There is a scary bill working its way through Congress right now: H.R. 1981 – the Protecting Children From Internet Pornographers Act of 2011
While this sounds like a worthy goal, the bill features a repressive data retention requirement that would open ordinary Americans to abuse from government as well as cyber-criminals. Specifically, the bill requires that the temporary IP address of users of commercial ISP access be retained along with identifying information for 18 months.
Here’s a quick primer on how your computer gets on the internet with the average commercial ISP:
- You plug the phone line/TV cable into this modem.
- The modem establishes a connection with the ISP through the phone line/TV cable.
- The modem is assigned an IP address (e.g. 22.214.171.124)
- You hook a computer or a router into the modem.
- This computer or router is assigned an IP address (either 192.168.xxx.xxx or 10.xxx.xxx.xxx)
- If you hooked up a router, then the computers hooked to it will be assigned IP addresses by the router.
The important thing here is that only the IP address of the modem is visible to the ISP. There could be one, five, or fifty computers sitting behind that modem, but to the ISP all that traffic would be coming from a single IP.
Let’s look now at a couple of cases in which child pornography might be requested by a machine behind an IP without the ISP customer’s knowledge:
- The WiFi Stealer: The customer is running a poorly-secured wireless access point. A neighbor looking to download child porn cracks the security and uses the access point to download the material.
- The Virus: A computer virus makes it on to one of the customer’s machines. It is programmed to fetch data from child porn websites and relay it to the virus creator.
Note that in both cases, the customer of the ISP and those living in his household wouldn’t even know their connection had been used to download child porn until they got the knock on the door. Aside from the thousands of families each year whose lives would be disrupted by purely mistaken prosecutions, setting this standard in law would make it possible to deliberately set people up to undergo a time-consuming and costly legal battle.
If that weren’t bad enough, the requirement to retain “identifying account data” is troublesome as well. What could be so bad about keeping the name of the customer for 18 months? Nothing, except keeping the name alone won’t do what the bill wants. As someone who’s designed software to match identities, I can say with certainty that in practice this requirement would force retention, at a minimum, of customer name, address, and date of birth. Most ISPs would probably go farther and retain a unique ID number such as a Social Security Number or a financial ID number such as a credit/debit card number or checking account number.
But wait a minute, you say. Don’t ISPs already have all this?
Yes, they do. Today, they are not required to relate the assigned IP addresses for the last 18 months to it. This requires storing the customer data in such a way that it can be related to the IP addresses, as well as being recalled later for use by law enforcement.
The simple fact of making it usable for law enforcement makes it less secure. The logs have to be linked to the customer accounts, meaning that the data is likely exposed to the internet. All the data has to be recalled as plain text, meaning that weaker encryption practices must be used. Even if everything is done perfectly right, an interface must be built to get the data out and to law enforcement, meaning that a bad actor inside an ISP has a ready-made portal to all sorts of personally-identifiable information.
Sounds pretty bad, right? It’s worse than you think. Corporate records are not subject to the same Fourth Amendment protections as individual records. Currently, to find out everything an ISP user is doing, law enforcement needs to prove its case and get a warrant. Under this bill, your internet activity would be pre-existing corporate records. No more warrants. Government wants to find out about your IP address, they subpoena the ISP for that record and they get information about you without having to prove a thing.
This bill is bad, folks. We need each of our readers to step up and contact your Representative and encourage them to say NO to this bill that treats all internet users as criminals.