FBI Pushing For 2-Year Retention of Web Traffic Logs 256
suraj.sun writes to tell us that the FBI is pushing to have ISPs keep detailed records of what web sites customers have visited for up to two years. Claiming a desire to combat "child pornography and other serious crimes," the FBI and others are pressing for increased data retention, which they have been doing since as early as 2006. "If logs of Web sites visited began to be kept, they would be available only to local, state, and federal police with legal authorization such as a subpoena or search warrant. What remains unclear are the details of what the FBI is proposing. The possibilities include requiring an Internet provider to log the Internet protocol (IP) address of a Web site visited, or the domain name such as cnet.com, a host name such as news.cnet.com, or the actual URL such as http://reviews.cnet.com/Music/2001-6450_7-0.html. While the first three categories could be logged without doing deep packet inspection, the fourth category would require it. That could run up against opposition in Congress, which lambasted the concept in a series of hearings in 2008, causing the demise of a company, NebuAd, which pioneered it inside the United States."
Skewed rulings (Score:3, Interesting)
Re:Won't someone please think of the children (Score:5, Interesting)
Seriously though, what happens when you don't use the dns provider of the ISP (either running your own, or using a 3pd DNS provider)? Would that make anyone running their own DNS server (or an alternate third party) a suspicious person? They would only be able to log IP addresses then, and given the proliferation of mass shared hosts, how is this helpful? If a child porn site was on a godaddy server, and you go to another site on the same server, would you have to prove you went to the other site? More guilty until proven innocent...
How many PB? (Score:2, Interesting)
Re:Won't someone please think of the children (Score:4, Interesting)
And what about https? Or would it be mandatory for ISP's to do man-in-the-middle attack so they can store the data?
Re:Think of the kids (Score:4, Interesting)
It is much more rare that I see stories about the actual pornographers being caught and while the viewers are certainly depraved (and you can argue that by consuming the child porn, they encourage those who make it), aren't the pornographers the ones we would rather catch? It wouldn't surprise me if the amount of children actually being forced into child porn is VERY small since the already existing library of images probably contains enough to keep the perverts trading for a long time.
If that is true...then this definitely is an excuse to encroach on peoples rights and use the old "think of the children" excuse because if this much effort was really being put in to catching so few potential criminals...it would be a huge waste compared to what those officers could be doing elsewhere.
Not going to happen anytime soon (Score:4, Interesting)
As someone that works in the Adult hosting industry, this is going to be poorly received. A lot of our clients are already hurting for money and as such have scaled back their server footprint. We're pushing servers (disk IO) a lot harder than before -- one easy solution we have is to just disable access logs. Writing 1GB+ of log data per hour swamps disks and just adds huge amounts of overhead. Since these logs are of clients browsing through porn ... it'll cost a decent amount of money to actually be able to start logging again AND to store raw log data for two years.
Deep Packet Inspection for URL Not Required... (Score:3, Interesting)
Deep packet inspection for URL not required, in theory, if the U.S. government mandates both ISPs *and* websites to maintain logs.
That may be how they'll rope websites, and other types of internet services for that matter, into complying with log retention.
Another route, though I've never seen it mentioned in context to log retention laws, is to require web browsers to log the information in tamper-resistant (think DRM) hidden files. MSIE, in a matter of speaking, already does with index.dat files (some suggest their real purpose is, in large part, to help law enforcement), which the regular computer user has no clue of, let alone know how to get rid of, since Windows makes it difficult to delete them.
Ron
Re:Won't someone please think of the children (Score:4, Interesting)
Re:Won't someone please think of the children (Score:3, Interesting)
Deep packet inspection can be a very, very resource intensive thing. I seriously doubt that any such laws will be likely to require deep packet inspection. For one, it would put quite a few smaller ISPs out of business for good.
I have a feeling I know why the FBI wants this. It used to be that all the traffic passed through telco routers owned by Verizon and AT&T. Nowadays, most traffic is being handled by companies like Level3 or UUNet. They had it easy with the telcos, who always had a close relationship with government regulators. Businesses like Level 3, Google, etc., are far less likely to be cooperative.
The problem is jurisdiction, smarts, and privacy (Score:2, Interesting)
1) It's easier to catch dumb people than smart ones. People who run anything larger than home-made porn are probably going out of their way not to be caught.
2) If the media is right, a large percentage of circulating child porn is produced outside the United
States. In some countries 16- or 17-year-olds can, or could until recently, be porn stars. Such pictures are illegal in America.
3) When someone is busted for "made at home" child porn, the media won't publish his name to protect the kids. They may even suppress the story or bury it as a blurb in another article.
The feds can do something about #1. As for #2, only international crackdowns will help here. As for #3, it's probably a good thing this doesn't make the papers.
Re:Evidence Already? (Score:1, Interesting)
Hmmm, let's take a look at this.
In the 1920s Al Capone was, in every way imaginable, the top criminal in the mid-western United States. It is reasonable to say that Mr. Capone's activities and businesses were responsible for, or at least connected to, over 50% of the crime in the mid-western states in the last half of that decade. The FBI at that time was a weak organization compared to the powers the organization wields these days. Still the FBI was powerful and it was backed by the full goodwill and monies of the government of the U.S. But with all of the crimes Mr. Capone and his organizations and businesses, partners and friends and acquaintances, all across the mid-west were involved in what did the FBI finally jail him for?
Tax evasion.
Now let's apply this lesson to today's FBI. What are they really looking for on the web? Tax fraud? Money laundering? Interstate liquor transport? What one law can these agents convict someone of with absolutely no chance that a jury will fail to convict based on even nominal evidence?
Child Pornography.
And what better crime to punish. Currently people convicted of even looking at child porn are branded as sex offenders and are required to register with local law enforcement whenever they move. The FBI then gets to keep track of these guys forever and not pay a dime for it. Want to know where criminal 12345 is? Check the sex offender DB or just call the local PD. They are required to know. And it gets worse every day. And even better, you can convict someone of looking at child porn even if the person in the pictures is eighty years old as long as they were under eighteen when the photo was snapped. And they want to extend it to cartoons, computer graphics, and written stories. All child porn.
Don't kid yourself. child porn is a big thing for the FBI -- just not for the reasons you think.
Re:Won't someone please think of the children (Score:3, Interesting)
While they're at it, why not ask that vendors of red light cameras and security cameras keep 2 years of footage from every camera they install?
Enforcers are always wishing to be allowed to do things they think will make their jobs easier. One of those things is the Fishing Expedition. Two times in over 20 years I've been held up where the police erected a roadblock ostensibly to check for drunk drivers, a valid driver's license, current inspection sticker, and current insurance. They didn't try to get inside the car to look for drugs, but who knows, maybe they would have if any of those other items hadn't checked out. I hear that they sometimes block I10, to check for illegal immigrants. I think they'd like to do roadblocks more often, but the public backlash is too much. Making people late to work would get them in a lot of trouble.
Re:Won't someone please think of the children (Score:4, Interesting)
meaning that this technology is only effective against people who don't think they are doing anything wrong!
Which perfectly suits the needs of 'law enforcement' - we've got a long history of them going after the defenseless and ignorant - like civil forfeiture laws where the property is charged with a crime (literally, lawsuits are titled like US vs One Jeep Wrangler I think being non-sentient qualifies as being 100% defenseless) or even the child porn laws where they go after kids for sexting pictures of themselves rather than hunt down the people who actually abuse kids in the manufacturing of child porn.
Re:Won't someone please think of the children (Score:3, Interesting)
Good "think of the children" dilemma for Haiti:
Human trafficking, sex slavery, and other forms of abuse happen. When you start transporting large numbers of people over borders, it's pretty much inevitable that some are going to end up in a living hell.
OTOH, kids in Haiti have lost parents, government has pretty much collapsed, and there will probably be plenty of horror stories of infection, disease, and abuse for the kids stuck in Haiti...in other words, children denied the opportunity to get out of the country will end up in a living hell.
So here's the question for all those 'think of the children' moralizers out there:
There is no good answer--"think of the children" is usually an excuse to get what you want anyways--without considering the consequences.
Re:Won't someone please think of the children (Score:4, Interesting)
I'd expect the logs would require IP's and/or hostnames.
HTTP, it's trivial to sniff hostnames.
HTTPS, it's trivial to see the destination IP.
HTTPS only works one IP per host, so that gives a positive track to where they were going.
Of course, domains change ownership, and IP's change, so what an IP is today, could be anything else tomorrow.
I'm curious to if by "ISP", they mean the residential line providers, or both ends? At my old job, they'd end up with about 2Gb of log files per day per server. There were 15 redundant servers. That was just for one site. I don't even care to think about how much storage was required for all the logs across 150 servers. No, it didn't scale evenly. The web server logs were dumped every few hours, just so it didn't fill up the drives, but left enough for forensics, if we needed them.
(15 * 2) * 365 * 2 = 21,900Gb. I would love to still be there, and have them ask for 22Tb of logs. :) I was joking with someone about how to deliver those. I suggested burnt CD's. 14,500 CD's would be fun to offer up. We then thought a little harder, and though paper tape would be the way to go. :) I know there would be better methods, but we were looking for the entertainment value in it. :) I'd feel really sorry for the guy who had to feed 14,500 CD's into a machine to burn for the feds on demand. :)
Logistically, this would become a nightmare for almost any provider, except for mom & pop shops.
Comment removed (Score:4, Interesting)