The FBI goes for data retention mandates and then some

Just in case you had forgotten about it, the FBI and some members of Congress have brought back the issue of data retention policies. This comes on the heels of the FBI asking for a massive, unprecedented expansion of authority to conduct surveillance online. From the sounds of their proposal, it is something akin to the way that the NSA has been caught doing filtering at some of AT&T's offices in the past. It also comes at a time when it has been discovered that the FBI has routinely lied and broken the law in its use of National Security Letters. Yet somehow we are supposed to feel safe about how the FBI would use data retention legislation and an "omnibus surveillance mandate" when it comes to them obeying the law and constitution.

How problematic the data retention legislation will end up being depends entirely on the scope of it, obviously. Initially, I think it will cover a combination of DHCP transactions (how you get your IP address), all of the HTTP information describing what websites you are going to (though not the content of the sites themselves), and the plain text of email and IM conversations. Inevitably, it will get worse if the legislation goes through because some judge and/or politician will wake up to the realization that there are many protocols which are not being covered, and that a file name or URL is not often sufficient to prove anything other than intent.

If we get a data retention mandate, one of the expansions that I predict within ten years of enactment is broad regulation of how network protocols are designed. It'll probably bridge CALEA and whatever the mandate is called, requiring anyone who makes a new network protocol to make it thoroughly accessible to law enforcement. It's only a matter of time before that is needed because, aside from some of the mainstays, protocols are a dime a dozen. If someone at the FBI figures out how to monitor one new network protocol where people don't want to be monitored, for whatever their reason, good or bad, someone will just modify it or create a new one. It is almost a given that, in order to make it enforceable, unless the government is uncharacteristically restrained, it would evolve into a broader mandate that regulates software development and deployment extensively.

This blog is licensed under a Creative Commons License.