Federal Internet Law & Policy
An Educational Project
Record Keeping / Data Retention Dont be a FOOL; The Law is Not DIY
- Agencies
- - White House
- - DHS
- - NIST
- - NTIA
- - FCC
- Reference
- Cryptography

Crimes Against Network
- Worms, Viruses, Attacks
- Hackers
- WiFi Security
- Cyberwar
- Network Reliability
- Infrastructure Protection
- - Kill Switch

Crimes Over Network
- CyberStalking
- Fraud
- - Auctions
- - Phishing
- Gambling
- ID Theft
- Offensive Words

Info Gathering
- Wiretaps
- Forensics
- Carnivore
- Patriot Act
- Data Retention
- Safe Web Act

- Assessment
- Reliability
- Vulnerabilities

Law enforcement confronts a forensics problem. Let's say Joe Cheater uploads a phishing website. Chief Wiggum gets wise and attempts to find out who done it. First thing the Chief does, he looks up the WHOIS record of the domain name of the site. But of course the record is a fake, created with credit cards acquired with a stolen identity. Using the WHOIS record, Chief Wiggum is able to find out that the phishing site is hosted at ACME-HOST ISP. Chief Wiggum walks into ACME-HOST ISP and asks for the server records which would contain the IP number of the creator of the phishing site. Problem is, the web host deleted those records yesterday. Even if the web host had retained those records, all Chief Wiggum would get in an IP number. He can determine that the IP number is a part of an IP number block assigned to the BETA-ACCESS ISP. The BETA-ACCESS ISP, like many ISPs, has more subscribers than IP numbers. Instead of assigning the same IP number to a subscriber every time, the ISP uses Dynamic Host Configuration Protocol (DHCP) to assign a new IP number every time a subscriber logs in. The problem, and where the Chief's trail hits a creamed filled donut ... the BETA ISP does not maintain IP number assignment records at all, and therefore cannot match an IP number to a particular subscriber.

Law enforcement officials have voiced concern that this failure to maintain an Internet bread crumb trail makes it difficult for them to do their job. US Attorney General Alberto Gonzalez made it clear during 2006 that data retention by ISPs is on his wish list. Several proposed criminal laws, including the International Cybercrime Treaty and laws that attempt to fight child pornography, would require ISPs to maintain records of transactions and communications over their networks. In lieu of legal requirements, DOJ and the FBI met with major ISPs in 2006 requesting that they "voluntarily" retain data.

  • NOTE: In the fall of 2008, Congress passed Sen. Biden's PROTECT Our Children Act which has a data retention requirement!
  • Currently, every move you make, every email you send, every website you visit, results in a virtual bread crumb trail. If someone wanted to know what you are doing online, they could. They can know your IP number, your domain name, probably your geolocation, and more if they use cookies. This is a bit of a privacy concern. The question here is, how long before your bread crumb trail evaporates.

    Data retention laws are fraught with problems and ISPs have resisted them.

    18 USC § 2703(f) Requirement To Preserve Evidence.-

    (1) In general.- A provider of wire or electronic communication services or a remote computing service, upon the request of a governmental entity, shall take all necessary steps to preserve records and other evidence in its possession pending the issuance of a court order or other process.

    (2) Period of retention.- Records referred to in paragraph (1) shall be retained for a period of 90 days, which shall be extended for an additional 90-day period upon a renewed request by the governmental entity.


    Under an existing law the Electronic Communications Transactional Records Act ISPs are required to retain records for 90 days upon request of a "government entity." This would merely result in the records being retained; it does not give law enforcement access to those records.

    Law enforcement access to these records is governed by the 4th Amendment, ECPA, Stored Communications Act, and laws such as FISA and CALEA.

    Derived From: Searching and Seizing Computers and Obtaining Electronic Evidence in Criminal InvestigationsPDF Computer Crime and Intellectual Property Section, Criminal Division, DOJ p 139 (2009) (Remember: This is a rendition of the state of the law from law enforcement and reflects their views)

    There is no legally prescribed format for 2703(f ) requests. While a simple phone call should be adequate, a fax or an email is safer practice because it both provides a paper record and guards against misunderstanding. Upon receipt of the government's request, the provider must retain the records for 90 days, renewable for another 90-day period upon a government request. See 18 U.S.C. 2703(f )(2). A sample 2703(f ) letter appears in Appendix C.

    Agents who send 2703(f ) letters to network service providers should be aware of two limitations. First, 2703(f ) letters should not be used prospectively to order providers to preserve records not yet created. If agents want providers to record information about future electronic communications, they should comply with the electronic surveillance statutes [].

    A second limitation of 2703(f ) is that some providers may be unable to comply effectively with 2703(f ) requests, or they may be unable to comply without taking actions that potentially could alert a suspect. In such a situation, the agent must weigh the benefit of preservation against the risk of alerting the subscriber. The key here is effective communication: agents should communicate with the network service provider before ordering the provider to take steps that may have unintended adverse effects. Investigators with questions about a provider's practices may also contact CCIPS [] for further assistance.


    Government Activity





    Preservation Request, Example

    Derived From: Searching and Seizing Computers and Obtaining Electronic Evidence in Criminal InvestigationsPDF Computer Crime and Intellectual Property Section, Criminal Division, DOJ, p 237 (2009) (Remember: This is a rendition of the state of the law from law enforcement and reflects their views)


    Re: Request for Preservation of Records

    Dear ISPCompany:

    Pursuant to Title 18, United States Code Section 2703(f ), this letter is a formal request for the preservation of all stored communications, records, and other evidence in your possession regarding the following email address pending further legal process: (hereinafter, "the Account").

    I request that you not disclose the existence of this request to the subscriber or any other person, other than as necessary to comply with this request. If compliance with this request might result in a permanent or temporary termination of service to the Account, or otherwise alert any user of the Account as to your actions to preserve the information described below, please contact me as soon as possible and before taking action.

    I request that you preserve, for a period of 90 days, the information described below currently in your possession in a form that includes the complete record. This request applies only retrospectively. It does not in any way obligate you to capture and preserve new information that arises after the date of this request. This request applies to the following items, whether in electronic or other form, including information stored on backup media, if available:

    1. The contents of any communication or file stored by or for the Account and any associated accounts, and any information associated with those communications or files, such as the source and destination email addresses or IP addresses.

    2. All records and other information relating to the Account and any associated accounts including the following:

    a. subscriber names, user names, screen names, or other identities;

    b. mailing addresses, residential addresses, business addresses, email addresses, and other contact information;

    c. length of service (including start date) and types of service utilized;

    d. records of user activity for any connections made to or from the Account, including the date, time, length, and method of connections, data transfer volume, user name, and source and destination Internet Protocol address(es);

    e. telephone records, including local and long distance telephone connection records, caller identification records, cellular site and sector information, GPS data, and cellular network identifying information (such as the IMSI, MSISDN, IMEI, MEID, or ESN);

    f. telephone or instrument number or other subscriber number or identity, including temporarily assigned network address;

    g. means and source of payment for the Account (including any credit card or bank account numbers) and billing records;

    h. correspondence and other records of contact by any person or entity about the Account, such as "Help Desk" notes; and

    i. any other records or evidence relating to the Account.

    If you have questions regarding this request, please call me at [phone number].

    © Cybertelecom ::