Automatic Wiretap? Data Retention Bills Proposed
Automatic Wiretap? Data Retention Bills Proposed
Automatic Wiretap? Data Retention Bills Proposed

    Get Involved Today

    Both the House and Senate have introduced bills that would require “electronic communications service providers” to store “all records or other information pertaining to the identity of a user” of a temporary network address for two years. While the bulk of the bills are targeted at preventing child porn, this one provision creates a more sweeping, general requirement.

    Some early coverage at CNet and on Ars Technica, among others, has noted the potential risk that anyone operating an open WiFi access point might then be required to maintain mountains of records on whatever information they have regarding anyone to use their connections.

    While there's room for debate about how broadly any court would interpret the definition of an “electronic communications service provider,” though, what's not debatable is that this provision would result in a massive amount of data collection on most, if not all, ISP users.

    The more immediate concern is probably not whether or not you'll be treated as an ISP with record-keeping burdens, but that your ISP (as well as any online services that qualify as “remote computing services”) will be required to keep records on your usage of your Internet connection. The definition of “information pertaining to the identity of a user” will matter a lot.

    That's because, read broadly, the content of a person's traffic can say a lot about their identity. Note, for example, the ability of reporters to identify an individual given anonymized search strings. If search strings and other data are considered “pertinent,” then this provision acts as an automatic wiretap of sorts. Imagine, for instance, if the phone company was required to record all your telephone conversations on the off chance that you might be abusing children.

    Even a narrower reading would require online service providers to collect and store information about their customers. How that information will eventually be used by the companies collecting it, or by those who would subpoena (or steal) it later, isn't specified in the bills. Current law already requires storage of user information pursuant to a request from law enforcement—but nothing so sweeping as this, which would apply to all users automatically.