March 12, 2009 -- Lawmakers recently called for a new federal law that would require any provider of Internet access to keep records related to the identity of anyone using its computer networks -- for up to two years.
That means all Internet service providers, businesses providing employees with Internet access, coffee shops and restaurants offering WiFi connections, libraries, and other Internet-enabled places would, at a minimum, be required to maintain records of who used a particular computer to access the Internet and when.
This requirement is problematic enough, but the ambiguity of a key provision in the bill, dubbed the Internet Safety Act, which requires retention of "all records or other information pertaining to the identity of a user" -- even if that usage is temporary -- could sweep in far more sensitive information.
In addition, the data retention requirements might be construed to apply not only to commercial providers but also to any household that has a broadband connection.
Intended to help law enforcement track and prosecute criminals who use the Internet to traffic child pornography, the legislation would in effect require ISPs to keep track of anyone who uses their Internet access.
Painting a Bull's Eye on Our Private Files
We know that one of the best ways to protect our online privacy is to keep the amount of information we share and store on the Internet at a minimum.
Asking AOL, Comcast or Verizon to store details of our online activity in a giant database for two years would not only undermine the less-is-best principle but would also subject a large stockpile of our personal information to theft or accidental disclosure. You might as well paint a bull's-eye on your private files; such a database would be an all-too-tempting target for computer criminals.
The Internet activity of government employees -- members of Congress, law enforcement and other agencies -- could also get swept up in Internet service providers' efforts to comply with this proposed law.
Homeland Security Measures Could Be Compromised
Data about the communication between government agencies and covert operatives who communicate over regular Internet channels would be retained, making the Internet Safety Act problematic for domestic and international security.
That stockpile would be a goldmine for exploitation.
At a time when recent exploits by hackers -- such as the Conficker worm that took control of at least 10 million personal computers -- have exposed the security vulnerabilities of the Internet, mandatory data retention would aggravate the risk of breaches and unauthorized use.
Each time you sign on to WiFi at the coffee shop, check a social networking site via a mobile phone, or sign on to send an email, your ISP and other providers would be required by the law to store information about you for at least two years to enable law enforcement -- on the off chance that you commit a specific crime -- to use legal process to identify you and track you down.
Private Parties, Marketers Could Clamor for Access to Databases
The burden of keeping that data secure would fall on individual service providers, cable companies, wireless carriers, employers who provide Internet access, universities, WiFi hotspot providers, hotels, libraries, schools -- the list extends as far as the Internet reaches: nearly everywhere, including possibly even homeowners.
The vast databases that Internet service and telecom providers (and many others) create will surely be tapped by law enforcement for purposes wholly unrelated to child pornography and abuse.
Private parties, too, will be clamoring for access to the databases. Divorce lawyers and other litigants will seek access as part of civil discovery and the data may also be used for marketing.
Finally, imposing data retention sets a dangerous global precedent at a time when regimes such as China, Vietnam and Egypt are clamping down on Internet freedom by demanding access to information on dissidents and bloggers. The United States cannot ask that Internet companies retain less information on users in those repressive countries in order to protect their rights while at the same time demanding retention of more user data at home.
Ironically, the Internet Safety Act would make the Internet a less safe place.
Enforcing the Laws Already on the Books
We don't need mandatory data retention to effectively investigate child pornography. Under current law, any governmental department can require service providers (such as a phone company, ISP, cable company, university, etc.) to immediately preserve any relevant records on its users for up to 90 days (renewable indefinitely).
And the law is already written in the government's favor. Law enforcement does not need a warrant and is not required to meet an evidentiary threshold in order to trigger this retention requirement.
There are no known cases in which an ISP failed to cooperate under this law. Current law focuses data preservation requirements on criminal suspects; the proposed legislation would extend them to everyone else.
Representative Lamar Smith, R-Texas, the author of the House version of the Internet Safety Act, implied in a Dallas Morning News editorial that a Colorado service provider's failure to keep private records on a perpetrator hindered the investigation of a young victim.
"When investigators approached the service provider in order to match the IP address with the Internet subscriber, the provider had already purged the records," he wrote. "The rapist remains at large; the child has never been found."
The Colorado victim's story tugs at the heartstrings, and we should all be angry that a criminal remains at large.
However, assuming the case is the same one disclosed in media reports in 2006, Smith omits a key point. It's our understanding that the law enforcement agency in question waited four months before asking the ISP for information.
The law already allows investigators to order providers to freeze their data even for months, to give prosecutors time to build their case, and ISPs have always responded to timely requests for assistance.
Unfortunately, in the Colorado case, the prosecutor was too slow to act.
If this data retention requirement becomes law, other such requirements will almost surely follow, and extend to even more sensitive information, including the content of communications. Proceeding with government-mandated data retention would require a full-scale examination of our nation's privacy laws and could potentially open up a host of constitutional questions.
The European Union, for instance, has a data retention directive in place, but it also has strict rules about how the privacy of electronic communications should be governed in the commercial sector, how governments may access it, or when it may be disclosed.
The United States does not have comparable protections. In fact, the United States has no general commercial privacy law that protects the data that would be collected and retained from misuse, and its laws on government access to such stored data are woefully outdated.
It's commendable that our nation's lawmakers care so deeply about stopping the spread of child pornography. We have tough laws on our books and they should be vigorously enforced. But we must not let an emotional issue potentially jeopardize the liberties of the citizenry and the privacy of their electronic communications.