Politicos mull data retention by Web hosts, registrars
Broadening their inquiry beyond ISPs, they ponder mandates for storage of user records to aid child porn investigators.
At a hearing here convened by a U.S. House of Representatives subcommittee on oversight and investigations, Michigan Rep. Bart Stupak, the panel's top-ranking Democrat, asked company representatives how they would feel about being subject to a law in the works that would require Internet service providers to retain customer records for one year.
"If we do compel data retention, is there any reason Web hosting sites should be treated differently than ISPs?" Stupak asked the general counsel for GoDaddy.com, which bills itself as the largest domain name registrar in the world, and the CEO of Blue Gravity Communications, a New Jersey-based Web hosting firm. Both executives were participants on a panel at the latest in a series of hearings on the topic of online child exploitation.
"A year might be a little long," replied Thomas Krwawecz, Blue Gravity's CEO, later adding: "It would be something we would definitely be open to if there were some guidelines for maintaining that data for a specific period of time."
Christine Jones, general counsel for GoDaddy, said requirements to maintain particular customer data for hosting companies and ISPs alike would be "productive" for law enforcement. But the data, she added, should be limited to identifying information about subscribers, such as IP addresses and credit card numbers, and should not include the content of their communications.
Privacy and industry groups have generally voiced opposition to calls for mandatory data retention, which have become a fixture on the congressional agenda ever since Attorney General Alberto Gonzales touted the practice's necessity earlier this year.
Opponents to the mandate argue that existing laws already provide law enforcement with ample tools. For instance, a 1996 federal law called the Electronic Communication Transactional Records Act requires a practice known as "data preservation"--that is, Internet providers must retain any "record" in their possession for 90 days "upon the request of a governmental entity." Another federal law requires Internet service providers to report child pornography sightings to the National Center for Missing and Exploited Children, which is in turn charged with forwarding that report to the appropriate police agency.
Some companies, such as Comcast, already voluntarily retain user data for longer periods. Blue Gravity, which hosts primarily adult pornography sites, retains data for seven to 14 days but plans to increase that window to 30 days to keep up with prevailing industry practices, Krwawecz said.
Last week, Rep. Diana DeGette, a Colorado Democrat, said she hoped to introduce by the end of this week a proposal that would require Internet service companies to retain customer records for a period of one year. She described the proposal, whose language is still not finalized, as requiring maintenance only of information useful in locating a customer, such as an IP address, and not about the content of his or her communications.
A DeGette spokesman said Tuesday that the congresswoman continues to negotiate the language with Republican Reps. Joe Barton and Ed Whitfield. He could not predict exactly when the bill would be introduced or what its precise language would be.
At least two possibilities could be in play. One form of data retention legislation could require Internet providers and perhaps social networking sites and search engines to record for a year or two which IP address is used by which user. The other form would be far broader, requiring companies to record data such as the identities of e-mail correspondents, logs of who sent and received instant messages (but not the content of those communications), and the addresses of Web pages visited.
With or without such a mandate, the hosting and domain name firms should conduct more self-policing of the sites that live on their servers, said Whitfield, chairman of the oversight and investigations subcommittee. "Is there any kind of technology to monitor (for child pornography sites) that would be available for either GoDaddy or Blue Gravity?" he asked. "Is there technology you could acquire to do this in a more proactive manner?"
"If I had a staff of 1,000 people that could go and review all of our hosted pages every day, we would," said GoDaddy's Jones, adding that the company did investigate nearly 2,000 customers over allegations of child pornography or inappropriate child modeling Web sites in the last year. "But at $1.99 per month for a hosting account, the economics are not really there for us to do that."