I testified earlier this week about “data retention” before the House Judiciary Committee’s Subcommittee on Crime, Terrorism, and Homeland Security. (For a more in-depth look at CDT's position, please refer to the written testimony  we submitted to the committee, it digs into the issue in some depth and sets out the very serious problems that we see with data retention proposals.) In short, the idea of data retention is that the government would require ISPs, and possibly even online service providers such as Facebook and Hotmail, to record and retain information about users’ communications online, so that law enforcement could later access the information. The potential scope of the data retention is undefined, but some proposals have been pretty breathtaking, and if the concept were applied to online services it would cover pretty much any Web 2.0 site, including any site that allows users to post comments or other content (including blog sites, newspaper sites, and, I suppose, CDT’s own site).
The political dynamics within the hearing were interesting, and showed that data retention does not break down along party lines. Subcommittee Chairman Sensenbrenner and full Judiciary Committee Chairman Smith, both Republicans, clearly support a data retention obligation. But other Republicans, such as Congressman Poe, expressed concern about the massive amounts of innocent citizens’ data that would be retained, and there was some skepticism about whether retention of the data would actually serve the intended purpose of facilitating child pornography prosecutions. On the Democratic side, Ranking Member Scott expressed significant concern for the privacy and free speech implications of any data retention mandate, as well as the very significant financial cost that such a mandate would impose on service providers (and ultimately users). But some on the Democratic side, including Congresswoman Wasserman Schultz, appeared to support imposing data retention.
Subcommittee members expressed a great deal of frustration with Deputy Assistant Attorney General Jason Weinstein, who testified on behalf of the Justice Department, because Weinstein would not give any concrete answers as to what kind of data retention mandate DOJ was proposing. It is clear that the Obama Administration has not settled on a proposal. I assume (at least I hope) that the explanation for this lack of a proposal is that some in the Administration recognize that data retention mandates (especially if they were imposed on online service providers in addition to ISPs) could be devastating to innovation and competition in the online context. If any online service or site that allows users to communicate were required to create a law enforcement tracking database and hire the staff needed to operate the database and interact with law enforcement (especially on the 24/7 basis that law enforcement demands), lots of startups could not afford to be in business.
The hearing also offered a stark example of how Members of Congress can use a Congressional hearing to demand that an industry or company “voluntarily” agree to some rule or regulation. In strong terms, Chairman Sensenbrenner told Kate Dean, testifying for the U.S. ISP Association, that if her members did not start retaining data on a uniform basis, then Congress would impose such a requirement.
As a final note, in preparing for the hearing, I was trying to figure out the best way to explain the true magnitude of what law enforcement was asking service providers to do. Our community – the Internet community of advocates and industry – often throws out “terabytes” and “exabytes” and other such terms to show the huge volumes of data that would have to be retained. But I feared that these terms would not mean anything to the Members of Congress. So instead – knowing that Congress is quite familiar with the term “trillion” (since the federal budget is in the trillions) – I noted that Facebook alone would have to retain data on more than 1 trillion separate communications each year, and that law enforcement was urging that more than 90 trillion separate e-mails be tracked and recorded each year. Those numbers seemed to make an impression on the Members – and I hope the numbers will make them think twice about any data retention mandate.