ISP snooping gaining support

Politicians embrace idea of requiring Net providers to record what subscribers do online.

The explosive idea of forcing Internet providers to record their customers' online activities for future police access is gaining ground in state capitols and in Washington, D.C.

Top Bush administration officials have endorsed the concept, and some members of the U.S. Congress have said federal legislation is needed to aid law enforcement investigations into child pornography. A bill is already pending in the Colorado State Senate.

Mandatory data retention requirements worry privacy advocates because they permit police to obtain records of e-mail chatter, Web browsing or chat-room activity that normally would have been discarded after a few months. And some proposals would require providers to retain data that ordinarily never would have been kept at all.

CNET was the first to report last June that the U.S. Department of Justice was quietly shopping around the idea of legally required data retention. But it was the European Parliament's vote in December for a data retention requirement that seems to have attracted broader interest inside the United States.

At a hearing last week, Rep. Ed Whitfield, a Kentucky Republican who heads a House oversight and investigations subcommittee, suggested that data retention laws would be useful to police investigating crimes against children.

"I absolutely think that that is an idea that is worth pursuing," an aide to Whitfield said in an interview on Thursday. "If those files were retained for a longer period of time, it would help in the uncovering and prosecution of these crimes." Another hearing is planned for April 27.

Internet providers generally offer three reasons why they are skeptical of mandatory data retention: first, it is not clear who will be able to access records of someone's online behavior; second, it's not clear who will pay for the data warehouses to be constructed; and third, it's not clear that police are hindered by current law as long as they move swiftly in investigations.

"What we haven't seen is any evidence where the data would have been helpful, where the problem was not caused by law enforcement taking too long when they knew a problem existed," said Dave McClure, president of the U.S. Internet Industry Association, which represents small to midsize companies.

McClure said that while data retention aficionados cite child pornography, the stored data would be open to any type of investigation--including, for instance, those focused on drug crimes, tax fraud, or terrorism prosecutions. "The agenda behind this doesn't appear to be legitimate," he said.

Proposals for mandatory data retention tend to adhere to one of two models: Address storage or some kind of content storage. In the first model, businesses must record only which Internet address is assigned to a customer at a specific time. In the second, which is closer to what Europe adopted, more types of information must be retained--including telephone numbers dialed, contents of Web pages visited, recipients of e-mail messages and so on.

Without saying what model he favored, Homeland Security Secretary Michael Chertoff broadly endorsed data retention at a meeting of a departmental privacy panel last month. In response to a question, Chertoff said that federal police should be permitted to run queries against data repositories created and maintained by businesses for a set time.

"That might be a model for some kind of data retention issue," Chertoff said. "It might be one that would say the government, instead of holding the data itself, will allow it to remain in the private sector, provided the private sector retains it for a period of time so we can ping against it."

FBI Director Robert Mueller was more blunt. He was quoted by the Financial Times in January as saying: "There can be standardized regulations and rules relating to data retention and secondly a mechanism for the swift exchange of information." The remarks, made at the Davos economic forum, were part of Mueller's support of harmonizing national laws dealing with computer crime.

Neither the FBI nor Homeland Security responded to a request for comment on Thursday.

Agitation by state investigators
Federal politicians also are being lobbied by state law enforcement agencies, which say strict data retention laws will help them investigate crimes that have taken place a while ago.

Sgt. Frank Kardasz, head of Arizona's Internet Crimes Against Children Task Force, surveyed his colleagues in other states last month asking them what new law would help them do their jobs. "The most frequent response involved data retention by Internet service providers," or ISPs, Kardasz told in an e-mail message on Thursday.

Because Internet addresses remain a relatively scarce commodity, ISPs tend to allocate them to customers from a pool based on when the connection is actually in use. (Two standard techniques used are the Dynamic Host Configuration Protocol and Point-to-Point Protocol over Ethernet.)

Police typically rely on subpoenas to find which customer was assigned which Internet address. "When subscriber information is not preserved by the ISPs the investigation dead-ends," said Kardaz, who has testified before Whitfield's subcommittee. "Ideally, we would like to have ISPs preserve subscriber information for one year."

Flint Waters, head of the Wyoming's Internet Crimes Against Children task force, also is pressing for federal data retention laws. He's interested in mandating records of who used what Internet address--not content such as chat conversations, e-mail messages, and so on.

"Individuals will activate their Webcam when they're abusing a child and they'll record the sexual assault live, and it may be 45 days before law enforcement finally gets notified," Waters said. "We reach out to service providers and they say they don't maintain those records, so the child remains in that environment, and there's nothing we can do to help them."

Featured Video