ISP Tracking Legislation Hits the House

cnet-declan writes "CNET News.com reports that Republicans in the U.S. House of Representatives announced yesterday legislation to force ISPs to keep track of what their users are doing. It's part of the Republicans 'law and order agenda,' with other components devoted to the death penalty, gangs, and terrorists. Attorney General Gonzales would be permitted to force Internet providers to keep logs of Web browsing, instant message exchanges, and e-mail conversations indefinitely. The draft bill is available online, and it also includes mandatory Web labeling for sexually explicit pages. The idea enjoys bipartisan support: a Colorado Democrat has been the most ardent supporter in the entire Congress."

Good luck

They may as well legislate that gravity be lessened to solve the obesity problem. It's just as feasible from a technical sense.

Re:Good luck

Shhhhhh!

Don't give them ideas.

the problem is, they don't realize the massive hardware costs that would be involved.

What's more if they did understand the expense and barriers of such a plan, they wouldn't care.

Re:Good luck

Screw the hardware costs. It's just plain impossible. How can the ISP know which data is e-mail, IMs, etc?

I don't know about you, but I connect to a mail server using SSL, and the server is not operated by my ISP. Are they going to log some unintelligible bits? Are they going to force people to use their ISP's mail server? Who is an ISP? Anybody who resells bandwidth? How will they know you're reselling bandwidth? Etc...

Re:Good luck

You're thinking of "ISP" in the wrong light.

Whoever your e-mail provider is is also an ISP. They provide an Internet service. Therefore, they are required to maintain whatever logs are mandated by the government. If that includes storing backups of e-mails, so be it. The company that provides you access to the Internet doesn't have to maintain that information--they're just a conduit.

Of course, the government might try to claim this, and then they will simply shut down any ISP for which they go after this information. It's pretty well impossible to capture and maintain all of the traffic that crosses the ISP's gateway for any useful length of time.

Re:Good luck - SSL?

I do have something to hide.

It's my password. If anybody learns what it is they can use my server as a spam relay, read my mail, etc.

Re:Good luck

I don't know about you, but I connect to a mail server using SSL, and the server is not operated by my ISP. Are they going to log some unintelligible bits? Are they going to force people to use their ISP's mail server? Who is an ISP? Anybody who resells bandwidth? How will they know you're reselling bandwidth? Etc...

Bingo. Even if the government gives you bad SSL certs and otherwise attacks and cripples every KNOWN secure protocol, it'll only get them so far.

If that happens, some company will spring up outside the USA that will charge a monthly fee to tunnel your Internet traffic through their servers via SSH. And they'll send you the server's public key fingerprint via postal mail so that you can verify that there's no man-in-the-middle attack. That will be foolproof unless the US govt decides to start opening mail and altering anything that looks like a public key fingerprint or SHA sum or whatever. And then the foreign companies will start broadcasting their public keys via short-wave radio. And then the govt could ban short-wave radios. And then... this is beginning to look like North Korea...

Note that I do not believe any of this will really happen. I do not believe we Americans will accept a totalitarian government. I don't even believe we'll accept small steps in that direction in the long run. I think the proposed policy is destined to fail and is the result of (a) a power-hungry administration (whose time is up in 2 years anyway) and (b) a desire to catch terrorists and (c) an extraordinarily bad understanding of technology.

It's amazing to me how legislators and policy-makers fail to understand crucial points about technology. They believe that DRM can be effective (or, failing that, they make it illegal to break), they blithely ignore the global reach of the Internet, and they don't know how easy it is to use strong encryption. They need to pick and choose their battles differently.

Re:Good luck

Note that I do not believe any of this will really happen. I do not believe we Americans will accept a totalitarian government. I don't even believe we'll accept small steps in that direction in the long run.

How about a little bipartisan power grab, who'll continue to pass the ball back and forth every four or eight years. They'll keep the people entertained by focusing on social issues (are we pro-gay or anti-gay this year?) while the actual running of government is left to Party lead... sorry, political families like the Kennedys, Bushs and Clintons putting relatives in key positions whenever their side wins an election. Presumably in close cooperation with corporations who run large lobby groups and are the only ones with a considerable sway in day-to-day politics and pay attention to rider bills and the like. Between an election system where it's almost impossible to create a third party and so much of the mass media controlled by corporate interests, it'll seem like the will of the people. I don't think the question is "would people oppose a totalitarian government" as much as "would Americans recognize a totalitarian government before they were neck deep in one?".

Re:Good luck

The sky is not falling.

Here's what the bill says:

SEC. 6. RECORD RETENTION REQUIREMENTS FOR INTERNET SERVICE PROVIDERS.
(a) REGULATIONS.Not later than 90 days after the
date of the enactment of this section, the Attorney General
shall issue regulations governing the retention of records
by Internet Service Providers. Such regulations shall, at
a minimum, require retention of records, such as the name
and address of the subscriber or registered user to whom
an Internet Protocol address, user identification or telephone
number was assigned, in order to permit compliance
with court orders that may require production of such information.

First note that the information they are primarily interested in is being able to tie a user to an IP address. It is trivial for an ISP to keep this information, and any responsible ISP already does so that they can investigate fraud and abuse complaints.

Second, the regulations are to deal with record retention, not tracking. So, if an ISP currently tracks user activity, the AG could require the ISP to keep that information for x days. But this bill does not seem to give anyone the power to order ISPs to start tracking users in ways they aren't already.

Re:Good luck

As the text you notes quotes, that's the bare minimum. The concern is more laws allowing even more to be tracked.
From TFA.
"Because there is no limit on how broad the rules can be, Gonzales would be permitted to force Internet providers to keep logs of Web browsing, instant message exchanges, or e-mail conversations indefinitely. (The bill does not, however, explicitly cover search engines or Web hosting companies, which officials have talked about before as targets of regulation.)

That broad wording also would permit the records to be obtained by private litigants in noncriminal cases, such as divorces and employment disputes. That raises additional privacy concerns, civil libertarians say. "

Re:Good luck

"...but there's nothing in the clear language of the bill that would give the AG the power to force ISPs to track browsing, etc..."

Actually there is:

...the Attorney General shall issue regulations governing the retention of records by Internet Service Providers.

Now, I suggest you go read Title 18, 2257:http://www4.law.cornell.edu/uscode/html/uscod e18/usc_sec_18_00002257----000-.html

Specifically this line:
"(g) The Attorney General shall issue appropriate regulations to carry out this section."

Now... go out and read about the "appropriate regulations" which have been issued by the Attorney General and their practical applications and implications. For example: Federal agents can enter a private home without warning nor warrant, and search through her computer files to check for compliance. Anything seen during that "visit"--regardless of whether or not it has anything to do with "porn", can be used as evidence of crime. By order of the AG, the 4th Amendment ceases to exist for cam girls (any "cam girl" who shows skin is considered a "producer of pornography" and her home is a "place of business").

As with 2257, this legislation clearly and specifically gives the Attorney General a blank check in writing rules--rules which are not debated before nor voted on by Congress, nor signed by the President, yet which hold the weight of law.

You can bet that the initial "attack" will be 2-pronged: Porn and Terrorism. Morality and Fear.

And let's be very clear about this: This will be done under the authority of a single, unelected man; a man who, in the current incarnation, wrote guidelines telling members of the current administration how to get away with torture.

While there are very few politicians that I trust, I do trust in the conflict of personal interests which pervades Congress to create a situation where there is at least some degree of valid debate and limit of authority.

Re:Good luck

This legislator has been sponsored by Toshiba, Seagate, Western Digital, and Network Appliances.

Hard disks are obsolete

The storage requirements are easily achieved with Curved Space Storage (CSS) or the secure equivalent CSS/DES.

This storage method is based on the accoustical storage method that was proven over 50 years ago, now updated with more recent innovations to provide better bit density and bandwitdh. The way this works is that the digital stream is moduled onto a laser that is pointed upwards. As we all know, space is curved, so eventually the laser beam comes back to earth where it can be reread after a long trip through space. There's lots of space out there and it is free.

Re:Hard disks are obsolete - write-only memory!

First, I love this idea, bravo. ;)

However, there is a flaw, the earth, solar system, and galaxy itself are moving at incredible rates, the point in space we occupy now will not be the same point that the laser will return to in a hojillion years give or take. BUT! I think you have come up with a very novel approach at creating the proverbial write-only memory. Quick, patent it!

To keep on topic (some mod has been busting my chops lately for trying to have actual interesting conversations), since the bill sets no maximums on the retention requirements I think it's very likely that Gonzalez et al are going to ask for a rediculous amount of data retention. They've been dropping hints about it for years now, something like a permanent record of every website visited would be the first thing they try to mandate. That alone will be a gut-busting storage requirement, and force many non-mega ISPs right out of business. This bill has the potential to radically affect the businesses that provide internet access, and radically alter the privacy people expect when using the internet. While I hope this bill dies quickly, I fear it will ride the tide of "think of the children" with few obstacles. :(

Re:Good luck

I'm scared that it would be feasible to store logs of URLs visited (at most a few hundred per customer per hour?).

You underestimate the web pages you visit. I did an experiment a few weeks ago along these lines using Firefox's LiveHTTPHeaders. After hitting the front pages of Slashdot, MSN, Yahoo, and two other portal sites, I had 150 requests. That's 30 requests per page. Just now, loading yro.slashdot.org took over 50 requests.

People generate an enormous amount of web traffic without even thinking about it. To expect every ISP to archive that information just because is crazy. It's only really feasible for someone like Google, who is in the business of profiling potential customers (or AT&T, who is in the business of letting the Feds spy on you).

Re:Good luck

That would be an interesting theory if the growth of power was actually fueled by those in power. In reality, it is fueled by the citizens demanding more from their government under the delusion that it will help them. People don't understand that when the government gives you something, it has to take it from you first. Even with progressive taxation, it comes out of everybody's pockets. Giving money to the rich may not cause it to "trickle-down" to the lower classes, but if you stick it to the rich, they'll figure out (Actually there isn't any figuring out involved, but...) how to pass the costs down the chain.

If an idea starts with "The government should..." and doesn't end with something about providing infrastructure or protecting you from physical harm, it's a bad idea... And even some things that fit the formula are bad ideas too.

Guess it's time to stop using the internet

You know, I'd like find out what kind of porn or other illicit sites these legislators are surfing and then dredge that up those records to news agencies. See how that flies in their faces.

Oh, Congress won't pay for it.

This will be another "unfunded mandate" where they'll just fine you if you fail to spend the money to comply.

All in the name of "protecting the children" and "War against Terror".

The question will be, how much money will an ISP have to spend to record everything, in a secure fashion, for years and years? And at what point will the that expense be LESS than any fine that will be levied for non-compliance?

Re:Oh, Congress won't pay for it.

Well here's a quick, very unscientific, estimation:

A quick look at my Firefox history (which stores 9 days of info) shows that it's a little under 1 meg in size. That means that over a month I'd generate 3 megs of history. However, since most web page hits actually result in dozens of actual HTTP requests and most of my browsing is to pages I've already visited, it's reasonable to say that a complete log of my browsing would be at least 10x that, so let's say 30MB/month, or 360MB/year.

My email (which goes back 3.5 years) is about 1GB, but I'd say it's safe to assume that between spam and messages that I didn't need, I've only kept 1% of the email I've received in that time, so 100GB/3.5years would give us about 30GB/year.

I don't keep logs of my instant messaging, but let's just round up to an even 50GB/year for the whole thing. Of course, I'm probably an atypically heavy user of the internet, so for the sake of discussion let's say that the average user is really only 10% of that, or 5GB/year (which is probably very low).

5GB/year * 200Million U.S. internet users is 953 Petabytes of generated data every year. At a current storage cost of about $4M/petabyte, ISPs would (under this law) have to bear a combined total of almost $4 billion / year just to buy storage space for all of this data (which doesn't even begin to take into account the physical space to store the storage servers, the people to run them, the electricity to run them, the backups, etc., etc.).

Conclusion: This is completely infeasible, regardless of whether the law is passed. After all of the costs are factored in, you'd probably end up seeing a doubling (if not more) in the cost of Internet access just to support this.

Won't somebody please think of the children!

This is just sick. Every time I hear this shrill siren about protecting the children I know they're coming for another liberty.

I, for one, don't want my kids growing up in a country run by the thought police.

Re:Won't somebody please think of the children!

Didn't you know that "Child Porn" is the root password to the US Constitution?

With "Terrorism" and "Think of the Children" as the alternates?

Option Labeling of Non-Sexual Content

The draft bill is available online, and it also includes mandatory Web labeling for sexually explicit pages.

What they need is exactly the opposite: optional Web labeling for non-sexually explicit content.

If you think your site is safe for children then you can add a label to that effect. There could even be a well defined process where, if you labeled your site as safe-for-children and it wasn't, then you could be required to take down the safe-for-children label.

Ideally, there wouldn't just be one safe-for-children label but a variety of specific government defined labels that identified a site as being free of specific types of content (e.g. no nude photos versus no sex photos).

huh?

Republicans in the U.S. House of Representatives announced yesterday legislation to force ISPs to keep track of what their users are doing. It's part of the Republicans 'law and order agenda,' with other components devoted to the death penalty, gangs, and terrorists.

Why don't they just put everyone in prison? Then we wouldn't have any crime at all. Problem solved.

Re:huh?

> Why don't they just put everyone in prison? Then we wouldn't have any crime at all. Problem solved.

The Party's goal isn't to eliminate crime by throwing everyone in jail -- it's to eliminate people who piss it off by merely being able to throw anyone in jail.

"Did you really think that we want those laws to be observed?" said Dr. Ferris. "We want them broken. You'd better get it straight that it's not a bunch of boy scouts you're up against - then you'll know that this is not the age for beautiful gestures. We're after power and we mean it. You fellows were pikers, but we know the real trick, and you'd better get wise to it. There's no way to rule innocent men. The only power any government has is the power to crack down on criminals. Well, when there aren't enough criminals, one makes them. One declares so many things to be a crime that it becomes impossible for men to live without breaking laws. Who wants a nation of law-abiding citizens' What's there in that for anyone? But just pass the kind of laws that can neither be observed nor enforced nor objectively interpreted - and you create a nation of law-breakers - and then you cash in on guilt."

- Ayn Rand, Atlas Shrugged, 1957

You don't have to like Rand to apppreciate that she was onto something when it came to how governments think during the design phase of legislation.

Putting everyone in prison

President Eisenhower speaking:

"If all that Americans want is security, they can go to prison. They'll have enough to eat, a bed and a roof over their heads. But if an American wants to preserve his dignity and his equality as a human being, he must not bow his neck to any dictatorial government."

This would change the way people use the web.

I imagine many people would simply start tunneling all their traffic to countries without such idiocy.

You have to admit...

Mandatory labeling of sexually explicit images will make them much easier to find.

I love the spin

Folding this bill into a larger "law and order" agenda makes it more difficult for people to criticize it; "what, you against law and order, you filthy terrorist?"

If similar bills had no chance in a Republican-controlled Congress, does it really have a chance now? Doubtful, especially since the Democrats have a comfortable majority in the House.

Besides, I'm not a fan of impractical laws that are extraordinarily difficult to enforce. If this bill became law, do you think certain users would create scripts that visit hundreds of thousands of sites, just to clog the log books?

Nice work

I can only imagine how politicians think:

"Hey how can we kill off a lot of small businesses so our big behemoth telecomm contributors can make more money in the long run? Ooh! increased operating costs! Our friends have the coffers to handle this while their smaller competitors die off. We'll have to make it look like something else though. Tie it to crime. Everyone hates criminals."

constitution

we havent had a decent amendment in a while. time for a push for an explicit right to privacy?

First Reaction and Real reaction.

My first reaction was "Good because wading through terrabytes of useless data will really help win the war on terrer!" However on sober reflection I realize that the very technical infeasability of this is part and parcel of the problem.

For those of you that haven't seen Terry Gilliam's Brazil [imdb.com] you must it is an essential requirement for anyone who would just react with the snarkiness I mentioned above.

They can't parse all of that data. A single major ISP on a single day would generate terrabytes of data if everything was logged. In that event any actual law enforcement methods would be swamped by the sheer beureucratic waste of it all. Massive computer systems performing continuous number crunching would still come up with garbage.

But that doesn't matter!

It isn't necessary for this to work. What is necessary is for them to make people perceive that it works at least enough to get it put in place. At that point the system becomes self feeding. Don't like it, well that can get you put on the short list for a check of your habits. Because they can look at a single person's habits, they may be wrong but they can and will do it. But in general the system will be a large self-feeding monstrosoty and any "errors", because there are always errors will be dealt with in the same way that the no-fly-list errors are handled: "not my department, next please!"

Eventually success of this process ceases to be the object only its continuation. Once a large enough beureucracy is established staffed with enough place-men and place-seekers to protect themselves then this will take over. Consider the Drug war as an example. Yes it hasn't hit full steam but think of ho many things today are justified by means of the "Drug War". And take a look at the way justifications for the war are handled. Money for the Partnership for a Drug-Free America (led by America's Drug Czar) is spent convincing us to back the drug war or not to vote for legalization. In turn the DEA's budget (paying America's Drug Czar) goes up and who the hell cares if the drugs are stopped. And they aren't even fighting "Terrorists".

In many respects it reminds me of East Germany. At the height of their power the East German Stasi employed one in fifty members of the population as full or part-time spies. This doesn't count the large beureucratic staff that they had or the massive infrastructure that was built and run just to sort through it all. The social costs were enormous as any infraction was targeted for no good reason. The economic costs in turn were insane and deprived the state budget of much of the money that might have been spent say building an infrastructure or feeding the population. No nation on earth had more complete information on its citizens and no nation on earth spent more obtaining it.

Ultimately crime was still committed and even the dissident groups grew because they a) hated the government that much, b) were often flooded with spies sent in by the Stasi, and c) could get away with it. None of the objectives of the Stasi were acheived and East Germany fell, it fell and noone misses it.

This "Law and Order" bull must be stopped, and it must be stopped now! We cannot sit back and think that this is okay or that it will "work its way out. Those of us with a technical mindset are in the best position to explain why this will not work and what a costly destructive system this will be, and we cannot put it off.

For those in the U.S. go Here [house.gov] to find your house rep and place a phone call or send a letter. Then for good measure go Here [senate.gov] and tell the Senate not to go there either. Following that try sending a letter to you local paper's letters to the editor. While many of us no longer read the dead-tree press it can and will make

You think this is bad!

Look at what they have also introduced! Beware H.R. 393 [loc.gov]!!

reference to IM and chat records misleading

The post refers to IM and chat logging but they are mentioned no-where in the bill draft. The bill asks that IPs be logged to subscriber names and nothing else. The words instant messaging and chat dont even appear in the text of the the bill at all. The post then links to a previous post about what some people in government would like to monitor - including the IM and chat logs. You cant just draw a line between the two without support facts.

Re:reference to IM and chat records misleading

I interpret bills for a major civil rights lobby, and this bill's language is ambiguous. It requires, at a minimum, the retention of personal identification linked to IPs. Whereas I do see your point, that it does not enumerate retention of IM and chat logs, this draft bill is STILL scary. If the legislation passes, it is up to Alberto Gonzales to interpret it. This, the man that recently advocated the revoke of Habeus Corpus, citing the lack of its specific constitutional enumeration. The problem is that the bill's language is broad, and the AG could ASSSUME that it gives him certain powers. The bill would be less scary if it was amended with language that limits the amount of liberal interpretation that could take place. In the end, this draft represents a common problem, and a scary possibility. Politicians struggle balancing individual liberty and safety, and if passed, this bill could establish a precedent of invasion of personal privacy. All of this must be qualified by the following-- I understand the desire to protect our children at all costs. It is an emotionally charged issue, but we must not allow rational thought to be trampled by emotionally charged debate. I do not believe this bill will make us safer. I'd be interested to see how many times and ISP could not produce personal information on the IPs they regulate, and how many times failure of an ISP to produce personal information translated into the loss of a conviction for child predators. This bill represents the beginning of a slippery slope for internet privacy, and a more general affront on free speech.