Congress May Again Seek Mandatory ISP Data Retention

WASHINGTON, D.C.—Tuesday, the House Judiciary Subcommittee on Crime, Terrorism and Homeland Security held a hearing chaired by Rep. F. James Sensenbrenner (R-Wis.) on mandatory internet data retention, a subject with which Congress seems congenitally obsessed. Ostensibly a fact-finding hearing, the true intent of the new House leadership is clearly to revive legislation that has previously stalled.

The extent to which such legislation would impose mandatory data retention on internet service providers (ISPs) is unclear at this time, but previous bills from lawmakers and proposals by law enforcement range from forcing providers to retain data for two years about what IP addresses are assigned to which customers to making them store email and instant messaging data as well as what websites people visit. No matter how such a law would be initially crafted, however, the probability that its scope would expand to cover the most common surfing habits is of deep concern to civil libertarians.

“It's already clear where the new House Judiciary Chairman, Representative Lamar Smith (R-Texas), stands on the issue: he introduced data retention legislation just last year and likely will do so again this year,” reported the Electronic Frontier Foundation, whose 2008 whitepaper on Best Practices for Online Service Providers was singled out during the hearing by Deputy Assistant Attorney General Jason Weinstein as “unintentionally the best argument for Congress to intervene in this space than anything that I can say today.”

EFF blasted Weinstein for his thinly veiled implication that the suggested best practices—“designed by attorneys and technologists to best balance the business and technical needs of OSPs and their users' privacy and civil liberties,” according to EFF—were purposefully designed to instruct online service providers how to skirt the law.

“Apparently, the Justice Department thinks that informing internet companies that data retention is not legally required, and also suggesting strategies for protecting their users' privacy, is a clear and present danger to online safety,” wrote Richard Esguerra for EFF. “On the contrary, we think that the Best Practices for OSPs encourages sound privacy policy, a position borne out in 2009 when the Justice Department illegally demanded logs reflecting the IP address of every single person who had visited any page on the political news site Indymedia.us.”

There were voices of opposition to the idea at the hearing. John Morris, general counsel of CDT (Center for Democracy and Technology) [written testimony], and Kate Dean, executive director of the United States Internet Service Provider Association [written testimony], both spoke against any such legislation. But the political winds are blowing to the right, and as CNET’s Declan McCullogh wrote on Monday, the belief that mandatory data retention is necessary in order to give law enforcement more tools to catch child pornographers, predators and other cyber criminals is not a partisan issue.

“Rep. Diana DeGette, a Colorado Democrat, was the first to announce such a proposal,” he wrote. DeGette held similar hearings in 2006, when the Justice Department also was “quietly shopping around the idea of mandatory data retention.” The EU had passed a sweeping mandatory data retention law in December of 2005, a move that was assumed to spark similar interest in the States.

Six years later, a U.S. law has not yet been passed, but it is not for a lack of trying. Smith of Texas introduced the “Internet Stopping Adults Facilitating the Exploitation of Today’s Youth Act (SAFETY) of 2007, but the bill never made it out of committee. In 2008, FBI director Robert Mueller and several members of Congress proposed extending to private networks a program already in use by the FBI called Einstein that supervised traffic on federal government networks. Darrell Issa (R-CA), who is now the chairman of the House Committee on Oversight and Government Reform, supported the idea at the time.

In 2009, Smith tried again, joining John Cornyn (R-TX) in introducing companion bills in the House and Senate that would have required all internet providers and operators of Wi-Fi access points, hotels, local coffee shops and home users, to keep records about users for two years. Those efforts also failed to make it out of their various committees.

2011 is of course a decidedly different political environment in Washington than even a year ago, and it is quite likely that social conservatives feel that groups like the Tea Party provide a momentum that needs to be exploited as soon as possible, certainly before the next election. But even more troubling for groups like EFF and CDT is the fact that the current administration seems all too eager to support mandatory data retention.

“Unfortunately,” wrote Esguerra, “today's hearing is the first signal that the Obama administration, like the Bush administration before it, hopes to push a new data retention law through Congress. Thankfully, at least some representatives present at the hearing seemed to recognize that when Americans' privacy and security are at risk, a healthy level of skepticism and rigorous investigation will be vital to avoid creating disastrous legislation.”