Sunday, January 30, 2011
Stupid is as stupid does, and that means, in this case, that the House GOP is in great peril of being stupid.
A House panel chaired by Rep. F. James Sensenbrenner of Wisconsin is scheduled to hold a hearing tomorrow morning to discuss forcing Internet providers, and perhaps Web companies as well, to store records of their users' activities for later review by police.
There are a lot of things wrong with this idea, including particularly that its putative benefit, catching more actual criminals, pales in comparison to the potential for abuse. But never mind the obvious civil liberties implications -- really, the police? -- this is also yet another dubious regulatory burden on business. We elected these people to reduce the regulation on business, not saddle it with onerous new requirements that will cost money, redirect incremental earnings to dead-weight loss rather than new employment, and benefit only the political class. Stop it!
The worst part of this is that criminals will quickly learn how to hide the information via VPN services. The price of storing all of this data is also passed on to the customers so we'll be paying more for our own loss of privacy for a law that does nothing because the criminals know how to hide their activities.
Established DC politicians in power face the same anxiety over the flow of information critical of their efforts that despots and dictators around the world face. It is annoying to see them looking at the same statist solutions to suppressing the source of their fears.
I'd like to see a lot more courage and confidence in the strengths of our system which holds as a basic belief that a free people will make adequate choices, right and functional more often than the choices of those who think they know what is best for us.
ISPs are already required by law to retain these records. My understanding is that this bill increases the mandatory retention time.
These records have been used successfully to convict a lot of bad people, especially pedophiles.
These records describe who used a particular IP (Internet Protocol) address, in a specific time range. They do not contain logs of what you accessed. They are used to establish identity -- if you know that IP address N.N.N.N was downloading kiddie porn at time X, then you trace down the ISP that is responsible for N.N.N.N and you ask them which customer was using that address at time X.
None of this impedes your ability to encrypt your own traffic. You can use HTTP/S, or VPNs, or whatever.
I really don't see what's wrong with extending these records. Disk space is basically free, and the procedures are already in place for this. This is how the ISP business has worked for more than a decade, and it has not been an impediment to operating ISPs.
I actually know this from direct experience; I helped found a small mom-and-pop ISP that served a few thousand customers. We had a regular contact at the FBI, and we had well-understood legal requirements for what kind of information we could give them, and what we could not. We participated directly in the take-down of some very nasty people, and I feel the world is a better place for that. (Yes, even in a customer pool of only a few thousand people, there were some people who regularly downloaded kiddie porn.)
So I would encourage you to tone down the knee-jerk reaction. Speaking as someone who founded a small business, whose rent depended directly on the success of that business, these records had minimal economic impact. And there was the direct, obvious social benefit of catching bad people. Yes, this can be abused, but so can wiretapping, and the phone companies are required by law to provide wiretap access to the police, so really that has more to do with accountability and oversight, rather than whether or not those records should be kept *at all*.
Again, these records basically help police identify people, once the police have *already* identified a particular IP address. They are *not* records of web sites you have browsed, or emails that you have sent, etc.
I am with TH. The politics of this is very bad.
Snoopervision should not be a policy of the GOP.
Liberty loving men will have no problem living with the incremental risk posed by not pursuing this initiative.
Although it is not explicit, Stack Trace, it sounds as if they are expanding the requirements to store the content of the transmissions and possibly UNencrypted.
Even allowing encrypted doesn't mean much unless it allows one-way encryption.
It isn't too much of an overreaction if this is the case.
Your sentiment of the cost incurred by ISPs sounds about right though.
Their specialty is traffic data management, so storage of it seems pretty intrinsic and therefore not very burdensome.
"Yes, this can be abused, but so can wiretapping, and the phone companies are required by law to provide wiretap access to the police, so really that has more to do with accountability and oversight, rather than whether or not those records should be kept *at all*."
But, in the case of wiretapping, a) every phone conversation that occurs is not recorded and stored for later perusal, and b) a court order is required before a wiretap can be put into place.
The specifics matter, of course. It's not clear whether the proposed law would require ISPs to change the type of information, or merely to increase the retention time. If the proposal does include retaining new kinds of information, such as the set of IP addresses that you communicated with during specific times, then that certainly is a qualitative increase, and it should be subject to serious scrutiny. But if it is a quantitative increase in data retention times, then I don't think it's that big of a deal.
About encryption. If your computer encrypts information on your behalf, and you do not give decryption keys to your ISP, there is not much your ISP can do, provided you are not using outdated encryption. Even the most casual users have access to fairly good crypto. It probably won't stop a committed, well-funded effort to break it, but then, if you have a state actor *that* interested in your behavior, then your IP traffic is probably the least interesting thing being monitored.
However, regardless of the strength of crypto you use, the fact that you are using crypto at all is information. These days, it's pretty innocuous, since crypto is so widely available. However, it certainly is another bit of information. If the proposed law does require gathering information about whether or not the ISPs' users are using crypto, or with whom they are exchanging encrypted information, then that too is a serious widening of the law, and would need a serious justification.
Part of the reason that I am OK with increasing the retention times, is that unencrypted information has so often been used to catch heinous crimes, of the most lazy people. If you are arrested and your home computer is seized, forensic analysis of that computer can turn up an astonishing amount of information. Including and especially if you try to delete information. Destroying information on a PC, without the experience of a professional or access to professional tools, is actually quite difficult. And even then, covering up the fact that you attempted to delete information is also quite difficult. Similarly, a lot of bad, lazy people have been caught, through ISP records. I'm fine with that, so long as abuse is minimized.
For example, recently a man was arrested and charged with poisoning his wife, and police found that he had done quite a few searches for "glycol poisoning", and that the guy had then tried to clear his browser history, etc. His footprint on his own computer was far more damning than anything that will come out of his ISP. However, if there *are* useful correlations with data from ISPs, all the better.
One *last* point. The most important thing is oversight / accountability. ISPs are capable of retaining information for a long time, with strong protections against abuse. (Read up on asymmetric encryption -- you can use one key to encrypt information, and a different key to decrypt it. That way, the ISP can continually encrypt older records, without access to the decryption keys. The decryption keys can then be held in escrow, and only released by a much more closely-watched group of people.) You have to trust your ISP to do this correctly, but you have to trust them *anyway*. An unscrupulous ISP could abuse your information, regardless of the law. I would rather have a balance -- laws which protect us (by catching bad people), along with responsible implementation by ISPs. Unfortunately, it's much harder to guarantee responsible implementation via legislation, without seriously heavyweight bureaucratic standards, such as HIPAA or similar. I doubt the ISP regs are anywhere near as onerous as HIPAA.
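The escrow arrangement described in the comment above, sketched as an added example (it is not part of the original post or comments). The `Lease` record layout, the function names and the choice of RSA-OAEP are assumptions made for illustration; the sample lease is constructed.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
	"time"
)

// Lease is one retention record: which customer held an IP address, and when.
type Lease struct {
	IP, Customer string
	Start, End   time.Time
}

// NewEscrowKey makes the key pair; the private half stays with the escrow agent.
func NewEscrowKey() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }

// Rotate seals leases that ended before cutoff with the public key only; newer ones stay clear.
func Rotate(leases []Lease, pub *rsa.PublicKey, cutoff time.Time) (recent []Lease, sealed [][]byte, err error) {
	for _, l := range leases {
		if !l.End.Before(cutoff) {
			recent = append(recent, l)
			continue
		}
		rec := fmt.Sprintf("%s|%s|%s|%s", l.IP, l.Customer, l.Start.Format(time.RFC3339), l.End.Format(time.RFC3339))
		ct, encErr := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, []byte(rec), nil)
		if encErr != nil {
			return nil, nil, encErr
		}
		sealed = append(sealed, ct)
	}
	return recent, sealed, nil
}

// Release is the escrow side: it needs the private key the ISP never holds.
func Release(priv *rsa.PrivateKey, sealed []byte) (string, error) {
	pt, err := rsa.DecryptOAEP(sha256.New(), nil, priv, sealed, nil)
	return string(pt), err
}

func main() {
	escrow, _ := NewEscrowKey() // demo only: errors are ignored in main
	end := time.Date(2010, 5, 31, 0, 0, 0, 0, time.UTC) // constructed sample lease
	old := Lease{"203.0.113.7", "cust-1042", end.AddDate(0, 0, -1), end}
	_, sealed, _ := Rotate([]Lease{old}, &escrow.PublicKey, end.AddDate(0, 6, 0))
	released, _ := Release(escrow, sealed[0])
	fmt.Println("escrow released:", released)
}
```

The ISP process only ever needs `escrow.PublicKey`; in a real deployment the private key would be generated and kept by the escrow holder, not created alongside the records as in this demo.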
I don't know much about this proposed ISP requirement.
But I do recall that a few years back Sensenbrenner was the sponsor of a bill that would have required the family members of any drug abuser to report him/her to the police. See this link on HR 1528, which he introduced in 2005.
You can make a strong case that this is a good idea, of course. I think you can also make a strong case that the families involved ought to have some discretion in the matter. Sensenbrenner's proposed law would have removed that discretion.
The man's attempts to "legislate morality" scare me.
Thanks Stack Trace for the valuable perspective. I maybe did overreact. My concern is not just with this specific proposal, but with other ideas which are geared to give government greater control over the internet, where common security can become confused with control of information. In particular I note proposals to give the POTUS special power to shut down the internet for periods of time. Already we see the Chinese government limiting searches and filtering content. We see the government of Egypt removing the tools of communication. In this country we see calls on the left to restrict right wing blogs and cable news via the "fairness doctrine." In Russia democracy was killed in incremental steps, some would say one journalist at a time. In this country it is just a step at a time. Already fearful of the trend, it is possible to find particular steps to be less innocuous than they really are.
So the governing class feels threatened by the free flow of ideas outside of their direct control. Goodness, what do they expect? The education system is their design.