"'Internet content hosting provider' means a service that (A) stores,
through electromagnetic or other means, electronic data, including the
content of web pages, electronic mail, documents, images, audio and video
files, online discussion boards, and weblogs; and (B) makes such data
available via the Internet"

"Not later than 90 days after the date of the enactment of this section, the
Attorney General shall issue regulations governing the retention of records
by Internet Service Providers. Such regulations shall, at a minimum, require
retention of records, such as the name and address of the subscriber or
registered user (and what) user identification or telephone number was
assigned..."

Federal politicians also are being lobbied by state law enforcement
agencies, which say strict data retention laws will help them investigate
crimes that have taken place a while ago.

Sgt. Frank Kardasz, head of Arizona's Internet Crimes Against Children Task
Force, surveyed his colleagues in other states earlier this year asking them
what new law would help them do their jobs. "The most frequent response
involved data retention by Internet service providers," or ISPs, Kardasz
told News.com last month.

"Preservation" vs. "Retention"
At the moment, ISPs typically discard any log file that's no longer required
for business reasons such as network monitoring, fraud prevention or billing
disputes. Companies do, however, alter that general rule when contacted by
police performing an investigation--a practice called data preservation.

A 1996 federal law called the Electronic Communication Transactional Records
Act regulates data preservation. It requires Internet providers to retain
any "record" in their possession for 90 days "upon the request of a
governmental entity."

Because Internet addresses remain a relatively scarce commodity, ISPs tend
to allocate them to customers from a pool based on whether a computer is in
use at the time. (Two standard techniques used are the Dynamic Host
Configuration Protocol and Point-to-Point Protocol over Ethernet.)

In addition, ISPs are required by another federal law to report child
pornography sightings to the National Center for Missing and Exploited
Children, which is in turn charged with forwarding that report to the
appropriate police agency.

When adopting its data retention rules, the European Parliament approved
U.K.-backed requirements saying that communications providers in its 25
member countries--several of which had enacted their own data retention laws
already--must retain customer data for a minimum of six months and a maximum
of two years.

The Europe-wide requirement applies to a wide variety of "traffic" and
"location" data, including the identities of the customers' correspondents;
the date, time and duration of phone calls, voice over Internet Protocol
calls, or e-mail messages; and the location of the device used for the
communications. But the "content" of the communications is not supposed to
be retained. The rules are expected to take effect in 2008.

According to a memo accompanying the proposed rules (click here for PDF),
European politicians approved the rules because not all operators of
Internet and communications services were storing information about
citizens' activities to the extent necessary for law enforcement and
national security.

In addition to mandating data retention for ISPs and liability for Web site
operators, Sensenbrenner's Internet Safety Act also would:

€ Make it a crime for financial institutions to "facilitate access" to child
pornography, for instance by processing credit card payments.

€ Increase penalties for registered sex offenders who commit another felony
involving a child.

€  Create an Office on Sexual Violence and Crimes against Children inside
the Justice Department.

CNET News.com's Anne Broache contributed to this report.