washingtonpost.com
Bill Would Make ISPs Keep Data On Users
Questions Are Raised On Privacy, Practicality

By Ellen Nakashima
Washington Post Staff Writer
Tuesday, February 13, 2007

A House Republican is pushing a measure that echoes a long-sought Bush administration goal: to require all Internet service providers to keep records on their subscribers.

The measure, introduced by Rep. Lamar Smith (R-Tex.) last week as part of the larger SAFETY Act, would give the attorney general broad discretion to write the rules on what information companies have to retain and for how long.

It is aimed at protecting children from predators, but privacy advocates say its privacy and civil-liberties implications are huge, and industry is concerned about the costs of compliance. News of the measure has spread around the blogosphere, as critics seek to mobilize opposition to the SAFETY Act.

The provision would require Internet service companies to provide at a minimum the Internet subscriber's name and address, which can be linked to an Internet protocol address -- an identification number associated with a particular computer at a given time. Law enforcement officials would have to obtain a subpoena to have access to the records and could not use the tool to track law-abiding citizens on the Internet, Smith said.

Smith, the ranking minority member of the House Judiciary Committee, said law enforcement has identified mandatory data retention as "the number one tool" it needs to identify and prosecute Internet sexual predators. Last year, the European Union adopted a two-year data-retention requirement for all Internet service providers, and Smith said Congress should adopt a similar law that balances the cost of retaining data with the benefits to law enforcement.

But Lauren Weinstein, co-founder of People for Internet Responsibility, an advocacy group, said Smith's proposal is far too vague. "This bill is so incredibly bad that it opens up a whole array of things that can go wrong, because there's nothing in this legislation to prevent the attorney general from simply saying, 'Save everything forever,' " he said.

He called data retention the "single most important issue" relating to privacy, free speech and technology.

Under mandatory data retention, the chances of targeting innocent people would go up, opponents say. In Arlington County last summer, detectives thought they had tracked an Internet child predator to an apartment, only to find that their target was an innocent elderly woman whose computer's wireless router sent a signal throughout her 10-story building that could be easily hijacked.

Last fall, a child-porn squad in central Virginia led by sheriffs armed with semiautomatic pistols scared a farmer who was mistakenly targeted when his Internet provider gave authorities the incorrect IP address.

U.S. Attorney General Alberto R. Gonzales, who began pushing for mandatory data retention about a year ago, told the Senate Judiciary Committee last month that child exploitation investigations have hit dead ends because Internet service providers were not required to keep subscriber data.

A Justice Department spokeswoman said the department had not taken a position on Smith's proposal but was looking at data retention. "We do believe that there is a need for it," spokeswoman Tasia Scolinos said.

What concerns both privacy advocates and industry is the bill's open-endedness.

"The Smith proposal would give the attorney general carte blanche to require service providers to keep all information imaginable on every one of their users," said Kate Dean, executive director of the U.S. Internet Service Provider Association, which represents the nine major providers, including AOL, AT&T, Microsoft, Yahoo and Comcast.

Dean also said the measure could affect a wide range of service providers. "Does this cover wi-fi providers and coffee shops and hotels? Schools and libraries? And, most importantly, the government itself, because that remains unclear."

John Morris, policy director for the Center for Technology and Democracy, said the risks for civil liberties would be enormous if a bill that extends to content of e-mails, computer instant messaging and Web surfing habits. "I would expect that the Justice Department would impose an extremely broad data-retention mandate," he said.

The sheer volume of data could be overwhelming. The amount of data in a week's worth of short instant messages alone would fill two Libraries of Congress, Morris said. Dean said the data retention could impose new costs on innovation. "Any blanket data-retention requirement would dramatically affect new services that companies bring to the market," she said, referring to potential new storage requirements.

The issues proliferate, she said: What if there's a technical failure? Would the data need to be kept "live" for quicker law enforcement access or stored on tapes? Would the data be kept for one year, 20 years or indefinitely?

Weinstein, a computer scientist who focuses on technology's impact, said people interested in child porn could easily use computer viruses to direct innocent people's machines to download the images and then shoot the images back to the perpetrators through obscure channels that are difficult to trace.

Staff researcher Richard Drezen contributed to this report.

View all comments that have been posted about this article.

© 2007 The Washington Post Company