U.S. attorney general calls for 'reasonable' data retention

He suggests that new rules may be necessary to ensure integrity of investigations into online sex crimes.

Anne Broache Staff Writer, CNET News.com
Anne Broache
covers Capitol Hill goings-on and technology policy from Washington, D.C.
Anne Broache
4 min read
ALEXANDRIA, Va.--The failure of some Internet service providers to retain user logs for a "reasonable amount of time" is hampering investigations into gruesome online sex crimes, U.S. Attorney General Alberto Gonzales said Thursday, indicating that new data retention rules may be on the way.

"The investigation and prosecution of child predators depends critically on the availability of evidence that is often in the hands of Internet service providers," Gonzales said in a morning speech to staff at the National Center for Missing and Exploited Children headquarters here.

"Record retention by Internet service providers (that is) consistent with the legitimate privacy rights of Americans is an issue that must be addressed," he added.

CNET News.com was the first to report last June that the Justice Department was quietly shopping around the idea of legally required data retention. In a move that may have led to broader interest inside the United States, the European Parliament last December approved such a requirement for Internet, telephone and voice over Internet Protocol (VoIP) providers.

Congress is now considering policy changes, as News.com reported last week. At least one U.S. House of Representatives leader indicated he is mulling legislation that would require data retention. The topic surfaced at two hearings--convened recently by a House subcommittee--about online sexual exploitation and child pornography. Investigators of Internet sex crimes said they would like to see at least several months--and ideally, a year or more--of mandatory records retention.

The Justice Department and the Federal Bureau of Investigation took heat from subcommittee politicians for failing to send representatives to either hearing. Gonzales' talk was likely an attempt to show that the Bush administration is serious about taking new steps to root out child pornography. His remarks focused largely on what he termed an "epidemic" in the movies and images depicting the sexual abuse of children, exacerbated by the Internet's ability to create an anonymous haven for pedophiles.

The attorney general didn't indicate how long of a data-retention period he would support or whether he favored new legislation enforcing such a requirement. He said he has asked Justice Department advisers to come up with recommendations and would "personally" call the CEOs of Internet service providers "to solicit their input and assistance."

Mandatory data retention remains a controversial topic. Privacy advocates generally fear that such a law would allow police to obtain records of e-mail chatter, Web browsing or chat-room activity that normally would have been discarded after a few months--or not kept in the first place. Right now, Internet service providers typically discard any log file they don't need for business purposes, such as network monitoring, fraud prevention or billing disputes.

Proposals for mandatory data retention tend to follow one of two paths. One approach would require businesses to record only the Internet address that is assigned to a customer at a specific time. The second version, which is closer to what Europe adopted, would call for retention of more information including telephone numbers dialed, contents of Web pages visited, and recipients of e-mail messages.

The idea has drawn concern from the Internet service providers themselves, which worry about costs associated with storing the massive amounts of data and argue that existing laws give police sufficient tools to conduct investigations.

A 1996 federal law called the Electronic Communication Transactional Records Act requires ISPs to retain any "record" in their possession for 90 days "upon the request of a governmental entity"--a practice known as "data preservation."

Another federal law requires Internet providers to report online child pornography to the National Center for Missing and Exploited Children's tip line, where analysts are charged with forwarding reports to the appropriate police agency. An ISP's failure to make such reports carries a steep fine, and the Justice Department is floating a proposal with Congress that would add criminal penalties.

"No one wants (the rules) to be cumbersome or burdensome for these businesses," Ernie Allen, head of the National Center for Missing and Exploited Children, told CNET News.com after Gonzales' speech. But at the same time, he said, the information they keep about their customers can be "the essence of what's required to investigate."

Kate Dean, director of the U.S. Internet Service Provider Association, said her member companies looked forward to discussing the matter with the Bush administration. But she said they remained uncertain as to what "added benefit" investigators would derive from data retention requirements. "It's not clear from the attorney general's statements this morning what kind of evidence (stored by ISPs) he's referencing," she said. "We'll need to get some clarification on that."

CNET News.com's Declan McCullagh contributed to this report.