Imagine a world in which your Internet service provider stores information that would make it trivial for every website you visit, every blog you read and each purchase you make online to be made available to the cops … just in case you commit a crime someday. This is no casual reference to the "Big Brother is Watching You" dystopian world of George Orwell's "1984;" it is the reality of H.R. 1981, a bill in Congress that orders Internet companies to build vast digital warehouses that record and store information that links your online activities to your name and address.
The data retention mandate of the bill is wrapped in the cloak of a politically tough-to-oppose framework: protecting kids from the worst online evils by enhancing law enforcement's investigative powers. The bill would require companies that offer electronic communications services for a fee, including Internet service providers (ISPs), hotels, coffee shops and others, to retain information that could be used to identify their customers when the government comes calling; whether for child protection or for any other investigative purpose.
Although it is always tough to fight a proposal claiming to "protect children," H.R. 1981 has garnered bi-partisan opposition. The Chairman of the House Subcommittee on Crime, Terrorism, and Homeland Security, Rep. James Sensenbrenner (R-Wisc.) said during the hearing he presided over that he will do whatever it takes to "kill the bill." Rep. Zoe Lofgren, (D-Calif.), left no doubt about her opposition when she offered an amendment to name the bill to the "Keep Every American's Digital Data for Submission to the Federal Government Without a Warrant Act." Despite this unusual double-barreled political effort, the bill passed from committee on a 19-10 vote.
H.R. 1981 represents a dangerous expansion of government power, puts Americans' privacy rights at risk, and treats all law-abiding citizens as if they were suspected of committing heinous crimes. Yes, this bill begins to feel like it was pulled from the main plot point of the Tom Cruise movie "Minority Report," in which Cruise works for a special police division called "Precrime" and arrests people based on "evidence" of events that will most likely happen, but actually haven't.
Looking Forward By Looking Across the Pond
There's no need for a crystal ball or conjecture when talking about what the future will look like should this bill become law. All lawmakers have to do is look across the pond to the European Union's contentious history with data retention mandates. The EU's Data Retention Directive mandates that telecommunications service store up to two years worth of customer data. The data collected includes information about phone calls made and emails sent and received (more data than H.R. 1981 would in fact require companies to retain). Europeans have had a visceral reaction to the law; many countries and courts are now backing away from the directive. Three national courts have struck down their versions of the law on constitutional or human rights grounds, putting the directive's future on shaky ground.
As for the claim that this kind of data retention requirement will help law enforcement put more bad guys behind bars? A European group issued a report that claims collecting and storing so much data might actually hamper a law enforcement investigation.
Kate Dean, a representative of the US ISP Association, echoed that stance during congressional testimony. Back in January, Dean told a House Subcommittee that requiring service providers to collect and store large volumes of data might hinder law enforcement's ability to access the information it needs during a time critical investigation.
Here is part of what Dean said:
"Perhaps the biggest concern for both providers and law enforcement may be the risk [of] impairing provider response times for ordinary legal requests and, more importantly, that their ability to respond promptly in true emergencies could suffer. Those who work day-to-day with law enforcement know how important it is that a provider be able to call up data in seconds in cases involving an emergency where time is of the essence. Data from ISPs can be critical in emergencies, such as child abductions, and providers know that in such cases hours, even minutes, could mean the difference between a child returned home safely and one who never makes it home. For this reason, the longer search times that are likely to result from a data retention mandate are a grave concern."
Tap Dancing on our Rights
By mandating the collection and storage of highly personal information and requiring that Internet users' online activities remain associated with their true identities, data retention laws chill the right to anonymous speech and run counter to users' rights to privacy, free expression, and a presumption of innocence.
Law enforcement does have a legitimate need for access to Internet records during actual investigations of criminal acts. The argument against this bill has to be weighed in context with those legitimate law enforcement needs. However, a system that gives law enforcement access to Internet records of the suspects it has identified is already in place. Commonly known as data preservation, this policy permits law enforcement to require ISPs and other entities to collect and retain data for 90 days and to renew the period of preservation indefinitely in 90-day increments.
From a privacy and civil liberties perspective, the benefits of the data preservation approach are enormous. Under a data retention mandate, data about all individuals is retained, creating high compliance costs, violating the rights of all Internet users, and making it more difficult for ISPs and law enforcement to identify the data that they actually need. Under a data preservation regime, data about only the tiny fraction of individuals who have fallen under criminal suspicion is subject to a data preservation requirement. Everyone else would continue to enjoy the same level of privacy he or she would otherwise enjoy regardless of the law enforcement investigation. Under a data preservation regime, service providers can focus their attention and scarce resources on competition and innovation, rather than building tracking databases full of customer information.
Instead of trying to write a law that would require the collection and retention of more of our personal information, Congress should get busy updating laws to protect the data already stored in the digital landscape. Those laws are woefully inadequate.
The Electronic Communications Privacy Act (ECPA) was passed in 1986 to provide more protection for digital data from government access. ECPA was a fine bill—for a digital world circa 1986, when it passed. In 1986 most of the devices we now use to direct our daily lives didn't exist; today the law is outdated, leaving most of our personal data unprotected or protected inadequately. Currently there are no reliable guidelines for how ECPA should be applied to much of the data we generate, such as data stored in the cloud or to mobile location data.
The most immediate "fix" for this problem is reforming ECPA to require law enforcement officials to obtain a warrant based on probable cause before accessing such data.
One of our country's founding principles is that a person is presumed innocent unless a compelling case proves otherwise. The data retention mandates in this bill fly in the face of that presumption and put our cherished privacy and free speech rights at great risk. Let's hope Chairman Sensenbrenner's strong opposition wins the day and data retention disappears into legislative limbo.
Leslie Harris is President and CEO of the Center for Democracy & Technology.