Industry, others object to data retention

As feds begin talking about requiring ISPs and others to store data on customers, critics point to technical, security and privacy challenges.

Internet providers and telecommunications companies expressed concern on Wednesday about the feasibility of recording Americans' online activities, a proposal that Attorney General Alberto Gonzales has recently endorsed.

In a meeting Friday first reported by CNET, Gonzales and FBI Director Robert Mueller said the war on terror would be aided by two years' worth of data retention, a requirement industry representatives say would be accompanied by technical, security and privacy challenges.

"We have real reservations about data retention requirements because of the security and privacy risks attached to it," said Mark Uncapher, senior vice president of the Information Technology Association of America. ITAA's board members include representatives of AT&T, Sybase, Fujitsu and Unisys.

ISP snooping timeline

In events that were first reported by CNET, Bush administration officials have said Internet providers must keep track of what Americans are doing online. Here's the timeline:

June 2005: Justice Department officials quietly propose data retention rules.

December 2005: European Parliament votes for data retention of up to two years.

April 14, 2006: Data retention proposals surface in Colorado and the U.S. Congress.

April 20, 2006: Attorney General Gonzales says data retention "must be addressed."

April 28, 2006: Rep. DeGette proposes data retention amendment.

May 16, 2006: Rep. Sensenbrenner drafts data retention legislation -- but backs away from it two days later.

May 26, 2006: Gonzales and FBI Director Mueller meet with Internet and telecommunications companies.

A Justice Department representative said this week that the government is not seeking to require the retention of the content of communications, but did not elaborate. If the European Union's approach were adopted, Internet companies would be required to save logs showing the identities of e-mail and perhaps instant messaging correspondents in addition to data about which customer was assigned which Internet address.

That suggestion alarms many Internet providers, which worry about the cost and complexity of recording what their customers are doing online. In some cases, especially among libraries, coffee shops and universities, no records may be stored at all.

"In general, libraries only keep records on users to the extent required to provide their services," said Rick Weingarten, director of the American Library Association's Office for Information Technology Policy.

Based on the limited information that has been made public so far--including in a speech by Gonzales last month--Weingarten said the library association would not favor such a requirement. "Absolutely we have concerns about users' privacy," he said.

A second meeting at the Justice Department has been scheduled for Friday.

Snooping on Web-based e-mail
The Justice Department also proposed that Web sites such as e-mail providers be required to store data about their users' activities for future law enforcement and national security investigations, according to one industry representative familiar with last week's meeting.

That could create privacy and security complications for Microsoft's Hotmail, Google's Gmail, Yahoo Mail and numerous other e-mail services, industry representatives said privately.

In response to a query from CNET, Microsoft provided a statement that said it supported working with law enforcement to ensure Internet safety and protect children from online predators.

"But data retention is a complicated issue with implications not only for efforts to combat child pornography but also for security, privacy, safety and availability of low-cost or free Internet services," the statement said. (Click here to read the complete statement.)

Featured Video