FBI Pushing For 2-Year Retention of Web Traffic Logs

suraj.sun writes to tell us that the FBI is pushing to have ISPs keep detailed records of what web sites customers have visited for up to two years. Claiming a desire to combat "child pornography and other serious crimes," the FBI and others are pressing for increased data retention, which they have been doing since as early as 2006. "If logs of Web sites visited began to be kept, they would be available only to local, state, and federal police with legal authorization such as a subpoena or search warrant. What remains unclear are the details of what the FBI is proposing. The possibilities include requiring an Internet provider to log the Internet protocol (IP) address of a Web site visited, or the domain name such as cnet.com, a host name such as news.cnet.com, or the actual URL such as http://reviews.cnet.com/Music/2001-6450_7-0.html. While the first three categories could be logged without doing deep packet inspection, the fourth category would require it. That could run up against opposition in Congress, which lambasted the concept in a series of hearings in 2008, causing the demise of a company, NebuAd, which pioneered it inside the United States."

Before someone says it

[Anonymous Coward]

This goes beyond the data retention laws in the EU, and even those are under a lot of public pressure and currently being looked at by the highest courts. What you'll see is that your guys will back down from requiring access logs and make ISPs "just" keep a log of the IPs of their customers for two years, like the EU requires, and they'll call it a compromise.

Re:Won't someone please think of the children

[Nadaka]

Don't kid yourself, Most of Asia (and by that I mean China) is just as quick to "think of the children" as America.

Host names

[unix1]

Host names cannot be logged without packet inspection unless they assume that a corresponding request against the ISP's DNS services constitutes to "visiting" the resolved host name. You are also free to use DNS servers of your choice that are different from your ISP's. You can run your own DNS server too.

When a client "visits" a URI it:

1. resolves the host name to IP address via a DNS service
2. makes a connection to the said IP address
3. if connection uses SSL, proceeds with the "handshake"
4. sends host name, URI, and other request info via the above connection

ISPs can log #2, but cannot log #4 without packet inspection. It's even more complicated if the connection is encrypted (e.g. https).

Re:How many PB?

[Wesley Felter]

Even better when people start using a program that for example does random searches on Google and does a request to every search result.

What if one of those results happens to be an illegal Web page? Maybe you should call this program the Auto-Incriminator.

Chaff traffic may defeat human observers, but I doubt grep will bat an eye. And your ISP will pass the costs of tracking your chaff traffic on to you.

Re:Won't someone please think of the children

[Anonymous Coward]

Won't someone please think of the photographs?

In the UK they are the terrorists.

http://www.theregister.co.uk/2010/01/12/police_search_illegal/ [theregister.co.uk]
http://www.theregister.co.uk/2009/12/11/police_quiz_itn_reporter/ [theregister.co.uk]
http://www.theregister.co.uk/2009/11/26/kent_police_tall_explanation/ [theregister.co.uk]

Re:Won't someone please think of the children

[tomhudson]

"Businesses like Level 3, Google, etc., are far less likely to be cooperative.:

Wrong about google. Google has said that they don't need a subpoena, just a belief that the cops *could* get a subpoena, and they'll roll over on you.

And google has a LOT of data on you.

Re:Just make it permanent

[the eric conspiracy]

Uh I thought the US Constitution had the concept that laws could not be retroactive.

Just sayin'

Re:Won't someone please think of the children

[tomhudson]

Wrong about google. Google has said that they don't need a subpoena, just a belief that the cops *could* get a subpoena, and they'll roll over on you.

Reference please.

Try reading Google's Privacy Policy [google.com].

Information sharing

Google only shares personal information with other companies or individuals outside of Google in the following limited circumstances:

• We have your consent. We require opt-in consent for the sharing of any sensitive personal information.
• We provide such information to our subsidiaries, affiliated companies or other trusted businesses or persons for the purpose of processing personal information on our behalf. We require that these parties agree to process such information based on our instructions and in compliance with this Privacy Policy and any other appropriate confidentiality and security measures.
• We have a good faith belief that access, use, preservation or disclosure of such information is reasonably necessary to (a) satisfy any applicable law, regulation, legal process or enforceable governmental request (b) enforce applicable Terms of Service, including investigation of potential violations thereof, (c) detect, prevent, or otherwise address fraud, security or technical issues, or (d) protect against harm to the rights, property or safety of Google, its users or the public as required or permitted by law.

What this means is that google only needs to believe that the government has to make a request that they "could" enforce if they had to.

No warrant required - they just have to believe that the government could get one if they needed to.

Also, google just has to have a "good faith belief" that a request is necessary to satisfy any legal process - which also includes the **AA requesting records of your searches, google docs, etc., if they're suing you. Again, no warrant, etc., so no chance for you to quash it in court.

"good-faith" - that's nice. Would you let cops search your house on a "good-faith belief", or would you demand to see the warrant first, like the law says is your inalienable right?