Reasonable Data Retention: An Important Tool for Law Enforcement or Further Erosion on Privacy?
Posted by K.M. Das
In December 2005, the European Parliament passed a far-reaching directive requiring Internet service providers and telephone companies to retain data on every electronic message sent and phone call, including VoIP, made for six months to two years. Although ISPs and telephone companies will not be required to maintain the content of the communications, they will be required to keep data such as the time of a call, whether the call is answered or not, the times customers were connected to the Internet, their IP addresses, and other details related to e-mails and VoIP calls. The European parliament’s rationale for passing the directive was to combat terrorism and serious crimes.
On Thursday, April 20, in a speech to staff at the National Center for Missing and Exploited Children, Attorney General Alberto Gonzales indicated that similar data retention rules might soon be implemented in the United States. The Attorney General’s comments follow the comments of Congressional staffers and members of Congress that data retention laws for ISPs would be a valuable tool for law enforcement in combating crimes against children. Although the primary rationale for the data retention rules in the United States appears to be combating crimes against children, this information could be used for anything from tracking terrorist activities to tax fraud.
ISPs have offered three reasons why such a data retention law is not necessary and likely to create more problems than it solves. First, it is unclear who will be allowed to have access to this information. Second, echoing a concern of their European counterparts, ISPs are concerned about the cost of implementing such a mandatory data retention program. Third, such a law may not be needed as current laws allow law enforcement officers access to such data if they move quickly enough. CNET’s News.Com quotes Dave McClure, president of the U.S. Internet Industry Association as saying, “What we haven’t seen is any evidence where the data would have been helpful, where the problem was not caused by law enforcement taking too long when they knew a problem existed.”
Investigators of Internet sex crimes have indicated they would like to see the U.S. adopt a data retention law for ISPs that require them to retain data related to their customers’ Internet use for at least several months, if not a year or more. Current federal law already requires ISPs to retain records for 90 days when requested by a governmental entity, and to report online child pornography to the National Center for Missing and Exploited Children. The data retention laws being considered by Congress and lobbied for by Attorney General Gonzales would make the retention of records mandatory and may require ISPs to retain information regarding not only the Internet address assigned to their customers at any given time, but would also require them to keep track of telephone numbers dialed (in using VoIP), contents of web pages visited, and recipients of e-mail messages.
Privacy advocates note that this suggestion for mandatory data retention appears to be a further extension of the Department of Justice’s request for data relating to searches earlier this year. They fear that this data retention law will give law enforcement officials access to records of e-mail content, web browsing, and chat room activity that is currently discarded after a few months or not recorded at all.