Cybertelecom Federal Internet Law & Policy An Educational Project

Record Keeping / Data Retention

Law enforcement confronts a forensics problem. Let's say Joe Cheater uploads a phishing website. Chief Wiggum gets wise and attempts to find out who done it. First thing the Chief does, he looks up the WHOIS record of the domain name of the site. But of course the record is a fake, created with credit cards acquired with a stolen identity. Using the WHOIS record, Chief Wiggum is able to find out that the phishing site is hosted at ACME-HOST ISP. Chief Wiggum walks into ACME-HOST ISP and asks for the server records which would contain the IP number of the creator of the phishing site. Problem is, the web host deleted those records yesterday. Even if the web host had retained those records, all Chief Wiggum would get in an IP number. He can determine that the IP number is a part of an IP number block assigned to the BETA-ACCESS ISP. The BETA-ACCESS ISP, like many ISPs, has more subscribers than IP numbers. Instead of assigning the same IP number to a subscriber every time, the ISP uses Dynamic Host Configuration Protocol (DHCP) to assign a new IP number every time a subscriber logs in. The problem, and where the Chief's trail hits a creamed filled donut ... the BETA ISP does not maintain IP number assignment records at all, and therefore cannot match an IP number to a particular subscriber.

Law enforcement officials have voiced concern that this failure to maintain an Internet bread crumb trail makes it difficult for them to do their job. US Attorney General Alberto Gonzalez made it clear during 2006 that data retention by ISPs is on his wish list. Several proposed criminal laws, including the International Cybercrime Treaty and laws that attempt to fight child pornography, would require ISPs to maintain records of transactions and communications over their networks. In lieu of legal requirements, DOJ and the FBI met with major ISPs in 2006 requesting that they "voluntarily" retain data.

• NOTE: In the fall of 2008, Congress passed Sen. Biden's PROTECT Our Children Act which has a data retention requirement!

Currently, every move you make, every email you send, every website you visit, results in a virtual bread crumb trail. If someone wanted to know what you are doing online, they could. They can know your IP number, your domain name, probably your geolocation, and more if they use cookies. This is a bit of a privacy concern. The question here is, how long before your bread crumb trail evaporates.

Data retention laws are fraught with problems and ISPs have resisted them.

• It requires a definition of what an ISP is - would this obligation fall upon a Wifi Cafe, a School, or an individual with a Wifi access point in their home?
• What is recorded? If the goal is to record user identifying information, some ISPs like free Wifi cafes, have no knowledge of who uses their network. There might be a MAC address but that is about it.
  • What information should be retained
  • Should different types of data have different retention standards
• Should different types of ISPs fall under different retention standards
• There is the potential of a great amount of data storage that will be required. Given that some ISPs do no data storage, this could present a rather significant imposition.
• New equipment will have to be purchased and staff will have to be trained. Where profits are small or the service is offered as a loss leader, the cost of the record keeping could prevent some ISPs from maintaining their service. An additional cost to the ISP would be searching and filtering through data stored for the specific data in question.
• Concern has been raised about risks to privacy.
  • Record keeping could be thwarted by encryption, VPNs, Anonymizing services, and other security service

18 USC § 2703(f) Requirement To Preserve Evidence.— (1) In general.— A provider of wire or electronic communication services or a remote computing service, upon the request of a governmental entity, shall take all necessary steps to preserve records and other evidence in its possession pending the issuance of a court order or other process. (2) Period of retention.— Records referred to in paragraph (1) shall be retained for a period of 90 days, which shall be extended for an additional 90-day period upon a renewed request by the governmental entity.

Rule:

Under an existing law the Electronic Communications Transactional Records Act ISPs are required to retain records for 90 days upon request of a "government entity." This would merely result in the records being retained; it does not give law enforcement access to those records.

Law enforcement access to these records is governed by the 4th Amendment, ECPA, Stored Communications Act, and laws such as FISA and CALEA.

Derived From: Searching and Seizing Computers and Obtaining Electronic Evidence in Criminal Investigations Computer Crime and Intellectual Property Section, Criminal Division, DOJ p 139 (2009) (Remember: This is a rendition of the state of the law from law enforcement and reflects their views)

There is no legally prescribed format for § 2703(f ) requests. While a simple phone call should be adequate, a fax or an email is safer practice because it both provides a paper record and guards against misunderstanding. Upon receipt of the government’s request, the provider must retain the records for 90 days, renewable for another 90-day period upon a government request. See 18 U.S.C. § 2703(f )(2). A sample § 2703(f ) letter appears in Appendix C.

Agents who send § 2703(f ) letters to network service providers should be aware of two limitations. First, § 2703(f ) letters should not be used prospectively to order providers to preserve records not yet created. If agents want providers to record information about future electronic communications, they should comply with the electronic surveillance statutes [].

A second limitation of § 2703(f ) is that some providers may be unable to comply effectively with § 2703(f ) requests, or they may be unable to comply without taking actions that potentially could alert a suspect. In such a situation, the agent must weigh the benefit of preservation against the risk of alerting the subscriber. The key here is effective communication: agents should communicate with the network service provider before ordering the provider to take steps that may have unintended adverse effects. Investigators with questions about a provider’s practices may also contact CCIPS [] for further assistance.

Law

• Electronic Communication Transactional Records Act 18 USC s 2703(f)
  • ISPs must retain records for 90 days upon request of a government entity
  • note that this does not give the government official access to the record - the government official must still comply with ECPA and the 4th Amendment to gain access to the record.
• EU data retention laws. See EPIC Information.

Government Activity

• Combating Child Pornography by Eliminating Pornographers’ Access to the Financial Payment System, US Senate Committee on Banking, Housing, and Urban Affairs Sept 2006
  • Honorable Alberto R. Gonzales , Attorney General of the United States PDF "As we’ve looked at ways to improve the law enforcement response to the problem of online exploitation and abuse of children, one thing we are examining is the retention of records by communications service providers. Several months ago, I established a working group within the Department of Justice that is looking at this issue."
• Letter from the National Association of Attorney Generals, June 2006 Recommending federal data retention legislation
• Prepared Remarks of Attorney General Alberto R. Gonzales at the National Center for Missing and Exploited Children April 20, 2006 "But in order for Project Safe Childhood to succeed, we have to make sure law enforcement has all the tools and information it needs to wage this battle. The investigation and prosecution of child predators depends critically on the availability of evidence that is often in the hands of Internet service providers. This evidence will be available for us to use only if the providers retain the records for a reasonable amount of time. Unfortunately, the failure of some Internet service providers to keep records has hampered our ability to conduct investigations in this area."
• Prepared Statement of Mark M Richard Counselor for Justice Affairs U.S. Mission to the European Union Presented at the Meeting of EU’s Article 29 Working Group Brussels, 14 April 2005
• Prepared statement of the United States of America Presented at EU Forum on Cybercrime Brussels, 27 November 2001

Audio

• Combating Child Pornography by Eliminating Pornographers’ Access to the Financial Payment System, US Senate Committee on Banking, Housing, and Urban Affairs Sept 2006

Papers

• CDT, Mandatory Data Retention – Invasive, Risky, Unnecessary, Ineffective June 2006
• Canadian Bar Association letter on ISPs and Record Keeping [78 kb PDF]
• Rodney Petersen, Toward a US Data Retention Standards for ISPs, Educause Review 2006

Links

• EPIC Data Retention
• Data Retention is No Solution

News

• Bill Proposes Mandatory Data Retention for ISPs, CDT 2/15/2007
• GOP revives ISP-tracking legislation, CNET 2/9/2007
• Attorney general to talk data retention with new Congress, CNET 1/19/2007
• Feds push for Internet records, Kansas City Star 1/3/2007
• New Rules Compel Firms to Track E-Mails, Wash Post 12/1/2006
• German Supreme Court Says ISPs Should Delete Logs When Asked, Techdirt 11/8/2006
• FBI Director, Police Chiefs Support Record Retention For Internet, Information Week 10/20/2006
• Feds Still Stumping For Data Retention Regs, Internet News 10/20/2006
• U.S. attorney general wants internet record-keeping law, CBC News Sept 20, 2006
• Gonzalez Want US ISP's to Record Your Web Usage - Or Else!, Dvorak 06/02/2006
• Feds Want Web Records Stored for Two Years, Sci Tech Today June 2006
• U.S. asks companies to record Web usage, IHT June 2, 2006
• Terrorism invoked in ISP snooping proposal CNET May 2006
• ISPs spell out true cost of data retention ZDNet Dec 2002

Preservation Request, Example

Derived From: Searching and Seizing Computers and Obtaining Electronic Evidence in Criminal Investigations Computer Crime and Intellectual Property Section, Criminal Division, DOJ, p 237 (2009) (Remember: This is a rendition of the state of the law from law enforcement and reflects their views)