Members of a House Judiciary subcommittee on crime Tuesday expressed bipartisan support for new rules that would direct Internet service providers to retain information about their users for a set period of time, a move backed by law-enforcement agencies that have complained that providers too often delete information that could be used to build cases in areas such as child pornography and other online criminal activity.
At a hearing on the issue this morning, Jason Weinstein, the Justice Department’s deputy assistant attorney general, testified that investigations of Internet crimes often drag on for months or years as law-enforcement agents deal with a tangle of overlapping and often international jurisdictions.
But too often, by the time agents have traced the subject of their investigation back to a specific service provider, the business has already deleted critical information that could be used to build a case.
“In setting their retention policies and practices, companies are often motivated by a completely understandable desire to control costs and to protect the privacy of their users, but those factors must be balanced against the cost to public safety of allowing criminals to go free,” Weinstein said.
Kate Dean, executive director of the United States Internet Service Provider Association, pushed back against the idea of a federal retention mandate, arguing that it would subject her group’s members to an undue burden of building and maintaining massive databases to house records of the communications of innocent subscribers.
Instead, Dean defended the language of the 1986 Electronic Communications Privacy Act (ECPA), which allows for law enforcement officials to submit a targeted request for data about an individual, known as a preservation request, covering information dating back six months.
But the Justice Department, though it has yet to formulate a recommendation for how Congress should act, is arguing that some service providers — particularly cellular companies — don’t retain any data at all, while others don’t adhere to their stated policies and delete information more quickly than they advertise. As a result, investigations can be hobbled by the wide swings in providers’ policies, and preservation requests, even when submitted within the ECPA timeline, often cannot be granted because the provider has deleted the record.
“The problem is the inconsistency,” Weinstein said.
Wisconsin Republican Jim Sensenbrenner, the chairman of the Judiciary Subcommittee on Crime, Terrorism and Homeland Security, gave Dean the choice between a “carrot and a stick,” telling her to consult with her members to develop an industry-backed solution that would meet the needs of law enforcement to investigate and prosecute Internet crimes, or the committee would be compelled to advance a data-retention bill.
“I think there’s a desire on the part of both the administration and Congress to legislate in this area,” Sensenbrenner said.
Lawmakers have floated proposals for legislating online data retention for years, including a bill introduced last session by Rep. Lamar Smith (R-Texas), who currently chairs the Judiciary Committee.
But many public-interest groups have historically opposed efforts to codify a federal data-retention standard, warning against an unnecessary intrusion into personal privacy, and arguing that the new requirements would put users at risk of identity theft.
John Morris, general counsel at the Center for Democracy and Technology, warned at this morning’s hearing that new data retention rules could extend beyond Internet service providers, to apply to Web content and application companies, such as Facebook or Google.
“The reach of the proposal cannot be underestimated,” Morris said. “It’s clear that if the data is required to be held, it will be used for broad purposes.”
Morris’ group is at the center of a broad coalition pushing for a rewrite of the ECPA statute, asking lawmakers to enact tougher privacy safeguards that better suit the cloud-computing era.