[Infowarrior] - Now it's "terrorism" invoked in ISP snooping proposal

Tue May 30 23:02:15 EDT 2006

Terrorism invoked in ISP snooping proposal

By Declan McCullagh
http://news.com.com/Terrorism+invoked+in+ISP+snooping+proposal/2100-1028_3-6
078229.html

Story last modified Tue May 30 18:59:06 PDT 2006

In a radical departure from earlier statements, Attorney General Alberto
Gonzales has said that requiring Internet service providers to save records
of their customers' online activities is necessary in the fight against
terrorism, CNET News.com has learned.

Gonzales and FBI Director Robert Mueller privately met with representatives
of AOL, Comcast, Google, Microsoft and Verizon last week and said that
Internet providers--and perhaps search engines--must retain data for two
years to aid in anti-terrorism prosecutions, according to multiple sources
familiar with the discussion who spoke on condition of anonymity on Tuesday.

"We want this for terrorism," Gonzales said, according to one person
familiar with the discussion.

Gonzales' earlier position had only emphasized how mandatory data retention
would help thwart child exploitation.

In a speech last month at the National Center for Missing and Exploited
Children, Gonzales said that Internet providers must retain records to aid
investigations of criminals "abusing kids and sending images of the abuse
around the world through the Internet."

If data retention becomes viewed primarily as an anti-terrorism measure,
recent legal and political spats could complicate the Justice Department's
efforts to make it standard practice.

Especially after recent reports that AT&T has opened its databases to the
National Security Agency, Internet and telecommunications executives have
become skittish about appearing to be cooperating too closely with the
federal government's surveillance efforts.

In addition, the positive publicity that Google received during its legal
dispute with the Justice Department over search terms has demonstrated to
Internet companies the benefits of objecting to government requests on
privacy grounds.

"A monumental data trove is a crazy thing from a privacy perspective," said
one person familiar with Friday's discussions. "It's crazy that the U.S.
government is going to retain more data than the Chinese government does."

Comcast said in a statement that "we fully share the attorney general's
concern with the need to combat illegal use of the Internet for child
pornography, terrorism and other illegal activities. We applaud the attorney
general's initiative in convening an internal task force on this issue and
look forward to continuing to cooperate with him and the FBI."
ISP snooping time line

In events first reported by CNET News.com, Bush administration officials
have said Internet providers must keep track of what Americans are doing
online. Here's the time line:

June 2005: Justice Department officials quietly propose data retention
rules.

December 2005: European Parliament votes for data retention of up to two
years.

April 14, 2006: Data retention proposals surface in Colorado and the U.S.
Congress.

April 20, 2006: Attorney General Gonzales says data retention "must be
addressed."

April 28, 2006: Rep. DeGette proposes data retention amendment.

May 16, 2006: Rep. Sensenbrenner drafts data retention legislation, but
backs away from it two days later.

May 26, 2006: Gonzales and FBI Director Mueller meet with Internet and
telecommunications companies.

Details of the Justice Department's proposal remain murky. One possibility
is requiring Internet providers to record the Internet addresses that their
customers are temporarily assigned. A more extensive mandate would require
them to keep track of the identities of Americans' e-mail and instant
messaging correspondents and save the logs of Internet phone calls.

A Justice Department representative said Tuesday that the proposal would not
require Internet providers to retain records of the actual contents of
conversations and other Internet traffic.

Until Gonzales' public remarks last month, the Bush administration had
generally opposed laws requiring data retention, saying it had "serious
reservations" (click for PDF) about them. But after the European Parliament
last December approved such a requirement for Internet, telephone and voice
over Internet Protocol (VoIP) providers, top administration officials began
talking about it more favorably.

Two proposals to mandate data retention have surfaced in the U.S. Congress.
One, backed by Rep. Diana DeGette, a Colorado Democrat, says that any
Internet service that "enables users to access content" must permanently
retain records that would permit police to identify each user. The records
could be discarded only at least one year after the user's account was
closed.

The other was drafted by aides to Wisconsin Rep. F. James Sensenbrenner, the
chairman of the House Judiciary Committee and a close ally of President
Bush. Sensenbrenner said through a spokesman earlier this month, though,
that his proposal is on hold because "our committee's agenda is tremendously
overcrowded already."

'Preservation' vs. 'retention'
At the moment, Internet service providers typically discard any log file
that's no longer required for business reasons such as network monitoring,
fraud prevention or billing disputes. Companies do, however, alter that
general rule when contacted by police agencies performing an
investigation--a practice called data preservation.

A 1996 federal law called the Electronic Communication Transactional Records
Act regulates data preservation. It requires Internet providers to retain
any "record" in their possession for 90 days "upon the request of a
governmental entity."

Because Internet addresses remain a relatively scarce commodity, ISPs tend
to allocate them to customers from a pool based on if a computer is in use
at the time. (Two standard techniques used are the Dynamic Host
Configuration Protocol and Point-to-Point Protocol over Ethernet.)

In addition, Internet providers are required by another federal law to
report child pornography sightings to the National Center for Missing and
Exploited Children, which is in turn charged with forwarding that report to
the appropriate police agency.

When adopting its data retention rules, the European Parliament approved
U.K.-backed requirements saying that communications providers in its 25
member countries--several of which had enacted their own data retention laws
already--must retain customer data for a minimum of six months and a maximum
of two years.

The Europe-wide requirement applies to a wide variety of "traffic" and
"location" data, including the identities of the customers' correspondents;
the date, time, and duration of phone calls, VoIP calls, or e-mail messages;
and the location of the device used for the communications. But the
"content" of the communications is not supposed to be retained. The rules
are expected to take effect in 2008.