Last month, a group of eight Republican lawmakers introduced H.R. 837, the Internet Stopping Adults Facilitating the Exploitation of Today’s Youth (SAFETY) Act 2007. The bill would give the Attorney General very broad authority to enact rules requiring Internet Service Providers (“ISPs”) to retain records so law enforcement could access their customers’ online activities. The ostensible purpose of the bill is to give the Government greater tools to fight child pornography and terrorism. As introduced, however, there is no limitation on the scope of any Attorney General rules as long as they govern ISP record retention. The only substantive guidance the SAFETY Act provides is that the regulations, “at a minimum, require retention of records, such as the name and address of the subscriber or registered user to whom an Internet Protocol address, user identification or telephone number was assigned, in order to permit compliance with court orders that may require production of such information.” The Act would therefore result in rules requiring ISPs to at least retain logs that associate specific users with specific Internet Protocol (“IP”) addresses.
New data retention requirements would likely impose major burdens on ISPs. Industry interests argue such requirements are unnecessary as ISPs already cooperate with the Government to combat online child predators and to provide customer identification when required by law. Currently, in many instances, law enforcement obtains user IP addresses from website operators when they suspect illegal behavior. Usually, law enforcement then issues a subpoena to the ISP associated with the IP address to obtain the identity of the user associated with that IP address. Because IP addresses are scarce, they are not permanently assigned to one customer. Instead they are dynamic – reassigned to different users for different on-line sessions. Data retention policies among ISPs differ, but they usually dispose of IP logs when there is no longer a business reason to keep the records. The Electronic Communications Privacy Act ("ECPA") already requires ISPs to preserve records for 90 days upon receipt of a government request, to allow the Government time to obtain a court order.
If the Internet SAFETY Act or similar legislation becomes law, the Attorney General could impose a relatively lengthy record retention requirement. The Department of Justice met with a group of ISPs on February 28, 2007, and discussed a two year record retention timeframe. Such a timeframe would result in significant new costs for ISPs not only to store data but to keep it in a searchable format. Some speculate that Congress could amend the SAFETY Act or introduce similar legislation that would reimburse ISPs for compliance costs, that might remove some of the Industry’s objections to such legislation. In addition, ISPs are also considering the possibility that new rules could expand the records that must be retained to include web browsing logs, contents of communications, such as emails and instant messages and even records of customers’ online keystrokes.
Privacy advocates fear the effects of such a law on personal privacy. In this age of large scale hacking, exemplified by such incidents at Cardsystems Solutions, BJ’s Wholesale Club, DSW, TJ Maxx and others, businesses and privacy advocates alike are coming to understand that destroying data that no longer has a business purpose is one of the best ways to protect consumers’ personal information. Government-mandated data retention increases the likelihood of wrongful access and misuse of ISP records. In addition, such mandates also substantially increase the likelihood of lawful access to ISP records by non-government persons. The larger pool of ISP data creates more information to be accessed by civil litigants using subpoenas in divorce, employment, or intellectual property lawsuits.
The Internet SAFETY Act contains various other provisions, some of which extend beyond just ISPs. For example, there are provisions that:
- Require most website operators to have a label on any website page with sexually explicit material and to prevent the first accessible page from having sexually explicit material;
- Prohibit web hosts or email service providers from knowingly facilitating access to child pornography;
- Prohibit conducting a financial transaction knowing it will facilitate access to child pornography;
- Increase fines for communications providers who knowingly fail to report child pornography crimes to the National Center for Missing and Exploited Children; and
- Increase penalties for crimes related to the sexual exploitation of children and child pornography.
Although it was Republican lawmakers who introduced the Internet SAFETY Act, the principle of ISP data retention requirements enjoys bipartisan support. ISPs and privacy advocates will likely be lobbying to defeat, or at least impose some limitations on, the Internet SAFETY ACT or similar legislation.