Tuesday, January 25, 2011

House Subcommittee Revives Mandatory Data Retention Debate...With a Surprise Attack on EFF #tcot

News Update by Richard Esguerra

This morning, the House Judiciary Subcommittee on Crime, Terrorism and Homeland Security held a hearing on mandatory Internet data retention, once again reviving the debate over whether Congress should pass legislation to force ISPs and telecom providers to log information about how users communicate and use the Internet. The hearing, awash with rhetoric about targeting Internet crime and including an unexpected condemnation of EFF's privacy advocacy, was purportedly an information- and fact-finding hearing to explore the issue of data retention and consider what Congress' role should be. However, it's already clear where the new House Judiciary Chairman, Representative Lamar Smith, stands on the issue: he introduced data retention legislation just last year and likely will do so again this year.

EFF believes that government-mandated data retention would be an overwhelmingly invasive and costly demand, raising serious privacy and free speech concerns — points well-argued at the hearing by John Morris, General Counsel of CDT [written testimony], and Kate Dean, Executive Director of the United States Internet Service Provider Association [written testimony].

Although the Obama Adminstration has not yet put forward a specific data retention proposal, any such proposal would likely have ISPs and perhaps other online service providers preemptively recording data about the online activities of millions of Americans who haven't committed any crime. Advocates for data retention typically focus narrowly on the benefits afforded to law enforcement without accounting for the massive costs and extreme security risks that come with storing significant quantities of data about every Internet user — databanks that will prove to be irresistible not only to government investigators but also civil litigants (read: ex-spouses, insurance companies, disgruntled neighbors) and malicious hackers of every stripe. A legal obligation to log users' Internet use, paired with weak federal privacy laws that allow the government to easily obtain those records, would dangerously expand the government's ability to surveil its citizens, damage privacy, and chill freedom of expression.

Perhaps the biggest surprise in the hearing was Deputy Assistant Attorney General Jason Weinstein's attack on EFF and our Best Practices for Online Service Providers (OSPs) whitepaper. As Weinstein testified, "In 2008, the Electronic Frontier Foundation published a user guide or a guide that was titled Best Practices for Online Service Providers which I think is unintentionally the best argument for Congress to intervene in this space than anything that I can say today." Weinstein went on to object to some of the guidelines in the whitepaper, designed by attorneys and technologists to best balance the business and technical needs of OSPs and their users' privacy and civil liberties. Apparently, the Justice Department thinks that informing Internet companies that data retention is not legally required, and also suggesting strategies for protecting their users' privacy, is a clear and present danger to online safety.

On the contrary, we think that the Best Practices for OSPs encourages sound privacy policy, a position borne out in 2009 when the Justice Department illegally demanded logs reflecting the IP address of every single person who had visited any page on the political news site Indymedia.us. Lucky for the readers of Indymedia.us, that site followed our OSP best practices and didn't keep such logs, and with EFF's help, beat back the government's overreaching subpoena. However, a mandatory data retention regime would inevitably lead to even more such illegal demands for Internet users' data being made and complied with, to the detriment of Americans' digital rights.

Full Article