Privacy advocates aren't the only ones up in arms over a bill currently being debated in Congress that would require Internet service providers (ISPs) to retain records on subscribers. ISPs themselves say the bill contains no clear guidelines for records retention methods or archiving periods for data, and that they are growing nervous about the storage and data management costs that might result if the bill becomes law.
The passage prompting debate in the industry is Sec. 6 of the Internet Stopping Adults Facilitating the Exploitation of Today's Youth Act of 2007 (SAFETY), the newest of several versions of Internet records retention measures introduced to Congress Feb. 5 by Rep. Lamar Smith, R-Tex. So far, previous versions of the legislation have all died in committee. The bill, which is still being debated in the House, is the first formal bill to be introduced to Congress on this issue.
The language of the bill reads:
Not later than 90 days after the date of the enactment of this section, the Attorney General shall issue regulations governing the retention of records by Internet Service Providers. Such regulations shall, at a minimum, require retention of records, such as the name and address of the subscriber or registered user to whom an Internet Protocol address, user identification or telephone number was assigned, in order to permit compliance with court orders that may require production of such information. Whoever knowingly fails to retain any record required under this section shall be fined under title 18, United States Code, and imprisoned for not more than one year, or both.
"Depending on what the attorney general comes up with, it could pose significant harm to [ISP] companies," Dean said. "It could mean companies have to keep data live, on primary storage and dedicate staff to keeping it all searchable at a moment's notice -- the costs would be huge."
According to Enterprise Strategy Group (ESG) analyst Brian Babineau, ISPs would have to keep, at minimum, a log file of their users' activity each day. (Some privacy advocates have also speculated that the data required for retention could be much more broadly defined, even going as far as recording users' keystrokes online.) Particularly for a large company with an established data center, such log files are relatively small in terms of storage space, Babineau said. But the sheer volume of information and its classification, archival, security, protection and retrieval would be near impossible to manage.
"Think about how many people use the Internet, and how many of those people use a service provider to access it," he said. "Just keeping track of the records of subscribers' activity would be very, very difficult, which is to say nothing of having to search and reproduce it quickly for law enforcement."
How quickly such information would have to be produced and in what form is also unclear, according to Dean. "It's difficult for us to get down to a real conversation about these new requirements," she said, "when we don't even know what they are."
Meanwhile, ESG research analyst Bill Lundell also pointed out that there are already procedures in place, and even laws on the books, that provide regulations for ISPs to work with law enforcement. He cited the Adam Walsh Child Protection and Safety Act of 2006, which already grants the Department of Homeland Security the ability to monitor Internet users it suspects of preying on children or of participating in terrorist activities.
According to Dean, "ISPs work with law enforcement on a variety of criminal complaints 24 hours a day, seven days a week -- [the SAFETY Act] seems an inefficient solution for a problem not proved to exist."
Your browser history, dropped off the back of a truck
The truly scary potential consequence of the bill for private citizens, according to Babineau, is that in an era where major financial institutions are still exposing consumers' Social Security numbers through data theft, hacker attacks and lost backup tapes, the risk that information about online habits could leak out is substantial.
"The irony of this is that the proposed law subjects even more private consumer data to breaches," Babineau said. "And there is still no [federal] law on the books penalizing companies for losing our data."
Still, it might not necessarily be all doom and gloom. According to Lundell, there is already at least some precedent for this type of regulation elsewhere in the world, in the form of the European Union's (EU) data retention directive. The directive, enacted May 3, 2006, requires the retention of all traffic data generated by fixed and mobile telephony communication, as well as Internet access, Internet telephony and Internet messaging for a minimum of six months and a maximum of two years.
"The European Union is even more sensitive to privacy issues than we are in this country," Babineau said. "And so far it seems they have gotten a process like the one proposed here to work."