Best TVs 'She-Hulk' Review Up to $1,000 Off Samsung Phones Best Streaming TV Shows Home Bistro Review 8 Great Exercises Amazon Back-to-School Sale Best Phones Under $500
Want CNET to notify you of price drops and the latest stories?
No, thank you

Terrorism invoked in ISP snooping proposal

Attorney general said Internet providers must retain records of Americans' activities to help in terrorism fight, CNET has learned.

In a radical departure from earlier statements, Attorney General Alberto Gonzales has said that requiring Internet service providers to save records of their customers' online activities is necessary in the fight against terrorism, CNET has learned.

Gonzales and FBI Director Robert Mueller privately met with representatives of AOL, Comcast, Google, Microsoft and Verizon last week and said that Internet providers--and perhaps search engines--must retain data for two years to aid in anti-terrorism prosecutions, according to multiple sources familiar with the discussion who spoke on condition of anonymity on Tuesday.

"We want this for terrorism," Gonzales said, according to one person familiar with the discussion.

Gonzales' earlier position had only emphasized how mandatory data retention would help thwart child exploitation.

In a speech last month at the National Center for Missing and Exploited Children, Gonzales said that Internet providers must retain records to aid investigations of criminals "abusing kids and sending images of the abuse around the world through the Internet."

If data retention becomes viewed primarily as an anti-terrorism measure, recent legal and political spats could complicate the Justice Department's efforts to make it standard practice.

Especially after recent reports that AT&T has opened its databases to the National Security Agency, Internet and telecommunications executives have become skittish about appearing to be cooperating too closely with the federal government's surveillance efforts.

In addition, the positive publicity that Google received during its legal dispute with the Justice Department over search terms has demonstrated to Internet companies the benefits of objecting to government requests on privacy grounds.

"A monumental data trove is a crazy thing from a privacy perspective," said one person familiar with Friday's discussions. "It's crazy that the U.S. government is going to retain more data than the Chinese government does."

Comcast said in a statement that "we fully share the attorney general's concern with the need to combat illegal use of the Internet for child pornography, terrorism and other illegal activities. We applaud the attorney general's initiative in convening an internal task force on this issue and look forward to continuing to cooperate with him and the FBI."

"The reasons for skepticism are growing," said Jim Harper, an analyst at the free-market Cato Institute and member of the Department of Homeland Security's Data Privacy and Integrity Advisory Committee. He predicted the reaction among Internet and telecom companies will be "mildly unfavorable but people are not yet to the point where they'll say the emperor has no clothes."

ISP snooping time line

In events first reported by CNET, Bush administration officials have said Internet providers must keep track of what Americans are doing online. Here's the time line:

June 2005: Justice Department officials quietly propose data retention rules.

December 2005: European Parliament votes for data retention of up to two years.

April 14, 2006: Data retention proposals surface in Colorado and the U.S. Congress.

April 20, 2006: Attorney General Gonzales says data retention "must be addressed."

April 28, 2006: Rep. DeGette proposes data retention amendment.

May 16, 2006: Rep. Sensenbrenner drafts data retention legislation, but backs away from it two days later.

May 26, 2006: Gonzales and FBI Director Mueller meet with Internet and telecommunications companies.

Details of the Justice Department's proposal remain murky. One possibility is requiring Internet providers to record the Internet addresses that their customers are temporarily assigned. A more extensive mandate would require them to keep track of the identities of Americans' e-mail and instant messaging correspondents and save the logs of Internet phone calls.

A Justice Department representative said Tuesday that the proposal would not require Internet providers to retain records of the actual contents of conversations and other Internet traffic.

Until Gonzales' public remarks last month, the Bush administration had generally opposed laws requiring data retention, saying it had "serious reservations" (click for PDF) about them. But after the European Parliament last December approved such a requirement for Internet, telephone and voice over Internet Protocol (VoIP) providers, top administration officials began talking about it more favorably.

Two proposals to mandate data retention have surfaced in the U.S. Congress. One, backed by Rep. Diana DeGette, a Colorado Democrat, says that any Internet service that "enables users to access content" must permanently retain records that would permit police to identify each user. The records could be discarded only at least one year after the user's account was closed.

The other was drafted by aides to Wisconsin Rep. F. James Sensenbrenner, the chairman of the House Judiciary Committee and a close ally of President Bush. Sensenbrenner said through a spokesman earlier this month, though, that his proposal is on hold because "our committee's agenda is tremendously overcrowded already."

'Preservation' vs. 'retention'
At the moment, Internet service providers typically discard any log file that's no longer required for business reasons such as network monitoring, fraud prevention or billing disputes. Companies do, however, alter that general rule when contacted by police agencies performing an investigation--a practice called data preservation.

A 1996 federal law called the Electronic Communication Transactional Records Act regulates data preservation. It requires Internet providers to retain any "record" in their possession for 90 days "upon the request of a governmental entity."

Because Internet addresses remain a relatively scarce commodity, ISPs tend to allocate them to customers from a pool based on if a computer is in use at the time. (Two standard techniques used are the Dynamic Host Configuration Protocol and Point-to-Point Protocol over Ethernet.)

In addition, Internet providers are required by another federal law to report child pornography sightings to the National Center for Missing and Exploited Children, which is in turn charged with forwarding that report to the appropriate police agency.

When adopting its data retention rules, the European Parliament approved U.K.-backed requirements saying that communications providers in its 25 member countries--several of which had enacted their own data retention laws already--must retain customer data for a minimum of six months and a maximum of two years.

The Europe-wide requirement applies to a wide variety of "traffic" and "location" data, including the identities of the customers' correspondents; the date, time, and duration of phone calls, VoIP calls, or e-mail messages; and the location of the device used for the communications. But the "content" of the communications is not supposed to be retained. The rules are expected to take effect in 2008.