Cybertelecom :: Record Keeping

Law enforcement confronts a forensics problem. Let's say Joe Cheater uploads a phishing website. Chief Wiggum gets wise and attempts to find out who done it. First thing the Chief does, he looks up the WHOIS record of the domain name of the site. But of course the record is a fake, created with credit cards acquired with a stolen identity. Using the WHOIS record, Chief Wiggum is able to find out that the phishing site is hosted at ACME-HOST ISP. Chief Wiggum walks into ACME-HOST ISP and asks for the server records which would contain the IP number of the creator of the phishing site. Problem is, the web host deleted those records yesterday. Even if the web host had retained those records, all Chief Wiggum would get in an IP number. He can determine that the IP number is a part of an IP number block assigned to the BETA-ACCESS ISP. The BETA-ACCESS ISP, like many ISPs, has more subscribers than IP numbers. Instead of assigning the same IP number to a subscriber every time, the ISP uses Dynamic Host Configuration Protocol (DHCP) to assign a new IP number every time a subscriber logs in. The problem, and where the Chief's trail hits a creamed filled donut ... the BETA ISP does not maintain IP number assignment records at all, and therefore cannot match an IP number to a particular subscriber.

Law enforcement officials have voiced concern that this failure to maintain an Internet bread crumb trail makes it difficult for them to do their job. US Attorney General Alberto Gonzalez made it clear during 2006 that data retention by ISPs is on his wish list. Several proposed criminal laws, including the International Cybercrime Treaty and laws that attempt to fight child pornography, would require ISPs to maintain records of transactions and communications over their networks. In lieu of legal requirements, DOJ and the FBI met with major ISPs in 2006 requesting that they "voluntarily" retain data.

Currently, every move you make, every email you send, every website you visit, results in a virtual bread crumb trail. If someone wanted to know what you are doing online, they could. They can know your IP number, your domain name, probably your geolocation, and more if they use cookies. This is a bit of a privacy concern. The question here is, how long before your bread crumb trail evaporates.

Under an existing law the Electronic Communications Transactional Records Act ISPs are required to retain records for 90 days upon request of a "government entity." This would merely result in the records being retained; it does not give law enforcement access to those records.

Law enforcement access to these records is governed by the 4th Amendment, ECPA and laws such as FISA and CALEA.

It requires a definition of what an ISP is - would this obligation fall upon a Wifi Cafe, a School, or an individual with a Wifi access point in their home?
What is recorded? If the goal is to record user identifying information, some ISPs like free Wifi cafes, have no knowledge of who uses their network. There might be a MAC address but that is about it.
- What information should be retained
- Should different types of data have different retention standards

Should different types of ISPs fall under different retention standards

There is the potential of a great amount of data storage that will be required. Given that some ISPs do no data storage, this could present a rather significant imposition.
New equipment will have to be purchased and staff will have to be trained. Where profits are small or the service is offered as a loss leader, the cost of the record keeping could prevent some ISPs from maintaining their service.
Concern has been raised about risks to privacy.
- Record keeping could be thwarted by encryption, VPNs, Anonymizing services, and other security service

Law

Electronic Communication Transactional Records Act 18 USC s 2703(f)

ISPs must retain records for 90 days upon request of a government entity
note that this does not give the government official access to the record - the government official must still comply with ECPA and the 4th Amendment to gain access to the record.

EU data retention laws. See EPIC Information.

Government Activity

Combating Child Pornography by Eliminating Pornographers’ Access to the Financial Payment System, US Senate Committee on Banking, Housing, and Urban Affairs Sept 2006

Honorable Alberto R. Gonzales , Attorney General of the United States PDF "As we’ve looked at ways to improve the law enforcement response to the problem of online exploitation and abuse of children, one thing we are examining is the retention of records by communications service providers. Several months ago, I established a working group within the Department of Justice that is looking at this issue."

Letter from the National Association of Attorney Generals, June 2006 Recommending federal data retention legislation

Prepared Remarks of Attorney General Alberto R. Gonzales at the National Center for Missing and Exploited Children April 20, 2006 "But in order for Project Safe Childhood to succeed, we have to make sure law enforcement has all the tools and information it needs to wage this battle. The investigation and prosecution of child predators depends critically on the availability of evidence that is often in the hands of Internet service providers. This evidence will be available for us to use only if the providers retain the records for a reasonable amount of time. Unfortunately, the failure of some Internet service providers to keep records has hampered our ability to conduct investigations in this area."

Audio

Papers

Links

News

Record Keeping / Data Retention

Law

Proposed Legislation

Government Activity

Audio

Papers