[Politech] Data retention: Not just ISPs, but Google, domain registrars, and more? [priv]

From: Declan McCullagh (declan@private)
Date: Wed Jan 24 2007 - 01:06:38 PST


The Bush administration has made it entirely clear that new laws forcing 
Internet service providers to save certain customer records for police 
convenience will be a priority this year. The concept is called data 
retention (also known as treating all Americans as suspects).

This is not entirely new. The Bush Justice Department has been quietly 
shopping it around since at least mid-2005; I wrote about it at the time:
http://news.com.com/Your+ISP+as+Net+watchdog/2100-1028_3-5748649.html

But bureaucracies take a while to really get organized, and it wasn't 
until last year that Gonzales and Mueller got their talking points lined 
up and found some uncritical sympathizers in the U.S. Congress to carry 
their water for them. Here's a timeline:
http://news.com.com/2100-1028_3-6118283.html

This brings us to the key questions: What's the scope? Who will have to 
comply, and what type of data will be forcibly retained?

Certainly broadband Internet service providers will be regulated. But 
how about coffee shops, bookstores, companies (like CNET) that provide 
free open wireless points, or even private individuals who do? Will they 
have to keep logs of who connects and what their users do? FBI and DOJ 
have also talked about search engines being forced to comply:
http://news.com.com/2100-7348_3-6126877.html

This may not be a big deal for Google, which seems to want to retain all 
user search data until the heat death of the universe, but it does limit 
the valuable competition over privacy-friendly practices that's taking 
place among search engines. AOL says it deletes personally identifiable 
search data after 30 days (and does not keep backups), and Ixquick.com 
is trying to differentiate itself from its rivals by embracing what its 
CEO told me was "the privacy cause":
http://news.com.com/2100-1025_3-6034626.html
http://news.com.com/2100-1025_3-6103486.html

Domain name registrars have also been mentioned as targets of 
regulation. Rep. Bart Stupak, a privacy-impaired Democrat now in a 
position to make some mischief as chairman of an oversight subcommittee, 
said in September that: "If we do compel data retention, is there any 
reason Web hosting sites should be treated differently than ISPs?" See:
http://energycommerce.house.gov/Subcommittees/ovin.shtml
http://news.com.com/2100-1028_3-6119878.html

GoDaddy's general counsel was on the panel and, unfortunately for the 
well-being of thousands of her customers, chose to curry favor by 
agreeing with this constitutionally-challenged politico rather than 
standing on principle. She allowed that such a law would be "productive" 
for law enforcement but should not include the content of communications.

Unfortunately, in the realpolitik of Washington, that's tantamount to an 
enthusiastic endorsement. And Gonzales has already signaled that he's 
interested in more than just what IP address was assigned to what user. 
That's defined as non-content data, and it's readily accessible to Joe 
Local Cop (not to mention an FBI agent) armed with a simple subpoena, no 
judge's signature required.

But last week (and nobody really noticed this), Gonzales suggested he 
wants to force data retention laws on ISPs for data that "could be 
accessed with a court order." See:
http://news.com.com/2100-1036_3-6151325.html

By talking about a court order instead of a subpoena, Gonzales seemed to 
be implying content data instead of just IP addresses. A subpoena is 
merely a request for documents signed by a lawyer; a court order is 
signed by a judge and compliance isn't exactly optional. Federal law 
draws a distinction:
http://www4.law.cornell.edu/uscode/html/uscode42/usc_sec_42_00002000--aa000-.html

I admit my interpretation relies on Gonzales being precise with his 
words (though the alternative is realizing our nation's top law 
enforcement officer knows less about court practices than a first year 
law student). If I'm right, Gonzales is contemplating the content of 
email you send, the content of web pages you visit, the content of IMs 
you send, the content of VoIP calls you -- all recorded, or some subset 
recorded, for future police convenience.

Earlier today, Eric Wenger, a trial attorney with the Justice 
Department's computer crime unit, showed up at a bar association meeting 
and said the DOJ does not have a position on "what records would have to 
be retained":
http://news.com.com/2100-1028_3-6152598.html

One last thought: If all ISPs must keep track of what their users are 
doing, then criminals, terrorists, First Amendment supporters and all 
other miscreants would be more likely to use anonymizing proxies like 
Tor or anonymizer.com. If the DOJ is serious about this anti-privacy 
campaign, banning the use or operation of anonymizing services might be 
a next step (after all, data retention probably doesn't help track 
someone if he's using Tor).

Unlikely? Probably. But not impossible. Remember, back in 1997, one 
House of Representatives committee voted to ban all encryption without 
backdoors for the DOJ, a step that made about as much sense as today's 
data retention mandates:
http://news.com.com/2100-1023-961969.html

-Declan
_______________________________________________
Politech mailing list
Archived at http://www.politechbot.com/
Moderated by Declan McCullagh (http://www.mccullagh.org/)



This archive was generated by hypermail 2.1.3 : Wed Jan 24 2007 - 01:24:42 PST