January 24, 2011
Justice Department seeks mandatory data retention
by Declan McCullagh
Criminal investigations "are being frustrated" because no law currently exists to force Internet providers to keep track of what their customers are doing, the U.S. Department of Justice will announce tomorrow.
CNET obtained a copy of the department's position on mandatory data retention--saying Congress should strike a "more appropriate balance" between privacy and police concerns--that will be announced at a House of Representatives hearing tomorrow.
"Data retention is fundamental to the department's work in investigating and prosecuting almost every type of crime," Jason Weinstein, deputy assistant attorney general for the criminal division, will say, according to his written testimony. "The problem of investigations being stymied by a lack of data retention is growing worse." (See related article.)
The Bush Justice Department endorsed such proposals under Attorney General Alberto Gonzales. Tomorrow's announcement demonstrates that the Obama Justice Department is following suit and appears to be its first public statement embracing mandatory data retention.
That aligns the Justice Department with data retention's more aggressive supporters among House Republicans and places it at odds with privacy advocates, civil libertarians, and the Internet industry. Those groups have questioned the privacy, liability, cost, and scope, including whether businesses such as coffee shops would be required to identify and monitor whoever uses their wireless connections.
Rep. F. James Sensenbrenner (R-Wisc.), who is convening tomorrow's House crime subcommittee hearing, is a longtime supporter of forcing Internet providers to store additional data about their users. So is the new chairman of the full House Judiciary committee, Lamar Smith (R-Texas), who introduced a data retention bill in an earlier session of Congress.
As a Justice Department official in the 1990s, Attorney General Eric Holder touted the idea of mandatory data retention. In 1999, Holder said "certain data must be retained by ISPs for reasonable periods of time so that it can be accessible to law enforcement."
Weinstein, who has previously testified (PDF) on intellectual property infringement and was chief of the violent crime section of the U.S. Attorney's office in Baltimore, stopped short of offering a specific proposal in his prepared remarks. While the lack of forced data retention can be "extremely harmful," he didn't provide details on duration or scope, including whether Web sites and social networking sites should be swept into any requirements.
Other excerpts from Weinstein's written testimony before the House Judiciary Subcommittee on Crime, Terrorism, and Homeland Security:
• In one ongoing investigation involving social networking sites allegedly being used to share child porn images, the FBI and other agencies sent 172 requests to Internet service providers to learn the identities behind Internet Protocol (IP) addresses. Nineteen percent of the requests could not be fulfilled. (It's not clear, however, whether police simply moved too slowly and didn't send the requests in time.)
• Larger providers have "established policies about how long they retain this data." But smaller providers may not: one unnamed mid-size cell phone company reportedly does not retain any records, and another unnamed cable Internet provider does not keep track of the IP addresses it assigns to customers.
• Internet and cell phone companies' records are vital not just to federal police and prosecutors, but also their state and local counterparts. Those records can aid in investigations of a "wide array of crimes, including child exploitation, violent crime, fraud, terrorism, public corruption, drug trafficking, online piracy, computer hacking."
Also testifying tomorrow is John Douglass, the chief of police for Overland Park, Kansas, on behalf of the International Association of Chiefs of Police. In 2006, the IACP adopted a resolution (PDF) calling for a "uniform data retention mandate" for "customer subscriber information and source and destination information," which apparently means keeping track of what Web sites every Internet user visits. A representative of the IACP said today it continues to support the resolution.
Douglass will ask Congress for "clear guidance and regulations on data retention," according to a source familiar with the IACP's testimony. Like the Justice Department, the IACP will not offer specifics but instead will recount how criminal investigations have been hindered to date.
For now, the scope of any mandatory data retention law remains hazy. It could mean forcing companies to store data for two years about what Internet addresses are assigned to which customers. (Comcast said in 2006 that it would be retaining those records for six months.)
Or it could be more intrusive, sweeping in online service providers, and involve keeping track of e-mail and instant-messaging correspondence and what Web pages users visit. Some Democratic politicians have previously called for data retention laws to extend to domain name registries and Web hosting companies and even social-networking sites. An FBI attorney said last year that the bureau supports storing Internet users' "origin and destination information," meaning logs of which Web sites are visited.
AOL said today that "we are waiting to see the proposed legislation to understand what data needs to be retained and for what time period."
These concepts are not exactly new. In June 2005, CNET was the first to report that the Justice Department was quietly shopping around the idea, reversing the department's previous position that it had "serious reservations about broad mandatory data retention regimes." Despite support from FBI director Robert Mueller and the Bush Justice Department, however, the proposals languished amid worries about privacy and the cost of compliance.
"Retention" versus "preservation"
At the moment, Internet service providers typically discard any log file that's no longer required for business reasons such as network monitoring, fraud prevention or billing disputes. Companies do, however, alter that general rule when contacted by police performing an investigation--a practice called data preservation.
A 1996 federal law called the Electronic Communication Transactional Records Act regulates data preservation. It requires Internet providers to retain any "record" in their possession for 90 days "upon the request of a governmental entity."
Because Internet addresses remain a relatively scarce commodity, ISPs tend to allocate them to customers from a pool based on whether a computer is in use at the time. (Two standard techniques used are the Dynamic Host Configuration Protocol and Point-to-Point Protocol over Ethernet.)
In addition, an existing law called the Protect Our Children Act of 2008 requires any Internet provider who "obtains actual knowledge" of possible child pornography transmissions to "make a report of such facts or circumstances." Companies that knowingly fail to comply can be fined up to $150,000 for the first offense and up to $300,000 for each subsequent offense.