The following text is copyright 2007 by Network World, permission is hearby given for reproduction, as long as attribution is given and this notice is included.


Easier for the cops, record everything you do


By: Scott Bradner


For the last year or so U.S. Attorney General Alberto R. Gonzales has been pushing the idea of requiring Internet service providers (ISPs) to retain some types of information about their customers.  He may soon get his wish but there are far more questions than answers in the current proposal.


The current proposal is part of the "Internet Stopping Adults Facilitating the Exploitation of Today’s Youth Act (SAFETY) of 2007" ( which was introduced in Congress by Rep. Lamar Smith (R-Tx).   The bill targets people distributing child porn or handling the money for child porn.   It has a seemingly simple provision titled "Record Retention Requirements for Internet Service Providers."  That section reads:


"Not later than 90 days after the date of the enactment of this section, the Attorney General shall issue regulations governing the retention of records by Internet Service Providers. Such regulations shall, at a minimum, require retention of records, such as the name and address of the subscriber or registered user to whom an Internet Protocol address, user identification or telephone number was assigned, in order to permit compliance with court orders that may require production of such information."


The draft bill provides fines and a jail sentence of up to 1 year for anyone who knowingly fails to retain any record required under the section.


The blogsphere is going a bit nutz over this section, with most of the comments focusing on the open ended nature of the power given to the Attorney General (AG).  To date, the AG has been less than forthcoming on just exactly what kind of data he would like retained.  It is quite easy to imagine that the AG could require that ISPs record the to and from addresses for all email, the content of all instant messages as well as the minimum information mentioned in the bill (IP address, user name and address, logname and phone number).   The AG could even ask for a list of all URLs visited.  This could be a lot of data.  All this in the name of fighting child porn. 


Child porn is vile stuff and anyone engaged in its creation, distribution or consumption should get trashed to the full extent of the laws but there needs to be a balance between the rights of the individuals and the powers of law enforcement.  It would be far easier for law enforcement if they could just have software in everyone's computer that recorded everything the user did but most people would see that as going too far, even to fight child porn.


But there are a lot of open questions and potentially significant impacts to this simple section.  The bill does not define "Internet service provider."  Will you be an ISP if you have an open WiFi access point in your house that your neighbors use?  How about the company across the street from the FCC in Washington with an open WiFi access point? Will the Pittsburg Airport be an ISP for their open WiFil service in the airport.  Will other provides of open WiFi service be ISPs.  None of these currently obtains user information.  The best that they could do without changing the basic nature of their service would be to record MAC address / IP address / time combinations.  But would you know how to do that with the open WiFi access point that came with your DSL service?


Maybe this part of the bill should be renamed the DMP-DOW  (disk manufactures preservation and death to open WiFi ) Act.



disclaimer:  I do not know if Harvard would be an ISP under this bill so the above worry is mine not the university's.