Bill Would Make ISPs Keep Data On Users
Tuesday, February 13, 2007
A House Republican is pushing a measure that echoes a long-sought Bush administration goal: to require all Internet service providers to keep records on their subscribers.
The measure, introduced by Rep. Lamar Smith (R-Tex.) last week as part of the larger SAFETY Act, would give the attorney general broad discretion to write the rules on what information companies have to retain and for how long.
It is aimed at protecting children from predators, but privacy advocates say its privacy and civil-liberties implications are huge, and industry is concerned about the costs of compliance. News of the measure has spread around the blogosphere, as critics seek to mobilize opposition to the SAFETY Act.
The provision would require Internet service companies to provide at a minimum the Internet subscriber's name and address, which can be linked to an Internet protocol address -- an identification number associated with a particular computer at a given time. Law enforcement officials would have to obtain a subpoena to have access to the records and could not use the tool to track law-abiding citizens on the Internet, Smith said.
Smith, the ranking minority member of the House Judiciary Committee, said law enforcement has identified mandatory data retention as "the number one tool" it needs to identify and prosecute Internet sexual predators. Last year, the European Union adopted a two-year data-retention requirement for all Internet service providers, and Smith said Congress should adopt a similar law that balances the cost of retaining data with the benefits to law enforcement.
But Lauren Weinstein, co-founder of People for Internet Responsibility, an advocacy group, said Smith's proposal is far too vague. "This bill is so incredibly bad that it opens up a whole array of things that can go wrong, because there's nothing in this legislation to prevent the attorney general from simply saying, 'Save everything forever,' " he said.
He called data retention the "single most important issue" relating to privacy, free speech and technology.
Under mandatory data retention, the chances of targeting innocent people would go up, opponents say. In Arlington County last summer, detectives thought they had tracked an Internet child predator to an apartment, only to find that their target was an innocent elderly woman whose computer's wireless router sent a signal throughout her 10-story building that could be easily hijacked.
Last fall, a child-porn squad in central Virginia led by sheriffs armed with semiautomatic pistols scared a farmer who was mistakenly targeted when his Internet provider gave authorities the incorrect IP address.
U.S. Attorney General Alberto R. Gonzales, who began pushing for mandatory data retention about a year ago, told the Senate Judiciary Committee last month that child exploitation investigations have hit dead ends because Internet service providers were not required to keep subscriber data.
A Justice Department spokeswoman said the department had not taken a position on Smith's proposal but was looking at data retention. "We do believe that there is a need for it," spokeswoman Tasia Scolinos said.
What concerns both privacy advocates and industry is the bill's open-endedness.