By Steve Watson
Legislation that will force Internet providers to store information on all their customers and share it with the federal government and law enforcement agencies was significantly beefed at the last minute yesterday and approved by a U.S. House of Representatives committee.
Under the guise of protecting children from internet pornographers, the House Judiciary committee voted 19-10 to approve a bill that will require Internet Service Providers to store temporarily assigned IP addresses for future government use.
In addition, the bill was re-written yesterday to also include the enforced retention of customers’ names, addresses, phone numbers, credit card numbers and bank account numbers.
As Declan McCullagh of CNet reports, the panel rejected an amendment that would have clarified that only IP addresses must be stored.
“The bill is mislabeled,” said Rep. John Conyers of Michigan, the senior Democrat on the panel. “This is not protecting children from Internet pornography. It’s creating a database for everybody in this country for a lot of other purposes.”
It represents “a data bank of every digital act by every American” that would “let us find out where every single American visited Web sites,” said Rep. Zoe Lofgren, who led Democratic opposition to the bill. The Californian Representative described the legislation as a “mess of a bill” and a “stalking horse for a massive expansion of federal power”.
Rep. Darrell Issa, R-Calif., noted that the bill would open a Pandora’s box of government abuse.
“This is not about child porn. It never has been and never will be,” Issa said. “This is a convenient way for law enforcement to get what they couldn’t get in the PATRIOT Act.”
Advocates for the legislation include the National Sheriffs’ Association, which has said it “strongly supports” mandatory data retention. The bill has also attracted endorsements from the National Center for Missing and Exploited Children, as well as the FBI.
In a last ditch effort to derail the bill, the ACLU, along with dozens of other privacy watchdog groups penned a letter (PDF) to House Judiciary Committee Chairman Lamar Smith earlier this week, noting that “any data retention mandate is a direct assault on bedrock privacy principles.”
“The data retention mandate in this bill would treat every Internet user like a criminal and threaten the online privacy and free speech rights of every American, as lawmakers on both sides of the aisle have recognized,” Senior Staff Attorney Kevin Bankston of the Electronic Frontier Foundation said.
“Requiring Internet companies to redesign and reconfigure their systems to facilitate government surveillance of Americans’ expressive activities is simply un-American. Such a scheme would be as objectionable to our Founders as the requiring of licenses for printing presses or the banning of anonymous pamphlets.” Bankston added.
“This is China-style law enforcement, treating everyone as a potential suspect and requiring the collection of personal information just in case it might later be useful to the government,” said Greg Nojeim, senior counsel for the Washington based Center for Democracy and Technology, in an interview with Bloomberg.
A fortnight ago, the Electronic Privacy Information Center (EPIC) appealed before the House Judiciary Committee, asking that Congress recognize the fact that retaining identifying information would put at risk “99.9% of Internet users.”
EPIC President Marc Rotenberg pointed out that it is more prudent to seek data minimization rather than data retention, in the wake of increased risk of data breaches and identity theft. Rotenberg noted that enforced data retention would make ISPs more vulnerable to hackers, citing the LulzSec group, which recently claimed responsibility for temporarily shutting down a CIA website and other high-profile hacks.
“Minimizing stored user data reduces incentives for hackers to attack data storage systems by reducing the amount of data available to steal. Minimization also reduces the costs of data breaches,” Rotenberg said in prepared testimony.
Rotenberg suggested that the data could be used to bring criminal charges that were unrelated to child pornography, noting that any mandatory retention of data would be accessible to police investigating any crime.
“Although this data retention requirement has been introduced as part of a bill focused on child sexual exploitation, there is no evidence to suggest that the majority of law enforcement requests for customer subscriber information relate to child protection cases.” Rotenberg argued.
The bill would also allow access to the data by attorneys litigating civil disputes in divorce, insurance fraud, and other cases that have nothing to do with the protection of children on the internet.
“It would give the government sweeping authority to mandate the collection and retention of personal information obtained by business from their customers, or generated by the business in the course of providing services, for subsequent examination without any reason to believe that information is relevant or necessary for a criminal investigation,” Rotenberg further testified.
Rep. Bobby Scott, D-Va., had proposed an amendment to the bill that would have limited use of the data to child-pornography or terrorism cases, but it was withdrawn at the last minute, as Lamar Smith claimed that limiting the use of the information to child-pornography investigations could “undermine current cases on other issues”.
Rep. Scott also attempted to add an amendment to allocate $45 million a year to pay for more than 200 additional federal investigators and prosecutors dedicated to child pornography cases. Clearly a real move to crack down on child porn peddlers was unwelcome, however, as this too was struck down by committee members who claimed the funding wasn’t available.
The legislation, with all it’s privacy stripping measures intact