Police: Internet providers must keep user logs

CNET has learned the National Sheriffs' Association is leaping into a political fray by saying ISPs must be required to log customer activity.

Declan McCullagh Former Senior Writer
Declan McCullagh is the chief political correspondent for CNET. You can e-mail him or follow him on Twitter as declanm. Declan previously was a reporter for Time and the Washington bureau chief for Wired and wrote the Taking Liberties section and Other People's Money column for CBS News' Web site.
Declan McCullagh
4 min read

Law enforcement representatives are planning to endorse a proposed federal law that would require Internet service providers to store logs about their customers for 18 months, CNET has learned.

The National Sheriffs' Association will say it "strongly supports" mandatory data retention during Tuesday's U.S. House of Representatives hearing on the topic.

Michael Brown, sheriff in Bedford County, Va., and a board member and executive committee member of the National Sheriffs' Association, is planning to argue that a new law is necessary because Internet providers do not store customer records long enough.

"The limited data retention time and lack of uniformity among retention from company to company significantly hinders law enforcement's ability to identify predators when they come across child pornography," according to a copy of Brown's remarks. Any stored logs could, however, be used to prosecute any type of crime.

The association's endorsement comes nearly two months after Reps. Lamar Smith (R-Texas), the head of the House Judiciary Committee, and Debbie Wasserman Schultz (D-Fla.) introduced legislation that would force Internet companies to log data about their customers. It says they must store for "at least 18 months the temporarily assigned network addresses the service assigns to each account, unless that address is transmitted by radio communication"--language that amounts to a huge and unusual exception for wireless carriers.

Related stories:
Wireless providers exempted from data-logging plan
DOJ wants wireless providers to store user info
White House undecided about data retention law

In January, the U.S. Department of Justice also called for some sort of legislation in this area, but the White House has not taken a public position and the department has pointedly declined to elaborate on what it wants. No Justice Department representative is scheduled to testify tomorrow. The International Association of Chiefs of Police applauded (PDF) data retention requirements five years ago but did not endorse specific legislation.

Brown declined a request from CNET to discuss his testimony.

The Republican backers of the bill--it was the GOP's first major tech initiative after taking over the House in January--hope Brown's endorsement will provide a welcome boost to their proposal's prospects.

Similar bills have been introduced starting in early 2006, but privacy and civil liberty concerns have kept them from even receiving a floor vote. So has the scope: industry representatives have been wary ever since Justice Department representatives were talking privately about whether social-networking sites should be required to keep track of what Internet address uploaded what photograph.

According to Brown's testimony:

Unmasking child pornographers on the Internet is a painstaking and complex process for law enforcement officers and typically requires assistance from Internet Service Providers (ISPs) to accurately identify the perpetrator. However, some ISPs only retain their clients' records for a short period of time. It could be hours. It could be days. It could be weeks. It could be months. And it varies from ISP to ISP. As such, the limited data retention time and lack of uniformity among retention from company to company significantly hinders law enforcement's ability to identify predators when they come across child pornography.

Marc Rotenberg, executive director of the Electronic Privacy Information Center, is planning to suggest during tomorrow's hearing that the committee rewrite the measure by eliding the most incendiary sections. In an e-mail Monday afternoon, Rotenberg said he also has concerns that the language ignores reasonable data minimization procedures and doesn't envision how bad a data breach could be.

The definitions in Smith's bill could sweep in coffee shops that offer wired connections to their customers, as well as hotels, universities, schools, and businesses that offer wired network connections, on top of traditional broadband providers.

Smith introduced a broadly similar bill in 2007, without the wireless exemption, calling it a necessary anti-cybercrime measure. "The legislation introduced today will give law enforcement the tools it needs to find and prosecute criminals," he said in a statement at the time.

These concepts are not exactly new. In June 2005, CNET was the first to report that the Justice Department was quietly shopping around the idea, reversing the department's previous position that it had "serious reservations about broad mandatory data retention regimes." Despite support from FBI director Robert Mueller and the Bush Justice Department, however, the proposals languished amid worries about privacy and the cost of compliance.

"Retention" vs. "preservation"
At the moment, Internet service providers typically discard any log file that's no longer required for business reasons such as network monitoring, fraud prevention, or billing disputes. Companies do, however, alter that general rule when contacted by police performing an investigation--a practice called data preservation.

A 1996 federal law called the Electronic Communication Transactional Records Act regulates data preservation. It requires Internet providers to retain any "record" in their possession for 90 days "upon the request of a governmental entity."

Because Internet addresses remain a relatively scarce commodity, ISPs tend to allocate them to customers from a pool based on whether a computer is in use at the time. (Two standard techniques used are the Dynamic Host Configuration Protocol and Point-to-Point Protocol over Ethernet.)

In addition, an existing law called the Protect Our Children Act of 2008 requires any Internet provider who "obtains actual knowledge" of possible child pornography transmissions to "make a report of such facts or circumstances." Companies that knowingly fail to comply can be fined up to $150,000 for the first offense and up to $300,000 for each subsequent offense.