Bargains for Under $25 HP Envy 34 All-in-One PC Review Best Fitbits T-Mobile Data Breach Settlement ExpressVPN Review Best Buy Anniversary Sale Healthy Meal Delivery Orville 'Out Star Treks' Star Trek
Want CNET to notify you of price drops and the latest stories?
No, thank you

Qwest calls for mandatory data retention laws

Broadband provider becomes first to embrace federal proposal to keep track of what its own customers are doing online.

ASPEN, Colo.--Broadband company Qwest Communications International on Tuesday strongly endorsed federal legislation requiring Internet providers to keep records of their customers' behavior, a move that could accelerate efforts in Congress to enact new laws.

Jennifer Mardosz, Qwest's corporate counsel and chief privacy officer, applauded efforts by politicians to force broadband providers to engage in so-called "data retention," which Attorney General Alberto Gonzales said will aid in investigations into terrorism and child exploitation. This appears to be the first time a broadband provider has called for data retention laws.

"We support legislation related to data retention," Mardosz said at the Progress and Freedom Foundation's annual summit here. Mardosz said Qwest "absolutely" endorses a measure (click for PDF) proposed in April by Rep. Diana DeGette, a Colorado Democrat.

In a public flip-flop, the Bush administration now is lobbying for data retention laws, even though it previously expressed "serious reservations about broad mandatory data retention regimes." Rep. Joe Barton, the influential chairman of the House Energy and Commerce Committee, has endorsed data retention and is expected to introduce a bill after the panel completes a series of hearings on child exploitation.

"We support legislation," Mardosz said Tuesday. "We want to be at the table. We want to have these discussions. The main thing is what's reasonable and balancing the interests of privacy and law enforcement." Qwest already keeps logs for more than 99 percent of its services for one year, she said.

This is an unusual stand for Qwest, which defended its customers' privacy rights when requiring the National Security Agency to obtain a court order to conduct electronic surveillance, according to a USA Today article in May. The Denver-based company has a market capitalization of $16.5 billion and says it has 784,000 wireless customers and 1.7 million DSL (digital subscriber line) customers.

Privacy groups have strongly opposed mandatory data retention, and many Internet providers have been skeptical of new laws. The U.S. Internet Industry Association has said current proposals aren't "going about this the right way," and the Information Technology Association of America has raised "real reservations" about legislation.

ISP snooping timeline

In events that were first reported by CNET, Bush administration officials have said Internet providers must keep track of what Americans are doing online. Here's the timeline:

June 2005: Justice Department officials quietly propose data retention rules.

December 2005: European Parliament votes for data retention of up to two years.

April 14, 2006: Data retention proposals surface in Colorado and the U.S. Congress.

April 20, 2006: Attorney General Gonzales says data retention "must be addressed."

April 28, 2006: Rep. DeGette proposes data retention amendment.

May 16, 2006: Rep. F. James Sensenbrenner drafts data retention legislation--but backs away from it two days later.

May 26, 2006: Gonzales and FBI Director Robert Mueller meet with Internet and telecommunications companies.

June 27, 2006: Rep. Joe Barton, chair of a House committee, calls new child protection legislation a "highest priority."

"Imposing broad data retention would be a significant change to U.S. law, especially when it has not been shown that a narrower data preservation approach will not work just as well," said Kate Dean, director of the U.S. Internet Service Provider Association. "The proposal to store enormous amounts of data on subscribers and keep it live for a lengthy period of time raises serious technical, legal and security concerns." (The association's members include AOL, AT&T, BellSouth, EarthLink and Verizon Communications.)

Qwest's enthusiastic endorsement of mandatory data retention could make it politically easier for members of Congress to enact new laws even if other companies remain staunchly opposed.

Details about the Bush administration's call for data retention remain ambiguous. At the very least, administration officials want to compel Internet providers to keep records of which Internet Protocol address a customer is assigned.

But during private meetings with industry officials, FBI and Justice Department officials have cited the desirability of also forcing search engines to keep logs--a proposal that could gain additional law enforcement support after AOL showed how useful such records could be in investigations.

Mardosz said that keeping records of what Web pages are visited (another possible option) would go too far. "If you get along the lines of content, there's going to be a lot pushback (and privacy concerns)," she said. "We don't want to go there."

DeGette's proposed legislation says any Internet service that "enables users to access content" must permanently retain records that would permit police to identify each user. The records could only be discarded at least one year after the user's account was closed.

Critics of DeGette's proposal have said that while the justification for Internet surveillance might be protecting children, the data would be accessible to any local or state law enforcement official investigating anything from drug possession to tax evasion. In addition, the one-year retention is a minimum; the Federal Communications Commission would receive the authority to require Internet companies to keep records "for not less than one year after a subscriber ceases to subscribe to such services."

At the moment, Internet service providers typically discard any log file that's no longer required for business reasons such as network monitoring, fraud prevention or billing disputes. Companies do, however, alter that general rule when contacted by police performing an investigation--a practice called data preservation.

A 1996 federal law called the Electronic Communication Transactional Records Act regulates data preservation. It requires Internet providers to retain any "record" in their possession for 90 days "upon the request of a governmental entity."

Jennifer Mardosz
Jennifer Mardosz (center)

Because Internet addresses remain a relatively scarce commodity, ISPs tend to allocate them to customers from a pool based on whether a computer is in use at the time. (Two standard techniques used are the Dynamic Host Configuration Protocol and Point-to-Point Protocol over Ethernet.)

In addition, Internet providers are required by another federal law to report child pornography sightings to the National Center for Missing and Exploited Children, which is in turn charged with forwarding that report to the appropriate police agency.

When adopting its data retention rules, the European Parliament approved U.K.-backed requirements saying that communications providers in its 25 member countries--several of which had enacted their own data retention laws already--must retain customer data for a minimum of six months and a maximum of two years.

The Europe-wide requirement applies to a wide variety of "traffic" and "location" data, including the identities of the customers' correspondents; the date, time and duration of phone calls, voice over Internet Protocol calls or e-mail messages; and the location of the device used for the communications. But the "content" of the communications is not supposed to be retained. The rules are expected to take effect in 2008.

UPDATE: Qwest's Mardosz said Wednesday that she misspoke a day earlier. Click here for details.