Congressman endorses data retention law, then backs away

A key Republican politician alarmed lobbyists trying to update a 1986 electronic privacy law by suggesting a data retention requirement should be attached. Then his aides said he misspoke.

Declan McCullagh
Declan McCullagh is the chief political correspondent for CNET. You can e-mail him or follow him on Twitter as declanm. Declan previously was a reporter for Time and the Washington bureau chief for Wired and wrote the Taking Liberties section and Other People's Money column for CBS News' Web site.
Rep. F. James Sensenbrenner, a Wisconsin Republican, said mandatory data retention should be part of a "balancing act" that would not give either law enforcement or industry representatives everything they want. A few hours later, his aides said he misspoke. (Photo: Getty Images)

A historic lobbying effort today to update U.S. privacy laws for the 21st century seemed to be in danger of derailment by a law enforcement-backed proposal to require Internet companies and e-mail providers to keep records of what their users are doing online.

Rep. F. James Sensenbrenner, the chairman of a key House of Representatives subcommittee, said this morning that it was time to resuscitate the idea of the government mandating data retention. Sensenbrenner, a Wisconsin Republican, had drafted a mandatory logging proposal seven years ago that included prison terms for company executives who failed to comply. A law enforcement representative said today some form of data retention should be attached to the privacy bill.

A timeline of ISP snooping

In events that were first reported by CNET, law enforcement has been lobbying for logs of what Americans do online. Here's the timeline:

June 2005: Justice Department officials quietly propose data retention rules.

April 2006: Data retention proposals surface in Colorado and the U.S. Congress.

April 2006: Attorney General Gonzales says data retention "must be addressed."

April 2006: Rep. DeGette proposes data retention amendment.

May 2006: Rep. Sensenbrenner drafts data retention legislation--but backs away from it two days later.

May 2006: Gonzales and FBI Director Mueller meet with Internet and telecom companies.

February 2009: Two data retention bills target ISPs, hotels, coffee shops

February 2009: Copyright holders would benefit from data retention

January 2011: Obama Justice Department calls for data retention

February 2011: White House undecided on data retention

May 2011: Wireless providers exempted from Rep. Smith's bill

July 2011: National Sheriffs' Association endorses data retention

December 2012: Law enforcement wants SMS data retention

March 2013: Tennessee Bureau of Investigation renews call for SMS data retention

"I'd like to ask you ... what time do you think we ought to have in terms of requiring a service provider or somebody who stores e-mails in the clouds to retain that material?" Sensenbrenner asked law enforcement representatives during an exchange that lasted about five minutes. The response from a representative of the Tennessee Bureau of Investigation: It depends, but "six months or a year" would be reasonable. (Here's the hearing video.)

Sensenbrenner indicated that he intended to glue a data retention requirement, which had been endorsed by the U.S. Department of Justice and other law enforcement organizations, onto a landmark privacy bill to rewrite the 1986 Electronic Communications Privacy Act (ECPA). At the moment, Americans enjoy more privacy rights if they store data on their hard drives or under their mattresses, a legal hiccup that tech companies fear could slow the shift to cloud-based services unless the law is updated.

"We're going to need to have a balancing act, which means that neither law enforcement nor the service community are going to get everything they want," Sensenbrenner said.

But a few hours later, in response to queries from CNET asking about the details of the proposal, aides to Sensenbrenner said that their boss had misspoken and was talking about data preservation in response to law enforcement requests -- not about a new data retention proposal. One source close to the situation, who spoke on condition of anonymity, said that the public policy reversal had come in response to pressure from lobbyists supporting ECPA reform.

In a subsequent statement, Sensenbrenner said: "I have long opposed data retention and do not believe that any ECPA reform package should include such a mandate. Data retention requires a provider to retain information about the Internet use of all of its customers. A data retention mandate raises privacy concerns because it affects all users, not just bad actors."

Sensenbrenner's statement earlier in the day had alarmed some members of a coalition, which includes representatives from Apple, Twitter, Facebook, and Google. The group has been lobbying for years to update the law in this area. Their concern: If the data retention mandate is attached to the ECPA reform bill, it will amount to a poison pill that will doom the legislation. (They want to require police to obtain a search warrant signed by a judge before law enforcement can peruse a citizen's e-mail correspondence, which is not currently the case in all circumstances.)

"CDT wouldn't support a bill with a data retention mandate," says Mark Stanley, a spokesman for the Center for Democracy and Technology, a member of the Digital Due Process coalition.

Chris Calabrese, legislative counsel for the American Civil Liberties Union, said: "The ACLU has always opposed mandatory data retention. We have no plans to revisit that policy."

Previous proposals have included extending mandatory data retention laws to domain name registries, Web-hosting companies, social-networking sites, and other "destinations" that Internet users visit. During private meetings with industry executives, FBI and Justice Department representatives have said in the past that it would be desirable to force search engines to keep logs as well. In December, law enforcement groups representing U.S. district attorneys and sheriffs said records of SMS messages should be stored for at least two years.

Sensenbrenner opposed one measure in 2011, approved by the House Judiciary committee, that was aimed only at Internet providers and would have forced them to keep logs of their customers' activities for one year. Finding legislation that "allows law enforcement to do their job, particularly against people who use the Internet for criminal purposes, is kind of going to be a tough nut to crack," he said today. "We tried it in the last Congress and we weren't able to get the ball over the goal line."

Nate Cardozo, a staff attorney at the Electronic Frontier Foundation in San Francisco, Calif., said:

"Data retention isn't ECPA reform and shouldn't be in consideration as such. ECPA reform is about bringing the statute into line with the Fourth Amendment, and there's no reason to trade retention requirements in exchange for ensuring existing constitutional rights."

As a practical matter, the ECPA reform coalition doesn't need Congress as much as it did when the group was formed in 2010. That's because it has been having some luck in the courts by making constitutional arguments: In 2010, a federal appeals court ruled that police must obtain a search warrant from a judge before accessing e-mail. As a result, Google, Microsoft, Yahoo, and Facebook now require search warrants for e-mail.

Internet service providers typically discard any log file that's no longer required for business reasons, such as network monitoring, fraud prevention, or billing disputes. Companies do, however, alter that general rule when contacted by police performing an investigation -- a practice called data preservation.

A 1996 federal law called the Electronic Communication Transactional Records Act regulates data preservation. It requires Internet providers to retain any "record" in their possession for 90 days "upon the request of a governmental entity."

In addition, an existing law called the Protect Our Children Act of 2008 requires any Internet provider who "obtains actual knowledge" of possible child pornography transmissions to "make a report of such facts or circumstances." Companies that knowingly fail to comply can be fined up to $150,000 for the first offense and up to $300,000 for each subsequent offense.

An ECPA reform bill that the Senate Judiciary committee approved in November does not include data retention requirements.

Last updated at 12:18 p.m. PT