Retain or restrain access logs?, 2006-06-12
Story continued from Page 2
“
All of this is dangerous enough. But recent actions of the United States Attorney General and the Director of the Federal Bureau of Investigation last week raise an even larger threat to privacy and security. In the interests of prosecuting child abuse cases, the AG and the FBI Director have asked that the ISP's retain all of their records just in case someday, somehow, for some reason, the government may want them in some future case.
”
The problem is that these powers are not limited to cases of organized crime, terrorism or child protection - nor could they be for IP retention. After all, an ISP would have no way of knowing if records were going to be relevant two years hence in some investigation, and therefore they would be required to keep everything. Nor has the government proposed legislation that would say that the retained records may only be accessed pursuant to a court order in cases of child exploitation or protection. No, once retained, the records are subject to criminal or civil subpoena, investigative demand, National Security Letter, grand jury subpoena, search warrant, administrative demand, or even a secret request from the government pursuant to the powers of the President as Commander in Chief in a time of war. And unprivileged records can be subpoenaed by private litigants as well.
The cost of record retention
Who will pay for creating and storing these terabytes of data? Who will store them? The ISPs or the government? And who will secure and protect them? Perhaps the United States Department of Veteran's Affairs, or the Department of Energy can be trusted with our personal records?
Sure, it would make investigations easier if all kinds of records were created and stored forever. What the Attorney General fails to understand is that ISPs already strike a balance in favor of protecting the privacy of their users. The IP records they create are created solely for the purpose of making sure the connection is made, and serve no real ISP function thereafter. Therefore they are destroyed.
The government is seeking to fundamentally change that balance and to make ISPs agents of the state in creating and retaining records not for their own purposes, but for the government's. As CNET's Declan McCulloch pointed out, Congress is considering making the retention rules mandatory. This is bad policy.
Law enforcement already has the power to demand, in individual investigations, that ISPs retain specific records for 90 days, in 18 USC 2703(f). This can be extended to up to six months. This should be long enough to get a subpoena for the required records. The government wants two years? Why not twenty? Why not forever? I'd better stop typing before I give someone some ideas.
Look, if records exist, they will be subpoenaed, stolen, lost or hacked. We already have a pretty good balance of retaining records when we need them and getting rid of them when we don't. Let's not spoil a system that works unless we have clear evidence that it is failing.
