Skip to comments.Justice Department seeks mandatory data retention
Posted on 01/25/2011 12:11:43 PM PST by FromLori
Criminal investigations "are being frustrated" because no law currently exists to force Internet providers to keep track of what their customers are doing, the U.S. Department of Justice will announce tomorrow.
CNET obtained a copy of the department's position on mandatory data retention--saying Congress should strike a "more appropriate balance" between privacy and police concerns--that will be announced at a House of Representatives hearing tomorrow.
(Excerpt) Read more at news.cnet.com ...
Internet ‘kill switch’ bill will return
“A controversial bill handing President Obama power over privately owned computer systems during a “national cyberemergency,” and prohibiting any review by the court system, will return this year.
Internet companies should not be alarmed by the legislation, first introduced last summer by Sens. Joseph Lieberman (I-Conn.) and Susan Collins (R-Maine), a Senate aide said last week. Lieberman, an independent who caucuses with Democrats, is chairman of the Senate Homeland Security and Governmental Affairs Committee.”
As soon as all government employees wear Internet-connected video/audio cameras 24/7 so we can make sure they're not participating in criminal activity, we can talk about them wiretapping the Internet.
It would be a herculean task getting that through the House. It has zero chance of passing. Also: Lieberman has just emasculated himself early in the 112th Congress by announcing he is a lame duck.
Right, I trust the police to never, ever abuse their power.
"Appropriate balance", indeed. How about innocent until proven guilty? That's the only appropriate balance at stake here.
SO where is the ACLU? crickets....
https: strings of gibberish were exchanged.
Anyone still think we have a functioning Constitution to protect us from the vermin in the ruling class?
It would be a herculean task for each ISP to keep track of everything that everyone of their customers does on-line.
Are they going to keep track of every site we visit? How long we visit? What the site looked like when we visited it? What we downloaded? The actual files we download (and not just the file name)?
If criminals are encrypting data within downloaded movie files, for example, then must the ISP keep copies of every movie their customers download in order to be able to get at the encrypted data that might be there?
The only reasonable requirement would be to keep track of users on-line history, so once again it will be easy to invade the privacy of innocent citizens while being impossible to prevent criminal activity. The only thing that will be accomplished will be the diminishment of our Constitutional freedoms.
Idiots making regulations because they can.
With no idea how much of a logistics and storage nightmare it would be to have to store every website visit and download.
This is already law in Europe. Coming here soon.
Hate to say it, but what they want will be found constitutional. They aren't looking for a full record of every byte, but the computer equivalent of pen traces. ISPs keeping records helped the DoJ catch Mike Kernell, Sarah Palin's email hacker.
1. How do YOU spell "T-A-X"...?
2. Raise your hand if you if you trust the Obama Justice department to refrain from using this additional information to attack 'political' adversaries, and instead use it SOLELY to monitor CRIMINAL activity... and we'll do our best to try to get you some 'help'.
My, the jack-boots have apparently identified control of the internet as their first priority in keeping the unwashed in line. A renewed push for net neutrality, user ID’s and now this all in the past month or so. Seems that a real sense of urgency is in the air.
The list, ping
Let me know if you would like to be on or off the ping list
“soulution” = solution
It is not the governments job to track what sites we go to. If you want to know, get a warrant and come to my house.
Thanks for the ping Seadog Bytes
The new keyboaard is aa llittlle diffe rent.
Note: The following text is a quote:
Statement of Deputy Assistant Attorney General for the Criminal Division Jason Weinstein Before the House Subcommittee on Crime, Terrorism and Homeland Security
Washington, D.C. ~ Tuesday, January 25, 2011
Good afternoon, Subcommittee Chairman Sensenbrenner, Committee Chairman Smith, Ranking Member Scott, and Members of the Subcommittee. Thank you for the opportunity to testify on behalf of the Department of Justice. We welcome this opportunity to provide our views about data retention by companies that provide the public with Internet and cell phone services. I am particularly pleased to be able to speak with you about data retention, because data retention is fundamental to the Departments work in investigating and prosecuting almost every type of crime.
In offering this testimony, our goal is explain the nature of the public safety interest in data retention by providers. We do not attempt to discuss appropriate solutions, evaluate cross-cutting considerations, or evaluate the proper balance between data retention and other concerns. We look forward to continuing the dialog on these important issues with Congress, industry, and other interested organizations.
The harm from a lack of retention
Our modern system of communications is run by private companies that provide communications services. These providers include the companies that sell us cell phone service, the companies that bring Internet connectivity to our homes, and the companies that run online services, such as e-mail. These providers often keep records about who is using their services, and how. They keep these non-content records for business purposes; the records can be useful for billing, to resolve customer disputes, and for business analytics. Some records are kept for weeks or months; others are stored very briefly before being purged. In many cases, these records are the only available evidence that allows us to investigate who committed crimes on the Internet. They may be the only way to learn, for example, that a certain Internet address was used by a particular human being to engage in or facilitate a criminal offense.
All of us rely on the government to protect our lives and safety by thwarting threats to national security and the integrity of our computer networks and punishing and deterring dangerous criminals. That protection often requires the government to obtain a range of information about those who would do us harm.
In discharging its duty to the American people, the Department increasingly finds that Internet and cell phone companies records are crucial evidence in cases involving a wide array of crimes, including child exploitation, violent crime, fraud, terrorism, public corruption, drug trafficking, online piracy, computer hacking and other privacy crimes. Whats more, these records are important not only in federal investigations, but also in investigations by state and local law enforcement officers.
Through compulsory process obtained by law enforcement officials satisfying the requirements of law, the government can obtain access to such non-content data, which is essential to pursue investigations and secure convictions that thwart cyber intrusions, protect children from sexual exploitation and neutralize terrorist threats but only if the data is still in existence by the time law enforcement gets there.
There is no doubt among public safety officials that the gaps between providers retention policies and law enforcement agencies needs can be extremely harmful to the agencies investigations. In 2006, forty-nine Attorneys General wrote to Congress to express grave concern about the problem of insufficient data retention policies by Internet Service Providers. They wrote that child exploitation investigations often tragically dead-end at the door of Internet Service Providers (ISPs) that have deleted information critical to determining a suspects name and physical location. The International Association of Chiefs of Police adopted a formal resolution stating that the failure of the Internet access provider industry to retain subscriber information and source or destination information for any uniform, predictable, reasonable period has resulted in the absence of data, which has become a significant hindrance and even an obstacle in certain investigations. In 2008 testimony before this Committee, FBI Director Robert Mueller reported that from the perspective of an investigator, having that backlog of records would be tremendously important, and that where information is retained for only short periods of time, you may lose the information you need to be able to bring the person to justice. Former Attorney General Gonzales similarly testified about investigations where the evidence is no longer available because there’s no requirement to retain the data.
In a 2006 hearing before another committee in this House, an agent of the Wyoming Division of Criminal Investigation gave a heart-wrenching example of the harm that a lack of data retention can cause. He described how an undercover operation discovered a movie, depicting the rape of a two-year-old child that was being traded on a peer-to-peer file sharing network. Investigators were able to determine that the movie had first been traded four months earlier. So, investigators promptly sent a subpoena to the ISP that had first transmitted the video, asking for the name and address of the customer who had sent the video. The ISP reported that it didnt have the records. Despite considerable effort, the child was not rescued and the criminals involved were not apprehended.
In some ways, the problem of investigations being stymied by a lack of data retention is growing worse. One mid-size cell phone company does not retain any records, and others are moving in that direction. A cable Internet provider does not keep track of the Internet protocol addresses it assigns to customers, at all. Another keeps them for only seven daysoften, citizens dont even bring an Internet crime to law enforcements attention that quickly. These practices thwart law enforcements ability to protect the public. When investigators need records to investigate a drug dealers communications, or to investigate a harassing phone call, records are simply unavailable.
These decisions by providers to delete records are rarely done out of a lack of desire to cooperate with law enforcement; rather, they are usually done out of an understandable desire to cut costs. Some providers also seem to delete records out of a concern for customer privacy.
Yet, as a result of short or even non-existent retention periods, criminal investigations are being frustrated. In one ongoing case being investigated by the Criminal Divisions Child Exploitation and Obscenity Section working with the Federal Bureau of Investigation and Immigration and Customs Enforcement, we are seeking to identify members of online groups using social networking sites to upload and trade images of the sexual abuse of children. One U.S. target of this investigation uploaded child sexual abuse images hundreds of times to several different groups of like-minded offenders including one group that had thousands of members. Investigators sent legal process to Internet service providers seeking to identify the distributors based on IP addresses that were six months old or less. Of the 172 requests, they received 33 separate responses noting that the requested information was no longer retained by the company because it was out of their data retention period. In other words, 19 percent of these requests resulted in no information about these offenders being provided due to lack of data retention. Indeed, lack of data retention has to date prevented us from identifying the investigations chief U.S. target.
In October 2008, a federal arrest warrant was issued for a fugitive drug dealer. Law enforcement officers later identified a social networking account used by an associate of the drug dealer. Logins to the social networking account were traced back to IP addresses assigned by a particular cellular provider, revealing that the social networking account was being accessed through that cellular providers network. A subpoena was sought for data identifying the particular cellular phone number to which the IP addresses were assigned, but the cellular provider was unable to isolate the device by the IP addresses identified, because the data was not there. The inability to identify the specific cellular phone being used to access the social networking account stymied the effort to get the drug dealer off the street.
In many cases, investigations simply end once investigators recognize that, pursuant to provider policy, the necessary records have almost certainly been deleted. This occurs, for example, when a victim of a hacking crime discovers an attack too late, or when evidence of criminal conduct involving the Internet comes to light only after lengthy and complex forensic examination. Unlike burglaries, murders, and arsons, online crimes can be difficult to detect, and even more difficult to investigate. A business that has been hacked may not realize that its customers identifying information has been stolen until months after the theft. Moreover, investigating online crimes can require obtaining many different records from many different providers in order to pierce the veil of anonymity provided by the Internet. The reason why the government may need access to records months or years after they were made is not because the government is slow or lazy in investigating those crimes, but because gathering the evidence in compliance with federal law including meeting the statutory thresholds to obtain orders and warrants takes time.
The current preservation regime
These unfortunate incidents arose under a legal regime that does not require providers to retain non-content data for any period of time, but instead relies upon investigators, on a case-by-case basis, to request that providers preserve data.
Federal law permits the government only to request that providers preserve particular records relevant to a particular case while investigators work on getting the proper court order, subpoena, or search warrant to obtain those records.
This approach has had its limitations. The investigator must realize he needs the records before the provider deletes them, but providers are free to delete records after a short period of time, or to destroy them immediately. If, as has sometimes been the case, a provider deletes the relevant records after just a few seconds or a few days, a preservation request can come too late. For example, suppose agents investigating a terrorist seize a computer and analyze it for evidence of who communicated with the target. If the terrorist has communicated over the Internet with co-conspirators, but those communications are older than the ISPs retention periods, then investigators lose the ability to use information about the source and destination of those communications to trace the identity of other terrorists. With respect to those communications, provider practices thwart the governments legal authority to preserve evidence.
The current preservation regime also suffers from inconsistent responses from providers. In some cases, providers have been affirmatively uncooperative. In these instances, providers have failed to provide law enforcement agencies with reliable contact information, have ignored preservation requests, and have undermined the confidentiality of investigations by informing customers about preservation requests.
Many of the larger providers have established policies about how long they retain this data. For obvious reasons, I will not testify about how long those periods are for specific providers. I will say that, in general, those periods are rarely longer than a few months, and in some cases are considerably shorter.
Privacy and costs
Data retention implicates several concerns. These include not just the needs of public safety, but also privacy interests and the burden on providers. Imposing greater retention requirements would raise legitimate concerns about privacy, and these concerns should be considered. However, the absence of strong data retention requirements introduces different privacy risks, as the government may be less effective at targeting malicious activities that threaten citizens private data. Moreover, any privacy concerns about data retention should be balanced against the needs of law enforcement to keep the public safe. In considering those factors, it is important to be clear what data retention is not about.
Data retention is not primarily about collecting additional data that is not already collected. Most responsible providers are already collecting the data that is most relevant to criminal and national security-related investigations. In many cases, they have to collect it in order to provide service to begin with. In other cases, they collect it for the companys security, or to research how their service is being used. They simply do not retain that data for periods that are sufficient to meet the needs of public safety.
To be sure, the presence of large databases, by itself, poses privacy concerns. Those databases exist today, but data retention requirements could make them more common. Privacy concerns about those databases might be addressed by tailoring the information that is retained and clarifying the time period for which it is retained. Although we do not have a position on what information should be retained or for how long, the Department would welcome such a discussion.
A discussion about data retention is also not about whether the government should have the ability to obtain retained data. Retained data is held by the provider, not the government. Federal law controls when providers can disclose information related to communications, and it requires investigators to obtain legal process, such as a subpoena or court order and in some cases with a search warrant, in order to compel providers to disclose it.
As members of the Committee may be aware, there is an ongoing discussion about whether those laws strike a proper balance between privacy protection and public safety. I do not address that discussion in these remarks. Yet, whatever ones position in that discussion might be, data retention concerns a different question: Whether, in cases where law enforcement needs to obtain certain types of non-content data to protect public safety, and satisfies the legal standard for obtaining that data, the data will be available for that discrete purpose at all.
Short or non-existent data retention periods mean the data will not be available. Denying law enforcement that evidence prevents law enforcement from identifying those who victimize others online, whether by the production and trade of sexually abusive images of children, or by other online crimes, such as stealing private personal information.
It also can disserve the cause of privacy. Americans today face a wide range of threats to their privacy interests. In particular, foreign actors, including cyber criminals, routinely and unlawfully access data in the United States pertaining to individuals that most people would regard as highly personal and private. Data retention can help mitigate those threats by enabling effective prosecution of those crimes. Cyber criminals, often anonymously, hack into computer networks of retailers and financial institutions, stealing millions of credit and debit card numbers and other personal information. In addition, many Americans computers are, unbeknownst to them, part of a botnet a collection of compromised computers under the remote command and control of a criminal or foreign adversary. Criminals and other malicious actors can extensively monitor these computers, capturing every keystroke, mouse click, password, credit card number, and e-mail. Unfortunately, because many Americans are using such infected computers, they are suffering from an extensive, pervasive, and entirely unlawful invasion of privacy at the hands of these actors. Making extensive use of data retained by providers, the Department has successfully investigated and prosecuted criminals who use these techniques to invade the publics privacy.
Unlike the Department of Justice which must comply with the Constitution and laws of the United States and is accountable to Congress and other oversight bodies malicious cyber actors do not respect our laws or our privacy. The government has an obligation to prevent, disrupt, deter, and defeat such intrusions. The protection of privacy requires that we keep information from those who do not respect it from criminals and others who would abuse that information and cause harm. Investigating and stopping this type of criminal activity is a high priority for the Department, and investigations of this type require that law enforcement be able to utilize lawful process to obtain data about the activities of identity thieves and other online criminals. Privacy interests can be undercut when data is not retained for a reasonable period of time, thereby preventing law enforcement officers from obtaining the information they need to catch and prosecute those criminals. Short or non-existent data retention periods harm those efforts.
Providers incur some costs in retaining that data, and although storage costs have been dropping exponentially, it is possible that longer retention periods would impose higher costs. However, when data retention is purely a business decision, it seems likely that the public safety interest in data retention is not being given sufficient weight. There is a role for Congress in striking a more appropriate balance.
Thus, I welcome a discussion about the balance among public safety, providers needs, and privacy interests. Legitimate debates about privacy protection should not be resolved solely through the delete key.
I very much appreciate the opportunity to discuss with you the important role of data retention in helping law enforcement fight crime, improve public safety, and defend the national security while protecting privacy. We look forward to continuing to work with Congress as it considers whether legal changes are needed in this area. I also wish to emphasize that the Administration is in the process of developing comprehensive views on both cybersecurity legislation and potential amendments to the Electronic Communications Privacy Act. Nothing in my testimony should be interpreted to pre-judge the outcome of those discussions.
This concludes my remarks. I would be pleased to answer questions from you and other members of the Committee.
Good grief!!! Why won’t these ridiculous programs stay dead? How many times will we have to kill ‘em before we’re done with ‘em? I sense zombie legislation/regulation at work here. ;^)
This is a fairy murky area. I was under the impression that ISPs and search engines already retain a fair amount of user data.
Don’t ISPs log basically the same internet activity history that our browser programs log?
And don’t the major search engines, particularly Google, retain search and email data for months and years? I’ve read that Google has large warehouses filled with storage devices and that they never purge old data. Yahoo and others purge old data periodically, AFAIK.
It would be good to have the correct information on this sort of thing.
What about when you use the in private browsing or things like the tor project? Can they track them?
I don’t know the answers to your questions I’m pretty dumb about these things all I know is I don’t think it’s any of the governments business what I do on line or anywhere else for that matter.
They are afraid that sanity will break out in Congress.
If you mean the private or stealth browsing features in some browsers, those just prevent the browsing history from being recorded on your computer, but can't control what an ISP might log and retain.
I assume that most of our browsing history is being recorded by ISPs, but I don't think they would pass that on to anyone else without a legal requirement to do so.
This is an area in which everyone probably needs to be more knowledgeable.
Most ISP’s can and do record where you go. The record companies use it to attack illicit downloads.
I was about to comment, but your long quotation touches on the point I was going to make.
Data retention not only risks Big Brother Government spying on us, but it would also be costly for website providers.
Every bit of data that is “retained” costs money, one way or another. So this would be still another government mandated burden on the private sector. We have already seen small businesses of many kinds suffer, and hire fewer people, because government mandates can be very expensive.
This might not involve large costs, but it would certainly involve costs, and those costs would not be beneficial for the people paying for it, but for the damned, nosy government.
And it would, of course, cost honest businesses more than others; because crooked businesses would erase incriminating data anyway. Kind of like gun control—it ends up with only criminals having guns.
ON THE INTERNET:
H.R. 96: Internet Freedom Act
H.R. 166: Internet Investment, Innovation, and Competition Preservation Act
Phone voice communication is carried on a 56kbs connection. This means that it would not take that much storage capacity if the phone companies recorded and archived every phone conversation, so that they could turn them over if they ever got a warrant.
That's what this measure seeks to do: have ISPs maintain information in anticipation of a law enforcement request, rather than requiring law enforcement to first get a court order to commence recording.
The problem with what the prosecutors are seeking is that IP address assignments on the internet can change for all kinds of reasons - mostly because of the widespread use of DHCP, or dynamic host configuration protocols. Asking the ISPs to keep track of who, as in what customer, is really assigned to a given IP address may be next to impossible. That's why a lot of ISPs don't have those records. In government speak they "deleted" them sometimes "seconds" after they came into being. More accurately, some router somewhere handed out a new IP address to another router when its IP address lease ended, or when one of the routers rebooted, or whatever. There is no "record" of who that IP address belongs to in the first place.
Trying to keep track of who, as in what real customer, had a particular IP address at a particular point in time, over a long period of time may be nearly impossible, and if the ISP were to try to keep track of the assignments, it is likely that there would be errors in the records.
In many cases the IP address seen on the internet really just identifies a WiFi base station. Who happens to be connected to it at a particular moment in time is pretty much unknown. It could be somebody sitting inside McDonalds eating a hamburger and reading Drudgereport, or it could be somebody outside in the parking lot uploading a pirated movie. For open WiFi routers in apartments or homes in urban areas the actual user could be anybody nearby.
Unconstitutional unfunded mandate.
As soon as all government employees wear Internet-connected video/audio cameras 24/7 so we can make sure they're not participating in criminal activity, we can talk about them wiretapping the Internet.
I don't think that changes for me. I've written it down before, but am not finding it now so I can't be sure. I think I'll start recording it periodically to see if it changes.
Will this new law apply to the Obots who keep scrubbing the Internet of articles unfavorable to their Obamamessiah?
Criminal investigations "are being frustrated" because no law currently exists to force Internet providers to keep track of what their customers are doing......and no mention is to be made at the leftist howls when library book lending patterns were going to be studied.
At some point, a future tyrant WILL misuse this information by crunching our internet history with brilliant data mining techniques that already have existed for over a decade.
The next Stalin wannabee will be able to assign an enemies list quotient to all of us serfs. If he is feeling froggy enough or if he has the power, he could order the National Police (we have one) to arrest everybody with a quotient over a certain point on the scale.
Hitler, Stalin and Mao NEVER had a handy tool like that!
Uh, I didn’t say anything about when they were going to misuse the data. I said such legislation is unlike to pass the GOP-led House.
No, I gotcha. I’m not disagreeing, I agree. I just point out that the worse problem is the inevitable future misuse of data.
Good question. I think it varies.
Har! Very good.
SD! I’ve missed you!