Data retention plan hits Capitol Hill snag

Controversial legislation to require Internet providers to store logs about their customers for 18 months has run into an unexpected obstacle: a former supporter.

"This bill needs a lot of fixing up," Rep. F. James Sensenbrenner, a Wisconsin Republican and previous chairman of the House Judiciary committee, said at a hearing today. "It's not ready for prime time."

The bill in question is H.R. 1981, which says Internet providers must store for "at least 18 months the temporarily assigned network addresses the service assigns to each account," unless it's a wireless provider like AT&T, T-Mobile, or Verizon.

Sensenbrenner's concerns are noteworthy because he has been a prominent sponsor of data retention legislation before. In 2006, CNET was the first to report that he had drafted legislation that would require Internet providers to store whatever records the attorney general deems reasonable--or face jail time. As recently as January, Sensenbrenner convened a hearing to resuscitate the idea.

As CNET first reported yesterday, the National Sheriffs' Association announced it "strongly supports" H.R. 1981. The National Center for Missing and Exploited Children likes it too.

But during today's hearing before Sensenbrenner's crime subcommittee, even the sponsor of H.R. 1981, current Judiciary chairman Lamar Smith (R-Tex.) acknowledged that there were problems with the legislation.

We want to "figure out a way so that we do not exempt wireless providers," Smith said. That exemption apparently came about after lobbying from wireless companies, and has already drawn sharp criticism from the Justice Department.

Michigan Rep. John Conyers, the Judiciary committee's senior Democrat, said his concern about the bill is that--although it's called the Protecting Children From Internet Pornographers Act of 2011--the mandatory logs could be used to prosecute all sorts of crimes, not only ones dealing with child safety.

"The bill's title, Protecting Children From Internet Pornographers Act, is a misnomer because the legislation is really not about those types of crimes at all," Conyers said. "Because if it were, it would certainly not contain a broad exemption for the largest Internet service providers such as AT&T, and it would target child exploitation."

Ernie Allen, president of the National Center for Missing and Exploited Children, said that both FBI Director Robert Mueller and Attorney General Eric Holder want broad data retention requirement for more than child exploitation prosecutions. Unless the bill is modified, of course, the logs could be accessed by state and local law enforcement and civil litigants in divorce or insurance cases as well.

Similar bills have been introduced starting in early 2006, but privacy and civil liberty concerns have kept them from even receiving a floor vote. So has the scope: industry representatives have been wary ever since Justice Department representatives began proposing that social networking-sites should be required to keep track of what Internet address uploaded what photograph.

Marc Rotenberg, executive director of the Electronic Privacy Information Center, suggested (PDF) that the committee rewrite the measure:

Although this data retention requirement has been introduced as part of a bill focused on child sexual exploitation, there is no evidence to suggest that the majority of law enforcement requests for customer subscriber information relate to child protection cases. Congress showed great wisdom in the past by requiring the creation of annual reports that detail the use of wiretap authorities.

Child pornography is certainly a substantial and difficult issue. But the data retention solution proposed in this bill is overly expansive and invasive. This collection of user data will, in fact, create a new threat for millions of internet users: the threat of dragnet law enforcement and data breaches. The experience with Europe is telling.

The definitions in Smith's bill could sweep in coffee shops that offer connections to their customers, as well as hotels, universities, schools, and businesses that provide network connections, and of course traditional broadband providers too.

"Retention" vs. "preservation"
At the moment, Internet service providers typically discard any log file that's no longer required for business reasons such as network monitoring, fraud prevention, or billing disputes. Companies do, however, alter that general rule when contacted by police performing an investigation--a practice called data preservation.

A 1996 federal law called the Electronic Communication Transactional Records Act regulates data preservation. It requires Internet providers to retain any "record" in their possession for 90 days "upon the request of a governmental entity."

Because Internet addresses remain a relatively scarce commodity, ISPs tend to allocate them to customers from a pool based on whether a computer is in use at the time. (Two standard techniques used are the Dynamic Host Configuration Protocol and Point-to-Point Protocol over Ethernet.)

In addition, an existing law called the Protect Our Children Act of 2008 requires any Internet provider who "obtains actual knowledge" of possible child pornography transmissions to "make a report of such facts or circumstances." Companies that knowingly fail to comply can be fined up to $150,000 for the first offense and up to $300,000 for each subsequent offense.