DOJ Seeks Mandatory Data Retention For ISPs

Hugh Pickens writes "Computerworld reports that in testimony before Congress the US Department of Justice renewed its call for legislation mandating Internet Service Providers (ISP) retain customer usage data for up to two years because law enforcement authorities are coming up empty-handed in their efforts to go after online predators and other criminals because of the unavailability of data relating to their online activities. 'There is no doubt among public safety officials that the gaps between providers' retention policies and law enforcement agencies' needs, can be extremely harmful to the agencies' investigations,' says Jason Weinstein, deputy assistant attorney general at the Justice Department, adding that data retention is crucial to fighting Internet crimes (PDF), especially online child pornography. Weinstein admits that a data retention policy raises valid privacy concerns however, saying such concerns need to be addressed and balanced against the need for law enforcement to have access to the data. 'Denying law enforcement that evidence prevents law enforcement from identifying those who victimize others online,' concludes Weinstein." Think about how much evidence is denied to law enforcement by envelopes, opaque concrete, and criminals' failure to shout.

Another unfunded mandate

[snobody]

So, now ISPs all have to buy terabytes of hard disk space to store all of those log files just in case some nosy prosecutor comes a callin'? ISPs might be better off threatening to just shut down operations and leave their customers disconnected to get the point across to the lawyers in congress that they need to consult with the people they're trying to regulate before throwing impractical solutions at them.

Re:

[Anonymous Coward]

As an unfunded mandate it would effectively be a stealth tax. Either the firm eats the cost and lowers returns or they raise prices. No matter what the firm does someone will pay (either investors or customers). I doubt the politicians will support an effective tax increase in the current environment, especially given that it would not help with the deficit.

Re:Another unfunded mandate

[stonewallred]

How about passing a law that states no one may sweep, mop, dust or clean any building because of possible evidence? And don't forget to make it illegal to wash or destroy any clothing because it may contain evidence to a possible crime. Not to be an ass, but catch them in the act, catch them through stings or give the fuck up. Ain't no business of the government what I am looking at on line, and the fact they want to hold those records, forcing the ISPs to pay for it (which in turn forces me to pay for it) is fucking retarded just like GWB and Obama's love child would be.

Re:

[Anonymous Coward]

You seem to be laboring under the delusion that politicians' support depends on the economic effects of a proposed measure, rather than on popular perception.

Most people will see this as "Yay, gonna get them child pronoguffers now!" and completely ignore the economic effects, so politicians will either stand for it, or use such excuses as "keepin' tha gubbermint out of your damn bizness" to oppose it. Nobody will talk about the economic impact, because most voters don't want to hear about it.

Re:

[poetmatt]

it won't pass.

companies will fight this bigtime, and it incurs a huge cost upon the companies (and a huge liability).

So unless government wants to pay for it I highly doubt the ISP's will be willing to do it.

Re:

[JBL2]

Why not send the data to "law enforcement" in real-time, and let them worry about storing it?

Re:

[olsmeister]

Why not send to /DEV/NULL? I think the real issue here is the fact that the information is being kept, and not necessarily the mechanics of how it is done.

Re:Another unfunded mandate

[Chrisq]

Why not send to /DEV/NULL? I

because my system is case sensitive and you would fill up the hard disk very quickly.

Re:

[eternalelegy]

mkdir /DEV && ln -s /dev/null /DEV/NULL

I'm Winston Wolfe. I solve problems.

Re:

[calmofthestorm]

+1 creepy

Re:

[element-o.p.]

Two words: "Chilling Effect".

It's supposed to be hard for the government to snoop on ${Random_User}. That is what prevents the government from going on fishing expeditions, which is definitely a Bad Thing.

As a simple example, I have been rather put off by the policies TSA put in effect last November, and have visited quite a few web sites protesting those measures in the last couple of months. I also have an interest in amateur model rocketry, and recently discovered that there were people

Re:

[enaso1970]

The NSA will help - they need something to put on that 150 yottabyte system they're thinking about. Or are they planning the world's greatest porn repository ever in a socialist takeover of another great American business. In which case they may need more space soon.

Re:

[Charliemopps]

Speaking from experience an ISP with a couple of million customers keeping DHCP log files for all of them, stored in flat text files, come to about 1-2gig per day. Stored in a proper database, they are <100mb per day. That's all I've seen Law Enforcement ever ask for "Who does was using this IP address on this date?" and the DHCP logs cover that.

The problem isn't the storage. The problem is the retrieval. You've got to remember DHCP logs go by mac address. Finding out which customer was on a paticular pi

Re:

[Danathar]

Is it 2Gigs after compression?

Re:

[lamber45]

Postgres has data-types for storing MAC addresses and IP addresses: manual section 8.8. Now the only other thing you need is a table of equipment by MAC address and time-range... although maintaining that table would be a big unfunded mandate if you don't do it already.

Re:

[bleh-of-the-huns]

More so, logging via MAC address, which is a modifiable identifier is a moot point. For example, I have FIOS, I have long since replaced my actiontec router (three times actually), and use an openbsd box as my primary gateway/firewall, for the DHCP to function, I had to forge the mac address of the actiontec on the openbsd box.. easy enough to reset, and when they show up, the actiontec router I have will have a different mac address. Obviously, this will not remove all suspicion since the MAC is associat

Re:

[SuricouRaven]

Depends if they just want to mandate retention of DHCP logs. Useful as it is to be able to match up an IP address to a customer, they may be thinking of other things they could request. For example: "Jonny Pervert is probably a pedophile. Please tell us every email address he has sent email to in the last two years, the subject line and the size and filenames of attachments, so we can see if he emailed any child porn to his pedophile friends."

Devils advocate - I do understand the cops

[h00manist]

I do understand the cops. There is a lot of crime, and there is data available to catch crime, without having to resort to infiltrating organized gangs and risking the life of an investigator. Access to that data that could save a lot of lives and abuse and trouble, but such data collection is prohibited under privacy laws. Now, they must understand the public position if they want data to be able to do their jobs better. Allowing data to be collected is a serious invasion of privacy, basically amounts to

Re:

[Lord Ender]

Forcing companies to record what you do online just in case the police want to investigate you in the future is the ethical equivalent of forcing companies to record what happens in their bathrooms just in case the police want to investigate something in the future.

Someone could commit crimes in either locations. Spying on people preemptively is a violation of a fundamental human right to privacy. If there is a crime and a warrant for a specific incident, plant the cameras and taps to record activities. But

community mesh networks

[h00manist]

http://www.open-mesh.com/ [open-mesh.com]
closest thing I've found so far.

Re:

[mlts]

Those logs will be REALLY useful to a bunch of people, and not just LEOs.

Take lawsuits on a large scale. It would be trivial to get a litigation group together to demand ISP logs, riffle through them and build massive copyright lawsuits on the ISP's customers based on sites visited, and perhaps info downloaded. Remember: if it swings past a jury, it works, so it doesn't have to be CSI level of evidence for proof, just something to show it is more likely Joe Sixpack downloaded a movie than not likely. So

Re:

[SuricouRaven]

And advertising or market research. If an ISP has extensive monitoring and logging installed anyway, why not? They are paying for it, they'd like to see some return. Just runs the logs through a minimal anonymiser and sell to a market research agency, so they can ask important questions like 'do people who visit Apple's website tend to google for information on Android phones first, or just go straight to the iPhone?'

This'll end well...

[Onuma]

The government basically has the ability to snoop into about any portion of your life, and some people want to INCREASE that ability? No thank you. He who sacrifices freedom for security deserves neither.

Re:

[h00manist]

Just link the monitoring of the public to the monitoring of the government.

Warrant?

[sureshot007]

I think as long as they have strict rules for the burden of evidence for a warrant to see these records, I wouldn't be opposed to it. I don't think that police should have free range over all of this data though. I think this data should be used to help convict people, not discover them in the first place.

Re:Warrant?

[characterZer0]

I have a problem with it. The want to demand that my ISP increases their costs (which naturally will be passed on to me) to store data to be used against me, despite that I have done nothing illegal. And it will do nothing to catch criminals, because they can just pass all their data through an encrypted tunnel to a VPN provider in another country. Waste of my money.

Re:

[SuricouRaven]

It'll help catch the stupid criminals, at least. Why go after the smart ones when the convictions-per-dollar rate is so much better catching the dumb ones?

Re:

[thejynxed]

They already catch the stupid criminals without this.

This is nothing but security theater, just like it is over in Europe.

Oh wait, it's the 10 year anniversary of 9/11 this year, coincidence? I think not.

Let them give the example, and record themselves.

[h00manist]

If they want individual behavior data records to audit misbehaving people, let them produce it on themselves first and give the example. When we see a serious increase in the levels of sentencing, not just arrests, of public and corporate officials and law enforcement for pedophilia, involvement in drug trafficking, blackmailing, illegal espionage, corruption, and so on, then we'll discuss allowing it for the rest of the population.

Comment removed

[account_deleted]

Comment removed based on user account deletion

were prosecuted

[tinkerghost]

According to the article you linked to, most of them were charged. One fled the country & at least 1 died before he could be indited.

On the other hand, how exactly do you find child porn on a PC doing virus removal or hardware repairs? Unless the guy is stupid enough to leave the individual files on the desktop or label a folder child porn you shouldn't have any clue that it's there.

Re:

[JonySuede]

names in the most recently used files in the start menu is usually a good give away

Re:

[SuricouRaven]

"In reality, what will happen is that the dumb crooks will get smarter and start using VPN services"

Possible. But, hypothetically, if I were an internet pedophile, I'd look at Freenet first. Possibly Freenet via a VPN if espicially paranoid.

Re:Warrant?

[cold fjord]

Most things that the government requires add costs: various forms of record keeping, emission controls on automobiles, workplace safety devices, etc.

Substitute accountant for ISP and you could make the same argument, including most of the "clever criminals can outsmart law enforcement" argument.

How is this really different?

Re:

[sjames]

It's a LOT of data and contrary to claims, much of it is not recorded at all now. At least with the accounting, it really is data that was already tracked so the new laws really just made them wait longer before shredding it.

Emission controls and workplace safety are internalizing externalities and in the case of safety, spelling out how to not be negligent.

In contrast, this is demanding new infrastructure to do something never done before so the police can conscript and deputize the ISPs.

I say we start wit

Re:

[blueg3]

And it will do nothing to catch criminals, because they can just pass all their data through an encrypted tunnel to a VPN provider in another country.

This argument isn't correct. You assume that every criminal will circumvent this measure. That ignores all the criminals who don't (obviously). Given that there are a ton of great ways out there already to avoid getting caught doing bad things on the Internet and lots of criminals don't bother with any of them, it seems likely that lots of criminals also won't bother circumventing ISP logs.

Re:

[StikyPad]

The want to demand that my ISP increases their costs (which naturally will be passed on to me) to store data to be used against me, despite that I have done nothing illegal.

Yeah, man! Where does this end? Next thing you know they'll be taking money straight out of our paychecks to build prisons and shit!

Requiring warrants are not a guarantee of anything

[h00manist]

Requiring warrants doesn't make conditions equal. Once data exists, it leaks, via legal, semi-legal, and extra-legal routes. There's no denying it happens. So if data exists on the public, data should exist on the officials. More so perhaps, as their positions require us to trust them for our basic rights to exist, but they don't need to trust us for their rights to exist. Records on citizens are usually used to prosecute criminals and/or abuse citizens rights. Records on public officials can be manipulated and forged to fake legitimacy. It'll be rare to have it leaked or released for evidence of abusive behavior. So the balance of power the records will supply has to be equalized somehow.

Re:Requiring warrants are not a guarantee of anyth

[Anonymous Coward]

It's not going to be just the police. If the data is there it will be available to civil suits. Things like showing your ex-spouse visits porn sites and is clearly not a suitable parent.

Re:

[h00manist]

It's not going to be just the police. If the data is there it will be available to civil suits. Things like showing your ex-spouse visits porn sites and is clearly not a suitable parent.

Fair game, so long as legit, verified data of the same kind is available on anyone and everyone upon judicial order, from the nerdy teenager all the way to everyone in the White House, DOJ, Wall St, Pentagon, your boss and his wife, etc. We'll see who has the most stuff to hide.

Re:

[gknoy]

Or whose records were "lost" in a "freak backup accident".

Re:

[h00manist]

So the balance of power the records will supply has to be equalized somehow.

We just have to throw enough chaff into the system to drown it in crap

Honestly if something like this were proposed and I actually thought the records on all officials would be kept and presented correctly, when investigations are requested by the public, I would vote for it. I think the public in general would have much less to hide than people in power.

Re:

[intheshelter]

Because they adhere to the strict letter of the law as it is, right? Warrantless wiretaps? Secretly funnelling all telecom traffic to the NSA? Bypassing FISA courts?

Seriously? You actually trust the government to adhere to the law?

Re:Warrant?

[SuricouRaven]

We had a recent incident in the UK where a full armed assault team were sent in to raid a guina-pig hut. The high-powered heaters used to keep the pets warm in the winter made the hut glow in infrared, and a building that hot usually means a small pot farm. So in go the SWAT team, only to find out with great embarassment that there were no drugs to be found. Just comfortably warm guina-pigs. It ended up with the department head having to go to visit the family and give his personal apology for the mistake.

Re:

[Anonymous Coward]

That would never happen here in the US!

(In the US, the family would have been forced to watch as the police killed the guina-pig (because it tried to bite one of the officers), and then been forced to stand outside in the cold while the police tore the house apart looking for anything illegal. And when it was all over, there would definitely not have been any apology, and the family would be left needing a new door.)

Re:

[Hatta]

Is that really any more outrageous than the police raiding a home and finding pot? In either case, the greatest threat to the public is the police.

Re:

[commodore6502]

>>>Move along citizen or "you'll be in BIG trouble!"

Just because a cop orders you to do something, does not mean you have to comply:

"Open your trunk!"
No.
"Let us in your house!"
No.
"Stop camcording me!"
No.
"Let me search your bags and stick my hand on your breast!"
No.

Learn to say no to unconstitutional orders from the jackbooted officers. And if the cops lose control and beat you, well you just won a multi-million dollar lottery. Celebrate.

Re:

[SuricouRaven]

They can't be sniffing all the traffic - reassembling TCP on that scale just isn't practical. Far too much data. I wouldn't be surprised if there were something like this operating on email, though - as any attachment has to go through the SMTP server, it would be easy to check them there.

OK. You can record me if I can record you.

[h00manist]

If records of my activities are recorded and available for investigation, and I have equal rights, those of all people should be too. Given that home users are directly linked to an ISP and all their activities can be directly monitored with a very high likelyhood of locating and monitoring the proper suspect in an investigation, they are at a distinct disadvantage when compared to others who can mix their activities with many other users in a large office or government division by hiding behind a corporate firewall, who can then respond to investigators with strong legal and technical protections as well. So all government offices and corporations should have their records kept by third parties as well, installed on equipment directly linked to their switches within their environments, and revealed to the public under FOIA and/or judicial order. In fact, for certain positions requiring high public confidence, such as public representatives, publicly traded companies, or groups managing public resources, connection of their own computers and that of their staff should be monitored and records kept for possible future breach of public trust investigations.

Re:OK. You can record me if I can record you.

[dkleinsc]

See, you don't understand the rules right now. In the post-9/11 world, you have to remember that any attempt by the government to record you is justified until the crisis is over because it is needed to defend your freedom, and any attempt of you to record the government is serious espionage that will result in being locked up for months in solitary confinement without trial [wikipedia.org] until you turn on somebody else that the government wants to prosecute but doesn't have any evidence on.

Now, please show us your papers.

Re:OK. You can record me if I can record you.

[jimbolauski]

Or you could just use an out of country VPN to hide yourself and if your super paranoid multiple VPNs. The best part is that the pedophiles all ready do this so it won't even help the children, and will probably hurt them because more people will turn to VPN's so the traffic will be even harder to trace.

publicly traded companies?

[tacokill]

You do realize that publicly traded companies aren't "public" like the government, right?

Despite the misnomer, publicly traded companies are still private entities owned by individuals (or groups of individuals). What the heck gives you the right to see ANYTHING they are doing, aside from normal regulatory compliance?

Re:

[GrantRobertson]

Publicly traded companies have a fiduciary duty to behave responsibly with the money their stockholders have entrusted to them. Even though they are owned by a relatively small portion of the public, any member of the public could be an owner or be considering becoming an owner. Therefore, the public has a right to know what is going on inside of that company. That is the concession the company makes in order to be allowed to sell stock on the publicly traded markets. That is why publicly traded companies a

Re:

[h00manist]

The stockholders have the legitimate rights to inspect their corporate representatives. They need access to reliable data on abuse of power. Also, given that many of these executives hold vast power over matters of great public influence, public infrastructure, services, etc, such as the military, security, health care, education, telecommunications, and transportation, in many cases members of the public and law enforcement need evidence of criminal activity in case there is any. There is often suspicion o

Re:

[sjames]

Their corporate charter that requires their existence to be in the public interest. Note that most of the owners will end up better informed than they are now as well.

Note that the OP also offers that NOBODY be tracked in that way as an alternative.

Re:

[EasyTarget]

"What the heck gives you the right to see ANYTHING they are doing"

Straight from the 'smells faintly of fascism' big business apologist jerk handbook..

When corporations influence over me becomes equal to my influence over them.. then I will no longer need such a right... Until then, while they lord it over us in a manner indistinguishable from a government, I will treat them with equal distrust as a government.

Re:

[elrous0]

Oh, but law enforcement is above the law, of course. You ever seen a cop get pulled over for speeding?

Re:

[h00manist]

Oh, but law enforcement is above the law, of course. You ever seen a cop get pulled over for speeding?

Right. So public vehicles must have GPS trackers with code analyzing abuses such as speed, slacking off, use for private purposes, etc. The public has a right to it.

Yes, let's collect evidence of crime at all levels

[h00manist]

The public has a right to have evidence of crime collected and available for investigation in Washington.

Re:

[schmidt349]

Only if you want DC-area bathrooms to be flooded with, er, wide-stanced Republican congressmen.

Re:

[h00manist]

Only if you want DC-area bathrooms to be flooded with, er, wide-stanced Republican congressmen.

I'm no fan of Bush's criminal party, but neither party has a monopoly on wrongdoing or is composed of 100% clean-record public officials. Investigate everyone and let the chips fall where they may.

envelopes

[UnderCoverPenguin]

,quote> Think about how much evidence is denied to law enforcement by envelopes, opaque concrete, and criminals' failure to shout.

I remember reading (several years ago) about a chemical that can supposedly make paper temporarily transparent .Also, seems to me that graphite and even pen ink might show up on an MRI scan. As for concrete, a portable neutron scanner should be useful to get some idea of what is inside. (No idea if such a scanner would be affordable to any but the very most important cases any time soon.)

Re:

[SuricouRaven]

Old ink, of the type used in some historical documents, can show up on an xray. That's one way of recovering data from such documents when they are too old to read by conventional means. It wouldn't work on modern biro ink though.

Re:

[sjames]

X-rays won't, but there are other scans that might work on modern ink.

Monitoring capability is here. It will be used.

[h00manist]

There was no technical ability to monitor before, by government or by people or by random groups. Concrete walls, paper envelopes and quiet conversations were all reasonable guarantees of privacy by nature, there was no way to record them. Now everything can become data and be recorded and transmitted. The cost is going down and the abilities expanding. It will be done undercover, and sold on a black or gray market, legal or not, in dozens of ways. As we are all seeing. Universal monitoring capability

The good old "child porn" excuse

[dkleinsc]

especially online child pornography

There are 3 targets for every government intrusion on civil liberties:
1. Terrorists
2. Child porn
3. Drugs

The law enforcement agencies have determined that those are the issues that can be used to push absolutely anything through. For instance, trying to catch terrorists allows them to grope everybody with absolutely no suspicion of wrongdoing. Drugs allow them to break down your door at 2 AM, guns drawn, without identifying themselves as the government, and in some cases killing people. And of course child porn and terrorism allows them to watch absolutely everything you do online. That these are plainly illegal doesn't matter, because anybody who disagrees with them must be a terrorist, child pornographer, or junkie.

That doesn't mean those threats don't exist, but if they were serious about addressing the real risks around us they'd be focused on more mundane issues like traffic violations.

Re:The good old "child porn" excuse

[inthealpine]

You may have a point. I always found it interesting how the government flips shit about child porn pictures, yet we hear very little of actually catching the people who make the child pornography. I mean, how many people have the feds arrested for having child pornography where the result of that arrest ended with the subject child being rescued from whomever was taking the pictures? It's not like I feel bad for the scum bags being arrested, but if we are doing this ''for the children'', are we actually directly saving any children?

Re:

[silas_moeckel]

I work in the hosting business and can tell you flat out they only care about the low hanging fruit. If they were commercial and took CC payments in any way they were all over it as it was straight forward we hand them the evidence from the site (site contents logs etc) they got the info on everybody that paid them and arrested them all. I do not think they ever got the site owners they generally came in from countries (or were proxied in) that were not to friendly to the US. Ok fine and dandy they got t

Re:The good old "child porn" excuse

[melikamp]

Child abuse and child pornography have very little in common. If you are a child pornographer, it is virtually impossible for you to be also a child abuser: child abuse is already against the law in every jurisdiction in the world, and if you put pictures of your wrongdoing online, it's like turning yourself in. We all guess that nearly all child abuse is done by parents, who do it without any kind of incentive besides the abuse itself. They don't do it for money, they don't do it to brag. Only the stupidest of them actually take pictures, and the insane ones share them, and it stands to reason that they are also the ones who tend to get caught (another case for non-commercial distribution being legal). We can all also guess that almost all child porn that's out there is done by Russian cyber-criminals, who don't abuse any children themselves, but rather push around badly-cut RARs with compilations of 30 year old photos of children abused by someone else in the past. Of course there must be exceptions, and there are gray areas having to do with the exact legal age, but when it comes to having 8-year-olds participating in sexual acts, the picture is just as above. IMHO, it is a lie that non-commercial distribution of child porn hurts children (abusing children hurts children, and so does child porn production, as so does commercial distribution, and people who engage in any of these should be in jail), and it is true that modern child porn laws are characteristic of a police state.

Re:

[capnchicken]

You forgot drunk driving. [drunkdrivingdefense.com]

Child Pornography

[Tuan121]

adding that data retention is crucial to fighting Internet crimes (PDF), especially online child pornography.

Sorry, but what is this obsession with child pornography? I don't care that someone is looking at it. Sure I care that someone took the pictures / did whatever, but so what if people are looking at it. You can call them sick or whatever you want, but there is a huge difference between some perverse fantasy and acting on it. Have you been arrested for the random dream of killing your boss? I don't think so.

On this subject, is there anything else that is illegal to simply have possession of that can abso

Re:Child Pornography

[SuricouRaven]

Originally, just sexual abuse of children was illegal. Then it became child pornography, on the grounds that demand for it created an incentive to abuse children. After that though, it just got sillier and sillier. It's a ratchett effect - any politician can gain by tightening or extending the law in this area, but to so much as suggest weakening it would open one up to accusations of not careing about protecting children. So the laws can only ever get broader, never narrower.

Re:

[dreampod]

The theory is that the production of child pornography fundamentally requires a child to have been abused. Thus by possessing such an image you are complicit in that abuse and create incentives to do so. I'm not convinced that it would be a sound theory in reality even if it weren't for the fact that the same laws criminalize non-abuse involved images produced by artists without the use of a model and fictional stories that include child sexuality. Overall the entire mass of 'child porn' laws are predica

Fixed IP(v6) addresses and end-to-end encryption

[cpghost]

All this data retention crap w.r.t. recording IP addresses is a moot issue, when the ISPs will move to IPv6. Everyone will have a (set of) fixed IP addresses anyway; just like our currently fixed phone numbers. For everything else, we'll have to develop or use an already existing end-to-end encrypted layer on top of IP, so that ISPs as men in the middle won't have anything to record and report to our big brother governments.

Re:

[SuricouRaven]

End-to-end encryption is awkward, though. It's doable, yes, but it takes some level of skill to impliment still - and most people, having nothing to hide, just don't care about privacy that much. Just look at how many people use Facebook.

Re:

[mlts]

For now that is. If people start getting arrested left and right for stuff they did on their ISP, or their school suspends/expels them for activities done at home, people will start caring and start locking their business down.

I think it is only a matter of time before we start seeing some extremely large anonymous VPN services appearing, and an anonymous service provider will be as needed as an ISP.

Re:

[Imagix]

Re: Fixed IPv6 addresses That would depend on how your ISP deploys IPv6. In the cases that I know of, you're gonna get a dynamic IPv6 address pretty much the same way you do in IPv4 (see RFC 3315). Or for the enlightened ISPs, you'll get an entire /56 prefix from your ISP (or at least something between a /48 and /64).

This could be a drinking game

[Ltap]

"For the children" excuse, data retention, "cracking down", child molesters . . . Although I think almost all of these stories have the same elements, we would need new livers soon enough.

So, I'm curious...

[Akratist]

Given that it seems like quite a few cases of people who have illegal porn on their computers are caught when they take their computer in for service, why don't we just pass a law requiring that everyone has to take their computers in for random checks? Really, absurdity doesn't play a role in these decisions, does it?

Next, record all phone calls.

[inthealpine]

This would be like saying that all phone providers need to record all Americans phone call 'content', just in case the government wanted to investigate you for something at a later date.

Stop "Cooperating" With Law Enforcement

[chill]

Provide the information they seek ONLY when they provide a valid warrant. ISPs should not "informally" cooperate with law enforcement. If there is reasonable suspicion of a crime, the law enforcement agency should be able to convince a judge of that and obtain a warrant. Checks and balances.

Re:Stop "Cooperating" With Law Enforcement

[PPH]

Remember how well this worked with the telcos? When the constitutionality of law enforcement's extra-judicial National Security Letter (NSL) program was called intto question and they (the telcos) were at risk of lawsuits for having turned over data, they went crying to Congress for amnesty. And they got it. So why shouldn't they cooperate? Their down side (pissing off dirty cops) is too great.

The NSL program continues to this day unabated. And some of these letters and the subsequent data collection isn't in support of criminal investigations. Its for political or even industrial espionage. Want some info on a competitor (particularly if its foreign)? Got a buddy in the FBI? No problem. They'll tap their phone/-email for you.

I say: All subjects (at least US persons) subject to monitoring shall be served with the warrant or NSL at some reasonable time following the investigation. And no amnesty for ISPs or telcos unless they can be forced to testify against corrupt law enforcement officials in court should those letters be abused by corrupt LE officials.

I have said it before and I will say it again...

[jonwil]

Even if it was Osama Bin Laden brutally raping and murdering little kids and posting footage of same on YouTube it doesn't justify giving the government ANY right whatsoever to do wholesale data collection of telephone calls, bank account data, retail purchases, library borrowings or (as in this case) internet data (emails, web access etc).

I have no problem whatsoever with the FBI/cops/etc going to an ISP and saying "we have x IP address at y time, please find out which customer that was and set up a tap/trace on that customer so we can bust the guy" but wholesale data gathering is something I will NEVER support.

What we need is for someone to come up with something that shows why continued erosion of civil liberties is bad and wont do a thing to stop criminals (including Child Pornographers) or terrorists (including Osama Bin Laden). Something that even the most clueless person can understand.

If you can show people that what their government wants to do wont actually stop whatever criminal activity people want the government to stop (and more to the point, suggest an alternative that will be more effective in stopping the criminal activity in question) people might just listen.

Re:

[blueg3]

All they ask for in this statement is exactly what you said you have no problem with: a reverse mapping of (IP address, time) to customer and customer information (e.g., address).

The problem, they claim, is that ISPs only store this data for short periods of time, which is insufficient. They specifically mention that they are not requesting that ISPs start storing data that they do not already store.

Re:

[VortexCortex]

If you can show people that what their government wants to do wont actually stop whatever criminal activity people want the government to stop (and more to the point, suggest an alternative that will be more effective in stopping the criminal activity in question) people might just listen.

Your assumption is wrong: The Onion Router provides the proof you seek. [torproject.org]

You see, no matter how blatant, commonplace or accessible the proof is people just won't listen; People are stupid -- It's the Wizard's First Rule: Some people will believe anything if they fear it to be true.

Re:

[element-o.p.]

If you can show people that what their government wants to do wont actually stop whatever criminal activity people want the government to stop (and more to the point, suggest an alternative that will be more effective in stopping the criminal activity in question) people might just listen.

I admire your optimism, but my experience suggests otherwise. When you bring someone face-to-face with an unpleasant truth, the tendency is to pull a Miracle Max (you know, fingers in their ears while loudly repeating, "nobody's hearing nothing, la la la la"). Why? Because people are generally lazy, and forcing the government to change requires effort. Typically, people are unwilling to expend that effort until things get so bad that they can no longer pretend not to see what's happening arou

Wow ....

[gstoddart]

So, we should monitor everybody so that if in the future we need to monitor a specific person, we'll already have the data. Brilliant!

Welcome to the surveillance society. Wouldn't this run afoul of the whole "unreasonable search and seizure"? Hell, keep everybody's web history long enough and you'll likely find something you could use against them.

I completely disagree that ISPs should just track everything in case law-enforcement wants it at some point. It's a little Orwellian, and I fear that it is only going to get worse -- in their zeal, governments are really going overboard. This is just depressing.

Re:

[blueg3]

All they're asking for is for ISPs to retain DHCP logs longer.

Re:Wow ....

[gstoddart]

All they're asking for is for ISPs to retain DHCP logs longer.

For now. But this snippet from the linked PDF is kind of scary:

Federal law permits the government only to request that providers preserve particular records relevant to a particular case while investigators work on getting the proper court order, subpoena, or search warrant to obtain those records.

This approach has had its limitations.

Basically, "we find it inconvenient that by law we're only allowed to ask for specific information based on an on-going investigation, we would like some blanket powers so we don't need to bother with this".

Hell, in my book, anybody who is quoting Alberto Gonzales is not to be trusted ... Gonzales routinely made awful decisions like "it's legal because we say so" and "who needs habeus corpus?". From the PDF again ... "Former Attorney General Gonzales similarly testified about “investigations where the evidence is no longer available because there's no requirement to retain the data.”"

Looking at this section:

In some ways, the problem of investigations being stymied by a lack of data retention is growing worse. One mid-size cell phone company does not retain any records, and others are moving in that direction. A cable Internet provider does not keep track of the Internet protocol addresses it assigns to customers, at all. Another keeps them for only seven days—often, citizens don’t even bring an Internet crime to law enforcement’s attention that quickly. These practices thwart law enforcement’s ability to protect the public. When investigators need records to investigate a drug dealer’s communications, or to investigate a harassing phone call, records are simply unavailable.

they're pulling out pretty much all of the bogey-men to say "we need to be able to monitor everything just in case". They cite child abuse, drugs, terrorism ... harassing calls. While these are legitimate law enforcement targets, it's definitely stating the case that they'd really like to be able to monitor everything.

Hell, even the wording they use is charged "Most responsible providers are already collecting the data that is most relevant to criminal and national security-related investigations." ... meaning those who aren't actively helping the government monitor everything are irresponsible and therefore evil.

This just sets them up for way too many fishing trips as far as I'm concerned. You can't just simply apply surveillance and monitoring against an entire society "just in case". This is just plain bad, and it's more like something Iran or Stalinist Russia would do.

Time Warner

[inthealpine]

I was a stand in security and abuse coordinator for a little less than a year at Time Warner Cable. All it took was a subpoena faxed to the office for us to hand over any data request. A lot of times cops would get pissed because a police letterhead fax wasn't enough, but it takes no time to get a subpoena. Police would try to say they were afraid the data could get purged if they didn't get it now, versus a few hours from now which is BS. I would tell them I already pulled the requested data and had it right in front of me so no worries about it being purged, they were not amused.

If any expansion of power is needed it should be the ability to have a request to hold data while a subpoena is processed. That is a simple answer, but the government isn't interested in simple answers its intent is to chip away at privacy so it can do whatever it wants whenever it wants.

How about law enforcement prioritization?

[swb]

My sense is that the "need" for ISPs to do their work for them indicates that law enforcement could better utilize their limited resources.

Maybe spend fewer resources on enforcing, say, drug laws, marijuana specifically, and more time and resources on other crimes that actually hurt people?

And I don't necessarily mean physical crimes (assault, murder) -- how about simple burglary or breaking and entering?

A neighbor's house got broken into; the daughter's laptop was stolen and the window to her room was damaged beyond repair. She needed a laptop for school and, obviously, the window needed replacement. So they're out $3k they don't necessarily have and/or she falls behind in school or they can't close the window to her room, none of which are very palatable choices, especially in a Minnesota winter.

Yet, when they called the cops they got two nice guys who gave them a case number and took the laptop S/N "on the very slim chance it turns up."

So, basically there's no resources to do extra patrols or extra investigators but plenty of guys to take down pot dealers. Yay.

Re:

[Sentrion]

No sheriff or police cheif is going to get serious publicity going after burglars and scam artists. If you want to win Chuck Norris style accolades then you have to bust the drug dealers, and most people associate the dealers with organized crime and street violence. People from affluent neighborhoods have good security systems and insurance policies, so if they are a victim of theft it's just a minor inconvenience, but they will do everything to protect little Johnny from the drug dealers.

Re:

[TheTyrannyOfForcedRe]

My parents were the victims of a hit and run. They were sitting in their car in a parking lot, parked with engine off. An elderly couple hit them while trying to park. The couple claimed they they didn't and refused to provide insurance information. They also refused to stop and get out of their car. My parents got their license plate number and filed a criminal report. The officer taking the report said it was indeed a hit and run. This was over a year ago. Nothing has been done. They cops haven't

Balance

[carrier lost]

the US Department of Justice renewed its call for legislation mandating Internet Service Providers (ISP) retain customer usage data for up to two years because law enforcement authorities are coming up empty-handed in their efforts to go after online predators and other criminals

Just as long as politicians are exempt.

And Just how are they Identifying my traffic?

[haasta]

This is about as useful as a tank of gas with no car. Especially since courts have already determined that an IP address does not identify a person, rather a machine (pc, router, etc). As evidenced in articles such as these: http://www.mediapost.com/publications/?fa=Articles.showArticle&art_aid=109242 [mediapost.com] ; http://yro.slashdot.org/story/09/07/08/1522247/Judge-Rules-IP-Addresses-Not-Personally-Identifiable?from=rss [slashdot.org] & http://www.techdirt.com/articles/20090708/1323075488.shtml [techdirt.com] I am sure there is more out

Who qualifies as an ISP?

[ducomputergeek]

One of my clients is a coffee shop that offers 3 hours of wifi with purchase. I built the software that allows people to log in using their rewards card or by typing their name and an employee granting access. It's been working well for over 5 years on a FBSD box.

The question then becomes, do they count as an ISP? Will they have to maintain records and if so, for a small business like theirs is it going to be worth the hassle?

Mandatory data retention for bars and restaurants

[Animats]

We need mandatory data retention for bars and restaurants. Bars and restaurants should be required to retain audio and video surveillance data for six months, in case it's needed by law enforcement.

Implementation should begin with Washington, D.C., to retain evidence of political corruption.

Re:

[Vectormatic]

man, i've seen people say "1984 is not a manual" in their sigs, you yanks* must have read that and thought "Fine, we'll use mein kampf instead"

*the govern-mental types anyway

But good god, that is fucking scary right there...

Re:

[betterunixthanunix]

Making the legal system work faster? We have too many laws for that. Ironically, it seems that the police want this mandatory retention so that they can better prosecute people for breaking the very same laws that are responsible for our judicial slow down.

Re:

[bughunter]

Which behaves just like BushCheney's "justice" department, which acted just like Clinton's "Justice" department, which acted just like Bush40's "Justice" Department, which acted just like....

The DOJ stopped 'belonging' to a president long, long ago.