DOJ pressed for details on Internet tracking plan

Republicans and Democrats push Justice Department for details on what it wants from mandatory data retention, with committee chairman describing Internet as "virtual playground for sex predators."

Declan McCullagh Former Senior Writer
Declan McCullagh is the chief political correspondent for CNET. You can e-mail him or follow him on Twitter as declanm. Declan previously was a reporter for Time and the Washington bureau chief for Wired and wrote the Taking Liberties section and Other People's Money column for CBS News' Web site.
Declan McCullagh
5 min read

Members of Congress chided the U.S. Department of Justice today for suggesting a new law requiring Internet companies to keep records of user activity, but not disclosing details on how it should be crafted to aid criminal investigations.

At a House of Representatives hearing, as CNET was the first to report, the Justice Department endorsed the concept of forcing Internet companies to collect and store data about their customers that they would not normally retain. This echoes the Bush administration's position under Attorney General Alberto Gonzales.

Justice Department's Jason Weinstein wanted data retention legislation but offered few details.
The Justice Department's Jason Weinstein wants data retention legislation but offers few details.

But Jason Weinstein, deputy assistant attorney general for the criminal division, irked the committee members by saying "the government doesn't have a specific proposal" at this time.

"When are you going to get a specific proposal?" said Rep. John Conyers, the senior Democrat on the House Judiciary committee. "How many years is this going to take?" Apparently recalling that mandatory data retention proposals have been circulating since 2005, Conyers added: "I'm going to call (attorney general) Eric Holder right after this hearing and see if we can get this moving...I don't think we need a whole lot of time."

Rep. Debbie Wasserman Schultz (D-Fla.) said mandatory data retention would help law enforcement "connect the dots" in criminal investigations. "I'm really not understanding why you don't have a specific proposal," she said.

So did Rep. Louie Gohmert (R-Tex.), a former judge, who used the lack of specifics to question whether the Justice Department really needed a new law. In court, Gohmert said, "if people don't want to get specific, it's not legitimate testimony that will come into evidence."

This is an odd situation: when the Justice Department asks Congress for a new law, it typically provides draft legislation, or at the very least, an unequivocal endorsement. In 2004, the department explicitly endorsed a pair of copyright bills backed by the entertainment industry. It did not equivocate when lending its support to a proposal to give life sentences to certain hackers in 2002 or a 2007 proposal outlawing "attempted" copyright infringement.

At today's House hearing, subcommittee members chided the Justice Department for not disclosing details on what it wants in mandatory data retention legislation.
At today's House hearing, subcommittee members chided the Justice Department for not disclosing more about what it wants in mandatory data retention legislation.

Weinstein did say that the Justice Department was not interested in forcing companies to retain "content information" such as the text of e-mail, text, or SMS messages. He added, in response to questions, that up to two years of data retention "would be a useful starting point," which echoes what FBI director Robert Mueller told Congress in 2008. (Ideally, to help law enforcement the most, "I'd think the statute of limitations would be the place to start the discussion" in terms of retention periods, he said.)

But he did not address the scope of the law, including whether social network sites and image-uploading sites would be required to record user activities--a proposal that surfaced inside the department four years ago.

"A minimum of six months would be advantageous, more like a year would be best," said John Douglass, the chief of police for Overland Park, Kansas, who was testifying on behalf of the International Association of Chiefs of Police. In 2006, the IACP adopted a resolution (PDF) calling for a "uniform data retention mandate" for "customer subscriber information and source and destination information," which apparently means keeping track of what Web sites every Internet user visits. A representative of the IACP said yesterday that the group continues to support the resolution.

Weinstein also took a swipe at the Electronic Frontier Foundation's June 2008 "best practices" guide for Internet companies, which recommends that they store the "minimum amount" of data necessary for the "minimum time necessary," and obfuscate, aggregate, or delete unneeded user information.

That represents the "best argument for Congress to intervene," Weinstein said. "Providers are being guided to conduct themselves" in way that minimizes information available to law enforcement.

Perhaps the most telling comments, though, came from the new chairman of the House Judiciary committee, Rep. Lamar Smith (R-Tex.). He introduced a data retention bill in an earlier session of Congress and is now in a position to push any legislation through the chamber this year.

Smith said that the Internet has become a "virtual playground for sex predators and pedophiles," and "more robust data retention will certainly assist law enforcement" in tracking down criminals.

Rep. F. James Sensenbrenner (R-Wis.), chairman of the House Judiciary crime subcommittee, told Kate Dean, executive director of the U.S. Internet Service Provider Association, that the industry must develop voluntary standards or risk being thwapped with the "stick" of federal legislation. "If you aren't a good rabbit and don't start eating the carrot, I'm afraid we're all going to be throwing the stick at you," he said.

It's not that surprising that the Obama Justice Department, like its predecessor, prefers the stick. As a department official in the 1990s, Attorney General Eric Holder touted the idea of mandatory data retention. In 1999, Holder said that "certain data must be retained by ISPs for reasonable periods of time so that it can be accessible to law enforcement."

For now, the scope of any mandatory data retention law remains hazy. It could mean forcing companies to store data for two years about what Internet addresses are assigned to which customers. (Comcast said in 2006 that it would be retaining those records for six months.)

Or it could be more intrusive, sweeping in online service providers, and involve keeping track of e-mail and instant-messaging correspondence and what Web pages users visit. Some Democratic politicians have previously called for data retention laws to extend to domain name registries and Web hosting companies and even social-networking sites. An FBI attorney said last year that the bureau supports storing Internet users' "origin and destination information," meaning logs of which Web sites are visited.

Kate Dean of the U.S. Internet Service Provider Association, was told by subcommittee chairman F. James Sensenbrenner that industry must develop standards or get hit with a regulatory "stick."
Kate Dean of the U.S. Internet Service Provider Association, was told by subcommittee chairman F. James Sensenbrenner that industry must develop standards or get hit with a regulatory "stick."

John Morris, general counsel at the Center for Democracy and Technology, said mandatory data retention could "harm Americans' privacy rights, aggravate the problem of identity theft, and jeopardize Americans' First Amendment right to speak anonymously on the Internet.

Retention vs. preservation
At the moment, Internet service providers typically discard any log file that's no longer required for business reasons such as network monitoring, fraud prevention, or billing disputes. Companies do, however, alter that general rule when contacted by police performing an investigation--a practice called data preservation.

A 1996 federal law called the Electronic Communication Transactional Records Act regulates data preservation. It requires Internet providers to retain any "record" in their possession for 90 days "upon the request of a governmental entity."

Because Internet addresses remain a relatively scarce commodity, ISPs tend to allocate them to customers from a pool based on whether a computer is in use at the time. (Two standard techniques used are the Dynamic Host Configuration Protocol and Point-to-Point Protocol over Ethernet.)

In addition, an existing law called the Protect Our Children Act of 2008 requires any Internet provider who "obtains actual knowledge" of possible child pornography transmissions to "make a report of such facts or circumstances." Companies that knowingly fail to comply can be fined up to $150,000 for the first offense and up to $300,000 for each subsequent offense.