[Politech] Data retention: Not just ISPs, but Google, domain registrars, and more? [priv]

Declan McCullagh declan at well.com
Wed Jan 24 01:06:38 PST 2007


The Bush administration has made it entirely clear that new laws forcing
Internet service providers to save certain customer records for police
convenience will be a priority this year. The concept is called data
retention (also known as treating all Americans as suspects).

This is not entirely new. The Bush Justice Department has been quietly
shopping it around since at least mid-2005; I wrote about it at the time:
http://news.com.com/Your+ISP+as+Net+watchdog/2100-1028_3-5748649.html

But bureaucracies take a while to really get organized, and it wasn't
until last year that Gonzales and Mueller got their talking points lined
up and found some uncritical sympathizers in the U.S. Congress to carry
their water for them. Here's a timeline:
http://news.com.com/2100-1028_3-6118283.html

This brings us to the key questions: What's the scope? Who will have to
comply, and what type of data will be forcibly retained?

Certainly broadband Internet service providers will be regulated. But
how about coffee shops, bookstores, companies (like CNET) that provide
free open wireless points, or even private individuals who do? Will they
have to keep logs of who connects and what their users do? FBI and DOJ
have also talked about search engines being forced to comply:
http://news.com.com/2100-7348_3-6126877.html

This may not be a big deal for Google, which seems to want to retain all
user search data until the heat death of the universe, but it does limit
the valuable competition over privacy-friendly practices that's taking
place among search engines. AOL says it deletes personally identifiable
search data after 30 days (and does not keep backups), and Ixquick.com
is trying to differentiate itself from its rivals by embracing what its
CEO told me was "the privacy cause":
http://news.com.com/2100-1025_3-6034626.html
http://news.com.com/2100-1025_3-6103486.html

Domain name registrars have also been mentioned as targets of
regulation. Rep. Bart Stupak, a privacy-impaired Democrat now in a
position to make some mischief as chairman of an oversight subcommittee,
said in September that: "If we do compel data retention, is there any
reason Web hosting sites should be treated differently than ISPs?" See:
http://energycommerce.house.gov/Subcommittees/ovin.shtml
http://news.com.com/2100-1028_3-6119878.html

GoDaddy's general counsel was on the panel and, unfortunately for the
well-being of thousands of her customers, chose to curry favor by
agreeing with this constitutionally-challenged politico rather than
standing on principle. She allowed that such a law would be "productive"
for law enforcement but should not include the content of communications.

Unfortunately, in the realpolitik of Washington, that's tantamount to an
enthusiastic endorsement. And Gonzales has already signaled that he's
interested in more than just what IP address was assigned to what user.
That's defined as non-content data, and it's readily accessible to Joe
Local Cop (not to mention an FBI agent) armed with a simple subpoena, no
judge's signature required.

But last week (and nobody really noticed this), Gonzales suggested he
wants to force data retention laws on ISPs for data that "could be
accessed with a court order." See:
http://news.com.com/2100-1036_3-6151325.html

By talking about a court order instead of a subpoena, Gonzales seemed to
be implying content data instead of just IP addresses. A subpoena is
merely a request for documents signed by a lawyer; a court order is
signed by a judge and compliance isn't exactly optional. Federal law
draws a distinction:
http://www4.law.cornell.edu/uscode/html/uscode42/usc_sec_42_00002000--aa000-.html

I admit my interpretation relies on Gonzales being precise with his
words (though the alternative is realizing our nation's top law
enforcement officer knows less about court practices than a first-year
law student). If I'm right, Gonzales is contemplating the content of
email you send, the content of web pages you visit, the content of IMs
you send, the content of VoIP calls you make -- all recorded, or some subset
recorded, for future police convenience.

Earlier today, Eric Wenger, a trial attorney with the Justice
Department's computer crime unit, showed up at a bar association meeting
and said the DOJ does not have a position on "what records would have to
be retained":
http://news.com.com/2100-1028_3-6152598.html

One last thought: If all ISPs must keep track of what their users are
doing, then criminals, terrorists, First Amendment supporters and all
other miscreants would be more likely to use anonymizing proxies like
Tor or anonymizer.com. If the DOJ is serious about this anti-privacy
campaign, banning the use or operation of anonymizing services might be
a next step (after all, data retention probably doesn't help track
someone if he's using Tor).

Unlikely? Probably. But not impossible. Remember, back in 1997, one
House of Representatives committee voted to ban all encryption without
backdoors for the DOJ, a step that made about as much sense as today's
data retention mandates:
http://news.com.com/2100-1023-961969.html

-Declan
_______________________________________________
Politech mailing list
Archived at http://www.politechbot.com/
Moderated by Declan McCullagh (http://www.mccullagh.org/)

----- End forwarded message -----
--
Eugen* Leitl <a href="http://leitl.org">leitl</a> http://leitl.org
______________________________________________________________
ICBM: 48.07100, 11.36820            http://www.ativel.com
8B29F6BE: 099D 78BA 2FD3 B014 B08A  7779 75B0 2443 8B29 F6BE
