House panel approves broadened ISP snooping bill

Read more: http://news.cnet.com/8301-31921_3-20084939-281/house-panel-approves...

Internet providers would be forced to keep logs of their customers' activities for one year--in case police want to review them in the future--under legislation that a U.S. House of Representatives committee approved today.

The 19 to 10 vote represents a victory for conservative Republicans, who made data retention their first major technology initiative after last fall's elections, and the Justice Department officials who have quietly lobbied for the sweeping new requirements, a development first reported by CNET.

House Judiciary committee prepares to vote on sweeping data retention mandate.

(Credit: U.S. House of Representatives)

A last-minute rewrite of the bill expands the information that commercial Internet providers are required to store to include customers' names, addresses, phone numbers, credit card numbers, bank account numbers, and temporarily-assigned IP addresses, some committee members suggested. By a 7-16 vote, the panel rejected an amendment that would have clarified that only IP addresses must be stored.

It represents "a data bank of every digital act by every American" that would "let us find out where every single American visited Web sites," said Rep. Zoe Lofgren of California, who led Democratic opposition to the bill.

Lofgren said the data retention requirements are easily avoided because they only apply to "commercial" providers. Criminals would simply go to libraries or Starbucks coffeehouses and use the Web anonymously, she said, while law-abiding Americans would have their activities recorded.

To make it politically difficult to oppose, proponents of the data retention requirements dubbed the bill the Protecting Children From Internet Pornographers Act of 2011, even though the mandatory logs would be accessible to police investigating any crime and perhaps attorneys litigating civil disputes in divorce, insurance fraud, and other cases as well.

"The bill is mislabeled," said Rep. John Conyers of Michigan, the senior Democrat on the panel. "This is not protecting children from Internet pornography. It's creating a database for everybody in this country for a lot of other purposes."

Supporters of the measure characterized it as something that would aid law enforcement in investigating Internet crimes. Not enacting it "would keep our law enforcement officials in the dark ages," said its primary sponsor, House Judiciary chairman Lamar Smith (R-Texas).

"Both Democratic and Republican administrations have called for data retention for over a decade," said Smith, who noted that groups including the National Sheriffs' Association, the Major County Sheriffs' Association, and the Fraternal Order of Police have endorsed the concept.

For a while, it seemed like opposition from a handful of conservative members of Congress, coupled with Democrats concerned about civil liberties, would derail the bill.

Rep. F. James Sensenbrenner, a Wisconsin Republican and previous chairman of the House Judiciary committee, had criticized it at a hearing earlier this month, and again in the voting session that began yesterday and continued through this morning.

"I oppose this bill," said Sensenbrenner. "It can be amended, but I don't think it can be fixed... It poses numerous risks that well outweigh any benefits, and I'm not convinced it will contribute in a significant way to protecting children."

So did Rep. Jason Chaffetz (R-Utah), who has made privacy a signature issue and introduced a geolocation bill last month after trying to curb the use of airport body-scanners two years ago.

The original version of the bill, introduced in May, required Internet providers to "retain for a period of at least 18 months the temporarily assigned network addresses the service assigns to each account, unless that address is transmitted by radio communication." The wireless exemption appeared to be the result of lobbying from major carriers, but drew the ire of the Justice Department, which says it didn't go far enough, and was removed in a revised draft.

The mobile exemption represents a new twist in the debate over data retention requirements, which has been simmering since the Justice Department pushed the topic in 2005, a development that was first reported by CNET. Proposals publicly surfaced in the U.S. Congress the following year, and President Bush's attorney general, Alberto Gonzales said it's an issue that "must be addressed." So, eventually, didFBI director Robert Mueller.

In January 2011, CNET was the first to report that the Obama Justice Department was following suit. Jason Weinstein, the deputy assistant attorney general for the criminal division, warned that wireless providers must be included because "when this information is not stored, it may be impossible for law enforcement to collect essential evidence."

Smith introduced a broadly similar bill in 2007, without the wireless exemption, calling it a necessary anti-cybercrime measure. "The legislation introduced today will give law enforcement the tools it needs to find and prosecute criminals," he said in a statement at the time.

"Retention" vs. "preservation" 
At the moment, Internet service providers typically discard any log file that's no longer required for business reasons such as network monitoring, fraud prevention, or billing disputes. Companies do, however, alter that general rule when contacted by police performing an investigation--a practice called data preservation.

A 1996 federal law called the Electronic Communication Transactional Records Act regulates data preservation. It requires Internet providers to retain any "record" in their possession for 90 days "upon the request of a governmental entity."

Because Internet addresses remain a relatively scarce commodity, ISPs tend to allocate them to customers from a pool based on whether a computer is in use at the time. (Two standard techniques used are theDynamic Host Configuration Protocol and Point-to-Point Protocol over Ethernet.)

In addition, an existing law called the Protect Our Children Act of 2008 requires any Internet provider who "obtains actual knowledge" of possible child pornography transmissions to "make a report of such facts or circumstances." Companies that knowingly fail to comply can be fined up to $150,000 for the first offense and up to $300,000 for each subsequent offense.