Congress may consider mandatory ISP snooping

House Democrat joins Bush administration in supporting a mandate that Net firms store records about consumers' activities.

Declan McCullagh Former Senior Writer
Declan McCullagh is the chief political correspondent for CNET. You can e-mail him or follow him on Twitter as declanm. Declan previously was a reporter for Time and the Washington bureau chief for Wired and wrote the Taking Liberties section and Other People's Money column for CBS News' Web site.
Declan McCullagh
5 min read
It didn't take long for the idea of forcing Internet providers to retain records of their users' activities to gain traction in the U.S. Congress.

Last week, Attorney General Alberto Gonzales, a Republican, gave a speech saying that data retention by Internet service providers is an "issue that must be addressed." Child pornography investigations have been "hampered" because data may be routinely deleted, Gonzales warned.

Now, in a demonstration of bipartisan unity, a Democratic member of the Congressional Internet Caucus is preparing to introduce an amendment--perhaps during a U.S. House of Representatives floor vote next week--that would make such data deletion illegal.

Colorado Rep. Diana DeGette's proposal (click for PDF) says that any Internet service that "enables users to access content" must permanently retain records that would permit police to identify each user. The records could not be discarded until at least one year after the user's account was closed.

It's not clear whether that requirement would be limited only to e-mail providers and Internet providers such as DSL (digital subscriber line) or cable modem services. An expansive reading of DeGette's measure would require every Web site to retain those records. (Details would be left to the Federal Communications Commission.)

DeGette Rep. Diana Rep. Diana DeGette

"We're still addressing some of the issues, and we will have those issues or answers before we introduce this as either an amendment or a standalone bill," Brandon MacGillis, a spokesman for DeGette, said in an interview on Friday.

CNET News.com was the first to report last June that the Justice Department was quietly shopping around the idea of legally required data retention. In a move that may have led to broader interest inside the United States, the European Parliament last December approved such a requirement for Internet, telephone and voice over Internet Protocol (VoIP) providers.

U.S. politicians began talking publicly about mandatory data retention during a series of House of Representatives hearings on child pornography and in speeches, News.com reported earlier this month. Legislation similar to DeGette's has been circulating in the Colorado legislature, and another hearing on child exploitation is planned for next Wednesday.

The Bush administration's current position is an abrupt reversal of its previous long-held belief that data retention is unnecessary and imposes an unacceptable burden on Internet providers. In 2001, the Bush administration expressed (click for PDF) "serious reservations about broad mandatory data retention regimes."

DeGette said in a statement that her amendment was necessary because: "America is the No. 1 global consumer of child pornography, the No. 2 producer. This is a plague we had nearly wiped out in the seventies, and sadly the Internet, an entity that we practically worship for all the great things it has brought to us, is being used to commit a crime against humanity."

For their part, Internet providers say they have a long history of helping law enforcement in child porn cases and point out that two federal laws already require them to cooperate. It's also unclear that investigations are really being hindered, according to Kate Dean, director of the U.S. Internet Service Provider Association.

MacGillis, a spokesman for DeGette, said his boss is likely to introduce her data retention proposal as a standalone measure or as an amendment to a broad telecommunications bill that's moving rapidly through the House.

The bill (click for PDF)--best known for a debate this week over its Net neutrality sections--was approved by a House committee on Thursday and is expected to receive a floor vote next week. (DeGette had considered adding it as an amendment during the committee vote but decided against it at the last minute.)

"Our main concern on the bill is privacy, protecting the privacy of everyone out there on the Internet, but also retention of those records so law enforcement officials will have access to them, so we just need to really tinker with the language," MacGillis said.

Child porn as surveillance excuse?
Critics of DeGette's proposal have said that, while the justification for Internet surveillance might be protecting children, the data would be accessible to any local or state law enforcement official investigating anything from drug possession to tax evasion. In addition, the one-year retention is a minimum; the FCC would receive the authority to require Internet companies to keep records "for not less than one year after a subscriber ceases to subscribe to such services."

Jim Harper, director of information policy studies at the free-market Cato Institute, said: "This is an unrestricted grant of authority to the FCC to require surveillance."

"The FCC would be able to tell Internet service providers to monitor our e-mails, monitor our Web surfing, monitor what we post on blogs or chat rooms, and everything else under the sun," said Harper, a member of the Department of Homeland Security's Data Privacy and Integrity Advisory Committee. "We're seeing a kind of hysteria reminiscent of the McMartin case. The result will be privacy that goes away and doesn't come back when the foolishness is exposed."

The McMartin case was probably the most extreme example of the hysteria over "Satanic ritual abuse"--a widespread scare in the 1980s that children were molested, murdered and tortured, even though no evidence was found. In the McMartin preschool case, a family was falsely accused of Satanic activities and the charges were eventually dropped.

At the moment, Internet service providers typically discard any log file that's no longer required for business reasons such as network monitoring, fraud prevention or billing disputes. Companies do, however, alter that general rule when contacted by police performing an investigation--a practice called data preservation.

A 1996 federal law called the Electronic Communication Transactional Records Act regulates data preservation. It requires Internet providers to retain any "record" in their possession for 90 days "upon the request of a governmental entity."

In addition, Internet providers are required by another federal law to report child pornography sightings to the National Center for Missing and Exploited Children, which is in turn is charged with forwarding that report to the appropriate police agency.

CNET News.com's Anne Broache contributed to this report.