Communications Daily is a service of Warren Communications News.

DoJ Data Retention Plan Fatally Flawed, Watchdogs Say

The Bush Administration’s data retention dreams for Internet providers aren’t limited to “kiddie porn and terrorism investigations,” a high-tech privacy advocate who met with DoJ officials Thurs. told us. Electronic Privacy Information Center (EPIC) Exec. Dir. Marc Rotenberg said agency officials mentioned data theft and financial crimes as problems that could also be remedied by requiring ISPs to hold on to user data a long time. The full scope of DoJ’s wishes remains undefined, but the Administration’s plan could encompass not only ISPs but also website operators, phone and cable companies, wireless carriers, employers who provide workers with Web access, hotels, libraries, universities and Wi-Fi hotspot providers, industry officials said.


About a dozen DoJ officials, including Deputy Asst. Attorney Gen. Richard Hertling and Chief Privacy Officer Jane Horvath, met with Rotenberg and representatives of the Center for Democracy & Technology (CDT), Center for American Progress (CAP) and Cato Institute. “We felt this was clearly opening the door to a much broader range of criminal investigations than had been described originally,” Rotenberg said. Discussion among privacy advocates, industry leaders and law enforcement is crucial and must continue, he said. The practical problems that DoJ’s concepts would create are “substantial” and “troubling,” he told us: “This will need a lot of work.”

On the upside, DoJ appears to be engaging in “a rational, deliberative process and genuinely wanted to hear from us,” said Cato Institute Information Policy Studies Dir. Jim Harper: “It’s a nice change of pace from the usual.” The meeting was “amicable” but worrisome, he told us: “I don’t think they understand the scope of what they’re getting started.” Although DoJ didn’t divulge precisely how much data it wanted or what retention period officials had in mind, Harper said “any power of this kind will expand in both breadth and length of time they ask for.”

DoJ officials floated 30- or 60-day retention requirements at the meeting, but proposals circulating on Capitol Hill already mention a year, Harper said. The effort will inevitably evolve into a “long-term corporate surveillance mandate,” he said. The kind of information DoJ wants to cull from ISPs doesn’t matter either, Harper said. When it comes to collecting personally identifiable information, there’s no real difference between logging content and traffic data, like “who logged on and when,” he said: “Traffic data is substantive personal information, too.”

A working group has been set up in DoJ, and it will likely relay recommendations to Attorney Gen. Alberto Gonzales soon, Rotenberg said. Meanwhile, “there’s obviously a process on the Hill. We need to see if a legislative proposal is put forward,” he said. House Judiciary Committee Chmn. Sensenbrenner (R-Wis.) was reportedly drafting a data retention bill several weeks ago but withdrew it, cancelling a hearing he had tentatively scheduled on the matter (WID May 17 p3). Some Congress watchers said Sensenbrenner’s language differed from what the Administration had in mind. Gonzales first talked about his plans for ISP collaboration at an April speech at the National Center for Missing & Exploited Children (WID April 21 p1).

It was apparent during the DoJ discussion that govt. officials “haven’t done enough work to establish adequate privacy safeguards,” Rotenberg said. “There’s a real risk of storing data on Internet users that DoJ simply hasn’t considered,” he told us. Rotenberg said the talks felt a lot like battles that activists had with the agency 10 years ago over “key escrow” encryption requirements. According to CDT reports, deploying the technology the govt. sought then would have resulted in “substantial sacrifices in security” and higher costs for end users.

“Building the secure computer-communication infrastructures necessary to provide adequate technological underpinnings demanded by these requirements would be enormously complex and is far beyond the experience and current competency of the field,” CDT said. Efforts of such “breathtaking scale and complexity” were beyond the experience and competency of the field, and could have introduced “ultimately unacceptable risks and costs.” DoJ eventually decided not to pursue that scheme, Rotenberg said.

The mounting effort to “persuade or compel ISPs and other communications companies to keep detailed information on their customers” met criticism in a CDT memo issued Fri. The proposal is particularly worrisome given weak privacy standards that apply to personal information stored by ISPs and other companies, CDT said. The group highlighted questions about the cost, impact on privacy and effectiveness of such mandates. A data retention requirement isn’t likely to contribute significantly to protecting children and fighting terrorism, CDT said. The plan would pose risks that would outweigh possible benefits, critics said. “ISP data retention policies are totally counterproductive,” CAP Fellow Carl Malamud said: “Encouraging ISPs to keep large amounts of customer tracking information makes them a sitting duck for hackers and terrorists. The benefits to law enforcement are only slight, and the risks to Internet users are huge.” Several meeting participants were unsure whether their participation was a one-shot deal or they would be invited back for more talks.

Internet companies that met with DoJ to discuss data retention Fri. were mum after their meeting. Calls to several companies weren’t returned and others responded with basic statements about their commitment to work among themselves and with DoJ to fight terrorism and child pornography crimes. DoJ and the FBI think a solution could come from a minimum 2-year data retention requirement (WID June 2 p3). A Google spokesman told us he was aware of a number of proposals in the U.S. and Europe regarding data retention and data preservation requirements for ISPs. “We believe these proposals require careful review and must balance the legitimate interests of individual users, law enforcement agencies and Internet companies,” he said.