Record Keeping / Data Retention
| Navigation Links:
:: Home :: Feedback ::
:: Disclaimer :: Sitemap ::
- - White House
- - DHS
- - NIST
- - NTIA
- - FCC
Crimes Against Network
- Worms, Viruses, Attacks
- Wireless Malware
- WiFi Security
- Network Reliability
- Infrastructure Protection
- - Kill Switch
Crimes Over Network
- - Auctions
- - Phishing
- ID Theft
- Offensive Words
- Patriot Act
- Data Retention
- Safe Web Act
Law enforcement confronts a forensics problem. Let's say Joe Cheater uploads a phishing website. Chief Wiggum gets wise and attempts to find out who done it. First thing the Chief does, he looks up the WHOIS record of the domain name of the site. But of course the record is a fake, created with credit cards acquired with a stolen identity. Using the WHOIS record, Chief Wiggum is able to find out that the phishing site is hosted at ACME-HOST ISP. Chief Wiggum walks into ACME-HOST ISP and asks for the server records which would contain the IP number of the creator of the phishing site. Problem is, the web host deleted those records yesterday. Even if the web host had retained those records, all Chief Wiggum would get in an IP number. He can determine that the IP number is a part of an IP number block assigned to the BETA-ACCESS ISP. The BETA-ACCESS ISP, like many ISPs, has more subscribers than IP numbers. Instead of assigning the same IP number to a subscriber every time, the ISP uses Dynamic Host Configuration Protocol (DHCP) to assign a new IP number every time a subscriber logs in. The problem, and where the Chief's trail hits a creamed filled donut ... the BETA ISP does not maintain IP number assignment records at all, and therefore cannot match an IP number to a particular subscriber.
Law enforcement officials have voiced concern that this failure to maintain an Internet bread crumb trail makes it difficult for them to do their job. US Attorney General Alberto Gonzalez made it clear during 2006 that data retention by ISPs is on his wish list. Several proposed criminal laws, including the International Cybercrime Treaty and laws that attempt to fight child pornography, would require ISPs to maintain records of transactions and communications over their networks. In lieu of legal requirements, DOJ and the FBI met with major ISPs in 2006 requesting that they "voluntarily" retain data.
- NOTE: In the fall of 2008, Congress passed Sen. Biden's PROTECT Our Children Act which has a data retention requirement!
Data retention laws are fraught with problems and ISPs have resisted them.
- It requires a definition of what an ISP is - would this obligation fall upon a Wifi Cafe, a School, or an individual with a Wifi access point in their home?
- What is recorded? If the goal is to record user identifying information, some ISPs like free Wifi cafes, have no knowledge of who uses their network. There might be a MAC address but that is about it.
- What information should be retained
- Should different types of data have different retention standards
- Should different types of ISPs fall under different retention standards
- There is the potential of a great amount of data storage that will be required. Given that some ISPs do no data storage, this could present a rather significant imposition.
- New equipment will have to be purchased and staff will have to be trained. Where profits are small or the service is offered as a loss leader, the cost of the record keeping could prevent some ISPs from maintaining their service. An additional cost to the ISP would be searching and filtering through data stored for the specific data in question.
- Concern has been raised about risks to privacy.
- Record keeping could be thwarted by encryption, VPNs, Anonymizing services, and other security service
18 USC § 2703(f) Requirement To Preserve Evidence.-
(1) In general.- A provider of wire or electronic communication services or a remote computing service, upon the request of a governmental entity, shall take all necessary steps to preserve records and other evidence in its possession pending the issuance of a court order or other process.
(2) Period of retention.- Records referred to in paragraph (1) shall be retained for a period of 90 days, which shall be extended for an additional 90-day period upon a renewed request by the governmental entity.
Under an existing law the Electronic Communications Transactional Records Act ISPs are required to retain records for 90 days upon request of a "government entity." This would merely result in the records being retained; it does not give law enforcement access to those records.
Law enforcement access to these records is governed by the 4th Amendment, ECPA, Stored Communications Act, and laws such as FISA and CALEA.
Derived From: Searching and Seizing Computers and Obtaining Electronic Evidence in Criminal Investigations Computer Crime and Intellectual Property Section, Criminal Division, DOJ p 139 (2009) (Remember: This is a rendition of the state of the law from law enforcement and reflects their views)
There is no legally prescribed format for § 2703(f ) requests. While a simple phone call should be adequate, a fax or an email is safer practice because it both provides a paper record and guards against misunderstanding. Upon receipt of the government's request, the provider must retain the records for 90 days, renewable for another 90-day period upon a government request. See 18 U.S.C. § 2703(f )(2). A sample § 2703(f ) letter appears in Appendix C.
Agents who send § 2703(f ) letters to network service providers should be aware of two limitations. First, § 2703(f ) letters should not be used prospectively to order providers to preserve records not yet created. If agents want providers to record information about future electronic communications, they should comply with the electronic surveillance statutes .
A second limitation of § 2703(f ) is that some providers may be unable to comply effectively with § 2703(f ) requests, or they may be unable to comply without taking actions that potentially could alert a suspect. In such a situation, the agent must weigh the benefit of preservation against the risk of alerting the subscriber. The key here is effective communication: agents should communicate with the network service provider before ordering the provider to take steps that may have unintended adverse effects. Investigators with questions about a provider's practices may also contact CCIPS  for further assistance.
Derived From: Searching and Seizing Computers and Obtaining Electronic Evidence in Criminal Investigations Computer Crime and Intellectual Property Section, Criminal Division, DOJ, p 237 (2009) (Remember: This is a rendition of the state of the law from law enforcement and reflects their views)
Re: Request for Preservation of Records
Pursuant to Title 18, United States Code Section 2703(f ), this letter is a formal request for the preservation of all stored communications, records, and other evidence in your possession regarding the following email address pending further legal process: email@example.com (hereinafter, "the Account").
I request that you not disclose the existence of this request to the subscriber or any other person, other than as necessary to comply with this request. If compliance with this request might result in a permanent or temporary termination of service to the Account, or otherwise alert any user of the Account as to your actions to preserve the information described below, please contact me as soon as possible and before taking action.
I request that you preserve, for a period of 90 days, the information described below currently in your possession in a form that includes the complete record. This request applies only retrospectively. It does not in any way obligate you to capture and preserve new information that arises after the date of this request. This request applies to the following items, whether in electronic or other form, including information stored on backup media, if available:
1. The contents of any communication or file stored by or for the Account and any associated accounts, and any information associated with those communications or files, such as the source and destination email addresses or IP addresses.
2. All records and other information relating to the Account and any associated accounts including the following:
a. subscriber names, user names, screen names, or other identities;
b. mailing addresses, residential addresses, business addresses, email addresses, and other contact information;
c. length of service (including start date) and types of service utilized;
d. records of user activity for any connections made to or from the Account, including the date, time, length, and method of connections, data transfer volume, user name, and source and destination Internet Protocol address(es);
e. telephone records, including local and long distance telephone connection records, caller identification records, cellular site and sector information, GPS data, and cellular network identifying information (such as the IMSI, MSISDN, IMEI, MEID, or ESN);
f. telephone or instrument number or other subscriber number or identity, including temporarily assigned network address;
g. means and source of payment for the Account (including any credit card or bank account numbers) and billing records;
h. correspondence and other records of contact by any person or entity about the Account, such as "Help Desk" notes; and
i. any other records or evidence relating to the Account.
If you have questions regarding this request, please call me at [phone number].Sincerely,
Web services provided by
: ADA : Broadband : Crime : Copyright : DNS : ECommerce : EGovt : First Amendment : Digital Divide :
: Network Neutrality : Intl : Privacy : Security : SPAM : Statistics : VoIP : Vote : And Much More! :
:: Feedback : Disclaimer ::