Feeds

Retain or restrain access logs?

If the system ain't broke, don't fix it

Internet Security Threat Report 2014

The problem is that these powers are not limited to cases of organised crime, terrorism or child protection - nor could they be for IP retention. After all, an ISP would have no way of knowing if records were going to be relevant two years hence in some investigation, and therefore they would be required to keep everything.

Nor has the government proposed legislation that would say that the retained records may only be accessed pursuant to a court order in cases of child exploitation or protection. No, once retained, the records are subject to criminal or civil subpoena, investigative demand, National Security Letter, grand jury subpoena, search warrant, administrative demand, or even a secret request from the government pursuant to the powers of the President as Commander in Chief in a time of war. And unprivileged records can be subpoenaed by private litigants as well.

The cost of record retention

Who will pay for creating and storing these terabytes of data? Who will store them? The ISPs or the government? And who will secure and protect them? Perhaps the United States Department of Veteran's Affairs, or the Department of Energy can be trusted with our personal records?

Sure, it would make investigations easier if all kinds of records were created and stored forever. What the Attorney General fails to understand is that ISPs already strike a balance in favour of protecting the privacy of their users. The IP records they create are created solely for the purpose of making sure the connection is made, and serve no real ISP function thereafter. Therefore, they are destroyed.

The government is seeking to fundamentally change that balance and to make ISPs agents of the state in creating and retaining records not for their own purposes, but for the government's. As CNET's Declan McCulloch pointed out, Congress is considering making the retention rules mandatory. This is bad policy.

Law enforcement already has the power to demand, in individual investigations, that ISPs retain specific records for 90 days, in 18 USC 2703(f). This can be extended to up to six months. This should be long enough to get a subpoena for the required records. The government wants two years? Why not 20? Why not forever? I'd better stop typing before I give someone some ideas.

Look, if records exist, they will be subpoenaed, stolen, lost or hacked. We already have a pretty good balance of retaining records when we need them and getting rid of them when we don't. Let's not spoil a system that works unless we have clear evidence that it is failing.

This article originally appeared in Security Focus.

Copyright © 2006, SecurityFocus

SecurityFocus columnist Mark D Rasch, JD, is a former head of the Justice Department's computer crime unit, and now serves as senior vice president and chief security counsel at Solutionary Inc.

Beginner's guide to SSL certificates

Whitepapers

Choosing cloud Backup services
Demystify how you can address your data protection needs in your small- to medium-sized business and select the best online backup service to meet your needs.
Getting started with customer-focused identity management
Learn why identity is a fundamental requirement to digital growth, and how without it there is no way to identify and engage customers in a meaningful way.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
Reducing the cost and complexity of web vulnerability management
How using vulnerability assessments to identify exploitable weaknesses and take corrective action can reduce the risk of hackers finding your site and attacking it.
Saudi Petroleum chooses Tegile storage solution
A storage solution that addresses company growth and performance for business-critical applications of caseware archive and search along with other key operational systems.