Feeds

Retain or restrain access logs?

If the system ain't broke, don't fix it

High performance access to file storage

The problem is that these powers are not limited to cases of organised crime, terrorism or child protection - nor could they be for IP retention. After all, an ISP would have no way of knowing if records were going to be relevant two years hence in some investigation, and therefore they would be required to keep everything.

Nor has the government proposed legislation that would say that the retained records may only be accessed pursuant to a court order in cases of child exploitation or protection. No, once retained, the records are subject to criminal or civil subpoena, investigative demand, National Security Letter, grand jury subpoena, search warrant, administrative demand, or even a secret request from the government pursuant to the powers of the President as Commander in Chief in a time of war. And unprivileged records can be subpoenaed by private litigants as well.

The cost of record retention

Who will pay for creating and storing these terabytes of data? Who will store them? The ISPs or the government? And who will secure and protect them? Perhaps the United States Department of Veteran's Affairs, or the Department of Energy can be trusted with our personal records?

Sure, it would make investigations easier if all kinds of records were created and stored forever. What the Attorney General fails to understand is that ISPs already strike a balance in favour of protecting the privacy of their users. The IP records they create are created solely for the purpose of making sure the connection is made, and serve no real ISP function thereafter. Therefore, they are destroyed.

The government is seeking to fundamentally change that balance and to make ISPs agents of the state in creating and retaining records not for their own purposes, but for the government's. As CNET's Declan McCulloch pointed out, Congress is considering making the retention rules mandatory. This is bad policy.

Law enforcement already has the power to demand, in individual investigations, that ISPs retain specific records for 90 days, in 18 USC 2703(f). This can be extended to up to six months. This should be long enough to get a subpoena for the required records. The government wants two years? Why not 20? Why not forever? I'd better stop typing before I give someone some ideas.

Look, if records exist, they will be subpoenaed, stolen, lost or hacked. We already have a pretty good balance of retaining records when we need them and getting rid of them when we don't. Let's not spoil a system that works unless we have clear evidence that it is failing.

This article originally appeared in Security Focus.

Copyright © 2006, SecurityFocus

SecurityFocus columnist Mark D Rasch, JD, is a former head of the Justice Department's computer crime unit, and now serves as senior vice president and chief security counsel at Solutionary Inc.

High performance access to file storage

More from The Register

next story
Audio fans, prepare yourself for the Second Coming ... of Blu-ray
High Fidelity Pure Audio – is this what your ears have been waiting for?
Dropbox defends fantastically badly timed Condoleezza Rice appointment
'Nothing is going to change with Dr. Rice's appointment,' file sharer promises
MtGox chief Karpelès refuses to come to US for g-men's grilling
Bitcoin baron says he needs another lawyer for FinCEN chat
Did a date calculation bug just cost hard-up Co-op Bank £110m?
And just when Brit banking org needs £400m to stay afloat
Zucker punched: Google gobbles Facebook-wooed Titan Aerospace
Up, up and away in my beautiful balloon flying broadband-bot
Apple DOMINATES the Valley, rakes in more profit than Google, HP, Intel, Cisco COMBINED
Cook & Co. also pay more taxes than those four worthies PLUS eBay and Oracle
It may be ILLEGAL to run Heartbleed health checks – IT lawyer
Do the right thing, earn up to 10 years in clink
France bans managers from contacting workers outside business hours
«Email? Mais non ... il est plus tard que six heures du soir!»
prev story

Whitepapers

Mainstay ROI - Does application security pay?
In this whitepaper learn how you and your enterprise might benefit from better software security.
Five 3D headsets to be won!
We were so impressed by the Durovis Dive headset we’ve asked the company to give some away to Reg readers.
3 Big data security analytics techniques
Applying these Big Data security analytics techniques can help you make your business safer by detecting attacks early, before significant damage is done.
The benefits of software based PBX
Why you should break free from your proprietary PBX and how to leverage your existing server hardware.
Mobile application security study
Download this report to see the alarming realities regarding the sheer number of applications vulnerable to attack, as well as the most common and easily addressable vulnerability errors.