Do Data Retention Risks Outweigh the Rewards?

Hance Haney
New Millennium Research Council Milestones
June 22, 2007
Print ArticleOriginal Article

Last year when Congress conducted a series of hearings on how to prevent crimes against children on the Internet, Lt. Anthony Ritter of the computer crimes bureau at the New Jersey State Police recommended requiring Internet Service Providers to store customer data for not less than two years. The data should “include, but not be limited to, subscriber information, method of payment, types of devices connected and all in and out IP logging records,” he added.

Legislation pending in Congress would allow the Attorney General to issue regulations governing the retention of records by ISPs. A spokesman for the Justice Department stated last year that the actual content that customers look at on the Web would not be stored. He added that all of the data would be stored by the companies, not by the government, and that the government would have access to the data only by current means, such as warrants and subpoenas. But the legislation before Congress includes none of these safeguards. The Attorney General could require anything he wants above and beyond the “name and address of the subscriber or registered user to whom an Internet Protocol address, user identification or telephone number was assigned.”

No one is quite sure how costly mandatory retention would be, but the amount of data that would need to be stored, indexed and formatted would be huge.

A couple of things are clear. One is that civil litigants, private investigators, marketers and hackers would seek access to the data, and security breaches would occur. Another is that there are a number of ways criminals can conceal their online activities.

For example, Relakks.com maintains an encrypted network which allows its subscribers to browse the Web anonymously. The subscriber’s local ISP can see the connection to the Swedish company’s network but doesn’t have any record of the user’s online activities beyond that point.

There are nearly 46,000 public Wi-Fi access points at cafes, hotels, airports and town squares which anyone can access anonymously. These hotspots could be modified to require pre-registration and access codes so that network administrators could record both who accesses them and which Web sites are visited. That would push criminals out into neighborhoods, where wireless networks for home computers are increasingly common and are frequently unsecured.

Will lawmakers see the futility of trying to control offshore proxy servers, encryption software, unsupervised Wi-Fi access and other means of evading data retention, or will mandatory data retention beget more regulation in an effort to ensure its reliability as a law enforcement tool?

Although there was one highly-publicized failure of a Colorado ISP to provide data needed for an investigation – because the ISP didn’t keep the data – law enforcement agencies face unrelated problems that are much more serious.

Congressional inquiries in 2005 and 2006 revealed that over 100,000 sex offenders, or nearly one-fifth of the total were “missing,” meaning that they chose not to comply with sex offender registration requirements. The median prison sentence for sexual abuse crimes was only 41 months. Some states do not even have laws making the sexual solicitation of a minor online a felony offense with automatic jail time; nor is the possession of child pornography a felony offense in all 50 states.

Congress passed the Adam Walsh Child Protection and Safety Act of 2006 to expand the sex offender registry, strengthen federal penalties for crimes against children and to authorize regional task forces to provide training and funding for law enforcement agents. But scant resources continue to hinder the effort to combat crimes against children online – particularly in the states, where 70 percent of all online child sexual exploitation cases are prosecuted. In Wyoming, for example, “we have over 250 search warrants we could request if the manpower permitted,” according to Flint Waters, a member of a Task Force. “Our investigators are averaging over 70 hours per week,” he said at one of the congressional hearings.

The problems of our criminal justice system notwithstanding, parents want to be certain the Internet is safe as possible for their children. Although nothing can fully replace parental supervision, ISPs and others are working in a number of ways to reduce the potential for online child exploitation.

British ISPs voluntarily block access to Web sites identified by the Internet Watch Foundation as containing images of child pornography, no matter where the sites are hosted. British officials believe this cooperation partly accounts for the fact that only 0.2 percent of Web sites containing child pornography are currently hosted in Britain — down from 18 percent in 1997. But instead of taking down U.S. Web sites with child pornography, until recently these sites were left up long enough to allow investigators to gather evidence. Now some of these sites are taken down immediately – those which are not the subject of a criminal investigation. This emphasis on gathering evidence and preparing charges for criminal prosecutions may be one reason IWF has found that 51.1 percent of Web sites containing child pornography are hosted in the U.S.

ISPs including AOL, Yahoo, Microsoft and Earthlink record an “electronic signature” of child pornography images that they can use to identify and block the images if they are sent again. Every piece of e-mail is scanned for files that match the list of signatures, and those that do are forwarded to law enforcement. Filters and algorithms are also used by ISPs to identify child pornography transmitted over their networks.

Beyond these and other initiatives, most ISPs already retain customer data for at least 60 days. Once a law enforcement agent sends a data preservation request to an ISP, the ISP is required by law to retain the data for an additional 90 to 180 days.

On the surface, a government mandate for ISPs to preserve customer data for at least two years sounds like it would make it easier for investigators who are averaging over 70 hours per week to catch hapless criminals. But given the opportunities for criminals to conceal their identities and the various defects in the criminal justice system, the real danger is that mandatory data retention might give parents and children a false confidence that the Internet is or ever can be a crime-free zone.

Mandatory data retention won’t eliminate the need for parents to supervise their children’s online activity, nor make it unnecessary for the government to adequately fund the criminal justice system. Mandatory storage of the online activity of every American would create an irresistible target for troublemakers and potentially subject innocent people to embarrassment, misunderstanding or increase their exposure to identity theft and other crimes.

Hance Haney is a Senior Fellow with the Discovery Institute.