[Infowarrior] - Gonzales pressures ISPs on data retention

Richard Forno rforno at infowarrior.org
Sat May 27 02:18:06 EDT 2006


CNET News.com    http://www.news.com/
Gonzales pressures ISPs on data retention

By Declan McCullagh
http://news.com.com/Gonzales+pressures+ISPs+on+data+retention/2100-1028_3-6077654.html

Story last modified Fri May 26 18:15:43 PDT 2006


U.S. Attorney General Alberto Gonzales and FBI Director Robert Mueller on
Friday urged telecommunications officials to record their customers'
Internet activities, CNET News.com has learned.

In a private meeting with industry representatives, Gonzales, Mueller and
other senior members of the Justice Department said Internet service
providers should retain subscriber information and network data for two
years, according to two sources familiar with the discussion who spoke on
condition of anonymity.

The closed-door meeting at the Justice Department, which Gonzales had
requested, according to the sources, comes as the idea of legally mandated
data retention has become popular on Capitol Hill and inside the Bush
administration. Supporters of the idea say it will help prosecutions of
child pornography because in many cases, logs are deleted during the routine
course of business.

In a speech last month at the National Center for Missing and Exploited
Children, Gonzales said that Internet providers must retain records for a
"reasonable amount of time."

"I will reach out personally to the CEOs of the leading service providers
and to other industry leaders," Gonzales said. "Record retention by Internet
service providers consistent with the legitimate privacy rights of Americans
is an issue that must be addressed."

Until Gonzales' speech, the Bush administration had generally opposed laws
requiring data retention, saying it had "serious reservations" about them.
But after the European Parliament last December approved
such a requirement for Internet, telephone and voice over Internet Protocol
providers, top administration officials began talking about the practice
more favorably.

During Friday's meeting, Justice Department officials passed around
pixellated (that is, slightly obscured) photographs of child pornography to
emphasize the lurid nature of the crimes police are trying to prevent,
according to one source.

A Justice Department spokesman familiar with the administration's stand on
data retention was in meetings on Friday and unavailable for comment, a
department representative said.

Privacy advocates have been alarmed by the idea of legally mandated data
retention, saying that, while child exploitation may be the justification
today, those records would be available in all kinds of criminal and civil
suits--including terrorism, tax evasion, drug, and even divorce cases.

It was not immediately clear what Gonzales and Mueller meant by suggesting
that network data be retained. One possibility is requiring Internet
providers to record the Internet addresses their customers are temporarily
assigned. A more extensive mandate would require companies to keep track of
e-mail messages sent, Web pages visited and perhaps even instant-messaging
correspondents.

'Preservation' vs. 'retention'

Two proposals to mandate data retention have surfaced in the U.S. Congress.
One, backed by Rep. Diana DeGette, a Colorado Democrat, says that any
Internet service that "enables users to access content" must permanently
retain records that would permit police to identify each user. The records
could only be discarded at least one year after the user's account was
closed.

The other was drafted by aides to Wisconsin Rep. F. James Sensenbrenner, the
chairman of the House Judiciary Committee, a close ally of President Bush.
Sensenbrenner said through a spokesman last week, though, that his proposal
is on hold because "our committee's agenda is tremendously overcrowded
already."

At the moment, Internet service providers typically discard any log file
that's no longer required for business reasons such as network monitoring,
fraud prevention or billing disputes. Companies do, however, alter that
general rule when contacted by police performing an investigation--a
practice called data preservation.

A 1996 federal law called the Electronic Communication Transactional Records
Act regulates data preservation. It requires Internet providers to retain
any "record" in their possession for 90 days "upon the request of a
governmental entity."

Because Internet addresses remain a relatively scarce commodity, ISPs tend
to allocate them to customers from a pool based on whether a computer is in
use at the time. (Two standard techniques used are the Dynamic Host
Configuration Protocol and Point-to-Point Protocol over Ethernet.)

In addition, Internet providers are required by another federal law to
report child pornography sightings to the National Center for Missing and
Exploited Children, which is in turn charged with forwarding that report to
the appropriate police agency.

When adopting its data retention rules, the European Parliament approved
U.K.-backed requirements, saying that communications providers in its 25
member countries--several of which had enacted their own data retention laws
already--must retain customer data for a minimum of six months and a maximum
of two years.

The Europe-wide requirement applies to a wide variety of "traffic" and
"location" data, including the identities of the customers' correspondents;
the date, time and duration of phone calls, voice over Internet Protocol
calls or e-mail messages; and the location of the device used for the
communications. But the "content" of the communications is not supposed to
be retained. The rules are expected to take effect in 2008.
