Bill proposes ISPs, Wi-Fi keep logs for police

[LittleRedToyota]

http://www.cnn.com/2009/TECH/02/20/i...ill/index.html

Quote:

Bill proposes ISPs, Wi-Fi keep logs for policeStory Highlights
Politicians are calling for a federal law to save Internet users' records for police use

Law would apply to all Internet providers and operators of millions of Wi-Fi spots

It would require providers to keep records for two years to aid police investigations

Republican-led bill is certain to draw fire from businesses and privacy advocates


By Declan McCullagh

(CNET) -- Republican politicians on Thursday called for a sweeping new federal law that would require all Internet providers and operators of millions of Wi-Fi access points, even hotels, local coffee shops, and home users, to keep records about users for two years to aid police investigations.

The legislation, which echoes a measure proposed by one of their Democratic colleagues three years ago, would impose unprecedented data retention requirements on a broad swath of Internet access providers and is certain to draw fire from businesses and privacy advocates.

"While the Internet has generated many positive changes in the way we communicate and do business, its limitless nature offers anonymity that has opened the door to criminals looking to harm innocent children," U.S. Sen. John Cornyn, a Texas Republican, said at a press conference on Thursday.

"Keeping our children safe requires cooperation on the local, state, federal, and family level."

Joining Cornyn was Texas Rep. Lamar Smith, the senior Republican on the House Judiciary Committee, and Texas Attorney General Greg Abbott, who said such a measure would let "law enforcement stay ahead of the criminals."

Two bills have been introduced so far--S.436 in the Senate and H.R.1076 in the House. Each of the companion bills is titled "Internet Stopping Adults Facilitating the Exploitation of Today's Youth Act," or Internet Safety Act.

Each contains the same language: "A provider of an electronic communication service or remote computing service shall retain for a period of at least two years all records or other information pertaining to the identity of a user of a temporarily assigned network address the service assigns to that user."

Translated, the Internet Safety Act applies not just to AT&T, Comcast, Verizon, and so on--but also to the tens of millions of homes with Wi-Fi access points or wired routers that use the standard method of dynamically assigning temporary addresses. (That method is called Dynamic Host Configuration Protocol, or DHCP.)

"Everyone has to keep such information," says Albert Gidari, a partner at the Perkins Coie law firm in Seattle who specializes in this area of electronic privacy law.

The legal definition of electronic communication service is "any service which provides to users thereof the ability to send or receive wire or electronic communications." The U.S. Justice Department's position is that any service "that provides others with means of communicating electronically" qualifies.

That sweeps in not just public Wi-Fi access points, but password-protected ones too, and applies to individuals, small businesses, large corporations, libraries, schools, universities, and even government agencies. Voice over IP services may be covered too.

Under the Internet Safety Act, all of those would have to keep logs for at least two years. It "covers every employer that uses DHCP for its network," Gidari said. "It covers Aircell on airplanes-- hose little pico cells will have to store a lot of data for those in-the-air Internet users."

In the Bush administration, Attorney General Alberto Gonzales had called for a very similar proposal, saying that subscriber information and network data should be logged for two years.

Until Gonzales' remarks in 2006, the Bush administration had generally opposed laws requiring data retention, saying it had "serious reservations" about them. But after the European Parliament approved such a requirement for Internet, telephone and VoIP providers, top administration officials began talking about the practice more favorably.

After Gonzales left the Justice Department, the political will for data retention legislation seemed to ebb for a time, but then FBI Director Robert Mueller resumed lobbying efforts last spring.

This tends to be a bipartisan sentiment: Attorney General Eric Holder, a Democrat, said in 1999 that "certain data must be retained by ISPs for reasonable periods of time so that it can be accessible to law enforcement." Rep. John Conyers, the Democratic chairman of the House Judiciary Committee, said that FBI proposals for data retention legislation "would be most welcome."

Smith, who sponsored the House version of the Internet Safety Act, had previously introduced a one-year requirement as part of a law-and-order agenda in 2007.

A 1996 federal law called the Electronic Communication Transactional Records Act regulates data preservation. It requires Internet providers to retain any "record" in their possession for 90 days "upon the request of a governmental entity."

Because Internet addresses remain a relatively scarce commodity, ISPs tend to allocate them to customers from a pool based on whether a computer is in use at the time. (Two standard techniques used are the Dynamic Host Configuration Protocol and Point-to-Point Protocol over Ethernet.)

In addition, Internet providers are required by another federal law to report child pornography sightings to the National Center for Missing and Exploited Children, which is in turn charged with forwarding that report to the appropriate police agency.

The Internet Safety Act is broader than just data retention. Other portions add criminal penalties to other child pornography-related offenses, increase penalties for sexual exploitation of minors, and give the FBI an extra $30 million for the "Innocent Images National Initiative."

© 2009 CBS Interactive Inc. All rights reserved. CNET, CNET.com and the CNET logo are registered trademarks of CBS Interactive Inc. Used by permission.

[625]

Oh for fucks sake. I'm hating this country more and more every day. This is what happens when well-intentioned legislators get involved in stuff they know NOTHING about, which is usually everything. How much would this cost to implement? How many terabytes or petabytes of storage would this require? Would this bill make proxy sites illegal? How do they plan on preventing people from spoofing? The list of questions like this could go on and on.

I'm off to punish my liver.

[wa3ra]

Hello, hello, Department of Redundancy Department!

The ISP or cell carrier ALREADY KEEP THIS INFORMATION!!!!! LE can have it at the drop of a warrant.

WTF would you require that a WiFi hotspot keep the info? it's already recorded at every transfer spot across the net. Your provider already tracks what IP the traffic comes from; and many of your digital cell sites use the 'net instead of dedicated landlines now, too.

Jeezus, what a waste of time and money.

[625]

Quote:

The ISP or cell carrier ALREADY KEEP THIS INFORMATION!!!!! LE can have it at the drop of a warrant.

It was my understanding that ISP's didn't keep their logs forever because of the storage issue.

[LittleRedToyota]

Quote:

Originally Posted by wa3ra

The ISP or cell carrier ALREADY KEEP THIS INFORMATION!!!!! LE can have it at the drop of a warrant.

many ISPs do not keep logs for anywhere close to 2 years.

[CoyoteJack]

How does an unsecured Wi-Fi hotspot even identify who is using their bandwith at any given time?

[LittleRedToyota]

Quote:

Originally Posted by CoyoteJack

How does an unsecured Wi-Fi hotspot even identify who is using their bandwith at any given time?

geesh...i suppose you are also against requiring personalized handguns just because the technology doesn't actually exist??

my guess is that, if they thought about it at all...which they prolly didn't...they want the MAC address.

of course, MAC addresses can be spoofed...so, um, epic FAIL on that one.

i'm not actually all that familiar with running Wi-Fi, though, so there could be something i am missing.

[LittleRedToyota]

i'll bet the disk drive manufacturers' lobby loves this bill, though...

in fact, i wonder if they were the ones who came up with the idea...

[CoyoteJack]

Quote:

Originally Posted by LittleRedToyota

geesh...i suppose you are also against requiring personalized handguns just because the technology doesn't actually exist??

my guess is that, if they thought about it at all...which they prolly didn't...they want the MAC address.

of course, MAC addresses can be spoofed...so, um, epic FAIL on that one.

i'm not actually all that familiar with running Wi-Fi, though, so there could be something i am missing.

I fall somewhere between computer illiterate and guru depending on the subject. I resisted setting up a Wi-Fi access point in my home network for quite awhile due to security concerns. I do know that there are plenty of hot spots that are unsecured or secured only so far in that you might have to ask what the password of the month is.

Now supposing they did record the mac address of the user. Wouldn't that only be useful in matching things up with existing suspects? Maybe the next step will be to database all network card sales.

If this crap passes I'm telling my wife it is back to hardwiring the house. She'll just have to keep a long cat5 handy when she wants to work on the laptop in rooms other than her office.

[LittleRedToyota]

Quote:

Originally Posted by CoyoteJack

Now supposing they did record the mac address of the user. Wouldn't that only be useful in matching things up with existing suspects? Maybe the next step will be to database all network card sales.

i think you hit on it.

it would be (if MAC addresses were actually reliable) useful in providing evidence against a known suspect.

also, in theory at least, i guess they could potentially figure out who originally bought the network adapter/laptop with the network adapter in it if it was purchased with a credit card.

i suppose they could also match it up to a known MAC address from another source. for example, if they already have a MAC address/ISP account correlated in their database and see that MAC address used on a WiFi hotspot, they could potentially match the MAC address to the ISP subscriber.

i suppose they could even just ask all the major ISPs to search their logs for that MAC address (at least some of them would prolly cooperate). if the person ever logged into an ISP account with that MAC address, they could get a name that way.

this investigative stuff is all just supposition on my part though. i have zero experience in that area. just thinking of how i might try to approach it based on my knowledge of networking (then again, i have had more than one idea that did not actually work in my life ).

what i do know is that:

1. making yourself appear to be someone else in computer logs is not terribly difficult (both IP addresses and MAC address are easily spoofed). thus, this legislation could easily lead to innocent people being harrassed or worse...while not actually working to catch child predators as i imagine most of them are smart enough to hide their ID (though, on second though, given the idiots on that "to catch a predator show", maybe they aren't that smart).

2. forcing small ISPs to keep logs for two years could put them out of business and, in general, might drive up the price everyone pays for internet connectivity.

3. getting people who run home networks to keep those logs is absolute fantasy...most of them would have absolutely no clue how to do it even if they wanted to...and they don't have the disk space for it. same for coffee shops etc. who offer free Wi-Fi hot spots.