[TriLUG] FBI director wants ISPs to track users

[WA Brown]

http://news.com.com/FBI+director+wants+ISPs+to+track+users/2100-7348_3-6126877.html?tag=nefd.top


FBI director wants ISPs to track users
Robert Mueller becomes latest Bush administration official to call for ISPs 
to store customers' data.
By Declan McCullagh
Staff Writer, CNET News.com

Published: October 17, 2006, 4:18 PM PDT
TalkBack E-mail Print del.icio.us Digg this
FBI Director Robert Mueller on Tuesday called on Internet service providers 
to record their customers' online activities, a move that anticipates a 
fierce debate over privacy and law enforcement in Washington next year.

"Terrorists coordinate their plans cloaked in the anonymity of the Internet, 
as do violent sexual predators prowling chat rooms," Mueller said in a 
speech at the International Association of Chiefs of Police conference in 
Boston.

"All too often, we find that before we can catch these offenders, Internet 
service providers have unwittingly deleted the very records that would help 
us identify these offenders and protect future victims," Mueller said. "We 
must find a balance between the legitimate need for privacy and law 
enforcement's clear need for access."

The speech to the law enforcement group, which approved a resolution on the 
topic earlier in the day, echoes other calls from Bush administration 
officials to force private firms to record information about customers. 
Attorney General Alberto Gonzales, for instance, told Congress last month 
that "this is a national problem that requires federal legislation."

Justice Department officials admit privately that data retention legislation 
is controversial enough that there wasn't time to ease it through the U.S. 
Congress before politicians left to campaign for re-election. Instead, the 
idea is expected to surface in early 2007, and one Democratic politician has 
already promised legislation.

Law enforcement groups claim that by the time they contact Internet service 
providers, customers' records may have been deleted in the routine course of 
business. Industry representatives, however, say that if police respond to 
tips promptly instead of dawdling, it would be difficult to imagine any 
investigation that would be imperiled.

It's not clear exactly what a data retention law would require. One proposal 
would go beyond Internet providers and require registrars, the companies 
that sell domain names, to maintain records too. And during private meetings 
with industry officials, FBI and Justice Department representatives have 
cited the desirability of also forcing search engines to keep logs--a 
proposal that could gain additional law enforcement support after AOL showed 
how useful such records could be in investigations.

A representative of the International Association of Chiefs of Police said 
he was not able to provide a copy of the resolution.

Preservation vs. retention
At the moment, Internet service providers typically discard any log file 
that's no longer required for business reasons such as network monitoring, 
fraud prevention or billing disputes. Companies do, however, alter that 
general rule when contacted by police performing an investigation--a 
practice called data preservation.

A 1996 federal law called the Electronic Communication Transactional Records 
Act regulates data preservation. It requires Internet providers to retain 
any "record" in their possession for 90 days "upon the request of a 
governmental entity."

Because Internet addresses remain a relatively scarce commodity, ISPs tend 
to allocate them to customers from a pool based on whether a computer is in 
use at the time. (Two standard techniques used are the Dynamic Host 
Configuration Protocol and Point-to-Point Protocol over Ethernet.)

In addition, Internet providers are required by another federal law to 
report child pornography sightings to the National Center for Missing and 
Exploited Children, which is in turn charged with forwarding that report to 
the appropriate police agency.

When adopting its data retention rules, the European Parliament approved 
U.K.-backed requirements saying that communications providers in its 25 
member countries--several of which had enacted their own data retention laws 
already--must retain customer data for a minimum of six months and a maximum 
of two years.

The Europe-wide requirement applies to a wide variety of "traffic" and 
"location" data, including: the identities of the customers' correspondents; 
the date, time and duration of phone calls, VoIP (voice over Internet 
Protocol) calls or e-mail messages; and the location of the device used for 
the communications. But the "content" of the communications is not supposed 
to be retained. The rules are expected to take effect in 2008.