HolidayBuyer's Guide

Congress may make ISPs snoop on you

Proposed law targets bloggers, search engines, and Web sites that might "facilitate" access to unlawful pornography.

A prominent Republican on Capitol Hill has prepared legislation that would rewrite Internet privacy rules by requiring that logs of Americans' online activities be stored, CNET News.com has learned.

The proposal comes just weeks after Attorney General Alberto Gonzales said Internet service providers should retain records of user activities for a "reasonable amount of time," a move that represented a dramatic shift in the Bush administration's views on privacy.

Wisconsin Rep. F. James Sensenbrenner, the chairman of the House Judiciary Committee, is proposing that ISPs be required to record information about Americans' online activities so that police can more easily "conduct criminal investigations." Executives at companies that fail to comply would be fined and imprisoned for up to one year.

In addition, Sensenbrenner's legislation--expected to be announced as early as this week--also would create a federal felony targeted at bloggers, search engines, e-mail service providers and many other Web sites. It's aimed at any site that might have "reason to believe" it facilitates access to child pornography--through hyperlinks or a discussion forum, for instance.

Speaking to the National Center for Missing and Exploited Children last month, Gonzales warned of the dangers of pedophiles using the Internet anonymously and called for new laws from Congress. "At the most basic level, the Internet is used as a tool for sending and receiving large amounts of child pornography on a relatively anonymous basis," Gonzales said.

Rep. F. James Sensenbrenner, R-Wisc. Rep. F. James Sensenbrenner, R-Wisc.

Until Gonzales' speech, the Bush administration had explicitly opposed laws requiring data retention, saying it had "serious reservations" (click here for PDF) about them. But after the European Parliament last December approved such a requirement for Internet, telephone and voice over Internet Protocol (VoIP) providers, top administration officials began talking about it more favorably.

The drafting of the data-retention proposal comes as Republicans are trying to do more to please their conservative supporters before the November election. One bill announced last week targets MySpace.com and other social networking sites. At a meeting last weekend, social conservatives called on the Bush administration to step up action against pornography, according to a New York Times report.

Sensenbrenner's proposal is likely to be controversial. It would substantially alter U.S. laws dealing with privacy protection of Americans' Web surfing habits and is sure to alarm Internet businesses that could be at risk for linking to illicit Web sites.

A spokesman for the House Judiciary Committee said the aide who drafted the legislation was not immediately available for an interview on Monday.

U.S. Justice Department spokesman Drew Wade said the agency generally doesn't comment on legislation, though it may "issue a letter of opinion" at a later date.

Marc Rotenberg, executive director of the Electronic Privacy Information Center in Washington, called Sensenbrenner's measure an "open-ended obligation to collect information about all customers for all purposes. It opens the door to government fishing expeditions and unbounded data mining."

The National Security Agency has engaged in extensive data-mining about Americans' phone calling habits, USA Today reported last week, a revelation that could complicate Republicans' efforts to enact laws relating to mandatory data retention and data mining. Sen. John Sununu, a New Hampshire Republican, for instance, took a swipe at the program on Monday, and Democrats have been calling for a formal investigation.

Worries for Internet providers
One unusual aspect of Sensenbrenner's legislation--called the Internet Stopping Adults Facilitating the Exploitation of Today's Youth Act--or Internet Safety Act--is that it's relatively vague.

Instead of describing exactly what information Internet providers would be required to retain about their users, the Internet Safety Act gives the attorney general broad discretion in drafting regulations. At minimum, the proposal says, user names, physical addresses, Internet Protocol addresses and subscribers' phone numbers must be retained.

That generous wording could permit Gonzales to order Internet providers to retain records of e-mail correspondents, Web pages visited, and even the contents of communications.

"In the absence of clear privacy safeguards, Congress would be wise to remove this provision," Rotenberg said.

Sonia Arrison, director of technology studies at the free-market Pacific Research Institute in San Francisco, said the Internet Safety Act "follows in a long line of bad laws that are written in the name of protecting children."

Complicating the outlook for the Internet Safety Act is the uncertain political terrain of Capitol Hill. Rep. Diana DeGette, a Colorado Democrat, announced legislation (click for PDF) last month--which could be appended to a telecommunications bill--that would require Internet providers to store records that would permit police to identify each user.

The head of the Energy and Commerce Committee, Rep. Joe Barton of Texas, has expressed support for DeGette's plan. That could lead to a renewal of a turf battle between the two committees, one of which has jurisdiction over Internet providers, while the other is responsible for federal criminal law.

"We're still evaluating things," said Terry Lane, a spokesman for the House Energy and Commerce Committee. "We haven't really laid out exactly yet what kind of proposals we would support and what kind of proposals would be necessary."

New Internet felonies proposed

Following are excerpts from Rep. Sensenbrenner's Internet Safety Act:

"Whoever, being an Internet content hosting provider or email service provider, knowingly engages in any conduct the provider knows or has reason to believe facilitates access to, or the possession of, child pornography shall be fined under this title or imprisoned not more than 10 years, or both.

"'Internet content hosting provider' means a service that (A) stores, through electromagnetic or other means, electronic data, including the content of web pages, electronic mail, documents, images, audio and video files, online discussion boards, and weblogs; and (B) makes such data available via the Internet"

"Not later than 90 days after the date of the enactment of this section, the Attorney General shall issue regulations governing the retention of records by Internet Service Providers. Such regulations shall, at a minimum, require retention of records, such as the name and address of the subscriber or registered user (and what) user identification or telephone number was assigned..."

Federal politicians also are being lobbied by state law enforcement agencies, which say strict data retention laws will help them investigate crimes that have taken place a while ago.

Sgt. Frank Kardasz, head of Arizona's Internet Crimes Against Children Task Force, surveyed his colleagues in other states earlier this year asking them what new law would help them do their jobs. "The most frequent response involved data retention by Internet service providers," or ISPs, Kardasz told News.com last month.

"Preservation" vs. "Retention"
At the moment, ISPs typically discard any log file that's no longer required for business reasons such as network monitoring, fraud prevention or billing disputes. Companies do, however, alter that general rule when contacted by police performing an investigation--a practice called data preservation.

A 1996 federal law called the Electronic Communication Transactional Records Act regulates data preservation. It requires Internet providers to retain any "record" in their possession for 90 days "upon the request of a governmental entity."

Because Internet addresses remain a relatively scarce commodity, ISPs tend to allocate them to customers from a pool based on whether a computer is in use at the time. (Two standard techniques used are the Dynamic Host Configuration Protocol and Point-to-Point Protocol over Ethernet.)

In addition, ISPs are required by another federal law to report child pornography sightings to the National Center for Missing and Exploited Children, which is in turn charged with forwarding that report to the appropriate police agency.

When adopting its data retention rules, the European Parliament approved U.K.-backed requirements saying that communications providers in its 25 member countries--several of which had enacted their own data retention laws already--must retain customer data for a minimum of six months and a maximum of two years.

The Europe-wide requirement applies to a wide variety of "traffic" and "location" data, including the identities of the customers' correspondents; the date, time and duration of phone calls, voice over Internet Protocol calls, or e-mail messages; and the location of the device used for the communications. But the "content" of the communications is not supposed to be retained. The rules are expected to take effect in 2008.

According to a memo accompanying the proposed rules (click here for PDF), European politicians approved the rules because not all operators of Internet and communications services were storing information about citizens' activities to the extent necessary for law enforcement and national security.

In addition to mandating data retention for ISPs and liability for Web site operators, Sensenbrenner's Internet Safety Act also would:

• Make it a crime for financial institutions to "facilitate access" to child pornography, for instance by processing credit card payments.

• Increase penalties for registered sex offenders who commit another felony involving a child.

•  Create an Office on Sexual Violence and Crimes against Children inside the Justice Department.

CNET News.com's Anne Broache contributed to this report.

Close
Drag