X

Wireless providers exempted from data-logging plan

New bill, first reported by CNET, says wireless providers won't have to comply with extensive data-logging requirements backed by law enforcement.

Declan McCullagh Former Senior Writer
Declan McCullagh is the chief political correspondent for CNET. You can e-mail him or follow him on Twitter as declanm. Declan previously was a reporter for Time and the Washington bureau chief for Wired and wrote the Taking Liberties section and Other People's Money column for CBS News' Web site.
Declan McCullagh
3 min read

Wireless providers won't have to comply with extensive requirements in a new bill that would force Internet companies to log data about their customers.

CNET was the first to report this exemption for wireless carriers in an article a few weeks ago. That legislation was publicly announced today by U.S. Reps. Lamar Smith (R-Texas), the head of the House Judiciary Committee, and Debbie Wasserman Schultz (D-Fla.).

That appears to be the result of lobbying from wireless providers, which don't want to have to comply with any new governmental mandates. But the exemption has already drawn the ire of the U.S. Justice Department, and is likely to attract strong opposition from cable and DSL providers who would be the ones singled out for regulation.

CTIA, the wireless trade association, did not respond to a request for comment today. Previously it said through a spokesman only that "we are committed to working with the committee on the legislation."

"Investigators need the assistance of Internet Service Providers to identify users and distributors of online child pornography," Smith said in a statement today. "This bill requires ISPs to retain subscriber records, similar to records retained by telephone companies, to aid law enforcement officials in their fight against child sexual exploitation." The logged data, however, could be used to investigate any type of crime.

A Republican aide to the House Judiciary committee, who did not want to be identified, said the bill exempts wireless providers because their networks are designed in such a way that IP addresses are assigned to multiple users or accounts and they are "not technologically capable of retaining the type of data that law enforcement needs because that's not how their system works."

Smith's bill, called the Protecting Children From Internet Pornographers Act of 2011 (PDF), requires Internet providers to "retain for a period of at least 18 months the temporarily assigned network addresses the service assigns to each account, unless that address is transmitted by radio communication."

It also enhances penalties for possession of child pornography, which is defined in federal law as the "lascivious" exhibition of the genitals.

The mobile exemption represents a new twist in the debate over data retention requirements, which has been simmering since the Justice Department pushed the topic in 2005, a development that was first reported by CNET. Proposals publicly surfaced in the U.S. Congress the following year, and Bush administration Attorney General Alberto Gonzales said it was an issue that "must be addressed." So, eventually, did FBI director Robert Mueller.

In January, CNET reported that the Obama Justice Department was following suit. Earlier this month, Jason Weinstein, the deputy assistant attorney general for the criminal division, warned that wireless providers must be included because "when this information is not stored, it may be impossible for law enforcement to collect essential evidence."

The definitions in Smith's bill could sweep in coffee shops that offer wired connections to their customers, as well as hotels, universities, schools, and businesses that offer wired network connections, plus traditional broadband providers.

Smith introduced a broadly similar bill in 2007, without the wireless exemption, calling it a necessary anti-cybercrime measure. "The legislation introduced today will give law enforcement the tools it needs to find and prosecute criminals," he said in a statement at the time.

"Retention" vs. "preservation"
At the moment, Internet service providers typically discard any log file that's no longer required for business reasons such as network monitoring, fraud prevention, or billing disputes. Companies do, however, alter that general rule when contacted by police performing an investigation--a practice called data preservation.

A 1996 federal law called the Electronic Communication Transactional Records Act regulates data preservation. It requires Internet providers to retain any "record" in their possession for 90 days "upon the request of a governmental entity."

Because Internet addresses remain a relatively scarce commodity, ISPs tend to allocate them to customers from a pool based on whether a computer is in use at the time. (Two standard techniques used are the Dynamic Host Configuration Protocol and Point-to-Point Protocol over Ethernet.)

In addition, an existing law called the Protect Our Children Act of 2008 requires any Internet provider who "obtains actual knowledge" of possible child pornography transmissions to "make a report of such facts or circumstances." Companies that knowingly fail to comply can be fined up to $150,000 for the first offense and up to $300,000 for each subsequent offense.