January 31, 2011
Government Wants ISPs to Retain User Information To Aid Law Enforcement
Last week Congress heard from the Justice Department and other law enforcement officials on the proposal to require ISPs to keep detailed records on its customers' activities on the Internet for about two years. This comes up from time to time, most recently before this in 2006 when then Attorney General Alberto Gozales pushed the proposal. The purpose would allow law enforcement authorities to have a detailed online history for anyone who caught their interest. The main justification at the time was to aid investigation into child pornography offenses. Congress listened and did not enact a law to that effect. That hasn't changed with the current hearing, titled "Data Retention as a Tool for Investigating Internet Child Pornography and Other Internet Crimes."
There was push back at the time of the 2006 hearing from various civil liberties groups on how citizen privacy would be affected by such a law (like a lot). There was also push back from ISPs, as keeping detailed records which the government wanted costs more money than the standard billing record retention. The current practice for storing minimal information would be anywhere from one to six months depending on provider. The government answered that one by offering to subsidize the ISPs, to some extent, for the extra overhead.
The legislator pushing the current proposal is the same on who pushed it the last time, Rep. James Sensenbrenner (R-WI). He is reported to have backed away from actually submitting the bill shortly after he proposed it in 2006. We'll have to see if history repeats itself. The issues on both sides of proposed law haven't changed much, if at all, in two years.
Jason M. Weinstein, Deputy Assistant Attorney General leads off his testimony with examples of heart-wrenching cases of child abuse that could have been solved if data retention requirements were in place. He notes other cases that were solved with "lick" that the records were there. His argument is that data retention is all over the place with respect to the time an ISP would keep it. His second argument is that those with privacy concerns should be heartened by this type of legislation, as it will help law enforcement go after those who violate privacy. He notes that though there may be large amounts of information kept by ISPs, the government would still need to use standard procedures to gain access to it. Though he advocates for the legislation, he doesn't offer specific proposals:
In offering this testimony, our goal is explain the nature of the public safety interest in data retention by providers. We do not attempt to discuss appropriate solutions, evaluate cross-cutting considerations, or evaluate the proper balance between data retention and other concerns. We look forward to continuing the dialog on these important issues with Congress, industry, and other interested organizations.
Weinstein's positions are supported by Chief John M. Douglass, Chair of the Mid-Sized Cities Section, International Association of Chiefs of Police. His testimony extols the use of tracking information in solving Internet related crimes. His case examples are all successful, though ironically under existing law. More tracking information is wonderful and welcome.
What's missing from both of these presentations is context. Nothing in what they say conveys any sense of how the lack of available data has impaired past investigations. In other words, how many cases are there that were not successfully prosecuted because of a lack of Internet tracking data compared to successful prosecutions. Wouldn't that determine the need for formal retention requirements? And just as important, wouldn't that information help identify what kinds of data retention should be in place?
The other side is represented by Kate Dean, Executive Director of the U.S. Internet Service Provider Association, and John B Morris, Jr., General Counsel of the Center for Democracy and Technology. Dean's testimony focuses on how her members work with law enforcement to track down child pornographers and others through voluntary cooperation, the burden that would be placed on her members from mandated retention, and the lack of specifics (at this stage) of what retention means. Current law works well, she says, and that her organizations members work with law enforcement constantly to identify and prosecute predators. Congress should identify where the system in place doesn't work before considering changes. She raises the point that potential transactions to record can number in the billions, which may actually slow down the ability to provide timely information to law enforcement.
Morris' testimony covers the impact a retention law would have on an individual's privacy, the increased risk to identity theft, and the chilling effect on First Amendment rights. Although he didn't say it, the government's track record when it comes to laws involving the Internet that implicate the First Amendment is low. Any law passed by Congress would be up for a challenge. Morris makes the point that everyone would be subjected to the law, though not everyone has criminal intent in using online access. Echoing Dean, there are more possibilities for data breaches when there are more records in more databases. I can understand the concern. How many secure databases have been breached and private data either winding up online or sold by criminal elements? I think the best example is the Wikileaks breach. Wasn't the stream of diplomatic cables supposed to be secure? Can private industry do better than the government when it comes to keeping a secret?
I tend to agree that creating open-ended data collection is a bad idea. One of the points raised in the 2006 hearing is the concept of mission creep. Data collection begins with storing IP addresses. Then, wouldn't it be interesting to see where that IP address went? Let's store addresses. Then, wouldn't it be interesting to store copies of those pages in case that IP address is the target of a criminal investigation? Internet content changes all the time, after all. Wouldn't it be a good thing if we made all of that available to intellectual properties holders and other civil plaintiffs who are enforcing property rights? It may be a parade of horribles, as the courts say. Some of them were plausible enough the first time around for this idea.
Any change in the law should be justified on the basis of where it doesn't work, not on the basis of what law enforcement could do if they knew everything about everybody. Saying that the Department of Justice could have caught one more horrible individual should not be enough to put the entire Internet population under a microscope. Existing laws didn't stop the FBI from swooping down on a few individuals in conjunction with the DDOS attacks against Visa et al.
On one hand, the goverment seems concerned about what marketers know about us, and to what detail, by proposing laws or regulations that give consumers the right to opt out of tracking. On the other, it wants to exempt itself from those same concerns. Right now, I think I would trust Google, Yahoo, or even Microsoft before I would trust the government to get this right. [MG]