Industry, others object to data retention

As feds begin talking about requiring ISPs and others to store data on customers, critics point to technical, security and privacy challenges.

Declan McCullagh Former Senior Writer
Declan McCullagh is the chief political correspondent for CNET. You can e-mail him or follow him on Twitter as declanm. Declan previously was a reporter for Time and the Washington bureau chief for Wired and wrote the Taking Liberties section and Other People's Money column for CBS News' Web site.
Declan McCullagh
5 min read
Internet providers and telecommunications companies expressed concern on Wednesday about the feasibility of recording Americans' online activities, a proposal that Attorney General Alberto Gonzales has recently endorsed.

In a meeting Friday first reported by CNET News.com, Gonzales and FBI Director Robert Mueller said the war on terror would be aided by two years' worth of data retention, a requirement industry representatives say would be accompanied by technical, security and privacy challenges.

"We have real reservations about data retention requirements because of the security and privacy risks attached to it," said Mark Uncapher, senior vice president of the Information Technology Association of America. ITAA's board members include representatives of AT&T, Sybase, Fujitsu and Unisys.

ISP snooping timeline

In events that were first reported by CNET News.com, Bush administration officials have said Internet providers must keep track of what Americans are doing online. Here's the timeline:

June 2005: Justice Department officials quietly propose data retention rules.

December 2005: European Parliament votes for data retention of up to two years.

April 14, 2006: Data retention proposals surface in Colorado and the U.S. Congress.

April 20, 2006: Attorney General Gonzales says data retention "must be addressed."

April 28, 2006: Rep. DeGette proposes data retention amendment.

May 16, 2006: Rep. Sensenbrenner drafts data retention legislation -- but backs away from it two days later.

May 26, 2006: Gonzales and FBI Director Mueller meet with Internet and telecommunications companies.

A Justice Department representative said this week that the government is not seeking to require the retention of the content of communications, but did not elaborate. If the European Union's approach were adopted, Internet companies would be required to save logs showing the identities of e-mail and perhaps instant messaging correspondents in addition to data about which customer was assigned which Internet address.

That suggestion alarms many Internet providers, which worry about the cost and complexity of recording what their customers are doing online. In some cases, especially among libraries, coffee shops and universities, no records may be stored at all.

"In general, libraries only keep records on users to the extent required to provide their services," said Rick Weingarten, director of the American Library Association's Office for Information Technology Policy.

Based on the limited information that has been made public so far--including in a speech by Gonzales last month--Weingarten said the library association would not favor such a requirement. "Absolutely we have concerns about users' privacy," he said.

A second meeting at the Justice Department has been scheduled for Friday.

Snooping on Web-based e-mail
The Justice Department also proposed that Web sites such as e-mail providers be required to store data about their users' activities for future law enforcement and national security investigations, according to one industry representative familiar with last week's meeting.

That could create privacy and security complications for Microsoft's Hotmail, Google's Gmail, Yahoo Mail and numerous other e-mail services, industry representatives said privately.

In response to a query from CNET News.com, Microsoft provided a statement that said it supported working with law enforcement to ensure Internet safety and protect children from online predators.

"But data retention is a complicated issue with implications not only for efforts to combat child pornography but also for security, privacy, safety and availability of low-cost or free Internet services," the statement said. (Click here to read the complete statement.)

Google said it would continue in discussions with Justice Department officials about how to prevent child pornography and related crimes--and, like Microsoft, sounded a note of caution about sweeping data retention rules.

"We are aware of a number of proposals in the U.S. and Europe regarding data retention and data preservation requirements for Internet companies," Google said in a statement. "We believe these proposals deserve careful review and must consider the legitimate interests of individual users, law enforcement agencies and Internet companies."

A Yahoo representative said on Wednesday that the company was going to decline to comment until it had details about what the Justice Department wanted. AT&T spokesman Dave Pacholczyk said, "We will follow the law," and declined further comment.

"Cox remains committed to the privacy of our customers, maintains secured records for an appropriate amount of time--according to the applicable laws--and only provides access to customer information to law enforcement, to the courts or to other authorities when legally required to do so," said David Grabert, Cox Communications' director of media relations.

For his part, Gonzales said in a speech last month at the National Center for Missing and Exploited Children that Internet providers must retain records to aid investigations of criminals "abusing kids and sending images of the abuse around the world through the Internet." More recently, the Justice Department has invoked terrorism as the justification for data retention.

Two proposals to mandate data retention have surfaced in the U.S. Congress. One, backed by Rep. Diana DeGette, a Colorado Democrat, says that any Internet service that "enables users to access content" must permanently retain records that would permit police to identify each user. The records could only be discarded at least one year after the user's account was closed.

The other was drafted by aides to Wisconsin Rep. F. James Sensenbrenner, the chairman of the House Judiciary Committee, a close ally of President Bush. Sensenbrenner said through a representative earlier this month, though, that his proposal is on hold because "our committee's agenda is tremendously overcrowded already."

"Preservation" versus "retention"
At the moment, Internet service providers typically discard any log file that's no longer required for business reasons such as network monitoring, fraud prevention or billing disputes. Companies do, however, alter that general rule when contacted by police performing an investigation--a practice called data preservation.

A 1996 federal law called the Electronic Communication Transactional Records Act regulates data preservation. It requires Internet providers to retain any "record" in their possession for 90 days "upon the request of a governmental entity."

Because Internet addresses remain a relatively scarce commodity, ISPs tend to allocate them to customers from a pool, based on if a computer is in use at the time. (Two standard techniques used are the Dynamic Host Configuration Protocol and Point-to-Point Protocol over Ethernet.)

In addition, Internet providers are required by another federal law to report child pornography sightings to the National Center for Missing and Exploited Children, which is in turn charged with forwarding such reports to the appropriate police agency.

When adopting its data retention rules, the European Parliament approved U.K.-backed requirements saying that communications providers in its 25 member countries--several of which had enacted their own data retention laws already--must retain customer data for a minimum of six months and a maximum of two years.

The Europe-wide requirement applies to a wide variety of "traffic" and "location" data, including the identities of the customers' correspondents; the date, time and duration of phone calls, voice over Internet Protocol calls or e-mail messages; and the location of the device used for the communications. But the "content" of the communications is not supposed to be retained. The rules are expected to take effect in 2008.

CNET News.com's Anne Broache contributed to this report.