This story appeared on Network World at

http://www.networkworld.com/columnists/2007/022007bradner.html

Easier for the cops: record everything you do

By Scott Bradner, Network World, 02/20/07

For the last year or so U.S. Attorney General Alberto Gonzales has been pushing the idea of requiring ISPs to retain some types of information about their customers. He may soon get his wish, but there are far more questions raised than answers given in the current proposal.

This proposal is part of the Internet Stopping Adults Facilitating the Exploitation of Today’s Youth Act (SAFETY) of 2007, which was introduced in Congress by Rep. Lamar Smith (R-Texas). The bill targets people distributing child porn or handling the money involved. It has a seemingly simple provision called Record Retention Requirements for Internet Service Providers, which reads: “Not later than 90 days after the date of the enactment of this section, the Attorney General shall issue regulations governing the retention of records by Internet Service Providers. Such regulations shall, at a minimum, require retention of records, such as the name and address of the subscriber or registered user to whom an Internet Protocol address, user identification or telephone number was assigned, in order to permit compliance with court orders that may require production of such information.“

The draft bill provides fines and a jail sentence for as long as a year for anyone who knowingly fails to retain any record required under the section.

The blogsphere is going a bit nuts over this section, with most of the comments focusing on the open-ended nature of the power given to the attorney general. To date, Gonzales has been less than forthcoming on exactly what kind of data he would like retained. It is quite easy to imagine that he could require ISPs record the to and from addresses for all e-mail, the content of all instant messages as well as the minimum information mentioned in the bill (IP address, user name and address, logon and phone number). Gonzales could even ask for a list of URLs visited. This could be a lot of data, all in the name of fighting child porn.

Child porn is vile stuff and anyone engaged in its creation, distribution or consumption should get trashed to the full extent of the laws, but there needs to be a balance between the rights of the individuals and the powers of law enforcement. It would be far easier for law enforcement if they could have software in every computer that recorded everything the user did but most people would see that as going too far, even to fight child porn.

But there are a lot of open questions and potentially significant impacts to this simple section. The bill does not define “Internet service provider." Will you be an ISP if you have an open Wi-Fi access point in your house that your neighbors use? How about the company across the street from the FCC in Washington, D.C., with an open Wi-Fi access point? Will the Pittsburg Airport be an ISP for its open Wi-Fi service in the airport? None of these currently obtains user information. The best that they can do without changing the basic nature of their service is to record media access control address/IP address/time combinations. But would you know how to do that with the open Wi-Fi access point that came with your DSL service?

Maybe this part of the bill should be renamed the DMP-DOW (disk manufacturers preservation and death to open Wi-Fi ) Act.

Disclaimer: I do not know if Harvard would be an ISP under this bill so the above worry is mine, not the university’s.