ISPs fear SAFETY Act retention requirements

By Beth Pariseau, News Writer 01 Mar 2007 | SearchStorage.com

News and trends in the storage industry Digg This!     StumbleUpon     Del.icio.us

The passage prompting debate in the industry is Sec. 6 of the Internet Stopping Adults Facilitating the Exploitation of Today's Youth Act of 2007 (SAFETY), the newest of several versions of Internet records.retention measures introduced to Congress Feb. 5 by Rep. Lamar Smith, R-Tex. So far, previous versions of the legislation have all died in committee. The bill, which is still being debated in the House, is the first formal bill to be introduced to Congress on this issue.

More on storage compliance regulations Judges speak candidly on new e-discovery rules Lawyers discuss e-discovery gotchas Thirteen data retention mistakes to avoid Users wary of Rule 37(f) data retention 'loophole'

The bill's champions claim that some recent child exploitation investigations have failed where they might have been successful if service providers' records had been easier to sort through. But according to Kate Dean, executive director of the U.S. Internet Service Provider Association representing AOL, Verizon Communications Inc., Comcast Corp., AT&T, Microsoft, and Yahoo, the bill, as it is currently worded, would give U.S. Attorney General Alberto Gonzales powers to establish retention regulations on subscriber data that are too broad.

The language of the bill reads:

According to Enterprise Strategy Group (ESG) analyst Brian Babineau, ISPs would have to keep, at minimum, a log file of their users' activity each day. (Some privacy advocates have also speculated that the data required for retention could be much more broadly defined, even going as far as recording users' keystrokes online.) Particularly for a large company with an established data center, such log files are relatively small in terms of storage space, Babineau said. But the sheer volume of information and its classification, archival, security, protection and retrieval would be near impossible to manage.

"Think about how many people use the Internet, and how many of those people use a service provider to access it," he said. "Just keeping track of the records of subscribers' activity would be very, very difficult, which is to say nothing of having to search and reproduce it quickly for law enforcement."

How quickly such information would have to be produced and in what form is also unclear, according to Dean. "It's difficult for us to get down to a real conversation about these new requirements," she said, "when we don't even know what they are."

Meanwhile, ESG research analyst Bill Lundell also pointed out that there are already procedures in place and even laws already on the books that provide regulations for ISPs to work with law enforcement. He cited the Adam Walsh Child Protection and Safety Act of 2006, which already grants the Department of Homeland Security the ability to monitor Internet users they suspect of preying on children or of participating in terrorist activities.

According to Dean, "ISPs work with law enforcement on a variety of criminal complaints 24 hours a day, seven days a week -- [the SAFETY Act] seems an inefficient solution for a problem not proved to exist."

Your browser history, dropped off the back of a truck

The truly scary potential consequence of the bill for private citizens, according to Babineau, is that in an era where major financial institutions are still exposing consumers' Social Security numbers through data theft, hacker attacks and lost backup tapes, the risk that information about online habits could leak out is substantial.

"The irony of this is that the proposed law subjects even more private consumer data to breaches," Babineau said. "And there is still no [federal] law on the books penalizing companies for losing our data."

Still, it might not necessarily be all doom and gloom. According to Luddell, there is already at least some precedent for this type of regulation elsewhere in the world, in the form of the European Union's (EU) data retention directive. The directive, enacted May 3, 2006, requires the retention of all traffic data generated by fixed and mobile telephony communication, as well as Internet access, Internet telephony and Internet messaging for a minimum of six months and a maximum of two years.

"The European Union is even more sensitive to privacy issues than we are in this country," Babineau said. "And so far it seems they have gotten a process like the one proposed here to work."

Tags: Data storage compliance and archiving,  VIEW ALL TAGS

Digg This!     StumbleUpon     Del.icio.us

RELATED CONTENT Data storage compliance and archiving EMC Centera Virtual Archive enables larger Centera clusters National Kidney Foundation cuts GroupWise storage with cloud storage email archiving Microsoft Exchange 2010 adds email archiving and high availability features Dexrex Gear offers cloud instant messaging and social media data archiving EMC lays out data archiving and eDiscovery plans Storage Decisions: Pros and cons of cloud storage technology Storage Decisions: Storage managers must explain retention, email archiving and compliance Choosing a storage system for data archiving Mimosa Systems adds case management tool to NearPoint 4.0 data archiving software Mimosa NearPoint, LiveOffice Mail Archive offer hybrid SaaS email archiving approach Data storage compliance and archiving Research

RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary litigation hold  (SearchStorage.com)

RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary