FBI Joins Data Retention Push; Industry Wants Specifics

“Terrorists coordinate their plans cloaked in the anonymity of the Internet, as do violent sexual predators prowling chat rooms,” Mueller said: “All too often, we find that before we can catch these offenders, Internet service providers have unwittingly deleted the very records that would help us identify these offenders and protect future victims.”

There’s scant evidence for such claims, U.S. Internet Industry Assn. CEO Dave McClure told us. “To my knowledge the only time this has occurred was a case in Colorado,” in which local police sat on evidence for 6 months before requesting subscriber records from an ISP, he said. That incident is a favorite of data retention backers including Rep. DeGette (D-Colo.), who promised to introduce a data retention bill but has missed her own deadlines for doing so (WID Sept 22 p1). “We've asked them to give us hard data documenting [the frequency of hampered investigations] and they haven’t been able to do that,” McClure said. The FBI didn’t respond to our request for data or anecdotal evidence of unhelpful ISPs. A spokesman for DeGette couldn’t meet our deadline for information on other incidents.

ISPs’ and Web hosting companies’ business needs have been “jumbled in together” in retention proposals, ignoring basic differences between them, McClure said. ISPs typically retain subscriber data several months for billing purposes, while host companies need it only for backup, perhaps holding data a single day, he said. “This is very frustrating for law enforcement that want to come in after the fact,” but it’s hard to force companies to hold information for periods of time with no precedent in the industry, he said: “You can’t simply ask our industry to drop a billion” dollars on wider retention protocols and expect the cost of Internet access to decline. AT&T and BellSouth proposed such decreases as a carrot for the FCC to approve their merger (WID Oct 17 p1).

Agencies and legislators have ignored “fundamental questions that we have asked again and again,” McClure said: What information should we collect, and for how long? What format, and who’s responsible for searching it? Who’s in charge of data security? “There’s not a data storage facility in the country large enough” to hold all subscriber data for the year or 2 proponents bandy about, he said.

AT&T’s alleged complicity with NSA domestic wiretapping casts shadows on data retention proposals, McClure said. The telco faces scores of suits by customers and privacy groups accusing the company of violating its service terms and federal and state laws. DoJ “bailed” on AT&T, and ISPs don’t trust the agency to defend them if sued under the Electronic Communications Privacy Act. Industry has received “no response whatsoever” on that concern, he said.

McClure has talked to people “in the trenches” -- investigators of child porn and terrorism on the Internet -- who aren’t pushing retention mandates, he said: “There doesn’t seem to be as strong a drumbeat for this” from the “back office” as from agency brass. Day-to-day investigators know smart criminals will set up virtual private networks and use encryption for online activities if Congress lays down broad mandates, McClure said. -- Greg Piper

International Assn. of Chiefs of Police Notebook…

Better data sharing will help law enforcement catch a new generation of hackers, Mueller said at the conference. A 16-year-old Swede known as “rebel” eluded pursuers for 2 years after penetrating the most secure govt. and university computer systems, with suspects identified from the U.K. to Romania, Mueller said. The Law Enforcement National Data Exchange, or N-DEx, will bring together crime report data from federal, state and local agencies, and correlate FBI databases with a national search system, letting officers nationwide collaborate in “virtual task forces,” Mueller said.