[Infowarrior] - FBI wants records kept of Web sites visited

Richard Forno rforno at infowarrior.org
Fri Feb 5 18:22:24 UTC 2010 

  February 5, 2010 9:16 AM PST
FBI wants records kept of Web sites visited
by Declan McCullagh

http://news.cnet.com/8301-13578_3-10448060-38.html?part=rss&subj=news&tag=2547-1_3-0-20
The FBI is pressing Internet service providers to record which Web  
sites customers visit and retain those logs for two years, a  
requirement that law enforcement believes could help it in  
investigations of child pornography and other serious crimes.

FBI Director Robert Mueller supports storing Internet users' "origin  
and destination information," a bureau attorney said at a federal task  
force meeting on Thursday.

As far back as a 2006 speech, Mueller had called for data retention on  
the part of Internet providers, and emphasized the point two years  
later when explicitly asking Congress to enact a law making it  
mandatory. But it had not been clear before that the FBI was asking  
companies to begin to keep logs of what Web sites are visited, which  
few if any currently do.

The FBI is not alone in renewing its push for data retention. As CNET  
reported earlier this week, a survey of state computer crime  
investigators found them to be nearly unanimous in supporting the  
idea. Matt Dunn, an Immigration and Customs Enforcement agent in the  
Department of Homeland  Security, also expressed support for the idea  
during the task force meeting.

Greg Motta, the chief of the FBI's digital evidence section, said that  
the bureau was trying to preserve its existing ability to conduct  
criminal investigations. Federal regulations in place since at least  
1986 require phone companies that offer toll service to "retain for a  
period of 18 months" records including "the name, address, and  
telephone number of the caller, telephone number called, date, time  
and length of the call."

At Thursday's meeting (PDF) of the Online Safety and Technology  
Working Group, which was created by Congress and organized by the U.S.  
Department of Commerce, Motta stressed that the bureau was not asking  
that content data, such as the text of e-mail messages, be retained.

"The question at least for the bureau has been about non-content  
transactional data to be preserved: transmission records, non-content  
records...addressing, routing, signaling of the communication," Motta  
said. Director Mueller recognizes, he added "there's going to be a  
balance of what industry can bear...He recommends origin and  
destination information for non-content data."

Motta pointed to a 2006 resolution from the International Association  
of Chiefs of Police, which called for the "retention of customer  
subscriber information, and source and destination information for a  
minimum specified reasonable period of time so that it will be  
available to the law enforcement community."

Recording what Web sites are visited, though, is likely to draw both  
practical and privacy objections.

"We're not set up to keep URL information anywhere in the network,"  
said Drew Arena, Verizon's vice president and associate general  
counsel for law enforcement compliance.

And, Arena added, "if you were do to deep packet inspection to see all  
the URLs, you would arguably violate the Wiretap Act."

Another industry representative with knowledge of how Internet service  
providers work was unaware of any company keeping logs of what Web  
sites its customers visit.

If logs of Web sites visited began to be kept, they would be available  
only to local, state, and federal police with legal authorization such  
as a subpoena or search warrant.

What remains unclear are the details of what the FBI is proposing. The  
possibilities include requiring an Internet provider to log the  
Internet protocol (IP) address of a Web site visited, or the domain  
name such as cnet.com, a host name such as news.cnet.com, or the  
actual URL such as http://reviews.cnet.com/Music/2001-6450_7-0.html.

While the first three categories could be logged without doing deep  
packet inspection, the fourth category would require it. That could  
run up against opposition in Congress, which lambasted the concept in  
a series of hearings in 2008, causing the demise of a company, NebuAd,  
which pioneered it inside the United States.

The technical challenges also may be formidable. John Seiver, an  
attorney at Davis Wright Tremaine who represents cable providers, said  
one of his clients had experience with a law enforcement request that  
required the logging of outbound URLs.

"Eighteen million hits an hour would have to have been logged," a  
staggering amount of data to sort through, Seiver said. The purpose of  
the FBI's request was to identify visitors to two URLs, "to try to  
find out...who's going to them."

A Justice Department representative said the department does not have  
an official position on data retention.

Disclosure: The author of this story participated in the meeting of  
the Online Safety and Technology Working Group, though after the law  
enforcement representatives spoke.


  Declan McCullagh is a contributor to CNET News and a correspondent  
for CBSNews.com who has covered the intersection of politics and  
technology for over a decade. Declan writes a regular feature called  
Taking Liberties, focused on individual and economic rights; you can  
bookmark his CBS News Taking Liberties site, or subscribe to the RSS  
feed. You can e-mail Declan at declan at cbsnews.com.

More information about the Infowarrior mailing list