Data retention bill expected next week

Proposal expected to require Internet providers to keep customer information for a year for police convenience.

Anne Broache Staff Writer, CNET News.com
Anne Broache
covers Capitol Hill goings-on and technology policy from Washington, D.C.
Anne Broache
4 min read
WASHINGTON--A Democratic member of the U.S. House of Representatives said Thursday that she plans to introduce legislation next week that would force Internet providers to record customer information for one year.

Rep. Diana DeGette of Colorado said that she is working with Republicans Reps. Ed Whitfield, chairman of the House Energy and Commerce oversight and investigations subcommittee, and Joe Barton, chairman of the full committee, to finalize language mandating a controversial practice known as data retention.

ISP snooping timeline

In events that were first reported by CNET News.com, Bush administration officials have said Internet providers must keep track of what Americans are doing online. Here's the timeline:

June 2005: Justice Department officials quietly propose data retention rules.

December 2005: European Parliament votes for data retention of up to two years.

April 14, 2006: Data retention proposals surface in Colorado and the U.S. Congress.

April 20, 2006: Attorney General Gonzales says data retention "must be addressed."

April 28, 2006: Rep. DeGette proposes data retention amendment.

May 16, 2006: Rep. Sensenbrenner drafts data retention legislation -- but backs away from it two days later.

May 26, 2006: Gonzales and FBI Director Mueller meet with Internet and telecommunications companies.

June 27, 2006: Rep. Barton, chair of a House committee, calls new child protection legislation a "highest priority"

"Internet service providers across the board do retain this data for some period of time right now, so all were doing in this legislation is requiring a standard in the industry," DeGette said at a morning hearing here on online child pornography, which was at least the sixth event dealing with online child exploitation in the House this year.

The data retention requirement is necessary because members of Congress have "learned that Internet service providers and social networking sites have information that law enforcement needs when investigating pedophiles online, and that is the IP address on a particular date and time that will help identify those involved," said Whitfield, a Kentucky Republican who is also heading a probe into Hewlett-Packard's boardroom scandal.

Privacy groups and industry groups have generally opposed mandatory data retention, with some companies such as Comcast voluntarily agreeing to retain user data for longer periods. Also, under an earlier proposal described by DeGette, the information would be available not only to police but to civil litigants as well, including divorce lawyers hoping to track someone down or employers embroiled in a lawsuit with a former employee.

Plans to enact the Bush administration's data retention proposal--reiterated this week by Attorney General Alberto Gonzales--have been brewing in Congress for months but have received increased attention as the November elections draw near.

DeGette, for her part, planned this spring to introduce such a proposal (click for PDF) as an amendment to a House telecommunications bill but ultimately dropped those plans. A senior House Republican also drafted a bill this year (click for PDF) but then backed away from it.

DeGette's bill is expected to be consistent with repeated calls for mandatory data retention in recent months from Gonzales and from 49 state attorneys general (click for PDF).

The two law enforcement officials at Thursday's hearing, representing the cybercrimes division of Homeland Security's Immigrations and Customs Enforcement bureau and the U.S. attorney's office in New Jersey, also offered endorsements.

"We need more and more information, and we need it as quickly as we can possibly get it," said Christopher Christie, U.S. Attorney in New Jersey.

Details on data retention
In general, data retention legislation could follow one of two approaches.

One form could require Internet providers and perhaps social networking sites and search engines to record for a year or two which IP address is used by which user. The other form would be far broader, requiring companies to record data such as the identities of e-mail correspondents, logs of who sent and received instant messages (but not the content of those communications), and the addresses of Web pages visited.

During a series of meetings with Internet companies hosted by the Justice Department--first reported by CNET News.com--officials have been ambiguous about how they want legislation worded, private-sector participants say. Those involved have included AOL, Comcast, Google, Microsoft, Verizon Communications and trade associations.

DeGette said Thursday that her proposal would not require retention of the communications themselves, but would identify data so that law enforcement officials--if they had probable cause to believe a crime has been committed--could go in and get a subpoena and subpoena these IP addresses.

An IP address is a unique four-byte address used to communicate with a device on a computer network that relies on the Internet Protocol. An IP address associated with CNET.com, for instance, is

Ernie Allen, president of the National Center for Missing and Exploited Children, said he liked that DeGette's proposal was not focused on retaining content. "Obviously this is a real dilemma for the Internet service providers for a host of reasons, and I think there is an appropriate time frame that can be established," he said. "But overwhelmingly, we support (data retention mandates)."

DeGette sought to allay concerns raised by privacy advocates about the approach, adding, "I'm concerned about privacy considerations, too, especially in light of what I believe to be illegal surveillance of telephone records by this administration."