Every Move You Make, Every Click You Take, I’ll Be Watching You
Boing-boing notices that “yesterday, the House Judiciary Committee voted 19-10 for H.R. 1981, a data-retention bill that will require your ISP to spy on everything you do online and save records of it for 12 months. California Rep Zoe Lofgren, one of the Democrats who opposed the bill, called it a ‘data bank of every digital act by every American’ that would ‘let us find out where every single American visited Web sites.’”
The databank is “for the children”. HR 1981 is actually titled “Protecting Children From Internet Pornographers Act of 2011”. Its sponsors say “the Protecting Children from Internet Pornographers Act of 2011 (H.R. 1981) directs Internet Service Providers (ISPs) to retain subscriber information for up to 12 months in order to assist federal law enforcement in online child pornography and child exploitation investigations. This is similar to existing federal law that requires telephone companies to retain caller information for up to 18 months.”
HR 1981 is the latest in a long line of efforts by the Federal Government to mandate data retention. Broadband DSL reports writes:
New bills seem to pop up every year or so, though privacy advocates have traditionally beaten such efforts back. Mandatory ISP data retention was something you’ll recall was a priority for the Bush/Gonzales Justice Department, and (much like warrantless wiretapping) is now being championed by the Obama Administration Justice Department.
The latest effort is H.R. 1981: Protecting Children From Internet Pornographers Act of 2011, and is the focus of hearings this week. The bill has support from the National Sheriffs’ Association, who insisted this week the lack of log retention “significantly hinders law enforcement’s ability to identify predators when they come across child pornography.” However eager law enforcement is for the new law, it appears to have hit a stumbling block — in that wireless carriers (and hotspot owners) have been excluded, largely due to wireless carrier lobbying. That’s resulted in some politicians — including this latest bill’s sponsor — to have second thoughts.
EU legislation already requires that ISPs keep the following data on users for at least six months.
- Each website ever visited with time and date stamp
- Each file ever downloaded using FTP or P2P
- A record of every e-mail sent and received, including the e-mail content. [the Wikipedia citation above is in error. According to Directive 2006/24/EC, article 4 Section 2, "No data revealing the content of the communication may be retained pursuant to this Directive."] the primary purpose of the retention being traffic analysis.
- The name, time, date, etc of every user who chatted with via an Internet Messaging program, including the logs of the chats.
- Each web forum posted on or visited
- Logs of IRC sessions
Collecting information on the public is one of those rare things in Washington that has broad bipartisan support — except where it runs into the interests of a powerful lobbying group. Not everyone is happy to pass such legislation. Testimony on HR 1981 pointed out that the government already has the ability to order an ISP to retain data — but only for individuals under the authority of a warrant. By contrast, HR 1981 and similar efforts would essentially retain everyone’s data whether or not they were suspected of a crime or the subject of an investigation. Marc Rotenberg testified that:
This is a critical distinction. It reflects a central purpose of the Fourth Amendment: to ensure that the investigative powers of the government are directed toward those who have actually committed a crime or may be planning a crime.
As in many things the government does, what the left hand does, the right hand undoes. Interestingly, data retention mandates can potentially come into conflict with privacy mandates. Rotenberg notes that there are laws on the books requiring companies to collect only the data required, a process known as “data minimization” to protect privacy and enhance security. And here they go in the opposite direction.
The security risks of collecting data for “just in case” reasons are easy to understand. Collecting large volumes of potentially private data at ISPs creates big fat targets for hackers and other illegitimate data collectors. Creating these dumps implicitly creates the requirement to protect them.
“Aside from the risk of hacking by activist groups like LulzSec and cyber criminals, Congress should consider the national security risks associated with data breaches and targeted attacks by nation states. Rich logs of user network data held by ISPs could prove to be an attractive target for nation state attackers,” Rotenberg said.
In short, there is little guarantee that creating these clusters of low-hanging fruit will help the children instead of becoming a royal road for Chinese intelligence and identity thieves. One can even conceive of a situation where criminals will benefit from this retention of data rather than be deterred by it.
The data retention net would be spread very wide and very little would escape collection. “Nothing in the bill, though, indicates exactly what information must be retained. Furthermore, even if a customer closes an account with an ISP, that ISP would be required to maintain his records for a full eighteen months after he ceased service.”
As the importance of online identities and reputations grows, the value of the retained data would grow correspondingly. The importance of the retained information could determine ruin or success for companies, professionals and small businesses. Such data retention programs would expose online reputations and identities to attackers. LulzSec, for example:
claimed responsibility for an attack against Sony and took data that included “names, passwords, e-mail addresses, home addresses and dates of birth for thousands of people … hacked into the website of Black & Berg Cybersecurity Consulting, a small network security company, and changed the image displayed on their front page to one containing the LulzSec logo. … released the e-mails and passwords of a number of users of senate.gov, the website of the United States Senate … launched an attack on www.cia.gov, the public website of the United States Central Intelligence Agency, taking the website offline with a distributed denial-of-service attack. The website was down from 5:48 pm to 8:00 pm eastern time
It recalls the debacle of December 7, 1941, when authorities at Pearl Harbor ordered all available aircraft parked in the center of the runways to prevent them from being sabotaged in their revetments. History buffs will recall that this measure prevented sabotage entirely — but only at the cost of facilitating their destruction by the Imperial Japanese naval air force.
The value of secrecy is nothing but the price associated with control over information. The value of privacy is what you would be willing to pay for the right to retain control over personally identifiable data. The reason why government has not in the past been able to assert control over every piece of information is that to do so would be theft. Nobody, not even the government, should get information kept out of the public view for free.
In the past, the cost to the government for obtaining such information has been processes associated with a warrant. By mandating data retention government is essentially obtaining very valuable data for free. It is a kind of tax levied on the public for the ostensible purpose of fighting child pornographers. But everyone pays the price; the price in terms of added risk or the additional cost of avoiding the data traps now set up by the government — whether they are objects of investigation or not.
While the measure appears to provide efficiencies for law enforcement, in broader economic terms it is a highly wasteful way of obtaining what could be achieved far more cheaply. The public policy question as always should be whether such a tax is commensurate with the benefits of its intended purpose or whether there aren’t better ways to run a railroad.
As someone so astutely commented at Boing-boing, H.R. 1981 should be renamed H.R. 1984
Again, one has to ask “what up with the GOP”? Did we vote these guys in?
And then again what’s up with Turkey? OT-
http://www.zerohedge.com/news/turkeys-entire-armed-forces-resign-en-masse#comments
There’s something connected to a power station blowing up in Cyprus, and maybe a purge – but by which side?
Most likely I would disagree with Rep Zoe Lofgren on almost everything, but her opposition to the bill illustrates the existence of intersections of viewpoints coming from very disparate origins. Periodically, for instance, many of us commenting at BC can sound almost like Michael Moore in our suspicions of government/corporate collusion, or on the whole Libya debacle.
In the end it isn’t so much about Right vs. Left as it is Statism vs. the rest of us. In current history the Left is the heavy in this because it has grabbed the most power throughout society, but the lust for and grabbing of power are the real issue.
I have a saying, likely borrowed from elsewhere by osmosis:
“There are more people who want power than there are people who deserve power”
It is that phenomenon that lies at the base of most of the world’s miseries.
“The enemy of my enemy is my friend”
Isn’t that how a lot of us feel when we go into the voting booth and choose the “anybody but . . .” option? Isn’t that what the GOP is to many of us here in the current context? To me this choice is “practical” in context, it’s just that the context stinks.
That song (the last you-tube video wretchard linked to above): “Can You See” I think is going to be super popular, especially if they get the 9 year old to sing it with video.
Here is a link to the explanation of the song.
The full lyrics are at the link. Here is the Chorus:
I think “The more you give me. The less I have” is the most brilliant summation of liberalism I have heard or read anywhere.
~
proving once again that the gop in fact does not value liberty.
a nice new revenue source for criminals, providing proxy access.
let’s amend this bill to require the personal logs for all government officials to be made public in real time.
Goodbye Senor Equis, you dastardly Russophile scumbag right winger, you.
As for the Turkey stuff, maybe Stanislav Mishin aka Mat Rodina aka Glenn Beck’s favorite Russian commentator had it right when he says Russia might team up with Israel against Turkey:
http://mat-rodina.blogspot.com/2010/12/2011-dark-year-ahead.html
Still seems about as likely as a war between the Dutch and the Italians, considering the flow of tourist rubles to veritable Russian exclaves like Antalya.
And what safeguards are there against somebody’s computer getting hacked and then a bot installed that directs to illegal sites, with all of it recorded by Uncle Sam? Seems like none. How can you prove it wasn’t you? Seems like the gov could destroy the reputation of anyone it wanted to given this power.
Dugout Doug did the same thing with his B-17s—lined ‘em right up there.
Anyone who checks out my web visits will be just as floggin’ bored as I am.
The Wan conjured up digital ‘proof’ of his nativity…
Any tyrant, using this pedophilic profiler, can crush any citizen by spoofing the perversion digitally.
The assembled data stack would require massive investments — a tax — by ISPs.
Inevitably, the data would be mined by the unsavory and the alien fore.
The ability of a digital campaigner like the Wan to disadvantage non-incumbents is intolerable.
It’s a rape of the 4th Amendment.
Naturally, ‘it’s for the children.’
“EU legislation already requires that ISPs keep the following data on users for at least six months.”
Lord O Lord, when will my people seek to be free?
Sorry, a little O/T, but I thought this pretty interesting – especially the part of about “dividing us.” Watch the video.
From Home Depot founder Paul Langone:
http://www.theblaze.com/stories/another-home-depot-co-founder-blasts-obama-hes-unpresidential-and-willfully-dividing-us/
Sorry if this was previously entered, but I just saw it.
3. Don Rodrigo
Ahhh, power. When I was dating and winning some and losing lots more, an epiphany came to me. I was sometimes amazed at what the ladies would put at my feet as make or break decision on our relationship. One would say, “That’s it! Your dog has to go…or I do.” Or it might be, “That friend of yours who drinks milk out of the container; him or me.” Now I could prove my love by getting rid of a “friend” by adhering to Ms. Cumquat’s demands and she would stay, right? Actually, no. Soon would come another off-the-wall “requirement” followed by threats to end the relationship. Instinctively I realized there would be no end to it, so while I might give up the milk drinking knucklehead, you’d have to shoot me before I’d give up my dog.
To be honest, this wasn’t always one-way; I used it myself on two occasions, usually making the demand something that I knew would be rejected, and I would get my freedom. I don’t know when the name for this weird penchant in human selfish behavior came to me, but I ended up with this explanation:
It is “The power of the person who cares the least.”
In every relationship the sense of love, or feeling will never be exactly the same between two people. There is always one person who is “stronger” than the other or loves more than the other. That can either have a bad turn or it can lead to a life-long loving relationship between the couple. Yet, whenever the stronger person in the relationship has bad intentions, that strength can lead to the misery of the other party, who by their relative weakness, may not have the strength to leave what can become an abusive relationship. Co-dependency comes to mind.
Projecting that theory onto the current political scene, it is clear who are the ones that love America with all their hearts and who are willing to trash the world if they don’t get their way. The ones who love America are the ones who, recognizing the emergency that this country is in, are willing to propose solutions (often even at the loss of income and personal security) that will help the current situation and get this country back on its feet. Think the Old Testament story (1 Kings 3:25) about the woman who has stolen a child from mother and the King, in his wisdom, offered to cut the baby in half, so that each woman claiming the child can have their share of the child. When the real mother says “No, she can have the baby – please don’t cut it in half,” the King then knows who the baby’s real mother truly is.
As to the power of the person who cares the least today?
Michelle says, “Go ahead, I was never proud of that baby anyway,” and…
Barack Hussein Obama? Well, he wants me to get rid of my dog.
The EU legislation referenced is at http://www.europarl.europa.eu/oeil/file.jsp?id=5275032 and states, “No data revealing the content of the communication may be retained pursuant to this Directive.”
So it would seem that the column needs a minor update, as this would suggest the content of emails is not to be retained.
We’ll see how long it takes for the communists to use the information as warfare against their enemies.
Why not seize the data on individual computers like they did before? Child pornography is disgusting but so is government spying. Especially when information is leaked by communists to embarrass political opponents, which they will certainly do.
Quis custodiet ipsos custodes?
Sgian Dubh 14,
“The power of the person who cares the least.”
You are referring to the Law of Negative Net Value. Who has more to lose? Who wins an argument over a parking space, a brand new Lamborghini or a 1974 Chevy Nova urban assault vehicle with copious rust? If you drive in the 3rd World then expect people to J-walk and fall down in front of you. If you are the US Navy don’t be shocked when small craft ignore the Rules of the Road and cut in front of you.
When you care about the Truth and Respect more than Empathy then people will lie and cheat less. That healthier less manipulative relationship will lead to trust and empathy as a secondary effect. Between nations that leads to Comity. Between persons it works also. It may even get your girl friend to stop treating you like a doormat and let both of you to really fall for each other.
Should we consider the simpler cases first? And define fundamental principles?
Does the government have any right to demand access to telephony billing records (which show who calls and texts whom)? Should phone companies even keep these records and be allowed to create bills from them? (i.e. they could count calls, or minutes, or have a fixed fee, or a mix, rather than making a record of who called whom). All transactions between two individuals mediated by a third have this trust and privacy element. At times process (aided by technology) could insure there are no records beyond days if not seconds – which suggests a return to depending on human testimony and an elimination of records, written and otherwise, as evidence in court proceedings.
Ditto for financial records. And shipping records.
What about non-U.S. persons? And U.S. persons in other countries? Does their presence in another country subject them to the other country’s rules?
“How can you prove it wasn’t you? Seems like the gov could destroy the reputation of anyone it wanted to given this power.”
Don’t have to. Innocent until proven guilty, at least in the USA. Europe uses the Napoleon code, which has a preponderance of evidence test. AFAIK, Europe already has laws such as this.
It will be interesting to see if this law passes the ‘unreasonable search and seizure’ test. The courts are pretty picky about what is legal evidence and what isn’t. It will be decades before this bill is close to being “Law”.
On a technical level, ‘botting requires software on the ‘botted computer. There are security programs that find and remove ‘botware.
http://ab.ersca.com/
http://www.darkreading.com/security/security-management/208803647/index.html
http://download.cnet.com/Norton-AntiBot/3000-8022_4-10698973.html
I run Ubuntu 10.4 LTS so as long as I keep track of my .bin I don’t worry too much about getting botted.
Anyone running Windoze should install Anti-botting software.
Your security suite is incomplete without it.
13. Sgian Dubh
I got to the part where he said he should pay more taxes, then I realised he is a Lying sack o’sh1t, which I should have known from the CNBC on the upper left of the screen.
If he wants to pay more taxes, all he has to do is write a check to the IRS. They will take it.
NO, the LSoS wants everybody else to pay more taxes. That makes his opinion valueless to me. Have you ever heard of the ‘Authority Close’?
Having just read the law, it seems that what this bill does do is require ISPs to retain information on dynamically assigned IP addresses for 18 months. What the government wants is for ISPs to retain a log of who is connected via what IP address at what times. When you connect to an ISP, most ISPs assign you a temporary IP address through DHCP. When you disconnect from that ISP, your IP address is assigned to someone else.
The FBI might discover, for instance, that someone connected to a computer at IP address 128.200.100.5, on Aug 5, 2010 at 5:35PM and downloaded child pornography. They would then contact the ISP that controls that IP address to find out the name and address of the customer who was assigned that IP address at that time. If the ISP is not keeping logs of DHCP connections, then it has no way of answering the question. The legislation requires the ISP to retain logs of who was connected through what IP address at what time, thus allowing the ISP to answer the question of what customer was connected to what IP address at what time.
This is very different from the EU legislation referred to in the article. The proposed legislation does not require the ISP to retain any information whatsoever about *what* you do while you are on the internet; it only requires the ISP to retain information about *who* is connected to the internet at what time.
The radio exception is likely because it would be infeasible to legally require data logging on wireless routers, both because most wireless routers do not support DHCP logging, and because current wireless network protocols have just a single password to gain access to the router. The protocol does not support userids and individual passwords, so retaining the desired information is impossible because the desired information does not exist.
The legislation may or may not be appropriate, but should at least be debated on the merits of what it actually is, rather than a tightly-spun scare piece.
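The lookup the comment above describes, as an added example that is not part of the original comment or any ISP's actual system: given a DHCP lease log, resolve an IP address and timestamp to a subscriber, report reassignment near the timestamp as ambiguous instead of guessing, and purge records past the retention window. The account IDs and lease times are constructed, and reading the comment's "Aug 5, 2010 at 5:35PM" as UTC and 18 months as 548 days are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class Lease:
    ip: str
    subscriber: str   # constructed account ID, not real data
    start: datetime   # lease granted (UTC)
    end: datetime     # lease released or expired (UTC)


def utc(y, mo, d, h, mi):
    return datetime(y, mo, d, h, mi, tzinfo=timezone.utc)


# Constructed sample log: the same address is handed to a second
# customer two minutes after the first customer's lease ends.
LEASES = [
    Lease("128.200.100.5", "acct-1001", utc(2010, 8, 5, 9, 0), utc(2010, 8, 5, 17, 30)),
    Lease("128.200.100.5", "acct-2002", utc(2010, 8, 5, 17, 32), utc(2010, 8, 5, 23, 0)),
    Lease("128.200.100.9", "acct-3003", utc(2010, 8, 5, 12, 0), utc(2010, 8, 6, 12, 0)),
    Lease("128.200.100.5", "acct-4004", utc(2008, 1, 1, 0, 0), utc(2008, 1, 2, 0, 0)),
]


def resolve(leases, ip, when, skew=timedelta(0)):
    """Map (ip, when) to subscribers whose lease [start, end) covers it.

    `skew` widens the instant to [when - skew, when + skew] to model clock
    disagreement between the observing server and the DHCP server.
    Returns ("match" | "ambiguous" | "no-record", [subscribers]).
    """
    if when.tzinfo is None:
        # A naive timestamp could be off by hours and name the wrong customer.
        raise ValueError("timestamp must carry a timezone")
    lo, hi = when - skew, when + skew
    hits = sorted({l.subscriber for l in leases
                   if l.ip == ip and l.start <= hi and lo < l.end})
    if not hits:
        return ("no-record", [])
    if len(hits) == 1:
        return ("match", hits)
    return ("ambiguous", hits)


def purge(leases, now, retention=timedelta(days=548)):
    """Drop leases that ended before the retention window (data minimization)."""
    cutoff = now - retention
    return [l for l in leases if l.end >= cutoff]


if __name__ == "__main__":
    t = utc(2010, 8, 5, 17, 35)
    print(resolve(LEASES, "128.200.100.5", t))
    print(resolve(LEASES, "128.200.100.5", t, skew=timedelta(minutes=10)))
    print(len(purge(LEASES, utc(2010, 8, 6, 0, 0))))
```

With ten minutes of clock uncertainty the same query names two different customers, which is why the timestamp's precision and timezone matter as much as the log itself.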
20. stoicheion
Thanks for your take, stoicheion. I think I turned off my BS detector because his slam of Obama was just too delicious. My bad.
If HR 1981 is passed, all our privacy will be online–send a letter to Congress today! http://act.demandprogress.org/letter/snooping_bill/