January 24, 2011 CNET News
Justice Department seeks mandatory data retention
by Declan McCullagh <http://www.cnet.com/profile/declan00/>
Criminal investigations "are being frustrated" because no law currently
exists to force Internet providers to keep track of what their customers are
doing, the U.S. Department of Justice will announce tomorrow.
CNET obtained a copy of the department's position on mandatory data
retention--saying Congress should strike a "more appropriate balance"
between privacy and police concerns--that will be announced at a House of
Representatives hearing tomorrow.
"Data retention is fundamental to the department's work in investigating and
prosecuting almost every type of crime," Jason Weinstein, deputy assistant
attorney general for the criminal division, will say, according to his
written testimony. "The problem of investigations being stymied by a lack of
data retention is growing worse." (See related article
<http://news.cnet.com/8301-31921_3-20029393-281.html> .)
The Bush Justice Department endorsed
<http://news.cnet.com/Gonzales-pressures-ISPs-on-data-retention/2100-1028_3-
6077654.html> such proposals under Attorney General Alberto Gonzales.
Tomorrow's announcement demonstrates that the Obama Justice Department is
following suit and appears to be its first public statement embracing
mandatory data retention.
That aligns the Justice Department with data retention's more aggressive
supporters among House Republicans and places it at odds with privacy
advocates, civil libertarians, and the Internet industry. Those groups have
questioned the privacy, liability, cost, and scope, including whether
businesses such as coffee shops would be required to identify and monitor
whoever uses their wireless connections.
Rep. F. James Sensenbrenner <http://sensenbrenner.house.gov/> (R-Wisc.),
who is convening tomorrow's House crime subcommittee hearing, is a longtime
supporter
<http://news.cnet.com/Congress-may-make-ISPs-snoop-on-you/2100-1028_3-607260
1.html> of forcing Internet providers to store additional data about their
users. So is the new chairman of the full House Judiciary committee, Lamar
Smith (R-Texas), who introduced a data retention
<http://news.cnet.com/2100-1028_3-6156948.html> bill in an earlier session
of Congress.
As a Justice Department official in the 1990s, Attorney General Eric Holder
touted <http://news.cnet.com/8301-13578_3-10110922-38.html> the idea of
mandatory data retention. In 1999, Holder said
<http://www.justice.gov/criminal/cybercrime/dagceos.html> "certain data
must be retained by ISPs for reasonable periods of time so that it can be
accessible to law enforcement."
Weinstein, who has previously testified (PDF
<http://www.justice.gov/criminal/cybercrime/11-09-09_DAAG-WEINSTEIN-TESTIMON
Y.pdf> ) on intellectual property infringement and was chief of the violent
crime section of the U.S. Attorney's office in Baltimore, stopped short of
offering a specific proposal in his prepared remarks. While the lack of
forced data retention can be "extremely harmful," he didn't provide details
on duration or scope, including whether Web sites and social networking
sites
<http://news.cnet.com/Congress-targets-social-networking-sites/2100-1028_3-6
089574.html> should be swept into any requirements.
Other excerpts from Weinstein's written testimony before the House Judiciary
Subcommittee on Crime, Terrorism, and Homeland Security:
. In one ongoing investigation involving social networking sites allegedly
being used to share child porn images, the FBI and other agencies sent 172
requests to Internet service providers to learn the identities behind
Internet Protocol (IP) addresses. Nineteen percent of the requests could not
be fulfilled. (It's not clear, however, whether police simply moved too
slowly and didn't send the requests in time.)
. Larger providers have "established policies about how long they retain
this data." But smaller providers may not: one unnamed mid-size cell phone
company reportedly does not retain any records, and another unnamed cable
Internet provider does not keep track of the IP addresses it assigns to
customers.
. Internet and cell phone companies' records are vital not just to federal
police and prosecutors, but also their state and local counterparts. Those
records can aid in investigations of a "wide array of crimes, including
child exploitation, violent crime, fraud, terrorism, public corruption, drug
trafficking, online piracy, computer hacking."
Also testifying tomorrow is John Douglass, the chief of police for Overland
Park, Kansas, on behalf of the International Association of Chiefs of
Police. In 2006, the IACP adopted a resolution
<http://www.theiacp.org/resolution/2006Resolutions.pdf> (PDF) calling for a
"uniform data retention mandate" for "customer subscriber information and
source and destination information," which apparently means keeping track of
what Web sites every Internet user visits. A representative of the IACP said
today it continues to support the resolution.
Douglass will ask Congress for "clear guidance and regulations on data
retention," according to a source familiar with the IACP's testimony. Like
the Justice Department, the IACP will not offer specifics but instead will
recount how criminal investigations have been hindered to date.
For now, the scope of any mandatory data retention law remains hazy. It
could mean forcing companies to store data for two years about what Internet
addresses are assigned to which customers. (Comcast said in 2006
<http://news.cnet.com/Congress-targets-social-networking-sites/2100-1028_3-6
089574.html> that it would be retaining those records for six months.)
Or it could be more intrusive, sweeping in online service providers, and
involve keeping track of e-mail and instant-messaging correspondence and
what Web pages users visit. Some Democratic politicians have previously
called for data retention laws to extend
<http://news.cnet.com/Politicos-mull-data-retention-by-Web-hosts%2C-registra
rs/2100-1028_3-6119878.html> to domain name registries and Web hosting
companies and even social-networking sites
<http://news.cnet.com/Congress-targets-social-networking-sites/2100-1028_3-6
089574.html> . An FBI attorney said last year
<http://news.cnet.com/8301-13578_3-10448060-38.html> that the bureau
supports storing Internet users' "origin and destination information,"
meaning logs of which Web sites are visited.
AOL said today that "we are waiting to see the proposed legislation to
understand what data needs to be retained and for what time period."
These concepts are not exactly new. In June 2005, CNET was the first to
report
<http://news.cnet.com/Your-ISP-as-Net-watchdog/2100-1028_3-5748649.html>
that the Justice Department was quietly shopping around the idea, reversing
the department's previous position that it had "serious reservations about
broad mandatory data retention regimes." Despite support from FBI director
Robert Mueller and the Bush Justice Department, however, the proposals
languished amid worries about privacy and the cost of compliance.
"Retention" versus "preservation"
At the moment, Internet service providers typically discard any log file
that's no longer required for business reasons such as network monitoring,
fraud prevention or billing disputes. Companies do, however, alter that
general rule when contacted by police performing an investigation--a
practice called data preservation.
A 1996 federal law <http://www.usdoj.gov/criminal/cybercrime/2703_CSEA.htm>
called the Electronic Communication Transactional Records Act regulates data
preservation. It requires
<http://news.cnet.com/My-brief-career-as-an-ISP/2010-7355_3-5089267.html>
Internet providers to retain any "record" in their possession for 90 days
"upon the request of a governmental entity."
Because Internet addresses remain a relatively scarce commodity, ISPs tend
to allocate them to customers from a pool based on whether a computer is in
use at the time. (Two standard techniques used are the Dynamic Host
Configuration Protocol
<http://en.wikipedia.org/wiki/Dynamic_Host_Configuration_Protocol> and
Point-to-Point Protocol over Ethernet
<http://en.wikipedia.org/wiki/Point-to-Point_Protocol_over_Ethernet> .)
In addition, an existing law called the Protect Our Children Act of 2008
<http://thomas.loc.gov/cgi-bin/bdquery/z?d110:S.1738:> requires any
Internet provider who "obtains actual knowledge" of possible child
pornography transmissions to "make a report of such facts or circumstances."
Companies that knowingly fail to comply can be fined up to $150,000 for the
first offense and up to $300,000 for each subsequent offense.
<http://news.cnet.com/8301-31921_3-20029423-281.html#ixzz1CgPxQMUR>
http://news.cnet.com/8301-31921_3-20029423-281.html
Received on Tue Feb 1 00:45:40 2011
This archive was generated by hypermail 2.1.8 : Mon Sep 19 2011 - 18:55:05 EDT