Every Move You Make, Every Click You Take, I'll Be Watching You

Boing-boing notices that “yesterday, the House Judiciary Committee voted 19-10 for H.R. 1981, a data-retention bill that will require your ISP to spy on everything you do online and save records of it for 12 months. California Rep Zoe Lofgren, one of the Democrats who opposed the bill, called it a ‘data bank of every digital act by every American’ that would ‘let us find out where every single American visited Web sites.'”

The databank is “for the children”. HR 1981 is actually titled “Protecting Children From Internet Pornographers Act of 2011”. Its sponsors say “the Protecting Children from Internet Pornographers Act of 2011 (H.R. 1981) directs Internet Service Providers (ISPs) to retain subscriber information for up to 12 months in order to assist federal law enforcement in online child pornography and child exploitation investigations. This is similar to existing federal law that requires telephone companies to retain caller information for up to 18 months.”

HR 1981 is the latest in a long line efforts by the Federal Government to mandate data retention. Broadband DSL reports writes:

New bills seem to pop up every year or so, though privacy advocates have traditionally beaten such efforts back. Mandatory ISP data retention was something you’ll recall was a priority for the Bush/Gonzales Justice Department, and (much like warrantless wiretapping) is now being championed by the Obama Administration Justice Department.

The latest effort is H.R. 1981: Protecting Children From Internet Pornographers Act of 2011, and is the focus of hearings this week. The bill has support from the The National Sheriffs’ Association, who insisted this week the lack of log retention “significantly hinders law enforcement’s ability to identify predators when they come across child pornography.” However eager law enforcement is for the new law, it appears to have hit a stumbling block — in that wireless carriers (and hotspot owners) have been excluded, largely due to wireless carrier lobbying. That’s resulted in some politicians — including this latest bill’s sponsor — to have second thoughts.

EU legislation already requires that ISPs keep the following data on users for at least six months.

Each website ever visited with time and date stamp
Each file ever downloaded using FTP or P2P
A record of every e-mail sent and received, including the e-mail content. [the Wikipedia citation above is in error. According to Directive 2006/24/EC, article 4 Section 2, “No data revealing the content of the communication may be retained pursuant to this Directive.”] the primary purpose of the retention being traffic analysis.
The name, time, date, etc of every user who chatted with via an Internet Messaging program, including the logs of the chats.
Each web forum posted on or visited
Logs of IRC sessions

Collecting information on the public is one of those rare things in Washington that has broad bipartisan support — except where it runs into the interests of a powerful lobbying group. Not everyone is happy to pass such legislation. Testimony on HR 1981 pointed out that the government already has the ability to order an ISP to retain data — but only for individuals under the authority of a warrant. By contrast, HR 1981 and similar efforts would essentially retain everyone’s data whether or not they were suspected of a crime or the subject of an investigation. Marc Rotenberg testified that:

This is a critical distinction. It reflects a central purpose of the Fourth Amendment: to ensure that the investigative powers of the government are directed toward those who have actually committed a crime or maybe planning a crime.

As in many things the government does, what the left hand does, the right hand undoes. Interestingly, data retention mandates can potentially come into conflict with privacy mandates. Rotenberg notes that there are laws on the books requiring companies to collect only the data required, a process known as “data minimization” to protect privacy and enhance security. And here they go in the opposite direction.

The security risks of collecting data for “just in case” reasons are easy to understand. Collecting large volumes of potentially private data at ISPs creates big fat targets for hackers and other illegitimate data collectors. Creating these dumps implicitly creates the requirement to protect them.

“Aside from the risk of hacking by activist groups like LulzSec and cyber criminals, Congress should consider the national security risks associated with data breaches and targeted attacks by nation states. Rich logs of user network data held by ISPs could prove to be an attractive target for nation state attackers,” Rotenberg said.

In short, there is little guarantee that creating these clusters of low-hanging fruit will help the children instead of becoming a royal road for Chinese intelligence and identity thieves. One can even conceive of a situation where criminals will benefit from this retention of data rather than be deterred by them.

The data retention net would be spread very wide and very little would escape collection. “Nothing in the bill, though, indicates exactly what information must be retained. Furthermore, even if a customer closes an account with an ISP, that ISP would be required to maintain his records for a full eighteen months after he ceased service.”

As the importance of online identities and reputations grows, the value of the retained data would grow correspondingly. The importance of the retained information could determine ruin or success for companies, professionals and small businesses. Such data retention programs would expose online reputations and identities to attackers. LulzSec, for example:

claimed responsibility for an attack against Sony and took data that included “names, passwords, e-mail addresses, home addresses and dates of birth for thousands of people … hacked into the website of Black & Berg Cybersecurity Consulting, a small network security company, and changed the image displayed on their front page to one containing the LulzSec logo. … released the e-mails and passwords of a number of users of senate.gov, the website of the United States Senate … launched an attack on www.cia.gov, the public website of the United States Central Intelligence Agency, taking the website offline with a distributed denial-of-service attack. The website was down from 5:48 pm to 8:00 pm eastern time

It recalls the debacle of December 7, 1941, when authorities at Pearl Harbor ordered all available aircraft parked in the center of the runways to prevent them from being sabotaged in their revetments. History buffs will recall that this measure prevented sabotage entirely — but only at the cost of facilitating their destruction by the Imperial Japanese naval air force.

"Park Them in a Row to Prevent Sabotage in the Hangars"

The value of secrecy is nothing but the price associated with control over information. The value of privacy is what you would be willing to pay for the right to retain control over personally identifiable data. The reason why government has not in the past been able to assert control over every piece of information is that to do so would be theft. Nobody, not even the government, should get information kept out of the public view for free.

In the past, the cost to the government for obtaining such information has been processes associated with a warrant. By mandating data retention government is essentially obtaining very valuable data for free. It is a kind of tax levied on the public for the ostensible purpose of fighting child pornographers. But everyone pays the price; the price in terms of added risk or the additional cost of avoiding the data traps now set up by the government — whether they are objects of investigation or not.

While the measure appears to provide efficiencies for law enforcement, in broader economic terms it is a highly wasteful way of obtaining what could be achieved far more cheaply. The public policy question as always should be whether such a tax is commensurate with the benefits of its intended purpose or whether there aren’t better ways to run a railroad.