Internet providers should keep logs for two years, says head of FBI's digital evidence section. But what about the practical and privacy issues?
Declan McCullaghFormer Senior Writer
Declan McCullagh is the chief political correspondent for CNET. You can e-mail him or follow him on Twitter as declanm. Declan previously was a reporter for Time and the Washington bureau chief for Wired and wrote the Taking Liberties section and Other People's Money column for CBS News' Web site.
WASHINGTON--The FBI is pressing Internet service providers to record which Web sites customers visit and retain those logs for two years, a requirement that law enforcement believes could help it in investigations of child pornography and other serious crimes.
FBI Director Robert Mueller supports storing Internet users' "origin and destination information," a bureau attorney said at a federal task force meeting on Thursday.
As far back as a 2006 speech, Mueller had called for data retention on the part of Internet providers, and emphasized the point two years later when explicitly asking Congress to enact a law making it mandatory. But it had not been clear before that the FBI was asking companies to begin to keep logs of what Web sites are visited, which few if any currently do.
The FBI is not alone in renewing its push for data retention. As CNET reported earlier this week, a survey of state computer crime investigators found them to be nearly unanimous in supporting the idea. Matt Dunn, an Immigration and Customs Enforcement agent in the Department of Homeland Security, also expressed support for the idea during the task force meeting.
Greg Motta, the chief of the FBI's digital evidence section, said that the bureau was trying to preserve its existing ability to conduct criminal investigations. Federal regulations in place since at least 1986 require phone companies that offer toll service to "retain for a period of 18 months" records including "the name, address, and telephone number of the caller, telephone number called, date, time and length of the call."
At Thursday's meeting (PDF) of the Online Safety and Technology Working Group, which was created by Congress and organized by the U.S. Department of Commerce, Motta stressed that the bureau was not asking that content data, such as the text of e-mail messages, be retained.
"The question at least for the bureau has been about non-content transactional data to be preserved: transmission records, non-content records...addressing, routing, signaling of the communication," Motta said. Director Mueller recognizes, he added "there's going to be a balance of what industry can bear...He recommends origin and destination information for non-content data."
Motta pointed to a 2006 resolution from the International Association of Chiefs of Police, which called for the "retention of customer subscriber information, and source and destination information for a minimum specified reasonable period of time so that it will be available to the law enforcement community."
Recording what Web sites are visited, though, is likely to draw both practical and privacy objections.
"We're not set up to keep URL information anywhere in the network," said Drew Arena, Verizon's vice president and associate general counsel for law enforcement compliance.
And, Arena added, "if you were do to deep packet inspection to see all the URLs, you would arguably violate the Wiretap Act."
Another industry representative with knowledge of how Internet service providers work was unaware of any company keeping logs of what Web sites its customers visit.
If logs of Web sites visited began to be kept, they would be available only to local, state, and federal police with legal authorization such as a subpoena or search warrant.
What remains unclear are the details of what the FBI is proposing. The possibilities include requiring an Internet provider to log the Internet protocol (IP) address of a Web site visited, or the domain name such as cnet.com, a host name such as news.cnet.com, or the actual URL such as http://reviews.cnet.com/Music/2001-6450_7-0.html.
While the first three categories could be logged without doing deep packet inspection, the fourth category would require it. That could run up against opposition in Congress, which lambasted the concept in a series of hearings in 2008, causing the demise of a company, NebuAd, which pioneered it inside the United States.
The technical challenges also may be formidable. John Seiver, an attorney at Davis Wright Tremaine who represents cable providers, said one of his clients had experience with a law enforcement request that required the logging of outbound URLs.
"Eighteen million hits an hour would have to have been logged," a staggering amount of data to sort through, Seiver said. The purpose of the FBI's request was to identify visitors to two URLs, "to try to find out...who's going to them."
A Justice Department representative said the department does not have an official position on data retention.
Disclosure: The author of this story participated in the meeting of the Online Safety and Technology Working Group, though after the law enforcement representatives spoke.