RealTime IT News

Privacy Groups Hit ISP Data Storage Bill

Led by Rep. Lamar Smith of Texas, eight Republican U.S. House members have filed legislation that would give Attorney General Alberto Gonzales broad powers to require Internet service providers (ISPs) to retain customer data.

Privacy groups were quick to respond to the legislation, arguing that the language isn't clear enough.

Under the Internet Stopping Adults Facilitating the Exploitation of Today's Youth Act of 2007 (SAFETY Act), the attorney general would be required to issue ISP data retention requirements, powers Gonzales has sought since last year as part of the Department of Justice's (DoJ) campaign against online child pornography.

According to the bill (H.R. 837), ISPs would be required to retain, at a minimum, subscriber names, addresses, telephone numbers and Internet protocol addresses to "permit compliance with court orders that may require production of such information."

The DoJ would determine the length of time the data must be retained. Most ISPs currently retain minimum customer data for six months or less. Gonzales has said he favors at least a two-year retention requirement.

The SAFETY Act also would require ISPs to report the accessibility of child pornography through their services or face fines of $150,000-$300,000. ISPs and e-mail providers would also face stiff fines and up to 10 years in prison if they knowingly facilitate the transfer of child pornography.

In addition the bill would require websites to post "sexually explicit" warning labels or face criminal sanctions. Legislation to require labeling of adult sites failed in Congress last year.

Privacy advocates worry that the vagueness of the bill's language could allow the DoJ to expand upon the minimum data requirements to include more customer data such as most frequently visited websites, instant messages and e-mail correspondence.

"This is a real First Amendment and privacy threat," John Morris, director of Internet Standards at the Center for Democracy and Technology (CDT), told internetnews.com. "This proposal gives the attorney general unbounded discretion to create whatever data retention requirements he wants. There's no restraint."

Morris noted that failed proposals for greater ISP data retention in Congress last year were far narrower in scope, such as a one-year retention period of IP addresses. "But even a narrow one could lead to abuses and this [Smith's bill] goes far beyond those provisions."

The American Civil Liberties Union (ACLU) also slammed the proposed bill.

"Legislation like this is like swatting a fly with a bazooka," Marvin Johnson, the ACLU's Washington legislative counsel, said in a statement. "Such sweeping measures do little to stop online crime; instead, they overwhelm law enforcement agents with mountains of raw data and have a chilling effect on ISP subscribers' First Amendment rights."

Johnson said the bill would allow "no limit" on the amount of information the DoJ could require ISPs to keep and that the DoJ could mandate the records be retained "forever."

"This represents an incredible invasion into our privacy and freedom to use the Internet without the government reading over our shoulders," Johnson said.

Smith's office did not return requests for comments on his bill. Nor did Smith issue a press release or public statement when he introduced the legislation last week.

The CDT's Morris said that even though Democrats now control Congress, Smith's bill could not be written off as a Republican proposal with little chance of passage, noting that last year one of the prime proponents for greater ISP data retention was Democrat Diana DeGette of Colorado.

During the House Commerce Committee debate last year over telecom reform, DeGette proposed an amendment to the bill requiring ISPs to retain information about subscribers for at least one year.

"The goal is to help law enforcement identify perpetrators when evidence is discovered connecting an account to the production and/or distribution of child pornography," she said. "Law enforcement agencies are desperate for more technological assistance in their work to eradicate the trade of online child sexual abuse."

DeGette ultimately pulled the amendment.

Last June, top tech executives met with Gonzales and other DoJ officials in a meeting shrouded in secrecy over Gonzales' efforts to force ISPs to retain more data for longer periods of time. Gonzales contends the measure is necessary for DoJ efforts to combat online child pornography and terrorism.

Among the companies meeting with the DoJ were Microsoft, Google, AOL, AT&T, Time Warner and Comcast. Gonzales later said, "We had a good faith dialog on the issue. It was a very fruitful meeting."