FBI director wants ISPs to track users
Robert Mueller becomes latest Bush administration official to call for
ISPs to store customers’ data.
Staff Writer, CNET News.com
4:18 PM PDT
FBI Director Robert Mueller on Tuesday
called on Internet service
providers to record their customers’ online activities, a move that
anticipates a fierce debate over privacy and law enforcement in
Washington next year.
"Terrorists coordinate their plans cloaked in
the anonymity of the Internet, as do violent sexual predators prowling
chat rooms," Mueller said in a speech at the International Association
of Chiefs of Police conference in Boston.
ISP snooping time line
In events that were first reported by CNET News.com, Bush
administration officials have said Internet providers must keep track
of what Americans are doing online.
Justice Department officials quietly propose data retention rules.
2005: European Parliament votes for data retention of up to two
2006: Data retention proposals surface in Colorado and the U.S.
20, 2006: Attorney General Alberto Gonzales says data retention
"must be addressed."
28, 2006: Rep. Diana DeGette proposes data retention amendment.
26, 2006: Gonzales and FBI Director Robert Mueller meet with
Internet and telecommunications companies.
27, 2006: Rep. Joe Barton, chair of a House committee, calls
new child protection legislation "highest priority."
"All too often, we find that before we can
catch these offenders,
Internet service providers have unwittingly deleted the very records
that would help us identify these offenders and protect future
victims," Mueller said. "We must find a balance between the legitimate
need for privacy and law enforcement’s clear need for access."
The speech to the law enforcement group, which
approved a resolution
on the topic earlier in the day, echoes other calls from Bush
administration officials to force private firms to record information
about customers. Attorney General Alberto Gonzales, for instance, told
Congress last month that "this is a national problem that requires
Justice Department officials admit privately that data retention
legislation is controversial enough that there wasn’t time to ease it
through the U.S. Congress before politicians left to campaign for
re-election. Instead, the idea is expected to surface in early 2007,
and one Democratic
politician has already promised legislation.
Law enforcement groups claim that by the time they contact Internet
service providers, customers’ records may have been deleted in the
routine course of business. Industry representatives, however, say that
if police respond to tips promptly instead of dawdling, it would be
difficult to imagine any investigation that would be imperiled.
It’s not clear exactly what a data retention law would require. One proposal would go beyond Internet providers and require
the companies that sell domain names, to maintain records too. And
during private meetings with industry officials, FBI and Justice
Department representatives have cited the desirability of also forcing
search engines to keep logs–a proposal that could gain additional law
enforcement support after AOL showed how useful
such records could be in investigations.
A representative of the International Association of Chiefs of Police
said he was not able to provide a copy of the resolution.
Preservation vs. retention
At the moment, Internet service providers typically discard any log
file that’s no longer required for business reasons such as network
monitoring, fraud prevention or billing disputes. Companies do,
however, alter that general rule when contacted by police performing an
investigation–a practice called data preservation.
A 1996 federal law called the Electronic Communication Transactional
Records Act regulates data preservation. It requires
Internet providers to retain any "record" in their possession for
90 days "upon the request of a governmental entity."
Because Internet addresses remain a relatively
ISPs tend to allocate them to customers from a pool based on whether a
computer is in use at the time. (Two standard techniques used are the Dynamic
Host Configuration Protocol and Point-to-Point
Protocol over Ethernet.)
In addition, Internet providers are required
by another federal law
to report child pornography sightings to the National Center for
Missing and Exploited Children, which is in turn charged with
forwarding that report to the appropriate police agency.
When adopting its data retention rules, the
European Parliament approved U.K.-backed
saying that communications providers in its 25 member
countries–several of which had enacted their own data retention laws
already–must retain customer data for a minimum of six months and a
maximum of two years.
The Europe-wide requirement applies to a wide
variety of "traffic"
and "location" data, including: the identities of the customers’
correspondents; the date, time and duration of phone calls, VoIP (voice
over Internet Protocol) calls or e-mail messages; and the location of
the device used for the communications. But the "content" of the
communications is not supposed to be retained. The rules are expected
to take effect in 2008.
CNET News.com’s Anne Broache contributed to