Employees of any Internet provider who fail to store that information face fines and prison terms of up to one year, the bill says. The U.S. Justice Department could order the companies to store those records forever.
Rep. Lamar Smith of Texas, the top Republican on the House Judiciary Committee, called it a necessary anti-cybercrime measure. "The legislation introduced today will give law enforcement the tools it needs to find and prosecute criminals," he said in a statement.
A second requirement, also embedded in Smith's so-dubbed Safety Act (PDF), requires owners of sexually explicit Web sites to post warning labels on their pages or face imprisonment. This echoes, nearly word for word, a that was approved by a Senate committee but .
Even though both requirements are central to a Republican-led effort, neither data retention nor Web labeling are that partisan. A Senate committeethat included Web labeling by a 15-7 vote in June. And Rep. Diana DeGette, a Colorado Democrat, has been the most in the entire Congress.
Other bills in the Republicans' "law and order" agenda are related to terrorism, the death penalty, gangs, and drug trafficking.
ISP snooping timeline
In events that were first reported by CNET News.com, Bush administration officials have said Internet providers must keep track of what Americans are doing online. Here's the timeline:
: Justice Department officials quietly propose data retention rules.
: European Parliament votes for data retention of up to two years.
: Data retention proposals surface in Colorado and the U.S. Congress.
: Attorney General Alberto Gonzales says data retention "must be addressed."
: Democrat proposes data retention amendment.
: Rep. Jim Sensenbrenner drafts data retention legislation but two days later.
: Gonzales and FBI Director Robert Mueller meet with Internet and telecom companies.
: FBI director calls for data retention.
: Bush administration says it will approach Congress for data retention laws.
The legislative fusillade marks the renewal of a political tussle that began in earnest last April, when Attorney General Alberto Gonzalesto target Internet providers with new regulations, which have been generally opposed by telecommunications companies and civil liberties organizations. CNET News.com was the first to report that the for such a rule privately since mid-2005.
Until this week, however, no formal bill had been introduced in the U.S. Congress.
Supporters of the proposal say it's necessary to help track criminals if police don't respond immediately to reports of illegal activity and the relevant logs are deleted by Internet providers. They cite cases of child molestation, for instance. Industry representatives respond by saying there's no evidence that Internet providers have dragged their feet when responding to subpoenas from law enforcement.
Details about data retention requirements would be left to Gonzales. At a minimum, the bill says, the regulations must require storing records "such as the name and address of the subscriber or registered user to whom an Internet Protocol address, user identification or telephone number was assigned, in order to permit compliance with court orders."
Because there is no limit on how broad the rules can be, Gonzales would be permitted to force Internet providers to keep logs of Web browsing, instant message exchanges, or e-mail conversations indefinitely. (The bill does not, however, explicitly cover or , which officials have talked about before as targets of regulation.)
That broad wording also would permit the records to be obtained by private litigants in noncriminal cases, such as divorces and employment disputes. That raises additional privacy concerns, civil libertarians say.
The American Civil Liberties Union is skeptical of data retention and Web labeling. "It's going to be very difficult for Web sites to know whether they fit into this," said ACLU legislative counsel Marv Johnson, referring to the labeling rules. "And then when you throw in the 'sexually explicit materials' definition, does that include safe-sex Web sites?"
"Preservation" vs. "Retention"
Currently, Internet service providers typically discard any log file that's no longer required for business reasons such as network monitoring, fraud prevention or billing disputes. Companies do, however, alter that general rule when contacted by police performing an investigation--a practice called data preservation.
A 1996 federal law called the Electronic Communication Transactional Records Act regulates data preservation. Itfor 90 days "upon the request of a governmental entity."
Because Internet addresses remain a relatively scarce commodity, ISPs tend to allocate them to customers from a pool based on if a computer is in use at the time. (Two standard techniques used are the Dynamic Host Configuration Protocol and Point-to-Point Protocol over Ethernet.)
In addition, Internet providers are required by another federal law to report child pornography sightings to the National Center for Missing and Exploited Children, which is in turn charged with forwarding that report to the appropriate police agency.
When adopting its data retention rules, the European Parliament approved U.K.-backed requirements saying that communications providers in its 25 member countries--several of which had enacted their own data retention laws already--must retain customer data for a minimum of six months and a maximum of two years.
The Europe-wide requirement, expected to take effect next year, applies to a wide variety of "traffic" and "location" data, including the identities of the customers' correspondents; the date, time, and duration of phone calls, voice over Internet Protocol calls, or e-mail messages; and the location of the device used for the communications. But the "content" of the communications is not supposed to be retained.