Results tagged “data retention”

They just don't quit:

WASHINGTON--The FBI is pressing Internet service providers to record which Web sites customers visit and retain those logs for two years, a requirement that law enforcement believes could help it in investigations of child pornography and other serious crimes.

FBI Director Robert Mueller supports storing Internet users' "origin and destination information," a bureau attorney said at a federal task force meeting on Thursday.

At Thursday's meeting (PDF) of the Online Safety and Technology Working Group, which was created by Congress and organized by the U.S. Department of Commerce, Motta stressed that the bureau was not asking that content data, such as the text of e-mail messages, be retained. 

What remains unclear are the details of what the FBI is proposing. The possibilities include requiring an Internet provider to log the Internet protocol (IP) address of a Web site visited, or the domain name such as cnet.com, a host name such as news.cnet.com, or the actual URL such as http://reviews.cnet.com/Music/2001-6450_7-0.html.

I guess the FBI figures that if they keep pressuring Congress like a horny teenage boy pressuring his date on prom night that it'll finally give in and enact a data retention mandate. The reason why one has not been enacted so far is that it would be expensive and open up a can of worms for Congress on issues ranging from creating more incentive for hackers to hit large ISPs, to funding the upgrades to ISP infrastructure, to creating a data retention mandate that gives the FBI only just enough data, not too little or too much.

The FBI would need the third of the three options that CNet identified. The IP address alone is ludicrously insufficient to prove intent. If illegal data is stored on a shared host, it's likely that there are as many as several hundred legitimate domains hosted on the server with that IP address. The domain name is also insufficient in many cases. Only storing the exact URL would be sufficient, but then the FBI would have to comb through the logs for the actual URL the user requested since web browsers make automated HTTP requests for all of the content in an HTML page and those requests would not be immediately distinguishable from what the user actually intended to request.
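As an added illustration (not part of the original post), the Python sketch below projects one constructed browsing session onto the four logging granularities CNET lists, then shows the shared-host ambiguity and the sub-resource noise described above. The sample IPs, the `.example` host names, the asset-suffix list and the Referer heuristic are all assumptions made for the example.

```python
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample traffic for one subscriber (not real logs).
# IPs come from documentation ranges; the .example sites are made up.
# Each record: (destination IP, requested URL, Referer header or None)
PAGE = "http://reviews.cnet.com/Music/2001-6450_7-0.html"
BLOG = "http://alice-blog.example/post/42"
REQUESTS = [
    ("192.0.2.20", PAGE, None),                                   # user clicked
    ("192.0.2.20", "http://reviews.cnet.com/css/site.css", PAGE),  # browser fetched
    ("192.0.2.21", "http://news.cnet.com/img/logo.gif", PAGE),     # browser fetched
    ("203.0.113.10", BLOG, None),                                  # user clicked
    ("203.0.113.10", "http://bobs-shop.example/banner.js", BLOG),  # browser fetched
    ("203.0.113.10", "http://alice-blog.example/photo.jpg", None), # user opened image
]

# Assumption: a short list of static-asset suffixes, for illustration only.
ASSET_SUFFIXES = (".css", ".js", ".gif", ".png", ".jpg", ".ico")


def registrable_domain(host):
    """Naive 'last two labels' rule; real code needs the Public Suffix List."""
    return ".".join(host.split(".")[-2:])


def retained_view(requests, level):
    """Distinct values a log kept at this granularity would hold, in order."""
    seen = []
    for ip, url, _ref in requests:
        host = urlsplit(url).hostname
        value = {"ip": ip, "domain": registrable_domain(host),
                 "host": host, "url": url}[level]
        if value not in seen:
            seen.append(value)
    return seen


def hosts_behind_ip(requests):
    """Map each destination IP to every host name served from it."""
    mapping = defaultdict(set)
    for ip, url, _ref in requests:
        mapping[ip].add(urlsplit(url).hostname)
    return dict(mapping)


def split_navigation(requests, use_referer):
    """Heuristically separate user-chosen URLs from automated fetches.

    URL-only retention (use_referer=False) can only guess from the file
    suffix. Telling the two apart more reliably needs the Referer header,
    which means retaining more than the URL.
    """
    pages, automated, fetched = [], [], set()
    for _ip, url, ref in requests:
        is_asset = urlsplit(url).path.lower().endswith(ASSET_SUFFIXES)
        embedded = (ref in fetched) if use_referer else True
        (automated if is_asset and embedded else pages).append(url)
        fetched.add(url)
    return pages, automated


if __name__ == "__main__":
    for level in ("ip", "domain", "host", "url"):
        print(level, "->", retained_view(REQUESTS, level))
    print("shared IP:", hosts_behind_ip(REQUESTS)["203.0.113.10"])
    print("URL-only guess:", split_navigation(REQUESTS, use_referer=False))
    print("with Referer:  ", split_navigation(REQUESTS, use_referer=True))
```

In this sample the URL-only guess files the directly opened `photo.jpg` under automated fetches, while the Referer-based pass counts it as a user request.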

The Stasi would be proud

This is what happens when the government allows the camel to get its nose into the tent on the issue of data retention:

A European Union directive, which Britain was instrumental in devising, comes into force which will require all internet service providers to retain information on email traffic, visits to web sites and telephone calls made over the internet, for 12 months.

Police and the security services will be able to access the information to combat crime and terrorism.

Hundreds of public bodies and quangos, including local councils, will also be able to access the data to investigate flytipping and other less serious crimes.

It was previously thought that only the large companies would be required to take part, covering 95 per cent of Britain's internet usage, but a Home Office spokesman has confirmed it will be applied "across the board" to even the smallest company.

Privacy campaigners say the move to force telecoms companies to store the data is the first step towards the controversial central database at the heart of the Home Office's Intercept Modernisation Programme, which will gather far more detailed information on Britain's online activities.

Simon Davies, director of Privacy International, said: "I don't think people are aware of the implications of this move. It means that everything we do online or on the phone will be known to the authorities.

"They are using this to produce probably the world's most comprehensive surveillance system.

The Stasi would be proud to have lost to a people who would go on to make a surveillance system that is far more comprehensive than anything they had ever been able to attempt. What you see here is precisely the reason why I say that data retention simply must be opposed on principle. No compromises, no "reasonable regulations." Once the legal and technological infrastructure is in place, government surveillance on a level previously never imagined will be possible in the United States--much of it automated. Even if ostensibly 4th amendment-friendly controls are put into place, the only protection that the public will have at that point is the willingness of the government to obey its own regulations, something which federal law enforcement has shown time and again that it cannot regarding the USA PATRIOT Act according to the FBI's Office of the Inspector General.

If Britain persists in creating this database, then they will succeed only in creating one of the most tempting information targets in human history. There are a lot of criminals and foreign intelligence services that would love to get their hands on all of that personal, financial and communication information for purposes ranging from datamining for credit card information, to analyzing call patterns in Britain to find links between government agencies, individuals and private businesses.

And so once again, the Republicans prove why they deserve to be a minority party, having learned absolutely nothing--nothing--about why they lost power and credibility in the first place with small government conservatives and libertarians:

Republican politicians on Thursday called for a sweeping new federal law that would require all Internet providers and operators of millions of Wi-Fi access points, even hotels, local coffee shops, and home users, to keep records about users for two years to aid police investigations.
The legislation, which echoes a measure proposed by one of their Democratic colleagues three years ago, would impose unprecedented data retention requirements on a broad swath of Internet access providers and is certain to draw fire from businesses and privacy advocates.
"While the Internet has generated many positive changes in the way we communicate and do business, its limitless nature offers anonymity that has opened the door to criminals looking to harm innocent children," U.S. Sen. John Cornyn, a Texas Republican, said at a press conference on Thursday. "Keeping our children safe requires cooperation on the local, state, federal, and family level."
Joining Cornyn was Texas Rep. Lamar Smith, the senior Republican on the House Judiciary Committee, and Texas Attorney General Greg Abbott, who said such a measure would let "law enforcement stay ahead of the criminals."
The legal definition of electronic communication service is "any service which provides to users thereof the ability to send or receive wire or electronic communications." The U.S. Justice Department's position is that any service "that provides others with means of communicating electronically" qualifies.

This is another cudgel that law enforcement can use against average citizens if it gets passed. Most people don't know how to even set up the wireless security on their home networks, and this bill would mandate that such people get new routers that can be in compliance with this law, and to be able to configure them for recording everything they do online. At a time when the Republicans should be rebuilding their party by kicking out big government regulators and spenders, they are joining forces with the Democrats to create legislation that would create one of the most dangerous and comprehensive surveillance mandates in the history of the United States.

One of the things that I find most troubling about this legislation, in its current form in the House of Representatives, is the weasel-wording of the "facilitates access to" clause:

(a) Offense- Whoever, being an Internet content hosting provider or email service provider, knowingly engages in any conduct the provider knows or has reason to believe facilitates access to, or the possession of, child pornography (as defined in section 2256) shall be fined under this title or imprisoned not more than 10 years, or both.

Given the way that prosecutors are known to twist language and seek expansive readings of laws, it's easy to see how the "reason to believe" wording there could be interpreted to include any unsecured wireless network because the owner would have reason to believe that someone might be able to get onto it and use it for criminal purposes. That puts a lot of people in danger because they don't know how to secure the current generation of wireless routers, let alone handle ones that are designed to be in compliance with this legislation should it get passed.

One of the first casualties of this will probably be projects like the open firmware projects for consumer routers. Hackable routers are anathema to this legislation, as they would give people the ability to turn the little black box that this law mandates into something that is a lot friendlier to the owner than law enforcement vis-à-vis privacy rights. If you can modify the firmware, you can change the behavior of the logging software.

For now, they seem to be just wanting to keep the IP address assignment logs and related data, but the camel is trying to shove its snout into the tent and unless we want to share a room with that beast, the only choice is to give it a smart, principled kick. Today, it's DHCP records. Tomorrow, it's HTTP and SMTP headers.

Declan McCullagh did a great write up for CNET describing the myriad problems with Eric Holder as our next Attorney General, but one of those issues deserves a lot more exposure. That issue is that Eric Holder is a supporter of the creation of a data retention policy at ISPs to make it easier for the government to track what people do online.

In a speech in Vienna in 1999, he was quoted as saying:

First, we must take steps to ensure that we can obtain the evidence necessary to identify child pornographers. That means certain data must be retained by ISPs for reasonable periods of time so that it can be accessible to law enforcement,

Some privacy activists have tried to give him the benefit of the doubt that he was only referring to retaining records that have been requested by the government, but there was no context for that in his speech. Lacking that sort of nuance, we must simply take him at his word that he wants ISPs to get into the game of retaining records of their customers' activities for long periods of time. Whether that is through the government leaning on ISPs until they "voluntarily" adopt such policies or through naked force is immaterial.

A lot of people assume that the Internet is a "public place" and that you have no reasonable guarantee of privacy. To some extent that is true, but the real policy issue here is why should the government take actions which are absolutely guaranteed to diminish what privacy we do have. That's precisely what a data retention policy/mandate would do, as it would leave copious amounts of information about everything from instant messages, to emails, to web site visits exposed on an ISP's network. Such information is ripe for abuse, be it from law enforcement, criminals looking to score a big heist on personal information or curious employees.

Long-term data retention has been the norm in Europe for a while now, and according to one survey, it's already changing the behavior of some non-criminal segments of the German population. That is one of the natural side effects of living in a society where everyone knows that a significant amount of information about all of their electronic communications is stored and possibly monitored by third parties. It goes without saying that raising future generations of America under such a regime is going to have the result of making them generally accept such systematic surveillance as the norm of modern life. Such a thing does not bode well for the long term defense of liberty.

Between technologies like deep packet inspection and the steadily decreasing cost of storing large amounts of information, the technology barriers against large scale, systematic surveillance of Internet activity are almost gone. Compression algorithms like Bzip and 7zip would allow several terabytes of logged activity to be compressed to fit onto a single hard drive that costs less than $100.

Efforts to make ISPs retain data on their users' activities for several years are not only feasible now, but not even very expensive to mandate. They will also be the first, and probably most important, battles that civil libertarians will fight against the future of government surveillance of the public. As more and more communications are consolidated into Internet-based communications, the possibilities that will be opened up for spying on the public will be unprecedented.

Ever since former Attorney General Alberto Gonzales first seriously raised the issue with ISPs and Congress, there has been bipartisan support for data retention mandates. The Democrats were more modest in their proposals, but that can be more readily attributed to them distrusting the Bush Administration's potential use of a data retention mandate than principled opposition. Pushed under the guise of yet another "will somebody please think of the children" piece of legislation to help fight child pornographers, it didn't get much outrage despite being a far more devastating proposal than anything the NSA was caught doing these past several years.

Holder's views are not very far away from those held by Gonzales on this issue and others regarding police powers and surveillance. For one, he has a very spotty record on encryption technology in the hands of the average person. We take powerful encryption for granted today, but during the mid to late 1990s, it was considered to be a very dangerous tool, often called a military technology, that shouldn't be left unchecked in any civilian's hands. Holder was typical of the Clinton Administration, which was no friend of encryption technology and tried to get backdoors put into encryption products. Taken together, his positions on a myriad number of privacy and Internet-related issues give civil libertarians good reason to believe that he will jump at the first chance to get a long-term data retention scheme either voluntarily implemented or mandated.

Perhaps Holder and Obama have bigger fish to fry, and will not actually do anything on this issue, but events of the last year or two combined with Holder's early calls for a long-term data retention scheme should give us reason to be vigilant. There wasn't much principled opposition when it was being debated by both parties under the Bush Administration, and it's even less likely that a Democratic Congress will challenge Holder if he wants to raise the issue. Despite superficial outrage over the privacy and constitution violations of the Bush Administration, the Democrats have largely shown themselves to have little inherent opposition to the sort of surveillance that this issue presents to the public.

More central planning from the FCC

Would you like some mandatory data retention with that?

WASHINGTON--The Federal Communications Commission on Friday said it wants to auction a section of wireless airwaves to buyers willing to provide free broadband Internet service without pornography.

I don't think they will have many interested buyers because the potential cost of building up such a free network would be huge. Probably a lot more than the spectrum that is being sold is really worth. I would imagine the cost to cover just the South would be well into a few billion dollars, and the majority of the space between the coasts would be just a blackhole of investment like it is for most telecoms.

Of course, if this sort of thing were to succeed, the FCC would, no doubt, quickly slip in a data retention mandate in there to make it easier for law enforcement to spy on the public. This is one of the reasons why I have never been a fan of municipal wifi. Any network that closely tied to a government authority or mandate is bound to be easily monitored by every Tom, Dick and Harry on the government's payroll.

Just in case you had forgotten about it, the FBI and some members of Congress have brought back the issue of data retention policies. This comes on the heels of the FBI asking for a massive, unprecedented expansion of authority to conduct surveillance online. From the sounds of their proposal, it is something akin to the way that the NSA has been caught doing filtering at some of AT&T's offices in the past. It also comes at a time when it has been discovered that the FBI has routinely lied and broken the law in its use of National Security Letters. Yet somehow we are supposed to feel safe about how the FBI would use data retention legislation and an "omnibus surveillance mandate" when it comes to them obeying the law and constitution.

How problematic the data retention legislation will end up being depends entirely on the scope of it, obviously. Initially, I think it will cover a combination of DHCP transactions (how you get your IP address), all of the HTTP information describing what websites you are going to (though not the content of the sites themselves), and the plain text of email and IM conversations. Inevitably, it will get worse if the legislation goes through because some judge and/or politician will wake up to the realization that there are many protocols which are not being covered, and that a file name or URL is not often sufficient to prove anything other than intent.

If we get a data retention mandate, one of the expansions that I predict within ten years of enactment is broad regulation of how network protocols are designed. It'll probably bridge CALEA and whatever the mandate is called, requiring anyone who makes a new network protocol to make it thoroughly accessible to law enforcement. It's only a matter of time before that is needed because aside from some of the mainstays, protocols are a dime-a-dozen. If someone at the FBI figures out how to monitor one new network protocol where people don't want to be monitored, for whatever their reason, good or bad, someone will just modify it or create a new one. It is almost a given that, in order to make it enforceable, unless the government is uncharacteristically restrained, that it would evolve into a broader mandate that regulates software development and deployment extensively.

The major downside to capitalism is that when you establish a market for screwing over your fellow man and surveilling his every move, it won't be that hard to find people who are eager to make a quick buck by supplying innovative ideas on how to implement tyranny:

HP today announced a new data retention solution for telecommunication service providers that are being asked by governments to join the fight against global terrorism, organized crime and drug trafficking.

The HP Data Retention and Guardian ONline (DRAGON) solution goes beyond conventional storage. It is a comprehensive solution designed specifically for service providers that need a scalable system that enables them to capture massive volumes of voice and data traffic on their networks, retain it for months and years, and retrieve selected records - almost in real time - if asked by government agencies. The system also has robust security features to protect individual privacy.

They always talk about the security features in place to protect the public from abuse of power whenever a new law or technology is introduced to help the government do something that is more invasive, but the media never bothers to find out what those so-called safeguards really are. All I see is a one stop solution for data retention needs that would make it far less painful for the government to implement its data retention desires. As much as I love capitalism, it has a pernicious habit of living up to what the Communists used to say about how short-sighted it is: "the capitalists will sell us the rope we will use to hang them."

Google, do no evil, just enable others to do it instead:

Google's announced acquisition of DoubleClick has raised considerable concern among privacy advocates, who argue that combining the search engine giant with a major online advertising firm puts too much information in the hands of one company.
The launch of Google's new Web History product should send those fears into overdrive.
The new service allows you to search and view your entire online life, including what pages they visited online and when. Google will also analyze your online travels, revealing which sites you visit most frequently and what your top searches are.

Combine that with data retention policies and you have a sure fire way of making sure that the Internet becomes the most heavily and successfully surveilled communication medium in the world. Granted, only half of that would apply to the Internet as a whole, but the web in particular would be completely naked, exposed and monitored. In theory, anyway. There are always cryptographic solutions, anonymous proxies and things like that--which also happen to not be on the radar of the average person who would find their habits caught up in this surveillance!

When you combine all of the features that Google is trying to provide to the public with its hunger for dark fiber networks, you can get a pretty scary picture of where they are trying to go. I'm almost tempted to say that it's AOL 2.0 based on open standards instead of a proprietary set of technologies. Even though they release so many freebies to the public, there is more than a little bit of easy comparison between them and other companies that feel that to be safe, they have to do everything.

Sidenote: for a while now I have decided that as soon as Google cuts me a check for the money that they owe me for advertising on my blog, I am going to stop allowing AdSense ads on my blog. I would encourage other bloggers to do that as well, to do their own small part to not directly fund what is turning out to be a company that makes mid-90s Microsoft look like a paper tiger in terms of potential for mischief and mayhem.

Data retention roundup

A quick overview for those of you unfamiliar with what might happen as a result of the data retention policies that the Bush Administration is now pushing. For starters, everything you do without encryption online is fair game. Do you want an idea of how much information HTTP data retention would keep on you for the police and any criminal that breaks into your ISP? Here's an overview. This is also something that individual members of Congress have been pushing on their own, such as Sensenbrenner and Lamar Smith. Smith's proposal, while seemingly not that bad, opens the door for massive privacy violations. Finally, the newest proposal from the Bush Administration puts the burden on web service providers that host lots of images and video. This proposal is in fact one that might be doable and not easily resisted by the service providers because the cost of keeping basic log data such as IP addresses and timestamps is not that hard for these companies to handle. Regardless, the net result would be more intrusion, less privacy, more room for abuse and more burden imposed on private companies.

The Bush Administration just can't seem to stop trying to push data retention policies on the public and private businesses. Unfortunately, this proposal might actually be a feasible one for them to get away with forcing on service providers:

The Bush administration has accelerated its Internet surveillance push by proposing that Web sites must keep records of who uploads photographs or videos in case police determine the content is illegal and choose to investigate, CNET News.com has learned.
That proposal surfaced Wednesday in a private meeting during which U.S. Department of Justice officials, including Assistant Attorney General Rachel Brand, tried to convince industry representatives such as AOL and Comcast that data retention would be valuable in investigating terrorism, child pornography and other crimes. The discussions were described to News.com by several people who attended the meeting.
A second purpose of the meeting in Washington, D.C., according to the sources, was to ask Internet service providers how much it would cost to record details on their subscribers for two years. At the very least, the companies would be required to keep logs for police of what customer is assigned a specific Internet address.

I was reminded by the article of last year's attempts by the FBI to force companies that make network devices such as routers to include wiretapping features. One thing is very clear about the FBI, Department of Justice and the Bush Administration, and that is that they don't seem to really care about how much burden they would impose on the public, or how many liberties would be infringed by some of their more dubious crime-fighting proposals.

Now, what is problematic with this current effort, and it's just that for now, a proposal. However, the catch is that it would not be that difficult for a service like Flickr to log its users' activity, provided the federal government doesn't demand a lot of detail. Simply tracking the IP address that the upload came from and the time stamp would impose a negligible cost to them. To put it into perspective, the system log for my installation of Movable Type, which keeps a record of what's going on with my blog internally, has 4,253 entries in it as of this moment and those entries consume a whopping 494.9Kb of data. Even at a rate of tracking 1,000 images costing 100Kb of storage, one of these would be enough to track a few billion file uploads.

Beside the costs imposed on the service provider, mission creep is going to be a problem here. Other websites, from forums to blogs, will probably be required to keep their logs in case of criminal activity. The government is already practically swimming in data, so it remains to be seen if this sort of thing will even do any good at all.

And this is supposed to make us more sympathetic, not less sympathetic, to law enforcement's need for more data:

As digital evidence increases in importance, authorities seize anything that can hold data. This includes computers, CDs, USB keys, MP3 players, cell phones and game consoles, Jim Christy, a director of the U.S. Department of Defense Cyber Crime Center, said in a presentation at the Black Hat DC Briefings & Training event here.
"This is everything that you got and gave for Christmas," Christy said. In one case, investigators found child pornography on a modified Xbox, he said. "The challenge is that with digital proliferation, the data volume is tremendous these days."
A single terabyte of data equals about 8,333 old-fashioned, five-drawer file cabinets filled with papers. "That's an awful lot for an examiner to go through," Christy said.

Remember this the next time that you hear an argument for data retention. The same people whose software is so primitive that they often have a hard time handling a single criminal's personal electronics are the ones who say that preserving the log files on your activity at your ISP for years is absolutely essential to getting the evidence they need to prosecute criminals and of course, stop terrorists. If the DC3 has this sort of problem, one can only imagine how bad the problem must be at an agency like the FBI or a local or state agency which would likely have far, far fewer resources than a major federal agency.

Another interesting facet of this argument is that they don't even know what they're looking for or where they're looking for it. That's why they seize so many devices and so much storage media. I'm surprised that the judiciary hasn't started nailing them hard for that. I guess I don't understand why none of the companies out there that sell forensics software haven't made reliable software for scanning volumes for certain types of files. It shouldn't be that hard for them to scan for the common file formats.

Don't let the 1TB number be taken too seriously, either. 1TB is, at this point, well outside the bounds for most people. We're getting there, but most of that is still going to be free space. Law enforcement does not deserve the pity of having to scan multiple TB of actual data at this point.

Random thoughts and then some

--Morally, law and order cuts both ways. The police and prosecutors don't get the "rule of law" argument when they enforce laws that are unconstitutional, just as it is no defense for a private citizen to claim that he or she shouldn't be prosecuted for breaking one law because they observed fifty other laws. Enforcement of a single unconstitutional law, even if you enforce fifty constitutional ones is no morally different than obeying fifty laws and breaking one. "Just doing your job" is not an excuse, just as ignorance and being otherwise law-abiding is not an excuse. If you enforce an unconstitutional law, you are a law-breaker, and you deserve to lose your job and go to prison. No more mercy should be extended to the agents of the states or the political classes than would be extended to a private citizen who broke the law. The Constitution is easy to read--if you aren't dishonest and/or an imbecile. Every bad ruling based on it that hurts the public has come out of a sophist's understanding of the document.

--Is it a good sign or a bad one that major bloggers have all but ignored the most fundamental threat to privacy online, data retention legislation? After the way that so few of them got it right on network neutrality legislation, maybe we are better off, rather than having the sort of technically illiterate schmucks that thought that REAL ID would solve our problems, cheerlead the creation of vast repositories of data to "assist" law enforcement.

--It never ceases to amaze me the number of atheists who simply cannot fathom a world without religious morality. They go through great pains to take the morality of those around them who are religious and make up secular justifications for them. Well, the parts that don't require much effort on their part to abide by. I have yet to see an atheist moral philosopher who is willing to come up with something as bold as the system revealed in the Bible. What we end up with in practice is just a self-serving patchwork, and I say self-serving because there is no real challenge. What good is a moral framework that for all intents and purposes asks nothing of the average man that he isn't already capable of giving in spades, such as not murdering his neighbor, raping his wife, taking his daughters as concubines and his sons as slaves? (Why choose such an extreme example? Read this.)

--Blogging and reading other blogs has been fairly light this week because I have been having to work longer hours out at another office. This is my old office, which requires about a thirty minute commute in bad traffic. To avoid this, I have been working from home for a while, then going there, but that's been eating into my time. I have also been reading Starship Troopers, which I am now about halfway through with. An amazing book, totally ruined by Hollywood. I think so far that the only things that they share in common are the names and some of the personalities of most of the characters, races and governments.

So far, these are my two favorite sections:

"Of course, the Marxian definition of value is ridiculous. All the work one cares to add will not turn a mud pie into an apple tart; it remains a mud pie, value zero. By corollary, unskillful work can easily subtract value; an untalented cook can turn wholesome dough and fresh green apples, valuable already, into an incredible mess, value zero. Conversely, a great chef can fashion of those same materials a confection of greater value than a commonplace apple tart, with no more effort than an ordinary cook uses to prepare an ordinary sweet."

****************

"Never mind. Long enough. It means that such punishment is so unusual as to be significant, to deter, to instruct. Back to these young criminals-They probably were not spanked as babies; they certainly were not flogged for their crimes. The usual sequence was: for a first offense, a warning-a scolding, often without trial. After several offenses, a sentence of confinement but with sentence suspended and the youngster placed on probation. A boy might be arrested many times and convicted several times before he was punished-and then it would be merely confinement, with others like him from whom he learned still more criminal habits. If he kept out of major trouble while confined, he could usually evade most of even the mild punishment by given probation-'paroled' in the jargon of the times."
"This incredible sequence could go on for years while his crimes increased in frequency and viciousness, with no punishment whatever save rare dull-but-comfortable confinements. Then suddenly, usually by law on his eighteenth birthday, this so-called 'juvenile delinquent' becomes an adult criminal-and sometimes wound up in only weeks or months in a death cell awaiting execution for murder. You-?"
He had singled me out again. "Suppose you merely scolded your puppy, never punished him, let him go on making messes in the house... and occasionally locked him up in an outbuilding but soon let him back into the house with a warning not to do it again. Then one day you notice that he is now a grown dog and still not housebroken-whereupon you whip out a gun and shoot him dead. Comment, please?"
"Why... that's the craziest way to raise a dog I ever heard of!"
"I agree. Or a child. Whose fault would it be?"
"Uh... why, mine, I guess."
"Again, I agree. But I'm not guessing."
"Mr. Dubois," a girl blurted out, "but why? Why didn't they spank little kids when they needed it and use a good dose of the strap on any older ones who deserved it-the sort of lesson they wouldn't forget! I mean ones who did really bad. Why not?"
"I don't know," he answered grimly, "except that time-tested method of instilling social virtue and respect for law in the minds of the young did not appeal to a pre-scientific pseudo-professional class who called themselves 'social workers' or sometimes 'child psychologists.' It was too simple for them, apparently, since anybody could do it, using only the patience and firmness needed in training a puppy. I have sometimes wondered if they cherished a vested interest in disorder-but that is unlikely; adults almost always act from conscious 'highest motives' no matter what their behavior."

The GOP once again supports Big Brother

Once again, a leading Republican comes up with a way to sacrifice liberty without any appreciable gains in security:

(a) Regulations- Not later than 90 days after the date of the enactment of this section, the Attorney General shall issue regulations governing the retention of records by Internet Service Providers. Such regulations shall, at a minimum, require retention of records, such as the name and address of the subscriber or registered user to whom an Internet Protocol address, user identification or telephone number was assigned, in order to permit compliance with court orders that may require production of such information.
(b) Failure To Comply- Whoever knowingly fails to retain any record required under this section shall be fined under title 18, United States Code, and imprisoned for not more than one year, or both.

I have written extensively before on data retention and why it is just a bad policy in general, but here's a simple reminder. You are creating a huge repository of personal information that can be easily compromised by criminals. Every unencrypted thing that you do online is vulnerable to data retention policies. That means every username, every password, every blog post, every email, every IM conversation. The whole mother lode of what you do online that doesn't involve serious encryption. There are two obvious threats from this. First, you have the temptation on the part of government agents to abuse the data repository, and second, you have the fact that it represents a real coup for an identity thief.

The way that this bill is worded is such that the Attorney General can basically surreptitiously get everything that he wants, which does in fact include tracking your online activities, not the basic information you use to connect with your ISP. He has "tried to be nice about it" with the major ISPs before by trying to convince them to voluntarily join in on the surveillance program, but that has failed. If Lamar Smith gets his way, the first step toward total communications surveillance will be in place. That is not paranoia, but a simple fact of how the Internet works. Once the system is in place, adapting it to new protocols won't be that difficult. That's why I just don't get why so few people seem alarmed by this.

Lazy law enforcement is at it again:

"Terrorists coordinate their plans cloaked in the anonymity of the Internet, as do violent sexual predators prowling chat rooms," Mueller said in a speech at the International Association of Chiefs of Police conference in Boston.
"All too often, we find that before we can catch these offenders, Internet service providers have unwittingly deleted the very records that would help us identify these offenders and protect future victims," Mueller said. "We must find a balance between the legitimate need for privacy and law enforcement's clear need for access."

It really comes down to this:

Law enforcement groups claim that by the time they contact Internet service providers, customers' records may have been deleted in the routine course of business. Industry representatives, however, say that if police respond to tips promptly instead of dawdling, it would be difficult to imagine any investigation that would be imperiled.

I have said it once, I'll say it again, this is just bad policy that dooms the online communications of millions. Anyone who even thinks "I have nothing to hide, so I'm fine" proves that they know nothing about the technology in question. Do you send emails that you wouldn't want others to see? Do you like the idea of every username and password you log into a website with being held in a log somewhere for up to two years? If so, this law is for you! See, anything you send over the net without encryption will be fair game for these laws. That means that anyone who gets the logs, criminal, employee or law enforcement, can look at everything from your emails to your unprotected web accounts' (which are the norm) information.

So take one for the children because they are the future of America! Surely you have no problem with having your every username and password, every webmail message, every blog post, every instant message and every phone call recorded just in case law enforcement suspects you of something. Oh, but don't worry, they don't suspect you right now, they just want options for later if they need them.

Those are some of the many things that the government has done which should cause anyone who cares about the future of the Internet to be not exactly thrilled about the idea of new federal regulations. Yet once again, many people turn to Uncle Sam, the peeping tom, to make sure that the Internet remains Demokratik. This is the same Uncle Sam that wants their ISPs to record everything they do online for at least six months to two years and that goes through their financial records like a suspicious spouse looking for signs of wrongdoing.

The next time that you think that you can trust the government to make sure that the Internet works properly, ask yourself if you'd like to have someone who monitors everything you buy, records in detail every place you go, keeps a log of every person you talk to and who coerces the mailman to filter your mail, be the one to make sure that your life runs smoothly. Doesn't sound so good now, does it?

Latest on data retention in the media

The MercuryNews has a good article on the subject of the new federal push for data retention policies at ISPs. As I have written in the past on the subject, there are a lot of security and privacy implications because the data that can be gleaned from raw packet dumps or proxy logs is enough to attract unscrupulous cops and criminals. It would be the ultimate repository of information for identity thieves.

It's not hard for your ISP to keep a record of all of the HTTP (web) traffic that goes through it. The logs would not be too big, and a 50GB-100GB hard drive would be more than enough for them to use for storing the logs for at least a few months in between backups. One of the problems is that unless you send a username and password to a website that is using SSL, your username, password and all other personal information will go unencrypted into that log file.

One of the security risks here is that the police could potentially in the name of national security or "emergency" do the Internet equivalent of a no-knock raid on your accounts using this information. If your webmail provider doesn't use SSL, they could read all of your email without having to get the provider to comply with their demands. There would be simply no way for them to get caught unless somehow the provider notices something funny while checking access logs for errors or something like that.

The slippery slope gets very steep here, very quickly, because log files are not very difficult to parse, and simple analyses can be run over them on a regular basis. In fact, a 50GB HTTP proxy log that is stored in plain text could be processed on a weekly, or even daily, basis with a ten year old computer running Linux using a simple Python script.

As long as the DoJ does not ask for packet dumps, I have a suspicion that they will be able to make headway with this. Packet dumps would cause them to record everything that goes through their networks, and would give the ISPs basic business grounds to complain to Congress. Simply logging HTTP transaction data, IM protocols, email and usenet would not be such a burden on the average ISP that the DoJ would face an insurmountable obstacle in getting what it wants.

Now it's terrorism:

A Justice Department representative said Tuesday that the proposal would not require Internet providers to retain records of the actual contents of conversations and other Internet traffic.

Color me totally unimpressed with their "assurance." As I have said before, there is no easy way to protect privacy with this legislation. What we need to know is what information they do in fact plan to ask for legal assistance in retaining. That's the key, and it's a point that is going to be missed by most of the political bloggers and talking heads in the media. A "web conversation" is the useful information. It's the HTTP headers and bodies that negotiate the transaction. Do you really want to bet your privacy on them just stripping out the URL that was requested in the GET/POST operation?

This is the problem, and why I suspect that the Bush Administration is not being honest with the public. There are no "conversations" as far as the protocols themselves are concerned. It would take an extremely sophisticated filtering system, one tailored for each popular protocol, to strip out the stuff that rightfully should be kept out on fourth amendment grounds. As far as the network is concerned, your instant message text or login attempt at your blog is just a block of text contained within a larger message. That message is padded with what is called "metadata" or information that describes the information being sent. However, to a logger on its initial pass as it filters the data for the retention law, there would be no distinction here. It's all data. So, naturally, we would be totally dependent on the government sticking to its word.
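The kind of per-protocol filter described above, sketched for HTTP only as an added example (not code from the original post): it parses one request, lists the credential-bearing parts that a log of full headers and bodies would have stored, and emits the metadata-only record instead. The field-name list, host name, addresses and sample request are constructed assumptions.

```python
import base64
from urllib.parse import urlsplit, parse_qsl

# Field names treated as credentials: an assumption for this example, not a full list.
SENSITIVE_FIELDS = {"password", "passwd", "pass", "pwd", "token"}
# Headers that carry credentials or session state rather than routing metadata.
SENSITIVE_HEADERS = {"authorization", "proxy-authorization", "cookie"}


def parse_request(raw: bytes):
    """Split one raw HTTP/1.x request into (method, target, headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers, body


def minimize(raw: bytes, client_ip: str):
    """Return (record, exposures) for one request.

    record    -- the metadata-only entry: no query string, body or credential headers
    exposures -- what a log of full headers and bodies would have stored instead
    """
    method, target, headers, body = parse_request(raw)
    url = urlsplit(target)
    exposures = []

    for name in sorted(SENSITIVE_HEADERS.intersection(headers)):
        value = headers[name]
        if name.endswith("authorization") and value.lower().startswith("basic "):
            # Basic auth is base64 encoding, not encryption: user and password are readable.
            try:
                decoded = base64.b64decode(value[6:]).decode("utf-8", "replace")
            except ValueError:  # malformed base64 still counts as an exposed header
                decoded = ""
            user = decoded.partition(":")[0]
            exposures.append(f"header {name}: basic credentials for user {user!r}")
        else:
            exposures.append(f"header {name}")

    # Credentials also travel in the query string or a form-encoded body.
    fields = [("query", key) for key, _ in parse_qsl(url.query, keep_blank_values=True)]
    if headers.get("content-type", "").startswith("application/x-www-form-urlencoded"):
        form = parse_qsl(body.decode("utf-8", "replace"), keep_blank_values=True)
        fields += [("body", key) for key, _ in form]
    for where, key in fields:
        if key.lower() in SENSITIVE_FIELDS:
            exposures.append(f"{where} field {key!r}")

    record = {
        "client_ip": client_ip,
        "method": method,
        "host": headers.get("host", url.netloc),
        "path": url.path or "/",
    }
    return record, exposures


# Constructed sample: a login POST sent over plain HTTP to a made-up host.
SAMPLE = (
    b"POST /login?next=/inbox HTTP/1.1\r\n"
    b"Host: webmail.example.test\r\n"
    b"Cookie: sid=abc123\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 29\r\n"
    b"\r\n"
    b"user=alice&password=hunter2xx"
)

if __name__ == "__main__":
    record, exposures = minimize(SAMPLE, "192.0.2.10")
    print("metadata-only record:", record)
    for item in exposures:
        print("a full log would also hold:", item)
```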

This should scare the hell out of people who care at all about freedom:

Details of the Justice Department's proposal remain murky. One possibility is requiring Internet providers to record the Internet addresses that their customers are temporarily assigned. A more extensive mandate would require them to keep track of the identities of Americans' e-mail and instant messaging correspondents and save the logs of Internet phone calls.

In other words, because it's the Internet, allow the government to log the audio of every single Voice Over IP (VoIP) call that you make.

Other previous entries on this, to give a perspective on how this battle has evolved:

Recording everything you ever do online.
Is this really a data retention law?.
America's pedocratic surveillance state.

Just when you thought that your privacy rights might be safe for the time being, the Bush Administration has once again renewed its efforts to create a TCP/IP surveillance state. Gonzales is now trying to heckle ISPs into working with the Department of Justice on data retention policies that would prove to be disastrous in the long run to the basic privacy rights and security of the average American:

In a private meeting with industry representatives, Gonzales, Mueller and other senior members of the Justice Department said Internet service providers should retain subscriber information and network data for two years, according to two sources familiar with the discussion who spoke on condition of anonymity.

The closed-door meeting at the Justice Department, which Gonzales had requested, according to the sources, comes as the idea of legally mandated data retention has become popular on Capitol Hill and inside the Bush administration. Supporters of the idea say it will help prosecutions of child pornography because in many cases, logs are deleted during the routine course of business.

It will undoubtedly help them, but then so would allowing the federal government to get a realtime, warrantless power to access anyone's bank and credit information without those pesky probable cause constraints. There are limits on these powers for a reason: the ends do not justify the means. Child pornography is not nuclear terrorism. It is not such an extreme threat to civil society that basic safeguards can be eschewed in order to stop it. What Gonzales is stumping for is the Internet's equivalent of an NSA program that not only scans your phone number records, but also records and does batch analysis of the audio of every single phone call that you make. Mandatory data retention laws provide the fundamental foundation for a totalitarian surveillance state on a TCP/IP-based network.

I find it actually quite disturbing that child pornography is used as the justification for this, when we get reports daily of law enforcement successfully busting actual child molesters using the "measly" powers that are already provided to them. The current system, by all counts, seems to be working just fine. The real problem that law enforcement faces is getting other countries like Russia and Thailand where child molestation is punished nowhere near as badly as it is here to cooperate. Clearly, this is just a side issue. This administration has time and again sought to reduce the scope of the due process and privacy rights protected by the Bill of Rights against the federal government.

"I will reach out personally to the CEOs of the leading service providers and to other industry leaders," Gonzales said. "Record retention by Internet service providers consistent with the legitimate privacy rights of Americans is an issue that must be addressed."

As I have noted before, there are unique privacy implications that apply to TCP/IP-based communications that do not apply to the telephone network. The amount of information that could be gathered on a person through these sorts of policies is simply outrageous, and we already have existing laws that allow law enforcement to get data retention set up when the probable cause standard has been met. This law or "gentleman's agreement" would amount to a policy of stripping people of every pretense of privacy online so that law enforcement could go back and analyze a person's entire history of online activity if they suspect a crime has been committed. It's not an exaggeration to say that the potential for civil liberties abuse is so extreme here that it would represent an effective destruction of the fourth amendment as far as the Internet is concerned because there would be few technical and practical barriers to police abuse of these powers.

There is no way for the Bush Administration to implement data retention policies in such a way as to be "consistent with the legitimate privacy rights of Americans," unless one starts from the premise that Scott McNealy (former CEO of Sun Microsystems) espoused, "you have no privacy, get over it." There are three levels at which they could do this, and one of them is a pretty safe bet that they are going to consider as simply part of the other two. They can log all DHCP assignments of IP addresses, thus keeping track of what IP address was issued to a user, they can log all popular protocols at the protocol level (headers and bodies for SMTP, POP3, HTTP, etc.) or they can simply do a packet-level dump. Either way, the amount of information that they would get would amount to a profile of online activity that would make it easy for the federal government to scrutinize almost everything you have ever said or done online.

If you think that the system is not ripe for abuse, consider this. If they log at the protocol level, thus trapping the messages, not the raw packets themselves, they will get every username and password you submit to a website, email or possibly IM server without encryption. Just like the backdoors in encryption that the Clinton Administration wanted, criminals can exploit this as well. The longer that those logs exist, the more potential there is for a criminal to walk away with a true mother lode of information about an ISP's users. In addition, law enforcement might be tempted to break the law and ethical standards. If a cop finds out that his ex-wife uses that ISP, it would be very easy to discreetly strip out her log information, put it into a separate group of files and store them on a USB key drive.

This issue is one that most big bloggers have hitherto ignored, probably because they are not computer geeks. It threatens the very heart of basic relations between law enforcement and the public in regard to privacy rights. As I have said before, if you think that the NSA program is "problematic," this goes well above and beyond anything that might be considered controversial about it. This push by Sensenbrenner's office and the Bush Administration, if allowed to go through, would represent the first bona fide establishment of the surveillance capabilities necessary to usher in a Cold War-style police state in the United States.

Is this really a data retention law?

Rep DeGette has finally started talking about some of the details about her mandatory data retention law. On first glance, it doesn't seem to be a bad law. In fact, it actually seems to be completely overblown:

It's not clear whether the DeGette language would be limited only to commercial e-mail providers and ISPs and places like coffeehouses, bookstores, or home users that provide Wi-Fi access at no charge. Also, an expansive reading of DeGette's measure would require every Web site to retain those records. (Details would be left to the Federal Communications Commission.)

The bill is only two very short pages long. CNet is, I am sorry to say, just fear-mongering on this issue because the bill clearly excludes websites and other services from having to do any logging:

INTERNET ACCESS SERVICE.-The term 'Internet access service' means a service that enables users to access content, information, electronic mail, or other services offered over the Internet, and may also include access to proprietary content, information, and other services as part of a package of services offered to consumers. Such term does not include telecommunications services.

It's possible that the FCC could try to require all service providers to do this, but any judge would see that the bill only grants authority to regulate companies that provide general TCP/IP access. Now, the bigger question is will this satisfy law enforcement and I seriously doubt that it will come even close to satisfying the Department of Justice's desire to get ahold of as much data as possible. However, on its face, this bill, as is, is not a particularly big deal. The burden it would impose would be to periodically update a simple log file and even for a large ISP it's unlikely that that log file would get bigger than a single DVD-R for an entire year if some good compression is applied.

Update: Mark has a point. Even though this is semi-necessary, there is probably not enough clear constitutional authority to enact this new police power. As such, I think it is worth opposing, even though it is "common sense" in the long run. They need to start doing things the right way and police powers of all things need constitutional grounding.

I got to thinking about the esteemed Congresscritter from Colorado's befuddled response to her mandatory data retention law, and got amused at how easily a badly configured HTTP proxy could be fooled into registering false positives. Imagine running a script like this on someone you hate's computer, only with domains and file names that don't look absurdly fake on their face like the ones I used:


import httplib

domains = [
    "www.wehostkiddyporn.com",
    "www.welikeemreeeelyoung.com",
    "www.misckiddypornsite.com"
]
files = [
    "13yoldgangbang.jpeg",
    "12suck_dick.jpeg",
    "6yrold_teacher.jpeg"
]

for domain in domains:
    con = httplib.HTTPConnection(domain, "80")
    for file in files:
        con.request("GET", file)
        con.close()

The scary part is that let's say that it does come up as a bunch of 404 errors, as it should. How many cops, judges and jurors are not going to believe that this script's bogus requests weren't a sincere effort to get ahold of some illegal content? Reason 53,632 why this is a dangerous bill.
