In a House subcommittee hearing held January 25, 2011, the US Department of Justice called for new legislation mandating internet service providers (ISPs) to retain customer usage data for up to two years. This has resulted in a number of concerns, ranging from individuals’ privacy worries, to ISP concerns regarding the storage of large amounts of data for long periods of time.
In his statement before the Subcommittee on Crime, Terrorism, and Homeland Security, Jason Weinstein, deputy assistant attorney general at the Justice Department, pointed out that retaining data from ISPs and cell phone service providers can help provide crucial evidence in cases “including child exploitation, violent crime, fraud, terrorism, public corruption, drug trafficking, online piracy, computer hacking, and other privacy crimes.”
According to Weinstein, many of the Justice Department’s current criminal investigations are being hindered by its inability to monitor and store the online activity of users. He provided numerous examples in which the retention policies of service providers were obstructing federal, state and local law enforcement investigations. Weinstein said, “These decisions by providers to delete records are rarely done out of a lack of desire to cooperate with law enforcement; rather, they are usually done out of an understandable desire to cut costs. Some providers also seem to delete records out of a concern for customer privacy.”
At this point, ISPs are required to preserve usage data only at the request of law enforcement authorities. Many ISPs are also collecting and maintaining “non-content records,” for instance a subscriber’s login records, information on who is using their services and how. ISPs have widely varying policies and practices regarding the storage of non-content records. In some cases, it will be deleted within days, while others may retain the data for months. Weinstein would like to see this retention period standardized, so that authorities are guaranteed to be able to access such data, should they require it.
There is currently no law that requires ISPs to retain user data. However, the push for extensive data retention legislation is not a new issue. In the past, FBI director Robert Mueller requested that Congress consider such legislation for similar reasons.
Undoubtedly, the January 25th hearing has brought to the surface a number of privacy and freedom of speech concerns. The notion of law enforcement authorities tracking and retaining large amounts of information on over 230 million Americans is an unacceptable outcome for many. This may significantly impact free and anonymous speech and will change how individuals use the internet.
Jim Harper, the director of information policy studies at the Cato Institute, commenting on the issue of mandatory data retention, says “I fail to see where the Fourth Amendment permits the government to require dragnet surveillance of Internet users.”
Another issue is that while the federal government is pushing for pro-privacy laws, it is also contradicting itself with anti-privacy laws, such as this data retention legislation. Recently, the FTC proposed that browsers include Do-Not-Track features, which would help users ensure that their information is not being retained while they browse the internet. At the same time, the Justice Department has asked for more extensive retention laws, though the two are seemingly in conflict with each other.
According to John Morris, the general counsel for the Washington DC-based think-tank Center for Democracy and Technology, the hearing does not necessarily mean that a data retention bill is on the way. It is also uncertain what kind of data ISPs would be expected to retain, or if other online services (e.g. e-mail providers) might be included in the new legislation. Morris said:
“In the best-case scenario, a data retention bill will only require ISPs to track and store Internet Protocol (IP) address allocation data to help law enforcement better link Internet use to specific users. In the worst-case scenario, it could require ISPs and all sorts of online service providers to store and track everything from IP addresses to source data involving e-mail, instant messaging (IM), social media interactions and Web sites visited.”
On January 25, 2011, the US Department of Justice brought the issue of mandatory data retention to the House Subcommittee on Crime, Terrorism, and Homeland Security. Currently, there is no law requiring internet service providers (ISPs) to retain user data, and ISP retention practices are inconsistent in terms of type of data and retention period. Law enforcement authorities have long argued that mandatory data retention would advance criminal investigations, especially those dealing with child pornography and sexual predators. Critics argue that retention of user data would result in numerous privacy and freedom of speech concerns.
CIPP Exam Preparation
In preparation for the Certified Information Privacy Professional/Information Technology (CIPP/IT) exam, a privacy professional should be comfortable with topics related to this post, including:
- Methods of Data Collection (I.B.a.)
- Privacy Concerns – Consumer Perspective (II.A.a.)
- Government and Citizen Surveillance (II.A.k.)
- Privacy Expectations – Consumer Behaviors (II.B.a.)
- Online Privacy (V.D.i.1.)