May 8, 2006 – Congresswoman Diana DeGette (D-CO) wants to know what you’re up to when you are online. That’s why she has proposed new legislation that would require companies with an online presence to track your IP addresses and store that information forever. Why does she want to do this? Well, she wants to know if you are a pedophile. DeGette can’t quite grasp why the 99.99% of people that don’t traffic in child pornography might have a problem with the government looking over their shoulder at every aspect of their personal lives.

But her proposal is fatally flawed. It is a shining example of what happens when legislators who do not understand technology try to legislate its use.

Rather than cornering a bunch of child pornographers, it is much more likely that DeGette’s proposal would lead to privacy invasions for average, law abiding citizens. Since DeGette’s rule change does not specify that the government can’t use the data collected for other purposes, mission-creep is almost a certainty.

Moreover, it is highly unlikely that the consequences of collecting this data can be foreseen. Questions about who would store the data, who would have access to it, and what security measures ISP’s would have to take to prevent it from being hacked into would all have to be determined. If hackers managed to get access to such data, could this lead to identity theft or blackmail?

A recent incident points out the folly of allowing the government to assemble large databases of information on the general public. A reporter in London spotted the discarded airline ticket stub of a British Airways passenger in a dumpster. His curiosity got the better of him so he pulled the stub out of the trash and contacted a friend of his that was involved with computer security. Shown on the stub were the passenger’s name and his frequent flyer number.

Armed only with that information, it took only 15 minutes to determine the passport number, access to credit card information, future travel plans, the street address and phone number of the passenger. The reporter was also able to find out how many people the passenger lived with and their names.

The reason that all of this information was available is because the US Government forces airlines to collect this data on passengers who travel internationally. A database known as the Advanced Passenger Information System (APIS) is used to screen all international passengers entering the United States, including American Citizens.

In this case, British Airways had a security hole in their system that allowed anyone with a little computer knowledge to steal the identities of their US bound passengers. There is no reason to believe that similar vulnerabilities would not lead to significant privacy problems for ISP customers if DeGette’s proposal actually becomes law.

ISP’s seem to agree that this is a bad idea. This type of data storage would increase costs that would ultimately be passed onto customers. It may also lead to liability issues for the ISP’s in the event the data is hacked. Most ISP’s are concerned about the privacy of their customers.

But DeGette’s comments indicate that she really doesn’t understand all of the issues surrounding data retention. She said, "I am horrified that the provider community is not working with us on this, because it seems to me to be a very simple piece of legislation, and I'm going to continue to fight for it."

That’s what the Justice Department thought too, until they started meeting with ISP’s. Alice Fisher, assistant attorney general for the Justice Department's criminal division said after meeting with several large ISP’s said that data retention issues are "very complex".

Under current US law, ISP’s must retain data for up to 90 days when requested to do so by law enforcement officials. It is not clear that DeGette’s proposal would assist law enforcement authorities in combating child pornography; her stated reason for making the proposal. What is clear is that she expects everyone else to put up with government intrusions and bear the financial burden of establishing a large database that may be used for somewhat nefarious purposes.

Only registered users can write comments.
Please login or register.