Laws govern how people’s information on the internet is handled: Internet Service Providers (ISPs) are sometimes required by law to hand over information, but this is not always the case. Smaller ISPs may not have the resources that larger internet service providers do to fight for their users.
Data Retention Laws
Currently, there are no laws regarding mandatory data retention by internet service providers in the United States. These laws are commonplace throughout most other first-world countries, and are a hot-button issue. There are many sides to the story, but most fall into two general camps.
Those who support data retention laws claim that mandatory data retention allows for safeguarding of the public. This comes in the form of increased information about subscribers who may be involved when a crime occurs, specifically hacking, fraud, general online crimes, and threats to the general public or loss of life.
Those who oppose data retention laws claim that mandatory data retention increases overall risk for the general public. This specifically comes in the form of hacking of the ISP database where the data is kept. As personal information can be hacked at any time, if there is a database with a large cache of personal information, this would be a cyber goldmine for any malicious hackers.
Many internet service providers already preserve some personal data for a certain amount of time, and are required by law to provide this preserved data to law enforcement (police investigators, FBI, etc.) if a warrant or subpoena is issued to the ISP for it.
Internet service providers normally assign addresses using the Dynamic Host Configuration Protocol (DHCP). This means they assign a specific IP address to a subscriber for a predetermined timeframe, then reassign a new IP address to the subscriber. They keep the following information about the subscriber:
- Name of subscriber
- Billing address and/or service address of subscriber
- Contact information including phone number and email of subscriber
- Time and date for when a specific IP address was assigned to subscriber
- Account number and status for any specific time frame
- Hardware details (modem, etc.)
Under data retention laws, all of this information would be stored for a specified timeframe after you terminate your subscription. In addition, your ISP would also store information about which websites you visited, and which email service you used. Law enforcement would then be able not only to view your browsing history, but also to obtain your email history.
Other Views on Data Retention Guidelines
This American Thinker article discusses the current state of data retention in the United States. It also takes a look at what has been happening across the globe. It clearly opposes any further requirements for internet service provider data retention.
This article on CNET gives an overview of the stance of Representative F. James Sensenbrenner, who is the chair of a security subcommittee within the United States House of Representatives. Although he supports data retention, there was vast opposition to it within the House. He attempted to attach it to a heavily endorsed privacy bill that would effectively rewrite the Electronic Communications Privacy Act (ECPA), originally signed into law in 1986.
The nearly three-decade-old ECPA was indeed in need of an update, but the opposition it would receive if it had data retention requirements attached would result in failure for the bill. Sensenbrenner’s statements regarding data retention were later clarified by his aides. They claim that he was referring to existing data preservation requirements, not a new data retention mandate.
Eli Dourado discusses the current state of internet security, and where it could go if laws come into place holding internet service providers accountable for their subscribers. He proposes that the current system of voluntary policing of infractions results in lower overall costs to the user, while still providing security at or above the level that would be mandated by law. Currently, large ISPs have a reduced exposure when compared to what could be mandated by laws, and have more incentive to share data and foster relationships with smaller internet service providers.
Dourado also explains that the internet could be more secure now than if legal requirements are imposed. With the informal cooperation, there is incentive to share data about malicious users between internet service providers, and violators can be dealt with quickly. This would not necessarily be the case if all issues needed to be addressed at a formal judicial proceeding.
As an internet subscriber, you need to make sure you are well informed about any legal issues that could impact your privacy and ability to access the internet. Smaller internet service providers may not be able to adequately protect their subscribers if they feel a request for subscriber data is not permissible.
About the author: Sam Freeman has worked in the IT security industry for the past 15 years. Currently he works as a forensic IT consultant and attorney. Over the years he has helped solve countless cyber crimes. In his spare time he enjoys golf and spending time with his family on the weekends.