Gonzales: ISPs must keep records on users

Attorney general, other witnesses ask Congress to force Internet service providers to follow customers' activities.

Declan McCullagh Former Senior Writer
WASHINGTON--Attorney General Alberto Gonzales on Tuesday stepped up his efforts to lobby for federal laws requiring Internet providers to keep track of what their customers do online.

Gonzales asked senators to adopt "data retention" legislation that would likely force Internet providers to keep customer logs for at least a year or two. Those logs, often routinely discarded after a few months, are intended to be used by police investigating crimes.

ISP snooping time line

In events that were first reported by CNET News.com, Bush administration officials have said Internet providers must keep track of what Americans are doing online. Here's the time line:

June 2005: Justice Department officials quietly propose data retention rules.

December 2005: European Parliament votes for data retention of up to two years.

April 14, 2006: Data retention proposals surface in Colorado and the U.S. Congress.

April 20, 2006: Attorney General Gonzales says data retention "must be addressed."

April 28, 2006: Rep. DeGette proposes data retention amendment.

May 16, 2006: Rep. Sensenbrenner drafts data retention legislation--but backs away from it two days later.

May 26, 2006: Gonzales and FBI Director Mueller meet with Internet and telecommunications companies.

June 27, 2006: Rep. Barton, chair of a House committee, calls new child protection legislation a "highest priority."

"This is a national problem that requires federal legislation," Gonzales said during a Senate Banking Committee hearing. "We need to figure out a way to have ISPs retain data for a sufficient period of time that would allow us to go back and retrieve it."

As the November election approaches, politicians have been devoting an unprecedented amount of attention to the topic of children, pornography and the Internet: At least three committees are holding hearings on the subject this week alone.

One committee even enlisted an outside-the-Beltway celebrity, basketball icon Shaquille O'Neal. Shaq appeared on videotape before the Senate Commerce Committee, and said: "I've seen images that make me very sad, I've seen images that make me very mad...Yeah, I'm mad, very mad, senator." (O'Neal is a spokesman for the Safe Surfin' Foundation, a federally funded nonprofit group.)

It's unclear what the prospects are for mandatory data retention in Congress this year, or whether politicians will delay action until 2007. One senior House Republican drafted a bill but then backed away from it, and a Democratic proposal has not been voted on.

But with the Bush administration firmly behind the concept, and with state and local law enforcement lending a hand in the lobbying efforts and saying such mandates would help protect children, industry groups and privacy advocates may be hard-pressed to head off new regulations. During Tuesday morning's appearance, for instance, Gonzales favorably cited a June letter endorsing mandatory data retention that was signed by 49 attorneys general. The letter said: "It is clear that something must be done to ensure that ISPs retain data for a reasonable period of time."

Myriad suggestions
Sen. John McCain, who presided over the afternoon hearing, scolded Internet companies who "were invited to participate and chose not to." He said he would talk to Sen. Ted Stevens, chairman of the Senate Commerce Committee, about scheduling an additional hearing during which the companies would be grilled.

Montana Sen. Conrad Burns, a Republican, used the hearing to tout a proposal, now tacked onto a mammoth communications bill and awaiting a vote, that would require all sexually explicit Web content to be labeled as such and home pages of all sites to be free of such content.

That measure, he said, "will help children from unwittingly stumbling across these words and images online."

Ernie Allen, president of the National Center for Missing and Exploited Children, echoed Gonzales' calls for ISPs to hang onto customer records. "Some companies have policies on retention, but they vary widely, are not implemented consistently, and frankly, most are too short to have meaningful prosecutorial value," he said.

Data retention legislation could follow one of two approaches, and it's not clear which is more likely.

One form could require Internet providers and perhaps social-networking sites and search engines to record for a year or two which IP address is used by which user. The other form would be far broader, requiring companies to record data such as the identities of e-mail correspondents, logs of who sent and received instant messages (but not the content of those communications), and the addresses of Web pages visited.

During a series of meetings that Justice Department officials have held with private companies--first reported by CNET News.com--officials have been ambiguous about how they want legislation worded, private-sector participants say. Companies involved have included AOL, Comcast, Google, Microsoft, Verizon Communications and trade associations.

Suggestions for congressional action at Tuesday afternoon's hearing didn't stop at data retention by private companies.

Sheriff Michael Brown, who heads an Internet Crimes Against Children task force in Bedford County, Va., called on Congress to ensure that any state, federal, local or educational institution that receives federal funding also conduct "appropriate transactional logging to allow the location of individuals that use that access in the exploitation of children." He said in his testimony that the government could not, "in good conscience," make such demands of the private sector if it didn't also do the same.

That concept--restrictions slapped on using federal funds--echoes a 2000 federal law called the Children's Internet Protection Act. CIPA effectively forced schools and libraries to filter sexually explicit Web sites by tying that requirement to the receipt of federal funds, an approach the U.S. Supreme Court upheld as constitutional in 2003.

The concept of more federal laws was popular at Tuesday's pair of hearings. Sharon Cooper, an adjunct professor of pediatrics at the University of North Carolina, urged politicians to require that all public-school health classes, from elementary to high school, teach "child sexual abuse prevention strategies as well as online and communication technology safety strategies."

And Sen. Robert Bennett, a Utah Republican, suggested that the Justice Department create a successor to the widely criticized Meese Commission, a 1986 federal panel that claimed to document the harmful effects of pornography. "Isn't it time we revisited the creation of an attorney's general commission and update, if you will, the kind of things the Meese Commission prophesied would happen?" Bennett asked.

On Thursday, the U.S. House of Representatives will have its own hearing on the Internet and child pornography.

'Preservation' vs. 'retention'
At the moment, Internet service providers typically discard any log file that's no longer required for business reasons such as network monitoring, fraud prevention, or billing disputes. Companies do, however, alter that general rule when contacted by police performing an investigation--a practice called data preservation.

A 1996 law called the Electronic Communication Transactional Records Act regulates data preservation. It requires Internet providers to retain any "record" in their possession for 90 days "upon the request of a governmental entity."

Because Internet addresses remain a relatively scarce commodity, ISPs tend to allocate them to customers from a pool based on whether a computer is in use at the time. (Two standard techniques used are the Dynamic Host Configuration Protocol and Point-to-Point Protocol over Ethernet.)

An IP address is a unique 4-byte address used to communicate with a device on a computer network that relies on the Internet Protocol. An IP address associated with CNET.com, for instance, is

In addition, Internet providers are required by another federal law to report child pornography sightings to the National Center for Missing and Exploited Children, which is in turn charged with forwarding that report to the appropriate police agency.

When adopting its data retention rules, the European Parliament approved U.K.-backed requirements saying communications providers in its 25 member countries--several of which had enacted their own data retention laws already--must retain customer data for a minimum of six months and a maximum of two years.

The Europe-wide requirement applies to a wide variety of "traffic" and "location" data, including the identities of the customers' correspondents; the date, time and duration of phone calls, voice over Internet Protocol calls, or e-mail messages; and the location of the device used for the communications. But the "content" of the communications is not supposed to be retained. The rules are expected to take effect in 2008.