ISP Tracking Legislation Hits the House

cnet-declan writes "CNET News.com reports that Republicans in the U.S. House of Representatives announced yesterday legislation to force ISPs to keep track of what their users are doing. It's part of the Republicans 'law and order agenda,' with other components devoted to the death penalty, gangs, and terrorists. Attorney General Gonzales would be permitted to force Internet providers to keep logs of Web browsing, instant message exchanges, and e-mail conversations indefinitely. The draft bill is available online, and it also includes mandatory Web labeling for sexually explicit pages. The idea enjoys bipartisan support: a Colorado Democrat has been the most ardent supporter in the entire Congress."

Good luck

[ivan256]

They may as well legislate that gravity be lessened to solve the obesity problem. It's just as feasible from a technical sense.

Re:Good luck

[doublem]

Shhhhhh!

Don't give them ideas.

the problem is, they don't realize the massive hardware costs that would be involved.

What's more if they did understand the expense and barriers of such a plan, they wouldn't care.

Re:Good luck

[ivan256]

Screw the hardware costs. It's just plain impossible. How can the ISP know which data is e-mail, IMs, etc?

I don't know about you, but I connect to a mail server using SSL, and the server is not operated by my ISP. Are they going to log some unintelligible bits? Are they going to force people to use their ISP's mail server? Who is an ISP? Anybody who resells bandwidth? How will they know you're reselling bandwidth? Etc...

Re:

[Nasarius]

I don't know about you, but I connect to a mail server using SSL, and the server is not operated by my ISP. Are they going to log some unintelligible bits?

It's fairly easy for an ISP to set up a man-in-the-middle attack, if they don't mind giving you a bad SSL cert. It's evil and obvious, but certainly possible if they're required by law to do so.

Re:

[naChoZ]

ISP's keep logs anyway. When we get a subpoena from the feds for "any and all" logs related to a customer's usage, they know they're just going to get things like dhcp logs and mail server logs. On the *extremely* rare occasion where they require full blown network activity, they get a network trace dump. I remember one instance where the person's network traffic was fairly light, so the dump was a few hundred MB for a couple of days. While in another instance, we were required to trace someone's traf

Re:

[imroy]

...I connect to a mail server using SSL, and the server is not operated by my ISP. Are they going to log some unintelligible bits?

No, but if you're on this list they'll just assume you're doing something wrong. They'll summon the FBI, who will take away your computer(s) for analysis and question you. Hello police state!

Re:Good luck

[Sancho]

You're thinking of "ISP" in the wrong light.

Whoever your e-mail provider is is also an ISP. They provide an Internet service. Therefore, they are required to maintain whatever logs are mandated by the government. If that includes storing backups of e-mails, so be it. The company that provides you access to the Internet doesn't have to maintain that information--they're just a conduit.

Of course, the government might try to claim this, and then they will simply shut down any ISP for which they go after this information. It's pretty well impossible to capture and maintain all of the traffic that crosses the ISP's gateway for any useful length of time.

Re:

[ivan256]

But e-mail doesn't need a provider. Any system with an IP address can send a properly formatted message to any system that is willing to listen on port 25.

Re:Good luck

[MoxFulder]

I don't know about you, but I connect to a mail server using SSL, and the server is not operated by my ISP. Are they going to log some unintelligible bits? Are they going to force people to use their ISP's mail server? Who is an ISP? Anybody who resells bandwidth? How will they know you're reselling bandwidth? Etc...

Bingo. Even if the government gives you bad SSL certs and otherwise attacks and cripples every KNOWN secure protocol, it'll only get them so far.

If that happens, some company will spring up outside the USA that will charge a monthly fee to tunnel your Internet traffic through their servers via SSH. And they'll send you the server's public key fingerprint via postal mail so that you can verify that there's no man-in-the-middle attack. That will be foolproof unless the US govt decides to start opening mail and altering anything that looks like a public key fingerprint or SHA sum or whatever. And then the foreign companies will start broadcasting their public keys via short-wave radio. And then the govt could ban short-wave radios. And then... this is beginning to look like North Korea...

Note that I do not believe any of this will really happen. I do not believe we Americans will accept a totalitarian government. I don't even believe we'll accept small steps in that direction in the long run. I think the proposed policy is destined to fail and is the result of (a) a power-hungry administration (whose time is up in 2 years anyway) and (b) a desire to catch terrorists and (c) an extraordinarily bad understanding of technology.

It's amazing to me how legislators and policy-makers fail to understand crucial points about technology. They believe that DRM can be effective (or, failing that, they make it illegal to break), they blithely ignore the global reach of the Internet, and they don't know how easy it is to use strong encryption. They need to pick and choose their battles differently.

Re:Good luck

[Kjella]

Note that I do not believe any of this will really happen. I do not believe we Americans will accept a totalitarian government. I don't even believe we'll accept small steps in that direction in the long run.

How about a little bipartisan power grab, who'll continue to pass the ball back and forth every four or eight years. They'll keep the people entertained by focusing on social issues (are we pro-gay or anti-gay this year?) while the actual running of government is left to Party lead... sorry, political families like the Kennedys, Bushs and Clintons putting relatives in key positions whenever their side wins an election. Presumably in close cooperation with corporations who run large lobby groups and are the only ones with a considerable sway in day-to-day politics and pay attention to rider bills and the like. Between an election system where it's almost impossible to create a third party and so much of the mass media controlled by corporate interests, it'll seem like the will of the people. I don't think the question is "would people oppose a totalitarian government" as much as "would Americans recognize a totalitarian government before they were neck deep in one?".

Re:

[russotto]

Note that I do not believe any of this will really happen. I do not believe we Americans will accept a totalitarian government. I don't even believe we'll accept small steps in that direction in the long run.

We're not even inching towards it any more. We're running towards it with joy in our hearts. In both the big issues (like surveillance) and the little (trans-fat bans, banning iPods while crossing the street), freedom has little constituency and no champion.

Re:Good luck - SSL?

[ivan256]

I do have something to hide.

It's my password. If anybody learns what it is they can use my server as a spam relay, read my mail, etc.

Re:

[__aaclcg7560]

... the massive hardware costs ...

Bits and bytes don't weigh anything, so it's all free. Besides, I'm sure the hard drive companies will offer steep discounts for bulk purchases.

Re:Good luck

[monkeydo]

The sky is not falling.

Here's what the bill says:

SEC. 6. RECORD RETENTION REQUIREMENTS FOR INTERNET SERVICE PROVIDERS.
(a) REGULATIONS.Not later than 90 days after the
date of the enactment of this section, the Attorney General
shall issue regulations governing the retention of records
by Internet Service Providers. Such regulations shall, at
a minimum, require retention of records, such as the name
and address of the subscriber or registered user to whom
an Internet Protocol address, user identification or telephone
number was assigned, in order to permit compliance
with court orders that may require production of such information.

First note that the information they are primarily interested in is being able to tie a user to an IP address. It is trivial for an ISP to keep this information, and any responsible ISP already does so that they can investigate fraud and abuse complaints.

Second, the regulations are to deal with record retention, not tracking. So, if an ISP currently tracks user activity, the AG could require the ISP to keep that information for x days. But this bill does not seem to give anyone the power to order ISPs to start tracking users in ways they aren't already.

Re:Good luck

[Derek Pomery]

As the text you notes quotes, that's the bare minimum. The concern is more laws allowing even more to be tracked.
From TFA.
"Because there is no limit on how broad the rules can be, Gonzales would be permitted to force Internet providers to keep logs of Web browsing, instant message exchanges, or e-mail conversations indefinitely. (The bill does not, however, explicitly cover search engines or Web hosting companies, which officials have talked about before as targets of regulation.)

That broad wording also would permit the records to be obtained by private litigants in noncriminal cases, such as divorces and employment disputes. That raises additional privacy concerns, civil libertarians say. "

Re:

[Anonymous Coward]

but there's nothing in the clear language of the bill that would give the AG the power to force ISPs to track browsing, etc.

Why you're absolutely right! And there's nothing in the constitution that says we have a right to habeus corpus either, only that it cannot be taken away. All these people trying to be so liberal in their interpretation of things, so silly! The fact that it permits the AG to ask for anything he wants, as long as he collects at least that much information is such a niggling little de

Re:Good luck

[BlazeMiskulin]

"...but there's nothing in the clear language of the bill that would give the AG the power to force ISPs to track browsing, etc..."

Actually there is:

...the Attorney General shall issue regulations governing the retention of records by Internet Service Providers.

Now, I suggest you go read Title 18, 2257:http://www4.law.cornell.edu/uscode/html/uscod e18/usc_sec_18_00002257----000-.html

Specifically this line:
"(g) The Attorney General shall issue appropriate regulations to carry out this section."

Now... go out and read about the "appropriate regulations" which have been issued by the Attorney General and their practical applications and implications. For example: Federal agents can enter a private home without warning nor warrant, and search through her computer files to check for compliance. Anything seen during that "visit"--regardless of whether or not it has anything to do with "porn", can be used as evidence of crime. By order of the AG, the 4th Amendment ceases to exist for cam girls (any "cam girl" who shows skin is considered a "producer of pornography" and her home is a "place of business").

As with 2257, this legislation clearly and specifically gives the Attorney General a blank check in writing rules--rules which are not debated before nor voted on by Congress, nor signed by the President, yet which hold the weight of law.

You can bet that the initial "attack" will be 2-pronged: Porn and Terrorism. Morality and Fear.

And let's be very clear about this: This will be done under the authority of a single, unelected man; a man who, in the current incarnation, wrote guidelines telling members of the current administration how to get away with torture.

While there are very few politicians that I trust, I do trust in the conflict of personal interests which pervades Congress to create a situation where there is at least some degree of valid debate and limit of authority.

Re:Good luck

[Poruchik]

This legislator has been sponsored by Toshiba, Seagate, Western Digital, and Network Appliances.

Re:

[frodo from middle ea]

And don't forget the new addendum , "File everything in triplicate", courtesy Canon/HP/Lexmark/Epson/Brother/Kodak.

Hard disks are obsolete

[EmbeddedJanitor]

The storage requirements are easily achieved with Curved Space Storage (CSS) or the secure equivalent CSS/DES.

This storage method is based on the accoustical storage method that was proven over 50 years ago, now updated with more recent innovations to provide better bit density and bandwitdh. The way this works is that the digital stream is moduled onto a laser that is pointed upwards. As we all know, space is curved, so eventually the laser beam comes back to earth where it can be reread after a long trip through space. There's lots of space out there and it is free.

Re:Hard disks are obsolete - write-only memory!

[Jtheletter]

First, I love this idea, bravo. ;)

However, there is a flaw, the earth, solar system, and galaxy itself are moving at incredible rates, the point in space we occupy now will not be the same point that the laser will return to in a hojillion years give or take. BUT! I think you have come up with a very novel approach at creating the proverbial write-only memory. Quick, patent it!

To keep on topic (some mod has been busting my chops lately for trying to have actual interesting conversations), since the bill sets no maximums on the retention requirements I think it's very likely that Gonzalez et al are going to ask for a rediculous amount of data retention. They've been dropping hints about it for years now, something like a permanent record of every website visited would be the first thing they try to mandate. That alone will be a gut-busting storage requirement, and force many non-mega ISPs right out of business. This bill has the potential to radically affect the businesses that provide internet access, and radically alter the privacy people expect when using the internet. While I hope this bill dies quickly, I fear it will ride the tide of "think of the children" with few obstacles. :(

Re:

[Beryllium Sphere(tm)]

But it should be highly compressible, and a terabyte costs $300 retail these days. I'm scared that it would be feasible to store logs of URLs visited (at most a few hundred per customer per hour?).

Re:

[ivan256]

Yeah, that would do a great job of logging all the boring traffic of law-abiding people. How are going to log the traffic of the law-breakers who use an SSL enabled proxy? Just because it's the law doesn't mean it is possible.

Re:

[futuresheep]

Sure, if you're using off the shelf SATA drives in a USB enclosure attached to a server, but enterprise class? A decent attached storage array will start at $1700.00 per terabyte, (based on a 4.5 TB Polyell 3U SATA unit), then add in the cost of racks, rackspace, bandwidth, power, cooling, new networking equipment, admins to manage it, tape units for offsite backups, etc...the costs are much higher than $300.00 per TB.

Re:Good luck

[smellotron]

I'm scared that it would be feasible to store logs of URLs visited (at most a few hundred per customer per hour?).

You underestimate the web pages you visit. I did an experiment a few weeks ago along these lines using Firefox's LiveHTTPHeaders. After hitting the front pages of Slashdot, MSN, Yahoo, and two other portal sites, I had 150 requests. That's 30 requests per page. Just now, loading yro.slashdot.org took over 50 requests.

People generate an enormous amount of web traffic without even thinking about it. To expect every ISP to archive that information just because is crazy. It's only really feasible for someone like Google, who is in the business of profiling potential customers (or AT&T, who is in the business of letting the Feds spy on you).

Re:

[MrAnnoyanceToYou]

Actually, wouldn't increasing gravity be a better solution? And to do that, all we really need to do is crash the moon into Asia. That should increase gravity by, like a lot.

Re:

[Mr. Underbridge]

They may as well legislate that gravity be lessened to solve the obesity problem. It's just as feasible from a technical sense.

Google logs every search made by its logged-in users. I expect it's quite feasible to set up a database to record every url requested by every person for quite some time. Unfortunately.

Zero G on the Earth's Surface Is Possible

[spun]

Physicist and hard sci-fi author Robert L. Forward [wikipedia.org] envisioned a method to do this that violates no laws of physics. It was in one of his non-fiction collections of essays, either Future Magic or Indistinguishable from Magic. It's a bit far fetched, but quite interesting.

First, find a big asteroid. Put a bunch of metal plates around it with a carbon on the inside and nuclear bombs on the outside. Set off the bombs. If you've set it up right, the plates slam into the asteroid, compressing it tremendously. The

Re:Good luck

[ivan256]

That would be an interesting theory if the growth of power was actually fueled by those in power. In reality, it is fueled by the citizens demanding more from their government under the delusion that it will help them. People don't understand that when the government gives you something, it has to take it from you first. Even with progressive taxation, it comes out of everybody's pockets. Giving money to the rich may not cause it to "trickle-down" to the lower classes, but if you stick it to the rich, they'll figure out (Actually there isn't any figuring out involved, but...) how to pass the costs down the chain.

If an idea starts with "The government should..." and doesn't end with something about providing infrastructure or protecting you from physical harm, it's a bad idea... And even some things that fit the formula are bad ideas too.

Guess it's time to stop using the internet

[the_humeister]

You know, I'd like find out what kind of porn or other illicit sites these legislators are surfing and then dredge that up those records to news agencies. See how that flies in their faces.

Re:

[db32]

When they refuse to examine election fraud on the grounds of "it would damage voter confidence" I think it would be safe to assume they will find a way to keep themselves out of this. In fact, it would probably even extend protection to them after they are out of office. My first guess would be seeing this tossed out on grounds of national security given that this administration has classified more crap than any other administration.

Re:

[futuresheep]

How long do you think it'll take before and ISP gets broken into, records get stolen, and very public names get exposed doing things on the internet that they may not be proud of?

Won't somebody please think of the children!

[aborchers]

This is just sick. Every time I hear this shrill siren about protecting the children I know they're coming for another liberty.

I, for one, don't want my kids growing up in a country run by the thought police.

Re:Won't somebody please think of the children!

[sconeu]

Didn't you know that "Child Porn" is the root password to the US Constitution?

With "Terrorism" and "Think of the Children" as the alternates?

Re:

[jhantin]

Even if you didn't, Schneier mentions these issues in the article linked earlier -- any threat that is rare but spectacular or directed at children (among a few others) tends to provoke irrational reaction in most people. GP calls it a shrill siren, but it's going off so often and so loudly I'm beginning to wonder if isn't more like a Nebelwerfer [wikipedia.org] pointed in the general direction of privacy.

Overcoming the funding gap

[Flying pig]

Now that lobbying is going to be regulated, the parties have to make money somehow. Buy shares in HDD manufacturers and network hardware providers and then regulate to send their sales through the roof - profit!

Option Labeling of Non-Sexual Content

[Anonymous Coward]

The draft bill is available online, and it also includes mandatory Web labeling for sexually explicit pages.

What they need is exactly the opposite: optional Web labeling for non-sexually explicit content.

If you think your site is safe for children then you can add a label to that effect. There could even be a well defined process where, if you labeled your site as safe-for-children and it wasn't, then you could be required to take down the safe-for-children label.

Ideally, there wouldn't just be one safe-for-children label but a variety of specific government defined labels that identified a site as being free of specific types of content (e.g. no nude photos versus no sex photos).

Re:

[CustomDesigned]

This is so sensible. No wonder Congress didn't think of it. It is worth making a phone call about, anyway. But there are already non-government labels akin to MPAA movie ratings, like http://www.icra.org/ [icra.org] or http://www.safesurf.com/ [safesurf.com] . I guess the problem is too many choices.

Re:

[Beer_Smurf]

Sounds great!
I get to decide what is bad and what is good
You can send you tributes to the folllowing address.........

Pointless

[Foofoobar]

Even assuming that this is done on a tape backup or something as stupid as that, this is pointless and useless because it would be almost impossible to search through all of this info without having it easily importable into a database where you could search through records or have a universal format tha all these log files could be output into, for easy import and read, etc.
Also considering that these records are kept 'indefinitely' the storage and money spent on this should be subsidized in some sense

Re:

[pluther]

It's easy.
Just email your logs to the Attorney General each evening.
Solves both the problem of where to store them and how to get them to him when he wants to see them.
Simple.

Re:

[TheRaven64]

Nah. Print them out and post them. Without a stamp, so the recipient has to pay postage. One envelope per age of print-out.

Re:

[Beryllium Sphere(tm)]

All it has to do is contribute, decisively or not, to a single sensational child abuse case and everyone will think it's good.

huh?

[User 956]

Republicans in the U.S. House of Representatives announced yesterday legislation to force ISPs to keep track of what their users are doing. It's part of the Republicans 'law and order agenda,' with other components devoted to the death penalty, gangs, and terrorists.

Why don't they just put everyone in prison? Then we wouldn't have any crime at all. Problem solved.

Re:huh?

[Tackhead]

> Why don't they just put everyone in prison? Then we wouldn't have any crime at all. Problem solved.

The Party's goal isn't to eliminate crime by throwing everyone in jail -- it's to eliminate people who piss it off by merely being able to throw anyone in jail.

"Did you really think that we want those laws to be observed?" said Dr. Ferris. "We want them broken. You'd better get it straight that it's not a bunch of boy scouts you're up against - then you'll know that this is not the age for beautiful gestures. We're after power and we mean it. You fellows were pikers, but we know the real trick, and you'd better get wise to it. There's no way to rule innocent men. The only power any government has is the power to crack down on criminals. Well, when there aren't enough criminals, one makes them. One declares so many things to be a crime that it becomes impossible for men to live without breaking laws. Who wants a nation of law-abiding citizens' What's there in that for anyone? But just pass the kind of laws that can neither be observed nor enforced nor objectively interpreted - and you create a nation of law-breakers - and then you cash in on guilt."

- Ayn Rand, Atlas Shrugged, 1957

You don't have to like Rand to apppreciate that she was onto something when it came to how governments think during the design phase of legislation.

Putting everyone in prison

[Beryllium Sphere(tm)]

President Eisenhower speaking:

"If all that Americans want is security, they can go to prison. They'll have enough to eat, a bed and a roof over their heads. But if an American wants to preserve his dignity and his equality as a human being, he must not bow his neck to any dictatorial government."

Re:

[MBGMorden]

Instead of throwing everyone in prison they're already working on building the prison around everyone. If they boil them slowly they won't jump out the pot.

Re:

[Bobzibub]

we already are in prison, aren't we?

Re:

[User 956]

Because, of course, there is no crime in prison...

Depends which prison. Supermax [spunk.org] doesn't have a crime problem, I can tell you that. 23-hour a day lockdown.

Time to Invest

[dave562]

If I had a broker, I'd be calling him and buying up stock in EMC, Quantum ATL and every other company involved in storage and retention of large quantities of data.

This would change the way people use the web.

[topical_surfactant]

I imagine many people would simply start tunneling all their traffic to countries without such idiocy.

You're thinking too hard

[Lord_Slepnir]

Hell, just default to ssh tunneling all traffic between all hosts. they won't be able to prove you downloaded anything, just that you pulled 500mb from port 22 of bigbazoongas.com. For all they can prove, you were aggressively reloading robots.txt.

Re:

[Nasarius]

I think you're both looking for Tor [eff.org]. Works great, if you don't mind speeds comparable to dialup.

Sexuality explicit issue

[Antony-Kyre]

I thought this wasn't a problem. I thought most websites do post warnings. Is Congress just trying to solve a non-existent to show they are doing something supposedly worthwhile?

Re:

[User 956]

Is Congress just trying to solve a non-existent to show they are doing something supposedly worthwhile?

It really must be non-existent-- the word doesn't even show up in your post.

You have to admit...

[FellowConspirator]

Mandatory labeling of sexually explicit images will make them much easier to find.

Re:

[jandrese]

That is pretty much the reason the .xxx domain failed initiative failed. Even though it was going to be voluntary there were people who were worried that it would create a "red light district on the web". I'm still not sure why that is such a bad thing, but I suspect that similar pressures will derail this bill.

I love the spin

[RichPowers]

Folding this bill into a larger "law and order" agenda makes it more difficult for people to criticize it; "what, you against law and order, you filthy terrorist?"

If similar bills had no chance in a Republican-controlled Congress, does it really have a chance now? Doubtful, especially since the Democrats have a comfortable majority in the House.

Besides, I'm not a fan of impractical laws that are extraordinarily difficult to enforce. If this bill became law, do you think certain users would create scripts that visit hundreds of thousands of sites, just to clog the log books?

Reagan Turning in His Grave

[bill_mcgonigle]

Real conservatives would have nothing to do with this stupid bill, which places way too heavy a load on small businesses. And no, I don't consider any of the supporters of the bill conservative in the fiscal sense.

Oh, the conservatives are pissed [cnsnews.com]. But like you said, it all comes down to whether they'll stop strategizing long enough to not elect another Bush.

The price of freedom is eternal vigilance

[geekoid]

COntact your representitives and tell them why this is a bad bill.
As also, be professional and use there perferred method of contact.
If in doubt send a letter.If it is real important send a certified letter.

Re:

[Beryllium Sphere(tm)]

>If in doubt send a letter.

Aren't those still being held up to be checked for anthrax? If it's time sensitive, try something else.

Nice work

[Amoeba]

I can only imagine how politicians think:

"Hey how can we kill off a lot of small businesses so our big behemoth telecomm contributors can make more money in the long run? Ooh! increased operating costs! Our friends have the coffers to handle this while their smaller competitors die off. We'll have to make it look like something else though. Tie it to crime. Everyone hates criminals."

No

[rodentia]

Here is how politicians think:

"What sort of grandstanding can I do to get my name in today's local/state media cycle? Let's see, my likely opponent has introduced a bill in the statehouse mandating that sex offenders register their online accounts. . . . Hrm, what trumps pedophiles? Sure, Terror, domestic Terror! that's the ticket!"

Actually, that is the politician's Chief of Staff thinking; the politician is thinking:

"Does this tie make me look soft on crime? If that minxy little intern thinks

Re:

[SpaceLifeForm]

Exactly. And, they want to legalize all of the
NSA spying at the same time.

constitution

[mobydobius]

we havent had a decent amendment in a while. time for a push for an explicit right to privacy?

Confusing

[Anonymous Coward]

Doesn't this just amount to wiretapping using different wires, only instead of just doing it for individuals suspected of something illegal, it's being done en masse to the masses. Certain members of Congress have been very vocal about how they're against the President listening to the conversations of suspected terrorists or foreign nationals because it might violate their rights...but it's okay to monitor everyone else?

We here at the Future Crimes Department take pride in knowing you're going to do someth

Three Letters

[imemyself]

SSL. Seriously, why the f*ck aren't people using SSL for everything? It isn't that complicated. Even if they're just self-signed certs, it's still vastly more secure then sending almost everything plaintext.

First Reaction and Real reaction.

[Irvu]

My first reaction was "Good because wading through terrabytes of useless data will really help win the war on terrer!" However on sober reflection I realize that the very technical infeasability of this is part and parcel of the problem.

For those of you that haven't seen Terry Gilliam's Brazil [imdb.com] you must it is an essential requirement for anyone who would just react with the snarkiness I mentioned above.

They can't parse all of that data. A single major ISP on a single day would generate terrabytes of data if everything was logged. In that event any actual law enforcement methods would be swamped by the sheer beureucratic waste of it all. Massive computer systems performing continuous number crunching would still come up with garbage.

But that doesn't matter!

It isn't necessary for this to work. What is necessary is for them to make people perceive that it works at least enough to get it put in place. At that point the system becomes self feeding. Don't like it, well that can get you put on the short list for a check of your habits. Because they can look at a single person's habits, they may be wrong but they can and will do it. But in general the system will be a large self-feeding monstrosoty and any "errors", because there are always errors will be dealt with in the same way that the no-fly-list errors are handled: "not my department, next please!"

Eventually success of this process ceases to be the object only its continuation. Once a large enough beureucracy is established staffed with enough place-men and place-seekers to protect themselves then this will take over. Consider the Drug war as an example. Yes it hasn't hit full steam but think of ho many things today are justified by means of the "Drug War". And take a look at the way justifications for the war are handled. Money for the Partnership for a Drug-Free America (led by America's Drug Czar) is spent convincing us to back the drug war or not to vote for legalization. In turn the DEA's budget (paying America's Drug Czar) goes up and who the hell cares if the drugs are stopped. And they aren't even fighting "Terrorists".

In many respects it reminds me of East Germany. At the height of their power the East German Stasi employed one in fifty members of the population as full or part-time spies. This doesn't count the large beureucratic staff that they had or the massive infrastructure that was built and run just to sort through it all. The social costs were enormous as any infraction was targeted for no good reason. The economic costs in turn were insane and deprived the state budget of much of the money that might have been spent say building an infrastructure or feeding the population. No nation on earth had more complete information on its citizens and no nation on earth spent more obtaining it.

Ultimately crime was still committed and even the dissident groups grew because they a) hated the government that much, b) were often flooded with spies sent in by the Stasi, and c) could get away with it. None of the objectives of the Stasi were acheived and East Germany fell, it fell and noone misses it.

This "Law and Order" bull must be stopped, and it must be stopped now! We cannot sit back and think that this is okay or that it will "work its way out. Those of us with a technical mindset are in the best position to explain why this will not work and what a costly destructive system this will be, and we cannot put it off.

For those in the U.S. go Here [house.gov] to find your house rep and place a phone call or send a letter. Then for good measure go Here [senate.gov] and tell the Senate not to go there either. Following that try sending a letter to you local paper's letters to the editor. While many of us no longer read the dead-tree press it can and will make a big impact for those that do (read: most people over 35).

Re:

[Tackhead]

> In many respects it reminds me of East Germany. At the height of their power the East German Stasi employed one in fifty members of the population as full or part-time spies. This doesn't count the large beureucratic staff that they had or the massive infrastructure that was built and run just to sort through it all. The social costs were enormous as any infraction was targeted for no good reason. The economic costs in turn were insane and deprived the state budget of much of the money that might have

Re:

[smoker2]

While I realise you spent a good deal of time and effort composing your thoughts there, I must just say, I am unable to accept your comments without a valid stamp from the Ministry of Acceptable Criticism. If you would like to come back and post later, when you have such a valid stamp, then I will be glad to ignore your comments correctly, and within the law.

Re: Get the lawmakers to arrest themselves?

[TaoPhoenix]

Does this help?

Problem: "Attorney General Gonzales would be permitted to force Internet providers to keep logs of Web browsing, instant message exchanges, and e-mail conversations indefinitely."

Solution, from 3 stories down on Slashdot: "UK will start jailing the people who trade in email addresses, or any other personal data. The new regulations will result in a two year prison sentence for violating the Act."

Not counting the minor detail of countries involved, does anyone else read this as : "Attorney Ge

Bad Bad Bad

[pestilence669]

Everybody knows that politicians know very little about the Internet (tubes anyone?). There's a misconception that an IP address is as reliable as a fingerprint. The reality is, most criminals can bounce their connection around and evade lame measures like this.

IP addresses aren't unique nor do they necessarily identify a user at a particular moment in time. If coming behind an AOL proxy, the only way to discover the actual user, is for AOL to log all outbound TCP & UDP connections. It can't be done...

Re:

[Unlikely_Hero]

What is there to be done then? What is the clearest course of action that will have positive results?
Is the political system too broken to even bother writing to our congressthings?
If it isn't, what's the best way to get the point across?
If it is in fact too broken to do any good then what do we do?
99% of folks in the US don't know how to set up good crypto or would be intimidated about it. So then we ask is this a discussion we only want to have within the tech community or do we want the average joe to ca

You think this is bad!

[Slithe]

Look at what they have also introduced! Beware H.R. 393 [loc.gov]!!

Re:

[Reziac]

I don't think the *concept* of required national service is necessarily bad; certainly the younger generation would get a better picture of the Real World if they were forced to go forth and help construct it. (Frex, this could be a way to get kids back into the many entry-level, farm labour, and general labour jobs that kids used to do, but are now the province of illegal aliens.) It'd also be a good way for them to earn a nest egg for higher education.

However, in the current political climate, I foresee i

This bill changes nothing

[Sloppy]

Remember that whether or not Big Government ends up forcing your ISP to spy on you, the ISP has the capability anyway. There's no new threat here, merely a new statement of malicious intent and contempt for citizens (which has been pretty implicit for quite some time anyway).

Also remember that Big Government isn't the only entity that may feel it has something to gain from spying on you. No matter what sort of legislation exists for limiting or opening government intrusion into our lives, regardless of a

By a strange coincidence...

[ENOENT]

the RIAA and MPAA would find this kind of law very useful.

Hmm.

FBI just wants the money....

[tinkerghost]

Last time this came up, it was estimated to cost over $400M/year. The estimated number of arrests it would help generate? 700. The FBI said just give them the $400M for agents & they could do a hell of a lot better. The truth is that the 60-90 day cycle that most of these companies already have is enough to cover the vast majority of the requests by the police - this is asking the industry to absorb $400M in costs for an infitesimal gain.
Funny the AG didn't want to do that... guess it didn't sound as g

reference to IM and chat records misleading

[segfault_0]

The post refers to IM and chat logging but they are mentioned no-where in the bill draft. The bill asks that IPs be logged to subscriber names and nothing else. The words instant messaging and chat dont even appear in the text of the the bill at all. The post then links to a previous post about what some people in government would like to monitor - including the IM and chat logs. You cant just draw a line between the two without support facts.

Re:reference to IM and chat records misleading

[nhudson35]

I interpret bills for a major civil rights lobby, and this bill's language is ambiguous. It requires, at a minimum, the retention of personal identification linked to IPs. Whereas I do see your point, that it does not enumerate retention of IM and chat logs, this draft bill is STILL scary. If the legislation passes, it is up to Alberto Gonzales to interpret it. This, the man that recently advocated the revoke of Habeus Corpus, citing the lack of its specific constitutional enumeration. The problem is that the bill's language is broad, and the AG could ASSSUME that it gives him certain powers. The bill would be less scary if it was amended with language that limits the amount of liberal interpretation that could take place. In the end, this draft represents a common problem, and a scary possibility. Politicians struggle balancing individual liberty and safety, and if passed, this bill could establish a precedent of invasion of personal privacy. All of this must be qualified by the following-- I understand the desire to protect our children at all costs. It is an emotionally charged issue, but we must not allow rational thought to be trampled by emotionally charged debate. I do not believe this bill will make us safer. I'd be interested to see how many times and ISP could not produce personal information on the IPs they regulate, and how many times failure of an ISP to produce personal information translated into the loss of a conviction for child predators. This bill represents the beginning of a slippery slope for internet privacy, and a more general affront on free speech.

Why are proposals like this even acceptable?

[QCompson]

Why is widespread surveillance acceptable to politicians and a good portion of the public when dealing with the internet?

Can you imagine the uproar if smirking ass-face Gonzales (sorry, his first name escapes me right now) proposed that every letter sent through the U.S. postal system must be photocopied, indexed, and stored? Or if all telephone conversations must be recorded in case the Justice Department needs access to them at a later date? People would be livid, and justifiably so.

Yet the internet has

Serves Broader Agenda

[mpapet]

From the ISP's side, they will take the time/effort to simply provide a way for the data to be delivered in bulk to a gov't contractor. From there the contractor does the actual storage. The ISP's will jump at that because it's costs practically nothing. On the contractor's side, when you are buying storage by the petabyte, it's pretty cheap.

It still boggles my mind that this is somehow offensive behavior in the /. echo-chamber. The time to have done something about it was maybe 10 years ago.

Most of us have *no* clue about the scale and scope of data collection is like in the U.S. right now and I believe most would be very nervous if we actually knew besides what's already been leaked. What brings me some comfort is gov't agencies are not known for their effectiveness or ability to coordinate much beyond a luncheon.

Does the "in-home" ISP count?

[beej]

I can't tell from the definitions if the record-keeping would apply to my machine that runs out of my house for me and my friends (email/web stuff).

My hardware matches the description of Internet Content Hosting Provider and Internet Email Provider, but the record-keeping portion of the bill refers to "Internet Service Provider" which I presume is defined elsewhere (not in this bill.)

*sigh*.

An Affront On Privacy

[nhudson35]

Lamar Smith's bill's language is ambiguous. It requires, at a minimum, the retention of personal identification linked to IPs. The contention that that Smith's bill does not explicitly mandate the retention of IM and chat logs ignores a very important fact. The Attorney General gets to interpret the bill. Alberto Gonzales is the man that recently advocated revocation of Habeus Corpus, citing the lack of its specific constitutional foundations. Gonzales has an expansionist view of the Constitution, as evidenced by his moronic opinion that specific protections not enumerated in the constitution are open season for federal government. I have a feeling that his interpretation would augment the executive branch's power. This is just is one major problem with this bill-- it's ambiguous language is too broad, and Gonzales could liberally interpret the legislation however he feels. More generally, this bill is part of a national problem-- the belief that politicians are justified in sacrificing our privacy. This "struggle" they face, balancing individual liberty against security, is a nonexistent red herring. We can be both safe and free. The bill also represents a scary possibility. If passed, it would establish a legal precedent for acceptable invasion of personal privacy. Socially, this precedent has already been established. The technology industry has already justified, and is currently implementing, the widespread, viral invasion of our personal computer-- in the form of DRM protection of music and software. All of this must be qualified by the following--Smith's bill is aimed at stopping child predators, and I understand and wholeheartedly support his desire to protect our children. This bill's reach extends far beyond the sick and twisted world of pedophiles, though-- it requires retention of everyone's records. Alberto Gonzales could theoretically interpret the bill to include widespread monitoring of internet use. Including AIM conversations and E-mails. I do not believe this bill will make us safer. I am interested to see how many times an ISP could not produce personal information on their customers, and how many times failure of an ISP to produce personal information translated into the loss of a conviction for child predators. My guess is none. One of two things can happen with Lamar Smith's bill in the short term. First, it could die, or second, It could be amended-- perhaps with limits on the retention of records to convicted sex offenders. This bill represents the beginning of a slippery slope for internet privacy, and a more general affront on free speech. We must not let our leaders continue the abolition of rational thought.

Re:

[alshithead]

"Lamar Smith's bill's language is ambiguous."

Of course it is! It's written by a technologically ignorant fuck. Also, it's not as if the US government has never passed ambiguous laws/rules. The burden placed on ISPs and possibly others is so onerous as to be laughable, if it wasn't so sad. To put it in a context some elected officials MIGHT understand, it's similar to telling the US government to document every work conversation for every government elected official and worker. I told my politically and

I am my own ISP

[eldenbu]

So, way back, I ended up with a block of IP's and have been my own ISP ever since. I, of course, would never do anything illegal but if I did, and the police wanted my surfing records, is there not a 5th amendment situation here?

Oh, Congress won't pay for it.

[khasim]

This will be another "unfunded mandate" where they'll just fine you if you fail to spend the money to comply.

All in the name of "protecting the children" and "War against Terror".

The question will be, how much money will an ISP have to spend to record everything, in a secure fashion, for years and years? And at what point will the that expense be LESS than any fine that will be levied for non-compliance?

Re:

[TheRaven64]

The thing I don't understand is what kind of idiots work in election publicity in the USA these days? How hard can it be to win an election with adverts saying 'Candidate X voted for a bill that will add $5/month to your Internet bill,' 'Candidate Y voted for a bill that will add 10% to your phone bill,' or 'Candidate Z voted for a bill to restrict what you can watch on TV?'

Re:

[Frogbert]

As much as I hate it, Australian law requires ISP's to keep logs of all their users activities for 7 years. Meaning the records of the first porn site I ever visited should be expiring in about a month. I don't like it, but it is entirely possible to log all web browsing activity.

Re:Oh, Congress won't pay for it.

[Wateshay]

Well here's a quick, very unscientific, estimation:

A quick look at my Firefox history (which stores 9 days of info) shows that it's a little under 1 meg in size. That means that over a month I'd generate 3 megs of history. However, since most web page hits actually result in dozens of actual HTTP requests and most of my browsing is to pages I've already visited, it's reasonable to say that a complete log of my browsing would be at least 10x that, so let's say 30MB/month, or 360MB/year.

My email (which goes back 3.5 years) is about 1GB, but I'd say it's safe to assume that between spam and messages that I didn't need, I've only kept 1% of the email I've received in that time, so 100GB/3.5years would give us about 30GB/year.

I don't keep logs of my instant messaging, but let's just round up to an even 50GB/year for the whole thing. Of course, I'm probably an atypically heavy user of the internet, so for the sake of discussion let's say that the average user is really only 10% of that, or 5GB/year (which is probably very low).

5GB/year * 200Million U.S. internet users is 953 Petabytes of generated data every year. At a current storage cost of about $4M/petabyte, ISPs would (under this law) have to bear a combined total of almost $4 billion / year just to buy storage space for all of this data (which doesn't even begin to take into account the physical space to store the storage servers, the people to run them, the electricity to run them, the backups, etc., etc.).

Conclusion: This is completely infeasible, regardless of whether the law is passed. After all of the costs are factored in, you'd probably end up seeing a doubling (if not more) in the cost of Internet access just to support this.

Re:

[llefler]

The question will be, how much money will an ISP have to spend to record everything, in a secure fashion, for years and years?

In my case, a whole lot. Because as soon as someone starts collecting IMs from my system, I'm going to set up a bot to entertain them. I think Chatterbot would like to read War and Peace. Then brush up on world events with the CIA World Factbook. And then maybe work the rest of the way through Project Gutenberg.

I'm not too worried about e-Mail, they already have to sort through all

Re:

[arthurpaliden]

Then they will just make it illegal to use proxie servers.

Re:

[walt-sjc]

Hello freenet.

Re:

[grimJester]

Does fiber count as electromagnetic transmission? Junk legislation like this shows why they shouldn't write new laws for the Internet.

Re:

[Qzukk]

Does fiber count as electromagnetic transmission?

Light is an electromagnetic wave/particle/whatever.

It's still junk legislation.

Re:

[hotdiggitydawg]

I think you've just found the loophole that the big ISPs will be using to avoid this, while the little guys go out of business.

Re:

[Apocalypse111]

Fiber transmits using light, which is part of the electromagnetic spectrum, so yeah, it counts.

Actually

[Travoltus]

Conservatives like the concept of absolute monitoring of citizens. It's the whole war on terror thing that is their brainchild to begin with. Conservatives brought us the USAPATRIOT Act, etc.

Re:Useful only for abuse

[InsaneGeek]

You might want to look at Sarbanes Oxley laws and look at the similarity. You have to keep emails, access logs, etc for years and years for businesses, this is a smaller extension of that. Same with phone records, business transactions, etc.

I'm not quite sure you understand reality some ISP's delete customer login information hours after they are used, (which in reality may or may not be the truth as which information really gets destroyed diverges from the official company policy). It litterally takes days to weeks to months to track down a user to an originating IP who went through multiple servers in different countries, talking with different admins and end users who have a compromised box, working your way back to the source. The police don't have a movie style magic box, they can plugin that will tell them, hacker trying to break into bank , bounced through 10 different systems, 3 different countries but is actually sitting in Columbus, Ohio (of course as a proper nod to the movies, the hacker always knows they are onto him and disconnects right as the last line is being drawn to his house).

What I think it comes down to is there is such a wide varience to the rules, 8+ years ago when admined at an ISP we had conversations with FBI about retention policies: email, backup, authentication logs, etc. There statement to us was that we could do anything we wanted as long as the whole organization followed the same rules; if they would call up the secretary and she said that we never deleted backup tapes, and they call up the admin and he says they are deleted every days. That they would be flying in and getting all the equipment under court-order evidence protection (effectively putting us into a bind operationally having no equipment anymore).

Re:If this law can actually be feasably implemente

[0x0000]

how does the government plan to address the issue of unsecure wifi?

There has been some hinting around - mostly at the state level - a couple years ago that open WiFi will be made illegal - the rationale was [from the published articles, which unfortunately I don't have a cite for at hand] to "protect" the owner of the back-haul connection from "liability". The context here was the state of Michigan, who - it was my understanding - had just become the first state to successfully prosecute war-drivers.