
DOJ, Net firms fail to agree on data retention

No agreement on forcing Internet companies to store data on Americans is reached at meeting, participants say.

Declan McCullagh Former Senior Writer
Declan McCullagh is the chief political correspondent for CNET. You can e-mail him or follow him on Twitter as declanm. Declan previously was a reporter for Time and the Washington bureau chief for Wired and wrote the Taking Liberties section and Other People's Money column for CBS News' Web site.
A meeting at the U.S. Justice Department on Friday to discuss forcing Internet providers to record Americans' online activities ended without reaching an agreement, according to multiple participants.

The meeting of about 15 industry representatives and 10 government officials followed an earlier one last Friday, first reported by CNET News.com, at which Attorney General Alberto Gonzales and FBI Director Robert Mueller pressed Internet and telecommunications companies to store data on their users for two years.

"They want to do something, but they don't have a proposal yet," said one industry representative. The participants in the two-hour meeting spoke to News.com afterward on condition of anonymity because of the sensitive nature of the negotiations. (Participants included AOL, Comcast, Google, Microsoft, Verizon Communications and trade associations.)

ISP snooping time line

In events that were first reported by CNET News.com, Bush administration officials have said Internet providers must keep track of what Americans are doing online. Here's the time line:

June 2005: Justice Department officials quietly propose data retention rules.

December 2005: European Parliament votes for data retention of up to two years.

April 14, 2006: Data retention proposals surface in Colorado and the U.S. Congress.

April 20, 2006: Attorney General Gonzales says data retention "must be addressed."

April 28, 2006: Rep. DeGette proposes data retention amendment.

May 16, 2006: Rep. Sensenbrenner drafts data retention legislation -- but backs away from it two days later.

May 26, 2006: Gonzales and FBI Director Mueller meet with Internet and telecommunications companies.

Another participant said it appeared as though the Justice Department wanted to require Internet providers to at least record their customers' Internet Protocol addresses, which are often temporarily assigned and the logs deleted after a few months during the routine course of business. It wasn't clear whether the requirement also would apply to Web sites such as search engines, which could be forced to record what keywords their users typed in for future investigations.

In general, Internet and telecommunications companies have been less than enthusiastic about mandatory data retention, a concept that the European Union has embraced and that is the subject of a legal challenge there. They cite security concerns, privacy worries, and, of course, the cost of creating or extending databases.

"They have to make sure they do this right, and it doesn't look like they're going about this the right way," said Dave McClure, president of the U.S. Internet Industry Association, which represents small to midsize companies.

McClure, who could not attend Friday's meeting because he was traveling, said: "You have to figure out what information you want, specifically, how to format it so it's useful, how to pay for it, and how to get it past all the privacy people in Congress. I have difficulty understanding why they're flailing about with all these meetings rather than going through that procedure."

One participant at the meeting said the Justice Department and FBI officials who were present talked about having piles of old cases and being able to go back and find out who somebody was and what that person did on a certain date.

No date for a follow-up meeting has yet been set. One participant said this was likely to be a long-term process that would not likely be resolved anytime soon.

In a speech last month at the National Center for Missing and Exploited Children, Gonzales called on Internet providers to retain records to aid investigations of criminals "abusing kids and sending images of the abuse around the world through the Internet." More recently, the Justice Department has invoked terrorism as the justification for data retention.

Two proposals to mandate data retention have surfaced in the U.S. Congress. One, backed by Rep. Diana DeGette, a Colorado Democrat, says that any Internet service that "enables users to access content" must permanently retain records that would permit police to identify each user. The records could only be discarded at least one year after the user's account was closed.

'Preservation' vs. 'retention'
The other was drafted by aides to Wisconsin Rep. F. James Sensenbrenner, the chairman of the House Judiciary Committee and a close ally of President Bush. Sensenbrenner said through a spokesman last month, though, that his proposal is on hold because "our committee's agenda is tremendously overcrowded already."

At the moment, Internet service providers typically discard any log file that's no longer required for business reasons such as network monitoring, fraud prevention or billing disputes. Companies do, however, alter that general rule when contacted by police performing an investigation--a practice called data preservation.

A 1996 federal law called the Electronic Communication Transactional Records Act regulates data preservation. It requires Internet providers to retain any "record" in their possession for 90 days "upon the request of a governmental entity."

Because Internet addresses remain a relatively scarce commodity, ISPs tend to allocate them to customers from a pool based on whether a computer is in use at the time. (Two standard techniques used are the Dynamic Host Configuration Protocol and Point-to-Point Protocol over Ethernet.)

In addition, Internet providers are required by another federal law to report child pornography sightings to the National Center for Missing and Exploited Children, which is in turn charged with forwarding that report to the appropriate police agency.

When adopting its data retention rules, the European Parliament approved U.K.-backed requirements saying that communications providers in its 25 member countries--several of which had enacted their own data retention laws already--must retain customer data for a minimum of six months and a maximum of two years.

The Europe-wide requirement applies to a wide variety of "traffic" and "location" data, including the identities of the customers' correspondents; the date, time and duration of phone calls, voice over Internet Protocol calls, or e-mail messages; and the location of the device used for the communications. But the "content" of the communications is not supposed to be retained. The rules are expected to take effect in 2008.

Also on Friday, the Center for Democracy and Technology--a civil liberties group in Washington that receives some money from corporations--released a four-page analysis critiquing data retention proposals.

It lists nine reasons why keeping track of Internet users' activities is a bad idea, including: "Data retention laws threaten personal privacy and pose a security risk, at the very time the public is justifiably concerned about security and privacy online."