On Wednesday, the House Judiciary Committee will markup  H.R. 1981 , a bill that would impose data retention mandates on wireline and wireless ISPs as well as many of the hotels, airports, and coffee shops that today offer Internet access to customers. Last week, CDT voiced our strong opposition  to data retention in any form and expressed additional, serious concerns about the bill’s expansive scope and confusing language. A proposed manager’s amendment  that will be offered for markup on Wednesday fixes some of the worst language in the bill, but it also creates new areas for concern. Even if the proposed amendment is adopted, H.R. 1981 will still create more problems than it will solve:
- Data retention would be very harmful to our civil liberties. By mandating the collection and storage of personal information, requiring that every Internet user’s online activity be associated with her identity, and permitting easy access to this information by law enforcement, a data retention law would fundamentally violate users’ rights to privacy and free expression. Mandatory retention for all users, almost all of whom are innocent of any wrongdoing, fundamentally turns on its head the presumption of innocence on which our justice system is predicated. Finally, before considering whether to require ISPs and certain establishments to retain more information about users, Congress must update the Electronic Communications Privacy Act (ECPA) to ensure that data that is already retained is adequately protected against disclosure.
- While the language of the proposed manager’s amendment is vague and confusing, it could be interpreted to require coffee shops, airports, hotels and other establishments that offer fee-based WiFi access to register each and every user (Want WiFi? We need your name and address and we will log your IP address in case the government comes knocking!). Required registration would itself be a privacy violation and a burden on expression, but it would also expose users to a greater risk of identity theft and impose significant costs on establishments now burdened with retaining – and, crucially, securing – such information for a year. One need look no further than recent headlines  to understand the security risk created by such a mandate. According to Privacy Rights Clearinghouse, a staggering 600 million records have been breached  due to the roughly 2,460 data breaches made public since 2005. Each security breach puts users at higher risk of identity theft. Moreover, this federal burden on mom-and-pop coffee shops and Internet cafes would lead some to stop offering Internet service and would thus reduce the availability of Internet access options, especially in underserved neighborhoods.
- H.R. 1981, as amended, raises serious questions about how cell phone companies that provide 3G and 4G wireless Internet service will cope with what in many cases will be an extraordinarily burdensome and costly mandate. Different companies employ different technologies, but at least some wireless carriers  will issue dozens of IP addresses to a single phone every hour, creating a colossal number of IP addresses, all of which must be retained and associated with individual users. And for other carriers that use NAT-based schemes (Network Address Translation), determining which IP address belongs to which customer can be difficult. Multiply these complexities by tens of millions of users and the sure result is higher cost data plans for consumers and an increasingly wide digital divide.
- Once customer data is retained pursuant to a federal mandate, it will likely be put to other privacy-invasive uses. If service providers are forced to invest in building databases of customer information, they may decide to repurpose that data for other uses, such as behavioral advertising. Without a baseline privacy law in this country, there are no real limits to how retained data can be shared and used.
- On top of all of these serious problems with H.R. 1981, there is little evidence to suggest  that a vast data retention regime would actually empower law enforcement agencies – short on staff and funds – to prosecute more child pornography cases, the purported goal of this bill.
In other words, the data retention provisions in H.R. 1981 would threaten our civil liberties, create significant economic burdens for small businesses and wireless carriers, and put consumers at a greater risk for identity theft and other privacy invasions. With H.R. 1981, there is a lot to lose and little to gain.