Crucial Evidence

In his statement before the Subcommittee on Crime, Terrorism, and Homeland Security, Jason Weinstein, deputy assistant attorney general at the Justice Department, pointed out that retaining data from ISPs and cell phone service providers can help provide crucial evidence in cases “including child exploitation, violent crime, fraud, terrorism, public corruption, drug trafficking, online piracy, computer hacking, and other privacy crimes.”

According to Weinstein, many of the Justice Department’s current criminal investigations are being hindered by its inability to monitor and store the online activity of users. He provided numerous examples in which the retention policies of service providers were obstructing federal, state and local law enforcement investigations. Weinstein said, “These decisions by providers to delete records are rarely done out of a lack of desire to cooperate with law enforcement; rather, they are usually done out of an understandable desire to cut costs.  Some providers also seem to delete records out of a concern for customer privacy.”

Current Practices

At this point, ISPs are required to preserve usage data only at the request of law enforcement authorities. Many ISPs are also collecting and maintaining “non-content records,” for instance a subscriber’s login records, information on who is using their services and how. ISPs have widely varying policies and practices regarding the storage of non-content records. In some cases, it will be deleted within days, while others may retain the data for months. Weinstein would like to see this retention period standardized, so that authorities are guaranteed to be able to access such data, should they require it.

There is currently no law that requires ISPs to retain user data. However, the push for extensive data retention legislation is not a new issue. In the past, FBI director Robert Mueller requested that Congress consider such legislation for similar reasons.

Critics Say…

Undoubtedly, the January 25^th hearing has brought to the surface a number of privacy and freedom of speech concerns. The notion of law enforcement authorities tracking and retaining large amounts of information on over 230 million Americans is an unacceptable outcome for many. This may significantly impact free and anonymous speech and will change how individuals use the internet.

Jim Harper, the director of information policy studies at the Cato Institute, commenting on the issue of mandatory data retention, says “I fail to see where the Fourth Amendment permits the government to require dragnet surveillance of Internet users.”

Another issue is that while the federal government is pushing for pro-privacy laws, it is also contradicting itself with anti-privacy laws, such as this data retention legislation. Recently, the FTC proposed that browsers include Do-Not-Track features, which would help users ensure that their information is not being retained while they browse the internet. At the same time, the Justice Department has asked for more extensive retention laws, though the two are seemingly in conflict with each other.

According to John Morris, the general counsel for the Washington DC-based think-tank Center for Democracy and Technology, the hearing does not necessarily mean that a data retention bill is on the way. It is also uncertain what kind of data ISPs would be expected to retain, or if other online services (e.g. e-mail providers) might be included in the new legislation. Morris said:

“In the best-case scenario, a data retention bill will only require ISPs to track and store Internet Protocol (IP) address allocation data to help law enforcement better link Internet use to specific users. In the worst-case scenario, it could require ISPs and all sorts of online service providers to store and track everything from IP addresses to source data involving e-mail, instant messaging (IM), social media interactions and Web sites visited.”

Summary

On January 25, 2011, the US Department of Justice brought the issue of mandatory data retention to the House Subcommittee on Crime, Terrorism, and Homeland Security. Currently, there is no law requiring internet service providers (ISPs) to retain user data, and ISP retention practices are inconsistent in terms of type of data and retention period. Law enforcement authorities have long argued that mandatory data retention would advance criminal investigations, especially those dealing with child pornography and sexual predators. Critics argue that retention of user data would result in numerous privacy and freedom of speech concerns.

CIPP Exam Preparation

In preparation for the Certified Information Privacy Professional/Information Technology (CIPP/IT) exam, a privacy professional should be comfortable with topics related to this post, including:

• Methods of Data Collection (I.B.a.)
• Privacy Concerns – Consumer Perspective (II.A.a.)
• Government and Citizen Surveillance (II.A.k.)
• Privacy Expectations – Consumer Behaviors (II.B.a.)
• Online Privacy (V.D.i.1.)

Member States shall provide that personal data may be processed only if:

• (a) the data subject has unambiguously given his consent; or
• (b) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract; or
• (c) processing is necessary for compliance with a legal obligation to which the controller is subject; or
• (d) processing is necessary in order to protect the vital interests of the data subject; or
• (e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller or in a third party to whom the data are disclosed; or
• (f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by the third party or parties to whom the data are disclosed, except where such interests are overridden by the interests for fundamental rights and freedoms of the data subject which require protection under Article 1 (1).

This treatment of personal information held quite a bit of headache for multi-national companies with sensitive HR data or customer relationship information. These problems were eventually ironed out between the EU and the US Department of Commerce through the passage of the Safe Harbor program in 2000. The Center for Democracy and Technology gives a tidy summary of the Directive and international responses.

Intra-EU privacy was supposed to be quite well understood. Except by the British it appears. The European Commission began legal action against the United Kingdom Tuesday for failure to “ensure, among other things, the confidentiality of communications by prohibiting interception and surveillance without the user’s consent.”  In other words, not following Article 7.  To be fair, the 27 EU Members have had 90 cases of some sort of action brought against them, so the British are not in the minority.

The action, says EU Telecoms Commissioner Viviane Reding, relates to behavioral advertising company Phorm, and Internet Service Providers (ISPs) usage of the technology.  Apparently, British Internet users complained about interception and surveillance of their surfing habits.  The Federal Trade Commission brought similar behavioral US marketing problems to light in February.

“Technologies like Internet behavioural advertising can be useful for businesses and consumers but they must be used in a way that complies with EU rules,” Reding said in a statement. “We have been following the Phorm case for some time and have concluded that there are problems in the way the UK has implemented parts of the EU rules on the confidentiality of communications.”

For the United Kingdom, there has to be some question of sovereignty mixed in with the privacy lapses. EU Member States “cede part of their sovereignty under treaties which empower the EU institutions to adopt laws”. If Britain fails to come in line with the privacy protections from the Directive, Reding has the power to force the country to appear before the EU’s highest court, the European Court of Justice. The Court of Justice can thereby force Britain’s compliance.