Not that long ago, the Ninth Circuit Court of Appeals ruled that reading a list of websites you visit without a warrant is legally indistinguishable from a normal pen register search. Ars Technica has some analysis of the issue. Orin Kerr of Volokh Conspiracy doesn't really know what to make of it because the search methods described in the court briefing apparently are ambiguous. However, there is something that both he and the other professor cited by Ars Technica missed that is very important to consider: HTTP addresses do often contain transactional information!
Consider this CGI script, for example: http://www.codemonkeyramblings.com/lookup.cgi?Name="MikeT"&LookFor="HomeAddress"
If the government retrieves information like that, which is not unlikely, they are going beyond a pen register into the domain of finding information that shows specific actions taken. It is a quasi-search at that point, not merely a listing of who went where, and when they did it. In a case like this, it would show what the person was actually looking for by preserving the HTTP GET variables in the recorded URL.
Professor Shaun Martin of the University of San Diego School of Law agrees. Writing recently about the case on his blog, Martin notes, "Once the government records that I'm going to the IP addresses for NAMBLA and High Times and Bondage.com, the fact that they won't (initially) know which particular page of those sites I choose to view hardly matters. They've already invaded my privacy and know a boatload about me that I'd rather not reveal to the government."
What is not clear here is why legal experts would expect their ISP to only record broad and essentially useless information like the domain names of sites you visit, but not the actual pages themselves. Each ISP may have its own logging policies, but it is a safer bet to assume that they are going to be recording the full URL that you access, not information as vague and generic as just the domain name. With many sites, that would be literally useless information as the "incriminating" hits would be to subdomains or particular pages hosted in a small hierarchy of directories on the server.
As with data retention in general, it's not a simple issue. This needs a more nuanced, technically savvy ruling.
*sigh*
Death of a thousand cuts...
BTW, you have been awarded a "Thinking Blog Award", btw.
Kind of a compliment and meme, combined.
Keep up the great work, Mike.
And sorry for the double "btw"; long day.
As you mentioned there are many subdomains that are fairly important distinctions. For instance, blogspot. They range from obscene to boring and mundane, from statist to revolutionary.
You are right, to an ISP anything less than the full URL isn't really useful plus it would require processing of the logs to parse it to the original domain.
The invasion of privacy is proceeding at a fair clip and will soon reach the point where individuals will no longer possess the right to "hide" anything.
Seriously, are people so sheepish that they don't care that this is happening?!?
News bulletin to those who haven't been paying attention:
If you are on the internet, it isn't private.
I have no sympathy for people who demand privacy in public places.
Then surely you won't mind the government passing a law requiring that everything you do online be logged. And if you use SSL while doing it, the service provider must keep an unencrypted copy of it so that the government doesn't have to work hard to find out what you did.
If you have nothing to hide, you have nothing to fear. Privacy is for communists; total surveillance is for free people.
Then surely you won't mind the government passing a law requiring that everything you do online be logged.
Of course I would. I don't like laws that require private businesses to act as agents of the government at their own expense. I have no problem with the government using its own computing resources to track, gather, and store as much information as they want. At some point I would demand a cost-benefit analysis to see if their efforts are paying off in any useful way.
If you have nothing to hide, you have nothing to fear. Privacy is for communists; total surveillance is for free people.
What I have to hide, I am smart enough to actually hide. What I parade around in public, like this comment, I understand is not private. If I see it on the front page of the Washington Post tomorrow under the headline, "Govt employee misuses resources", I will have no one to blame but myself.
The same goes for any other crime or moral weakness that I engage in and allow other people to discover.
If you want to keep something a secret, don't put it on the internet or entrust it to anyone you don't trust. That should be obvious.
"Govt employee misuses resources", I will have no one to blame but myself.-Big Daddy Roc
Hmmm, So said the SS officer to the Jew. What you fail to grasp Roci is that the loaded gun of government prerogative trumping individual rights is that you never know whose finger shall be on the trigger.
After all, if Muslamic terrorists can use our freedoms against us, than pissants on powertrips in the beltway are no less incapable of doing the same.