ISP data-retention bill rankles privacy advocates

Opponents of the bill say it wouldn't substantially aid in the enforcement of child exploitation laws, but would be a new and valuable target for hackers

A proposed law designed to fight child pornography has rankled privacy advocates because it would require Internet service providers to keep 12-month logs of customers' names, credit card information and other identifying information that are tied to temporarily assigned network addresses.

Opponents say the law wouldn't markedly help lock up child pornographers and pedophiles, but rather would treat all Americans as criminals so that if law enforcement feels it has a need to find out who visited a website or posted a particular bit of content online, it can.

[ Get your websites up to speed with HTML5 today using the techniques in InfoWorld's HTML5 Deep Dive PDF how-to report. | Learn how to secure your Web browsers in InfoWorld's "Web Browser Security Deep Dive" PDF guide. ]

The Electronic Frontier Foundation notes that the same data could become available to civil litigants in private lawsuits -- whether it's the recording industry trying to identify downloaders, a company trying to uncover and retaliate against an anonymous critic, or a divorce lawyer looking for dirty laundry. The group, which is asking people to contact lawmakers about the issue, also says that the database created would be a new and valuable target for hackers.

"Essentially what this bill is attempting to do is make it such that you can never post anything online without there being a record indicating that you posted it," said Kevin Bankston, senior staff attorney with the EFF.

H.R. 1981 passed through the House Judiciary Committee on Thursday.

Bankston said it doesn't appear the bill would substantially aid in the enforcement of child exploitation laws, which is its stated purpose.

Rather, he said, it would "drive those exploiters to places that offer free Internet service such as your coffee shop or your library because [the bill] only applies to those who provide Internet access for a fee."

Gregory Nojeim, director of the Project and Freedom Security and Technology at the Center for Democracy and Technology, also doesn't see that the bill, if eventually made into law, would markedly help catch criminals involved in child pornography.

"It's likely that child pornography cases will be a teeny tiny percentage of the cases in which law enforcement uses data that is retained under the mandate in this bill," he said.

Instead, he thinks government and law enforcement entities will use the data to investigate other things such as criminal drug activity or for intelligence investigations.

Nojeim said tens of thousands of national security letters are issued every year. Most of them go to the Internet service providers and they request information that includes IP address information as well as email and other electronic communications information that is not content, he said.

The American Civil Liberties Union has a lot to say about those NSLs on its website. Among other things, it says the Justice Department's Inspector General has reported that between 2003 and 2006, the FBI issued nearly 200,000 NSLs. The inspector General has also found serious FBI abuses of the NSL power, the ACLU says.

So while it appears the government has been asking ISPs for online information for a while, it's also not clear exactly what information all ISPs are currently tracking.

"It depends on what ISP you're talking about but not all ISPs [currently] log network address assignment," said Bankston. "For example, T-Mobile does not log IP address assignments through its mobile devices [and] based on testimony in an earlier data retention hearing there's at least one major cable internet provider that does not log IP address assignments."

There's also a question of how long the ISPs track data.

"It may be that companies log these assignments for a short period of time but not for the full year that the bill would require," he added. "But if you're asking what exactly are the practices of all the major ISPs, I think that at this point it is an unanswered question and one that's worth getting answered, particularly to the extent that it might mitigate a need for such legislation."

From here, the bill is headed to the floor of the House of Representatives.

What are its chances for staying alive once Congress gets to it after dealing with the testy debt ceiling debate?

"Some key Republicans opposed the bill and some key Democrats supported it so this is one of those bills that tends to come up late in a session because it's controversial. I think that its prospects will be determined in part by whether Tea Party Republicans see it as a power grab by the government," Nojeim said.

This story, "ISP data-retention bill rankles privacy advocates" was originally published by PCWorld .

Join the discussion
Be the first to comment on this article. Our Commenting Policies