There has been quite a flurry of conversation here at the Berkman Center, both face-to-face and online, about the recent suggestion by the Justice Department that it might seek either mandatory or voluntary data retention by ISPs and perhaps other businesses operating on the internet. I think USA Today first reported the story in the mainstream media, but that article credits CNET’s Declan McCullagh with the original scoop.
According to those sources, DOJ officials including Attorney General Alberto Gonzales and FBI Director Robert Mueller recently met with major industry figures to float the idea. McCullagh later reported that a follow-up meeting last Friday ended without agreement.
The basic premise of data retention is simply stated. Internet businesses currently delete data as soon as it is no longer necessary for their own purposes, typically within a few weeks or months. DOJ and the FBI want the companies to retain it for much longer — two years is the figure mentioned in the news stories. In general, the data in question is not the contents of communications (such as the text of e-mails) but information on packet routing, IP addresses, web searches, and the like. This type of data is sometimes called an internet user’s “clicktrail.”
The arguments in favor of the idea are simple as well — deceptively so. Unfortunately, the problems with it are often a little more complicated to explain. There may be some merit to some modest expansion of current data preservation law, but the sweeping proposal advanced by DOJ raises serious concerns. Here are a few of the seemingly simple arguments followed by some responses. (The Center for Democracy and Technology put out a great memo on Friday that quickly summarizes a long series of concerns about the proposal, some overlapping with the ones I outline below.)
1. Current law and practices do not allow the government to obtain clicktrail data about bad guys.
Present law allows government entities (federal, state, or local) to order, without any judicial involvement, that particular data be preserved for 90 days (and the order can be renewed continuously). The proposed new rule would render that one superfluous. Instead, all data would be saved automatically for much longer periods. The contrast highlights one of the most troubling aspects of the new proposal: it calls for preserving data indiscriminately, rather than on the basis of any individualized suspicion as in the existing requirement.
Right now, whenever the government is investigating a potential terrorist or criminal, there are virtually no impediments to ensuring that data related to the suspect is preserved. But the government wants everything about everyone warehoused, just in case it later decides it would like to dissect someone’s long-term clicktrail. As Dan Gillmor suggests, the knowledge that movements on the internet are recorded in this way can be expected to have a chilling effect on everyone.
2. The government would still need a warrant to examine retained clicktrail data.
Present law, particularly portions of the Electronic Communications Privacy Act (also known as the Stored Communications Act) likely requires warrants before investigators could actually gain access to any of the data retained under this proposal. DOJ spokesman Brian Roehrkasse told USA Today much the same thing:
the government is required to seek proper legal authority, such as a subpoena, before obtaining the records. He said any change in the retention period would not alter that requirement.”
Yet placed against the backdrop of the NSA’s program to obtain comparable records about telephone calls, this assurance fades away. While details of the NSA program remain very sketchy (as I complained earlier), it seems clear that no search warrants were secured before the NSA obtained at least some data, and I am pretty confident that previously existing statutes required such warrants (as analyzed in the posts collected here). In the distinct category of recording telephone calls placed between the United States and other countries, the Administration has argued that warrants were not required because of a combination of the asserted Article II power to fight terrorism and a resolution Congress passed after the September 11th attacks authorizing the use of force against al Queda (fairly weak arguments in my view and the view of this memo by the nonpartisan Congressional Research Service).
I cannot find any principled distinction between the NSA’s warrantless collection of telephone records and the warrantless obtention of equivalent clicktrail data from ISPs. It seems to me that if one is legal than the other is too. Why wouldn’t investigators (perhaps including the NSA) use the same logic to collect clicktrail data as phone records?
3. Only the government will look at clicktrail data, for purposes of catching especially heinous bad guys.
If I really believed that the use of clicktrail data would be strictly limited to good-faith government investigations of terrorism plots and serious crime like child pornography, pursuant to valid search warrants, I would have a lot less concern. The problem, of course, is that the multiple assumptions in that last sentence are not supportable.
First, history suggests it is unlikely that government officials would limit the purposes for which they used clicktrail data, once it became available. What about enforcement of tax, immigration, or welfare laws?. What about probing journalists’ records to identify anonymous sources (something that has allegedly happened with retained telephone records)? And what about blatant misuse of the data to serve narrow political interests, a la J. Edgar Hoover?
Beyond the government, there are plenty of others who would be interested in mining clicktrail data if it covered a two-year period. Civil subpoenas seeking such data already outnumber criminal ones. As the CDT memo argues, two years worth of data would prove an irresistible “honeypot” for attorneys involved in garden-variety lawsuits of every kind: divorce, libel, intellectual property, contract, and so forth. Likewise, commercial data mining that was not quite valuable enough to justify the expense of retaining massive quantities of information may become more worthwhile if ISPs are compelled to warehouse data anyhow. What better way to recoup some of that cost than trying to extract patterns from long-term clicktrail data that allow even more fine-grained customer profiling?
4. Clicktrail data does not have privacy implications, unlike copies of actual communications.
While it would be much more invasive (and expensive) to preserve e-mail text too, that hardly means that the data covered by this proposal has no privacy implications. Just like the domestic phone records obtained in the NSA program, accumulated clicktrail data provides a portrait of an individual.
Applying a physical-space metaphor to internet browsing, it is the equivalent of being tailed everywhere you go — or, as Gillmor said, it is “roughly akin to having them follow you around everywhere you go with a video camera, watching everything you do.” It would be cold comfort to be told that there was no audio track to document what you said. Furthermore, as Wendy Seltzer pointed out in Berkman discussions, a pervasive clicktrail over time undermines your practical ability to remain anonymous, because analysis of that data is likely to identify you.
5. This proposal just mirrors the European Union’s new data retention rules.
The European Union recently adopted data retention requirements for telcos and ISPs after lengthy debate about the privacy implications (see BBC report here). The rules must be implemented by individual countries and are expected to come into effect next year. The two-year time period for retention that the DOJ and FBI seek appears to come from the European plan.
Even if the US enacted a data retention law that matched the European one exactly, however, the result would not be a similar regime. As I noted in an earlier post, Europe’s approach to data privacy is much more stringent than the American model, leading to some US-EU tension concerning sharing of data, even for counter-terrorism purposes. A US data retention law on top of already-lax American privacy law is nothing like a European data retention law counterbalanced by effective data protection requirements.
In all this, there is one definite silver lining. The public found out about the NSA programs only after they were already in operation, probably for years. The anonymous sources inside the ISPs and search engine companies who leaked this news are ensuring that the public finds out about this plan now — whether because they saw the backlash that the telcos suffered, or because the culture of the internet is so different from the phone company attitude, or for some other reason (maybe even principle!).
What happens next is difficult to predict. It may be that the Administration hoped to get ISPs simply to comply with a request. Perhaps some will, although it appears that plenty are ready to resist. The Administration’s alternative then would be to seek legislation in Congress or provoke a court fight with the internet businesses. Neither is a politically attractive option. Dare we hope that this trial balloon, having floated, will now deflate and descend harmlessly to the ground? At least for now?