Retain or restrain access logs?
If the system ain't broke, don't fix it
A recent proposal by the US Department of Justice that would mandate Internet Service Providers to retain certain records represents a dangerous trend of turning private companies into proxies for law enforcement or intelligence agencies against the interests of their clients or customers.
When you use the internet, a certain record of your activities is invariably created and - at least for a short time - retained by your Internet Service Provider (ISP).
For example, when you establish an account with your ISP - whether it is AOL, Comcast, Verizon, Time-Warner, or any of thousands of ISPs you generally provide the ISP with your name, address, telephone number, and if it is a paid service, some form of payment - credit card, bank account, etc. The ISP will typically retain this account information, and will also keep records that associate this account information with any accounts that you create.
Thus, while you think you are so clever creating the online persona "cyber-stud", the ISP knows that you are really a 29-year-old permanent undergraduate engineering student living at home in your mother's basement.
This "real world" account information - associating a cyber persona with a real identity - is a gold mine for marketers, law enforcement agencies and the intelligence community, as they want to know who their customers or the users of online services really are. This information can be used for good or for evil. If there is an online pedophile or terrorist, one certainly wants the police to have the ability to, in close-to-real-time when necessary, be able to learn who these people are, and physically where they are as well. One would think that the police would need a subpoena or court order for this information, right? Well, not exactly.
Subpoenaing ISP logs
About five years ago, at a US Federal court in Virginia in a case called United States v. Hambrick, the Court dealt with a situation where the government obtained a faulty subpoena for account information about a suspected purveyor of child porn. The subpoena, which all parties agreed was invalid, called for the ISP Mindspring to deliver to the government records relating to a particular online user, his Internet Protocol address, and the name, address and billing information he gave at the time of establishing the account. They also obtained his name, work and fax telephone numbers.
Now remember, because the subpoena was faulty, there was, in effect, no lawful court order in place for these records. It was as if the FBI burst into the offices of Mindspring and merely took what subscriber information they wanted - well, at least in the eyes of the law.
So the question was, when Mindspring turned over the subscriber information to the cops without an effective warrant or subpoena, did Hambrick have any cause to complain?
The answer the court gave was, well, no. You see, the Hambrick court said, the Constitution protects only "legitimate" expectations of privacy. When you turn your personal information over to a third party (like the ISP) you give up your privacy rights. Similarly, when you send an email, participate in a chat, or give any information to anyone, you run the risk that the information, now in the hands of some third party, will be turned over to the cops.
So, according to the Hambrick court, you have a diminished expectation of privacy in these records. Indeed, it was this rationale that was relied upon by the Bush administration's NSA in concluding that the records of your telephone calls - who you called and when - were not your records, but rather the records of the phone company, and that you therefore had no expectation of privacy in those records. So, the government could demand, or the ISP could voluntarily produce such records - subpoena or not.
All of this is dangerous enough. But recent actions of the United States Attorney General and the director of the Federal Bureau of Investigation last week raise an even larger threat to privacy and security.
In the interests of prosecuting child abuse cases, the AG and the FBI Director have asked that the ISPs retain all of their records just in case someday, somehow, for some reason, the government may want them in some future case.
Logs are a grab bag full of goodies
In April 2006, Attorney General Gonzales, before the National Center for Missing and Exploited Children, noted that:
"...we have to make sure law enforcement has all the tools and information it needs to wage this battle [against child predators]. The investigation and prosecution of child predators depends critically on the availability of evidence that is often in the hands of Internet Service Providers. This evidence will be available for us to use only if the providers retain the records for a reasonable amount of time. Unfortunately, the failure of some Internet Service Providers to keep records has hampered our ability to conduct investigations in this area.
As a result, I have asked the appropriate experts at the department to examine this issue and provide me with proposed recommendations. And I will reach out personally to the CEOs of the leading service providers, and to other industry leaders, to solicit their input and assistance. Record retention by Internet Service Providers consistent with the legitimate privacy rights of Americans is an issue that must be addressed."
Apparently, this was the real purpose of the meetings with ISPs last week. The Attorney General wanted to discuss why they should change their document retention policies to retain records they do not need for business purposes, solely to assist the United States Government. So what are the legitimate privacy rights of Americans? Or Europeans? Or Asians, Africans, South Americans, Australians, Pacific Islanders, or Antarcticans?
After you establish your account, you then use it to browse the web, post content, establish blogs, create or edit a MySpace or YouTube account, download materials, create a P2P connection with others, and so on. In other words, you use the internet.
Virtually every connection you make online, whether it is to read webmail or have a Voice Over Internet Protocol (VoIP) telephone call, essentially directs packets from your Internet Protocol address to another Internet Protocol address.
While your IP address may be static or dynamic (and for you technologists reading this, excuse the deliberate simplification), the ISP will, for the most part, have at least a temporary record of everything you do: the contents of every email and chat, every webpage visited, and in what order. ISPs certainly log access to their own internal servers for at least a short period of time.
Even if the same ISP does not log all external access, their DNS logs could point authorities to other websites visited by a customer, and each of those sites would retain its own logs of access by IP address. Your online life goes through one of these third parties that, at least according to the government, you have no right to trust.
Because ISPs create records of virtually everything that virtually everyone does virtually, our privacy is generally protected by the fact that these records are frequently purged. After all, we are talking about terabytes of data that serves no real function for the ISP. The only reason the records were maintained was to make sure the packets got to their intended destination.
In the case of records of long distance calls made, the phone companies kept these records so they could charge you for the long distance calls. With flat-rate billing, there is no need for them to keep any record that you called Wisconsin.
What the FBI director and Attorney General asked the ISPs to do was to retain - for a period of about two years - records of all internet traffic. Indeed, they want to do this under the threat, express or implied, of legislation mandating such document retention. Now, the news reports were not clear about exactly what information the government wanted the ISPs to keep. Currently, with a few basic limitations, ISPs are not required to keep any records. If they want, they can delete all their records, including subscriber records.
Records for the taking
It has always been the case that if a record exists, it is subject to subpoena. There are several laws protecting the privacy of internet-related records. For example, the Cable TV Privacy Act, 47 USC 551, provides that:
"A cable operator shall destroy personally identifiable information if the information is no longer necessary for the purpose for which it was collected and there are no pending requests or orders for access to such information under subsection (d) of this section [which allows the subscriber to have access to his or her own records] or pursuant to a court order."
Thus, for a cable modem at least, Congress mandates that without a court order, the Cable ISP must destroy the records. The Attorney General and FBI director appear to be asking the cable ISPs to ignore or violate that law.
These requirements are similar to those now coming into force in Europe after the December 2005 vote of the European Parliament. During discussion, the Parliament noted that, "[b]ecause retention of data has proved to be such a necessary and effective investigative tool for law enforcement in several Member States, and in particular concerning serious matters such as organised crime and terrorism, it is necessary to ensure that retained data are made available to law enforcement authorities for a certain period, subject to the conditions provided for in this Directive."
Now whenever government seeks to increase the powers of law enforcement at the expense of freedom or civil liberties, it always hauls out the troika of organised crime, terrorism and the protection of children. After all, who is opposed to preventing terrorism? Who is in favour of organised crime? And who can be opposed to protecting kids, after all?
The problem is that these powers are not limited to cases of organised crime, terrorism or child protection - nor could they be for IP retention. After all, an ISP would have no way of knowing if records were going to be relevant two years hence in some investigation, and therefore they would be required to keep everything.
Nor has the government proposed legislation that would say that the retained records may only be accessed pursuant to a court order in cases of child exploitation or protection. No, once retained, the records are subject to criminal or civil subpoena, investigative demand, National Security Letter, grand jury subpoena, search warrant, administrative demand, or even a secret request from the government pursuant to the powers of the President as Commander in Chief in a time of war. And unprivileged records can be subpoenaed by private litigants as well.
The cost of record retention
Who will pay for creating and storing these terabytes of data? Who will store them? The ISPs or the government? And who will secure and protect them? Perhaps the United States Department of Veterans Affairs, or the Department of Energy, can be trusted with our personal records?
Sure, it would make investigations easier if all kinds of records were created and stored forever. What the Attorney General fails to understand is that ISPs already strike a balance in favour of protecting the privacy of their users. The IP records they create are created solely for the purpose of making sure the connection is made, and serve no real ISP function thereafter. Therefore, they are destroyed.
The government is seeking to fundamentally change that balance and to make ISPs agents of the state in creating and retaining records not for their own purposes, but for the government's. As CNET's Declan McCullagh pointed out, Congress is considering making the retention rules mandatory. This is bad policy.
Law enforcement already has the power to demand, in individual investigations, that ISPs retain specific records for 90 days, in 18 USC 2703(f). This can be extended to up to six months. This should be long enough to get a subpoena for the required records. The government wants two years? Why not 20? Why not forever? I'd better stop typing before I give someone some ideas.
Look, if records exist, they will be subpoenaed, stolen, lost or hacked. We already have a pretty good balance of retaining records when we need them and getting rid of them when we don't. Let's not spoil a system that works unless we have clear evidence that it is failing.
This article originally appeared in Security Focus.
Copyright © 2006, SecurityFocus
SecurityFocus columnist Mark D Rasch, JD, is a former head of the Justice Department's computer crime unit, and now serves as senior vice president and chief security counsel at Solutionary Inc.