House ISP-logging proposal would exempt wireless

Forthcoming data retention bill would require Internet service providers to store customer information but appears to exempt wireless carriers, CNET has learned.

Declan McCullagh Former Senior Writer
Declan McCullagh is the chief political correspondent for CNET. You can e-mail him or follow him on Twitter as declanm. Declan previously was a reporter for Time and the Washington bureau chief for Wired and wrote the Taking Liberties section and Other People's Money column for CBS News' Web site.
Declan McCullagh
3 min read

A top House Republican is planning to propose that Internet service providers be required to store information about their customers to aid police in criminal investigations, CNET has learned.

But a recent draft has one huge exception: wireless companies aren't included.

That appears to be the result of lobbying from wireless providers, which don't want to have to comply with any new governmental mandates. But the exemption has already drawn the ire of the U.S. Justice Department, which says it doesn't go far enough and is likely to attract strong opposition from cable and DSL providers that would be the ones singled out for regulation.

CTIA, the wireless trade association, declined to answer questions about its involvement in drafting the exception, saying through a spokesman only that "we are committed to working with the committee on the legislation."

The committee preparing the bill is the House Judiciary Committee, headed by Rep. Lamar Smith of Texas, who has previously expressed support for mandatory requirements governing the retention of user data. The bill will be part of a larger measure dealing with strengthening criminal sanctions against child pornography.

A spokeswoman for Smith declined to answer questions about the legislation yesterday, saying his office would discuss it and distribute the final text only "when we are ready for introduction."

The mobile exemption represents a new twist in the debate over data retention requirements, which has been simmering since the Justice Department pushed the topic in 2005, a development that was first reported by CNET. Proposals publicly surfaced in the U.S. Congress the following year, and President Bush's attorney general, Alberto Gonzales said it's an issue that "must be addressed." So, eventually, did FBI director Robert Mueller.

In January 2011, CNET reported that the Obama Justice Department was following suit. On Monday, Jason Weinstein, the deputy assistant attorney general for the criminal division, warned that wireless providers must be included because "when this information is not stored, it may be impossible for law enforcement to collect essential evidence."

An Democratic congressional staffer, who spoke on condition of anonymity, said his office had seen summaries and drafts of the legislation but would not be supporting it because of privacy concerns.

The draft bill says that any "temporarily assigned network address" should be retained for 18 months except if the address is assigned wirelessly, one source says.

That would appear to exempt coffee shops, but could sweep in hotels, universities, schools, and businesses that offer wired network connection, as well as traditional broadband providers.

Smith introduced a broadly similar bill in 2007, without the wireless exemption, calling it a necessary anti-cybercrime measure. "The legislation introduced today will give law enforcement the tools it needs to find and prosecute criminals," he said in a statement at the time.

"Retention" vs. "preservation"
At the moment, Internet service providers typically discard any log file that's no longer required for business reasons such as network monitoring, fraud prevention or billing disputes. Companies do, however, alter that general rule when contacted by police performing an investigation--a practice called data preservation.

A 1996 federal law called the Electronic Communication Transactional Records Act regulates data preservation. It requires Internet providers to retain any "record" in their possession for 90 days "upon the request of a governmental entity."

Because Internet addresses remain a relatively scarce commodity, ISPs tend to allocate them to customers from a pool based on whether a computer is in use at the time. (Two standard techniques used are the Dynamic Host Configuration Protocol and Point-to-Point Protocol over Ethernet.)

In addition, an existing law called the Protect Our Children Act of 2008 requires any Internet provider that "obtains actual knowledge" of possible child pornography transmissions to "make a report of such facts or circumstances." Companies that knowingly fail to comply can be fined up to $150,000 for the first offense and up to $300,000 for each subsequent offense.