February 2, 2011
Filed under Free Expression, More Issues in Free Expression, More Issues in Security & Surveillance, Data Retention Mandates
Policy Posts are in-depth analyses on current tech policy issues from CDT experts. Sign up to receive the latest Policy Posts here:
In late January 2011, the House Judiciary Subcommittee on Crime, Terrorism, and Homeland Security held a hearing on "Data Retention as a Tool for Investigating Internet Child Pornography and Other Internet Crimes." The informational hearing focused whether ISPs and online service providers should be made to collect and retain information about their users' Internet communications, so that law enforcement could access the inform in child pornography and other criminal investigations.
At issue is the fact that most ISPs provide subscribers with “dynamic” IP addresses, meaning that the IP address assigned to a particular user will change every few days or weeks. When law enforcement is pursuing a case of online child exploitation, they may have the IP address of a user who sent or received the child pornography file. To assist law enforcement, the leading ISPs in the United States have voluntarily kept records of their IP address allocations so that, for limited periods of time, the ISPs would be able to tell law enforcement who had a given IP address on a particular date and time. But some law enforcement officials and legislators want to make this kind of data retention mandatory. And some in law enforcement have gone even farther to suggest mandatory tracking of communications by all online service providers (including blog hosts, webmail providers, and social networks).
The Subcommittee’s hearing was not the first time Congress has directed its attention to data retention. Rep. Lamar Smith – now Chairmain of the House Judiciary Committee – has twice introduced the Internet Stopping Adults Facilitating Exploitation of Today’s Youth (SAFETY) Act, in 2007and 2009. The versions of that bill are somewhat different, but each would have required ISPs and others to maintain records about their subscribers’ Internet use for at least two years. Other mandatory data retention proposals in recent years have come from the Department of Justice and the U.S. Treasury Department.
In the January hearing, the Subcommittee heard from CDT’s John Morris about the significant costs to privacy, free expression, and innovation online posed by data retention mandates. Kate Dean, Executive Director for the U.S. Internet Service Providers Association, testified on behalf of industry, highlighting the steps that ISPs have already taken to cooperate with law enforcement in the prosecution of child exploitation crimes, and the burdens that a mandated rule would impose on service providers. Jason Weinstein, Deputy Assistant Attorney General, U.S. Department of Justice, and John Douglass, Chief of Police for Overland Park, Kansas (representing the International Association for Chiefs of Police), presented the law enforcement perspective and called for more comprehensive standardized data retention across the industry.
Neither of the law enforcement representatives defined the exact scope of the data retention they sought, but a starting point in any discussion of "data retention" must be to identify what is meant by the term. In the narrowest possible definition relevant to the issue of prosecuting child exploitation crimes, “data retention” could mean the retention by ISPs of records of IP address allocations indicating which subscriber was assigned which IP address for a particular period of time. (An IP address is the unique numeric address used on the Internet to route communications to their proper destination. For any Internet traffic to reach the right place, it must contain the unique address of the destination computer or server.)
Retention of IP address allocations by ISPs, especially if made mandatory, raises a host of serious policy and economic concerns. But some data retention proposals have gone much farther. Some have advocated that ISPs monitor and record their users’ online activities. Other proposals have suggested that any entity that gives temporary, dynamic IP addresses (such as coffee shops or WiFi “hotspots”) be required to gather and retain data about their users. And in the Department of Commerce Online Safety and Technology Working Group (OSTWG) process last year, law enforcement went even further to urge that any online site or service that allows users to communicate (such as blogs, social networks, and e-mail services) be required to track and retain “source data” about every communication that any users make online. These proposals raise enormous concerns.
It is also critical to differentiate data retention from data preservation. A data retention mandate would affect all users, not just bad actors. By contrast, a far more targeted approach – preserving the data of suspects – can already be found in current law. Section 2703(f) of U.S. Code Title 18 permits law enforcement, without any judicial permission or notice at all, to require an ISP or other service provider to retain data – including IP address and customer identifying information – for as much as 180 days. A data retention law, on the other hand, would require ISPs to keep detailed records about each of their users (and their users' Internet activity) for months or years.
CDT’s testimony highlighted the significant civil liberties concerns raised by mandates on ISPs and online service providers to retain user data. Such a mandate would harm users' privacy rights, both vis-à-vis the government as well as private actors. A key to protecting privacy is to minimize the amount of data collected and held by ISPs and online companies in the first place. A data retention law would undermine this important principle. Mandatory data retention laws would require companies to maintain large databases of subscribers' personal information, which would be vulnerable to hackers, accidental disclosure, and government or other third party access, thereby aggravating the identity theft problem and undermining public trust in the Internet. And the longer data is maintained, the more at risk it is to compromise or disclosure. The risk of harm would be even greater if entities that do not now keep data on their customers – such as coffee shops, airports, libraries, and others offering wireless access – were required to keep information on customers who use wireless services. And if companies are forced to collect data on their customers, it is very likely that they would decide to use that data for their own commercial purposes as well.
Data retention laws would also threaten a core First Amendment right: the right to speak and access content anonymously. The speech harms that would flow from a data retention mandate are not limited to political speech. A study from European Digital Rights shows that data retention in Europe (which, as discussed more fully below, has a data retention rule that is under attack and is being reconsidered) has significantly diminished citizens' willingness to discuss and obtain information about mental health issues online. This is precisely the type of vital speech that would be harmed by a data retention mandate. CDT thinks that Congress should not risk chilling the discussion of politics, mental health issues, or a vast range of other sensitive topics, when less intrusive tools are already available.
And we fear that a data retention mandate would seriously damage competition and innovation in the Internet industry, harming the U.S.-based industry’s ability to compete in the global online market. A threshold concern is simply one of cost. ISPs have no business reason to retain IP address allocations. A mandate that all ISPs retain IP address allocations would impose significant costs on those providers. Extending a data retention mandate to the other end of Internet communications - the vast array of large and small online services that allow users to communicate with each other - would be an overwhelming and extraordinarily costly burden. Such a data retention mandate would, without question, drive some providers out of business. Other providers would need to pass the increased costs on to their customers or find some way to monetize the vast databases of subscriber information that they would be required to maintain.
By increasing costs on Internet access and online services, data retention mandates would harm American businesses, and they would likely drive services overseas to markets that do not have burdensome "source data" retention mandates. The United States has been the leading engine of innovation on the Internet, but costly federal mandates could make this country unfriendly to innovation and new services. Exciting new online services would still be developed – just not as often in the United States.
CDT Data Retention Testimony, January, 2011
Still, many of the legislators at the Subcommittee’s hearing expressed interest in data retention, pointedly encouraging Kate Dean of USISPA to encourage her members to "voluntarily" agree to industry standards around data retention (or face the prospect of a data retention mandate in legislation).
If Congress is seriously considering legislation, it should look carefully at the development of Europe’s mandatory data retention policy. Many European countries and courts are backing away from the European Union data retention mandates that were enacted (but not fully implemented) a few years ago. At least three national courts have questioned the validity of a data retention regime, and another has referred to the European Court of Justice a case that could call into question the validity of the entire European data retention scheme itself.
Finally, Congress must look at the whole picture when assessing law enforcement success in prosecuting child exploitation crimes. Child exploitation is a horrific crime and it is important that law enforcement have the necessary resources to prosecute it. But data retention mandate is not the answer. Congress has already enacted strong data preservation laws to aid in the prosecution of child pornography. The PROTECT Our Children Act of 2008 requires ISPs who receive reports of apparent child pornography to immediately preserve detailed subscriber records for the user associated with the implicated IP address and to forward a report to the National Center for Missing and Exploited Children. NCMEC sends the report to the appropriate law enforcement agency and the ISP must preserve the records for at least 90 days, and up to 180, to give law enforcement time to begin an investigation.
The fact is, law enforcement agencies lack the funding and manpower to investigate and prosecute many of the child exploitation cases they encounter. Several members of Congress raised questions about how many cases law enforcement is able to handle. While direct comparison data is not forthcoming, in a given year, NCMEC forwards around 140,000 reports to law enforcement, while between 2005-2009, the Department of Justice prosecuted 8,352 child pornography cases, according to the Department’s National Strategy for Child Exploitation Prevention and Interdiction. No one questions law enforcement's commitment to child predators to justice, but it is far from clear that, given more data, they would be able to prosecute more cases.