Bill proposes ISPs, Wi-Fi keep logs for police

[Eugen Leitl]

http://news.cnet.com/8301-13578_3-10168114-38.html

Bill proposes ISPs, Wi-Fi keep logs for police

by Declan McCullagh

Republican politicians on Thursday called for a sweeping new federal law that
would require all Internet providers and operators of millions of Wi-Fi
access points, even hotels, local coffee shops, and home users, to keep
records about users for two years to aid police investigations.

The legislation, which echoes a measure proposed by one of their Democratic
colleagues three years ago, would impose unprecedented data retention
requirements on a broad swath of Internet access providers and is certain to
draw fire from businesses and privacy advocates.

"While the Internet has generated many positive changes in the way we
communicate and do business, its limitless nature offers anonymity that has
opened the door to criminals looking to harm innocent children," U.S. Sen.
John Cornyn, a Texas Republican, said at a press conference on Thursday.
"Keeping our children safe requires cooperation on the local, state, federal,
and family level."

Joining Cornyn was Texas Rep. Lamar Smith, the senior Republican on the House
Judiciary Committee, and Texas Attorney General Greg Abbott, who said such a
measure would let "law enforcement stay ahead of the criminals."

Two bills have been introduced so far--S.436 in the Senate and H.R.1076 in
the House. Each of the companion bills is titled "Internet Stopping Adults
Facilitating the Exploitation of Today's Youth Act," or Internet Safety Act.

Each contains the same language: "A provider of an electronic communication
service or remote computing service shall retain for a period of at least two
years all records or other information pertaining to the identity of a user
of a temporarily assigned network address the service assigns to that user."

Translated, the Internet Safety Act applies not just to AT&T, Comcast,
Verizon, and so on--but also to the tens of millions of homes with Wi-Fi
access points or wired routers that use the standard method of dynamically
assigning temporary addresses. (That method is called Dynamic Host
Configuration Protocol, or DHCP.)

"Everyone has to keep such information," says Albert Gidari, a partner at the
Perkins Coie law firm in Seattle who specializes in this area of electronic
privacy law.

The legal definition of electronic communication service is "any service
which provides to users thereof the ability to send or receive wire or
electronic communications." The U.S. Justice Department's position is that
any service "that provides others with means of communicating electronically"
qualifies.

That sweeps in not just public Wi-Fi access points, but password-protected
ones too, and applies to individuals, small businesses, large corporations,
libraries, schools, universities, and even government agencies. Voice over IP
services may be covered too.

Under the Internet Safety Act, all of those would have to keep logs for at
least two years. It "covers every employer that uses DHCP for its network,"
Gidari said. "It covers Aircell on airplanes-- hose little pico cells will
have to store a lot of data for those in-the-air Internet users."

In the Bush administration, Attorney General Alberto Gonzales had called for
a very similar proposal, saying that subscriber information and network data
should be logged for two years.

Until Gonzales' remarks in 2006, the Bush administration had generally
opposed laws requiring data retention, saying it had "serious reservations"
about them. But after the European Parliament approved such a requirement for
Internet, telephone and VoIP providers, top administration officials began
talking about the practice more favorably.

After Gonzales left the Justice Department, the political will for data
retention legislation seemed to ebb for a time, but then FBI Director Robert
Mueller resumed lobbying efforts last spring.

This tends to be a bipartisan sentiment: Attorney General Eric Holder, a
Democrat, said in 1999 that "certain data must be retained by ISPs for
reasonable periods of time so that it can be accessible to law enforcement."
Rep. John Conyers, the Democratic chairman of the House Judiciary Committee,
said that FBI proposals for data retention legislation "would be most
welcome."

Smith, who sponsored the House version of the Internet Safety Act, had
previously introduced a one-year requirement as part of a law-and-order
agenda in 2007.

A 1996 federal law called the Electronic Communication Transactional Records
Act regulates data preservation. It requires Internet providers to retain any
"record" in their possession for 90 days "upon the request of a governmental
entity."

Because Internet addresses remain a relatively scarce commodity, ISPs tend to
allocate them to customers from a pool based on whether a computer is in use
at the time. (Two standard techniques used are the Dynamic Host Configuration
Protocol and Point-to-Point Protocol over Ethernet.)

In addition, Internet providers are required by another federal law to report
child pornography sightings to the National Center for Missing and Exploited
Children, which is in turn charged with forwarding that report to the
appropriate police agency.

The Internet Safety Act is broader than just data retention. Other portions
add criminal penalties to other child pornography-related offenses, increase
penalties for sexual exploitation of minors, and give the FBI an extra $30
million for the "Innocent Images National Initiative."