The Bush administration has made it entirely clear that new laws forcing Internet service providers to save certain customer records for police convenience will be a priority this year. The concept is called data retention (also known as treating all Americans as suspects).

This is not entirely new. The Bush Justice Department has been quietly shopping it around since at least mid-2005; I wrote about it at the time:
http://news.com.com/Your+ISP+as+Net+watchdog/2100-1028_3-5748649.html

But bureaucracies take a while to really get organized, and it wasn't until last year that Gonzales and Mueller got their talking points lined up and found some uncritical sympathizers in the U.S. Congress to carry their water for them. Here's a timeline:
http://news.com.com/2100-1028_3-6118283.html

This brings us to the key questions: What's the scope? Who will have to comply, and what type of data will be forcibly retained?

Certainly broadband Internet service providers will be regulated. But how about coffee shops, bookstores, companies (like CNET) that provide free open wireless points, or even private individuals who do? Will they have to keep logs of who connects and what their users do?

FBI and DOJ have also talked about search engines being forced to comply:
http://news.com.com/2100-7348_3-6126877.html

This may not be a big deal for Google, which seems to want to retain all user search data until the heat death of the universe, but it does limit the valuable competition over privacy-friendly practices that's taking place among search engines. AOL says it deletes personally identifiable search data after 30 days (and does not keep backups), and Ixquick.com is trying to differentiate itself from its rivals by embracing what its CEO told me was "the privacy cause":
http://news.com.com/2100-1025_3-6034626.html
http://news.com.com/2100-1025_3-6103486.html

Domain name registrars have also been mentioned as targets of regulation. Rep. Bart Stupak, a privacy-impaired Democrat now in a position to make some mischief as chairman of an oversight subcommittee, said in September that: "If we do compel data retention, is there any reason Web hosting sites should be treated differently than ISPs?" See:
http://energycommerce.house.gov/Subcommittees/ovin.shtml
http://news.com.com/2100-1028_3-6119878.html

GoDaddy's general counsel was on the panel and, unfortunately for the well-being of thousands of her customers, chose to curry favor by agreeing with this constitutionally-challenged politico rather than standing on principle. She allowed that such a law would be "productive" for law enforcement but should not include the content of communications. Unfortunately, in the realpolitik of Washington, that's tantamount to an enthusiastic endorsement.

And Gonzales has already signaled that he's interested in more than just what IP address was assigned to what user. That's defined as non-content data, and it's readily accessible to Joe Local Cop (not to mention an FBI agent) armed with a simple subpoena, no judge's signature required.

But last week (and nobody really noticed this), Gonzales suggested he wants to force data retention laws on ISPs for data that "could be accessed with a court order." See:
http://news.com.com/2100-1036_3-6151325.html

By talking about a court order instead of a subpoena, Gonzales seemed to be implying content data instead of just IP addresses. A subpoena is merely a request for documents signed by a lawyer; a court order is signed by a judge and compliance isn't exactly optional. Federal law draws a distinction:
http://www4.law.cornell.edu/uscode/html/uscode42/usc_sec_42_00002000--aa000-.html

I admit my interpretation relies on Gonzales being precise with his words (though the alternative is realizing our nation's top law enforcement officer knows less about court practices than a first year law student).

If I'm right, Gonzales is contemplating the content of email you send, the content of web pages you visit, the content of IMs you send, the content of VoIP calls you -- all recorded, or some subset recorded, for future police convenience.

Earlier today, Eric Wenger, a trial attorney with the Justice Department's computer crime unit, showed up at a bar association meeting and said the DOJ does not have a position on "what records would have to be retained":
http://news.com.com/2100-1028_3-6152598.html

One last thought: If all ISPs must keep track of what their users are doing, then criminals, terrorists, First Amendment supporters and all other miscreants would be more likely to use anonymizing proxies like Tor or anonymizer.com. If the DOJ is serious about this anti-privacy campaign, banning the use or operation of anonymizing services might be a next step (after all, data retention probably doesn't help track someone if he's using Tor).

Unlikely? Probably. But not impossible. Remember, back in 1997, one House of Representatives committee voted to ban all encryption without backdoors for the DOJ, a step that made about as much sense as today's data retention mandates:
http://news.com.com/2100-1023-961969.html

-Declan

_______________________________________________
Politech mailing list
Archived at http://www.politechbot.com/
Moderated by Declan McCullagh (http://www.mccullagh.org/)

This archive was generated by hypermail 2.1.3 : Wed Jan 24 2007 - 01:24:42 PST