Backer of ISP snooping slams industry

Congresswoman expresses frustration with ISPs resisting legislation that would require record retention.

Anne Broache Staff Writer, CNET News.com
Anne Broache covers Capitol Hill goings-on and technology policy from Washington, D.C.
WASHINGTON--Congress' leading proponent of forcing Internet service providers to retain records about their users' activities lashed out at the industry on Wednesday, saying such a federal law will be a "very minor burden" to bear.

Rep. Diana DeGette, a Colorado Democrat, said at a House of Representatives hearing that new laws were necessary to thwart child pornographers and other Internet predators. Investigations into illicit behavior have been hampered because data may be routinely deleted in the normal course of business, DeGette and other data retention proponents claim.

"This created havoc among the Internet service provider community," DeGette said, referring to her proposed legislation announced last week. "I am horrified that the provider community is not working with us on this, because it seems to me to be a very simple piece of legislation, and I'm going to continue to fight for it."

She added that the committee plans to grill ISP representatives at another hearing that may occur as soon as next week.

That happens to be a bipartisan view. CNET News.com was the first to report last June that the U.S. Justice Department was quietly shopping around the idea of mandatory data retention. In a move that may have led to broader interest among U.S. politicians, the European Parliament in December approved such a requirement for Internet, telephone and voice over Internet Protocol (VoIP) providers.

Then, two weeks ago, Attorney General Alberto Gonzales, a Republican, gave a speech saying that data retention by Internet service providers is an "issue that must be addressed." Child pornography investigations have been "hampered" because data may be routinely deleted, Gonzales warned.

A panel of experts within the agency has already begun meeting to discuss the topic, Alice Fisher, assistant attorney general for the Justice Department's criminal division, told the politicians at Wednesday's hearing. The department also met recently with several Internet service providers, one of which was AOL, and learned that the data retention issue "is a very complex one," Fisher said.

Fisher never endorsed DeGette's proposal but said, "I think the data retention issue that was raised by the congresswoman is a very important one because law enforcement does need data...to track down some of these perpetrators."

At one point, DeGette asked Fisher and her three fellow panelists, all FBI officials, whether they thought a data retention requirement would be "helpful" to investigators.

"The more information we have, the more helpful it is to the investigation," replied Raul Roldan, chief of the FBI's cybercrime division. He noted that obtaining a suspected criminal's IP address provides an important path to locating the physical machine where the illegal activity was occurring.

DeGette's proposal says that any Internet service that "enables users to access content" must permanently retain records that would permit police to identify each user. The records could only be discarded at least one year after the user's account was closed.

"We're not saying that Internet service providers should keep all of the communications," DeGette said. "That would be burdensome. All we're saying is that they should have to keep the (Internet) addresses of their subscribers."

That requirement is "simple legislation," DeGette said. "We're also not saying we want anyone to violate folks' privacy rights."

It's not clear whether the DeGette language would be limited only to commercial e-mail providers and ISPs and places like coffeehouses, bookstores, or home users that provide Wi-Fi access at no charge. Also, an expansive reading of DeGette's measure would require every Web site to retain those records. (Details would be left to the Federal Communications Commission.)

For their part, ISPs say they have a long history of helping law enforcement in child porn cases and point out that two federal laws already require them to cooperate. It's also unclear that investigations are really being hindered, said Kate Dean, director of the U.S. Internet Service Provider Association.

At the moment, ISPs typically discard any log file that's no longer required for business reasons such as network monitoring, fraud prevention or billing disputes. Companies do, however, alter that general rule when contacted by police performing an investigation--a practice called data preservation.

A 1996 federal law called the Electronic Communication Transactional Records Act regulates data preservation. It requires ISPs to retain any "record" in their possession for 90 days "upon the request of a governmental entity."

In addition, ISPs are required by another federal law to report child pornography sightings to the National Center for Missing and Exploited Children, which is in turn charged with forwarding that report to the appropriate police agency.