The Bush administration has accelerated its Internet surveillance push by proposing that Web sites must keep records of who uploads photographs or videos in case police determine the content is illegal and choose to investigate, CNET News.com has learned.
That proposal surfaced Wednesday in a private meeting during which U.S. Department of Justice officials, including Assistant Attorney General Rachel Brand, tried to convince industry representatives such as AOL and Comcast that data retention would be valuable in investigating terrorism, child pornography and other crimes. The discussions were described to News.com by several people who attended the meeting.
A second purpose of the meeting in Washington, D.C., according to the sources, was to ask Internet service providers how much it would cost to record details on their subscribers for two years. At the very least, the companies would be required to keep logs for police of which customer is assigned a specific Internet address.
Only universities and libraries would be excluded, one participant said. "There's a PR concern with including the libraries, so we're not going to include them," the participant quoted the Justice Department as saying. "We know we're going to get a pushback, so we're not going to do that."
Attorney General Alberto Gonzales has been lobbying Congress for mandatory data retention, calling it a "national problem that requires federal legislation." Gonzales has convened earlier private meetings to pressure industry representatives. And last month, Republicans introduced a mandatory data retention bill in the U.S. House of Representatives that would let the attorney general dictate what must be stored and for how long.
Supporters of the data retention proposal say it's necessary to help track criminals if police don't immediately discover illegal activity, such as child abuse. Industry representatives respond by saying major Internet providers have a strong track record of responding to subpoenas from law enforcement.
Wednesday's meeting represents the latest effort by the Bush administration to increase the ability of law enforcement and intelligence agencies to monitor Internet users. Since 2001, the administration has repeatedly pushed for more surveillance capabilities in the form of the Patriot Act and a follow-up proposal that--if it had been enacted--would have given the FBI online eavesdropping powers without a court order for up to 48 hours.
Often invoking terrorism and child pornography as justifications, the administration has argued that Internet providers must install backdoors for surveillance and has called for routers to be redesigned for easier eavesdropping. President Bush's electronic surveillance program, which was recently modified, has drawn an avalanche of lawsuits.
ISP snooping timeline
In events first reported by CNET News.com, Bush administration officials have said Internet providers should keep track of what Americans are doing online. Here's the timeline:
June 2005: Justice Department officials quietly propose data retention rules.
December 2005: European Parliament votes for data retention of up to two years.
April 14, 2006: Data retention proposals surface in Colorado and the U.S. Congress.
April 20, 2006: Attorney General Alberto Gonzales says data retention "must be addressed."
April 28, 2006: Democrat proposes data retention amendment, followed by a Republican.
May 26, 2006: Gonzales and FBI Director Robert Mueller pressure Internet and telecom companies.
September 26, 2006: Politicians suggest that Web hosts and registrars might have to comply. Search engines are also mentioned.
January 18, 2007: Gonzales says administration will ask Congress for new laws.
February 6, 2007: Republicans introduce mandatory data retention "Safety Act."
The Justice Department's request for information about compliance costs echoes a decade-ago debate over wiretapping digital telephones, which led to the 1994 Communications Assistance for Law Enforcement Act. To reduce opposition by telephone companies, Congress set aside $500 million for reimbursement and the legislation easily cleared both chambers by voice votes.
Once Internet providers come up with specific figures, privacy advocates worry, Congress will offer to write a generous check to cover all compliance costs and the process will repeat itself.
The Justice Department did not respond to a request for comment on Thursday. The U.S. Internet Service Provider Association, which has been critical of data retention proposals before, declined to comment.
Because the Justice Department did not circulate a written proposal at the private meeting, it's difficult to gauge the effects on Web sites that would be forced to record information on image uploads for two years. Meeting participants said that Justice officials (including Brand, the assistant attorney general for legal policy and a former White House attorney) did not answer questions about anonymously posted content and whether text comments on a blog would qualify for retention.
In practice, some Web businesses already make it a practice to store personal information forever. Google stores search terms indefinitely, for instance, while AOL says it deletes them after 30 days.
David Weekly, a San Francisco-area entrepreneur who founded popular Wiki-creation site PBWiki.com, said the Justice Department's proposal would be routinely evaded by people who use overseas sites to upload images. (PBWiki, which recently raised $2 million from Mohr Davidow Ventures, lets people embed photographs on pages they create with a point-and-click editor.)
If the proposal were to become law, PBWiki would already be in compliance, Weekly said. "We already keep all that data pretty much indefinitely because it's invaluable for us to mine and figure out how people use services," he said. "How do they use services now versus a year ago? Was February a bad month for traffic?...We already have the data there. It's already searchable. It's already indexed."