Network Security

Requiring ISPs to retain user logs

Two months after the Federal Trade Commission outlined a framework to protect consumers from being tracked online, privacy advocates now appear to be on the losing end of another agency's initiative.

The Department of Justice (DoJ), with likely blessing from the new Republican majority, is pushing for a law mandating the retention of user data by internet service providers (ISPs).

In late January, the House Judiciary Subcommittee on Crime, Terrorism and Homeland Security held a hearing on how impelling data retention can help authorities better investigate child pornography and other digital crimes.

“All of us rely on the government to protect our lives and safety by thwarting threats to national security and the integrity of computer networks, and punishing and deterring dangerous criminals,” testified Jason Weinstein, the DoJ's deputy assistant attorney general. “That protection often requires the government to obtain a range of information about those who do us harm.”

In his remarks, Weinstein acknowledged that retention requirements may incite privacy concerns, but said critics should realize that expanding law enforcement's reach into records can enable swifter prosecution of individuals responsible for illegal actions, such as installing bot malware.

He also dismissed concerns that retention requirements would lead to additional costs for ISPs. “[When] data retention is purely a business decision, it seems likely that the public safety interest in data retention is not being given sufficient weight,” Weinstein said.

Christopher Soghoian, a security privacy researcher, said he isn't surprised by the seemingly contradictory efforts of two major federal agencies. “The FTC can be talking about wanting to protect privacy, and Justice can do everything in its power to eviscerate privacy, and that can be totally rational because they don't have to consult each other,” Soghoian said.

But he warned that forcing ISPs to hold on to personal information invites significant risk, even though most of them already voluntarily keep records. “The more data you keep, the more at risk you are for data breaches,” he said.

Another less-verbalized argument is that media companies pursuing copyright infringers, as well as divorce lawyers seeking information on behalf of their clients, may turn out to be the biggest winners if a law took effect. “Civil litigants can get access to all types of data,” Soghoian said.

Number of child pornography cases prosecuted by the Department of Justice between 2005-2009.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.