19 March 2009
A lot of pixels have been spilled lately over an Internet records retention bill recently introduced in both the House and the Senate. The goal is to fight child pornography. That's a worthwhile goal; however, I think these bills will do little to further it. Worse yet, I think that at least two of the provisions of the bill are likely to have bad side effects. Unfortunately, the text is quite bad; we will have to wait for regulatory action and/or overzealous prosecutors to see just how far the language will stretch.
The first troublesome provision is Section 3, which amends Chapter 95 of Title 18 of the U.S. Code to add
(a) Offense— Whoever, being an Internet content hosting provider or email service provider, knowingly engages in any conduct the provider knows or has reason to believe facilitates access to, or the possession of, child pornography (as defined in section 2256) shall be fined under this title or imprisoned not more than 10 years, or both.This might criminalize things like onion routing, an important privacy-preserving technology. (Ironically, onion routing got its start at a government agency, the Navy Research Lab.) Since the clause is limited to "Internet content hosting providers" and "email service providers", most Tor nodes won't affected. Besides, very many Tor nodes are outside the country, so this provision likely won't hinder any would-be viewers of child pornography.
There are other infelicities in the definitions. "Internet content hosting provider" is defined broadly enough to include web caches; "Email service provider" requires that the site provide "transmission" and "retrieval" services, which excludes companies that offer only one. Besides, any networking technology "facilitates access to" all sorts of content, good and bad. Is the Internet being outlawed?
The records retention provision adds
(h) Retention of Certain Records and Information— A provider of an electronic communication service or remote computing service shall retain for a period of at least two years all records or other information pertaining to the identity of a user of a temporarily assigned network address the service assigns to that user.'.to the end of 18 U.S.C. 2703. The problems start with the definitions. Given the location of the clause, the relevant definitions are in 18 U.S.C. 2510 and 18 U.S.C. 2711. These define "electronic communication service" and "remote computing service" but not a "provider" of those services. What does the clause mean? Is it intended just to cover ISPs? Probably not; elsewhere in that part of the law, there are explicit references to "providers … to the public". Who else is covered? Employers? Hotels? Universities? WiFi hotspots, free or not? Almost certainly, all of the above are included. Home users? Many people (myself included) have wireless routers or access points in our houses; clearly, any guest of mine or my family's is more than welcome to use our Internet connection. How am I supposed to "retain" logs of what IP addresses they get? By chance, I happened to need information just two days ago on what machines were associated with which access points. The logs kept by the devices were utterly useless for this purpose. Am I required to install a (currently non-existent) newer firmware release? for this purpose? Does anyone believe that the average home user is even slightly capable of finding such a thing, let alone installing it? By the way — as best I can tell, installing new firmware erases all of the current log information on my boxes… And of course, even if I do have such logs, all they would include are timestamps and MAC addresses. I do not retain records on who visits my house when (do I need a log book at the front door?); I have no idea what their devices' MAC addresses are. These people are my friends; I just give them the SSID and encryption key.
Of course, the law requires providers to "retain" records. Does that imply "create"? What if providers have no records? Must they start creating them? If not, home users would be excluded, but some ISPs may decide they don't need to create them, either.
The most troublesome provision of this clause is the restriction to "temporarily assigned network address the service assigns to that user". Presumably, this is intended to cover IP addresses assigned by DHCP or PPP. From a technical perspective, however, that clause is often useless, technically infeasible, or both. Many ISPs, some employers, and virtually all hotels and home WiFi routers use a technology known as Network Address Translation (NAT). When NAT is in use, the address assigned by DHCP is visible only within the provider's network. Law enforcement officials would have no access to this network until after they had identified a suspect. Log files or wiretaps from a child pornographer's site would reveal the external address of the client downloading the material, but that address implicates all users of provider during that period. The internal IP address is not visible on the outside.
Now — for every connection, a unique IP address and port number is allocated by the NAT box. This, coupled with accurate timestamps and DHCP records, would indeed identify the particular MAC address involved. However, this would require tracking every TCP connection of that user. Apart from being a gross invasion of privacy — does every hotel I stay at need to know every web site I visit? — it is probably infeasible to collect this data; there would be far too much of it. The Internet was never designed for this sort of fine-grained record-keeping.
There's another problem: what if the offender is using a Web proxy service? Many hotels and ISPs require use of these; any corporation with an application-level firewall does as well. In that case, the "guilty" IP address would be that of the proxy. Must proxies keep logs? No — the bill applies to "temporarily assigned network addresses", not proxy devices.
Then there's IPv6. It has a feature known as the Privacy Extensions for Stateless Address Autoconfiguration in IPv6. If this extension is in use, a computer can generate new IP addresses any time it wants to, precisely to avoid linkage across different transactions. This feature is not covered by the law, since the addresses are self-generated and not temporarily assigned by a provider.
I could go on, but I think the point is clear: the bill is poorly drafted, affects legitimate users, creates impossible requirements, leaves too much wiggle room for law enforcement mission creep — and doesn't do what it's intended to do.