Congress may make ISPs snoop on you

Proposed law targets bloggers, search engines, and Web sites that might "facilitate" access to unlawful pornography.

A prominent Republican on Capitol Hill has prepared legislation that would rewrite Internet privacy rules by requiring that logs of Americans' online activities be stored, CNET has learned.

The proposal comes just weeks after Attorney General Alberto Gonzales said Internet service providers should retain records of user activities for a "reasonable amount of time," a move that represented a dramatic shift in the Bush administration's views on privacy.

Wisconsin Rep. F. James Sensenbrenner, the chairman of the House Judiciary Committee, is proposing that ISPs be required to record information about Americans' online activities so that police can more easily "conduct criminal investigations." Executives at companies that fail to comply would be fined and imprisoned for up to one year.

In addition, Sensenbrenner's legislation--expected to be announced as early as this week--also would create a federal felony targeted at bloggers, search engines, e-mail service providers and many other Web sites. It's aimed at any site that might have "reason to believe" it facilitates access to child pornography--through hyperlinks or a discussion forum, for instance.

Speaking to the National Center for Missing and Exploited Children last month, Gonzales warned of the dangers of pedophiles using the Internet anonymously and called for new laws from Congress. "At the most basic level, the Internet is used as a tool for sending and receiving large amounts of child pornography on a relatively anonymous basis," Gonzales said.

Rep. F. James Sensenbrenner, R-Wisc. Rep. F. James Sensenbrenner, R-Wisc.

Until Gonzales' speech, the Bush administration had explicitly opposed laws requiring data retention, saying it had "serious reservations" (click here for PDF) about them. But after the European Parliament last December approved such a requirement for Internet, telephone and voice over Internet Protocol (VoIP) providers, top administration officials began talking about it more favorably.

The drafting of the data-retention proposal comes as Republicans are trying to do more to please their conservative supporters before the November election. One bill announced last week targets and other social networking sites. At a meeting last weekend, social conservatives called on the Bush administration to step up action against pornography, according to a New York Times report.

Sensenbrenner's proposal is likely to be controversial. It would substantially alter U.S. laws dealing with privacy protection of Americans' Web surfing habits and is sure to alarm Internet businesses that could be at risk for linking to illicit Web sites.

A spokesman for the House Judiciary Committee said the aide who drafted the legislation was not immediately available for an interview on Monday.

U.S. Justice Department spokesman Drew Wade said the agency generally doesn't comment on legislation, though it may "issue a letter of opinion" at a later date.

Marc Rotenberg, executive director of the Electronic Privacy Information Center in Washington, called Sensenbrenner's measure an "open-ended obligation to collect information about all customers for all purposes. It opens the door to government fishing expeditions and unbounded data mining."

The National Security Agency has engaged in extensive data-mining about Americans' phone calling habits, USA Today reported last week, a revelation that could complicate Republicans' efforts to enact laws relating to mandatory data retention and data mining. Sen. John Sununu, a New Hampshire Republican, for instance, took a swipe at the program on Monday, and Democrats have been calling for a formal investigation.

Worries for Internet providers
One unusual aspect of Sensenbrenner's legislation--called the Internet Stopping Adults Facilitating the Exploitation of Today's Youth Act--or Internet Safety Act--is that it's relatively vague.

Instead of describing exactly what information Internet providers would be required to retain about their users, the Internet Safety Act gives the attorney general broad discretion in drafting regulations. At minimum, the proposal says, user names, physical addresses, Internet Protocol addresses and subscribers' phone numbers must be retained.

That generous wording could permit Gonzales to order Internet providers to retain records of e-mail correspondents, Web pages visited, and even the contents of communications.

"In the absence of clear privacy safeguards, Congress would be wise to remove this provision," Rotenberg said.

Sonia Arrison, director of technology studies at the free-market Pacific Research Institute in San Francisco, said the Internet Safety Act "follows in a long line of bad laws that are written in the name of protecting children."

Featured Video