DOJ Wants Two Year ISP User Data Retention

Wednesday, January 26, 2011



The United States Department of Justice is lobbying for the passage of legislation that would require Internet service providers to retain customer usage records for up to two years.

Currently, ISPs are only required to retain data for specific users after receiving a request from law enforcement officials.

The issue was raised at subcommittee hearings chaired by Rep. James Sensenbrenner, who had introduced similar legislation four years before subsequently withdrawing the proposal.

Jason Weinstein, deputy assistant attorney general at the Department of Justice, argues the legislation is needed in order to more effectively investigate and prosecute Internet-based crime, particularly child exploitation.

"There is no doubt among public safety officials that the gaps between providers' retention policies and law enforcement agencies' needs, can be extremely harmful to the agencies' investigations," Weinstein offered in prepared testimony.

The proposal has strong support from the International Association of Chiefs of Police as well. "Clearly, preserving digital evidence is crucial in any modern-day criminal investigation," testified John Douglas, a representative for the organization.

Privacy advocates worry that this sort of legislation may threaten the privacy rights of law-abiding Internet users.

"In the privacy realm, the bottom line is that law enforcement is talking about having a massive amount of information on 230 million presumably innocent Americans using the Internet, being tracked and retained," offered John Morris of the Center for Democracy and Technology in testimony.


Possibly Related Articles:
Privacy Headlines legislation ISP Congress DOJ Law Enforcement Data Retention
Post Rating I Like this!
Robert Gezelter This type of requirement previously appeared in the so-called Internet SAFETY Act in 2009. At that time, I posted a blog article entitled "Will Long Term Dynamic Address Allocation Record Retention Help or Hurt?" (this article is available at,

There are numerous issues here, not the least of which is the reliability of these records. MAC addresses can be cloned, and a variety of other issues, including privacy, are affected. Also, as I raised in my article, the definition of "Service Provider" is an important question. Imposing this requirement on every SOHO/home WiFi access point is a major escalation of record keeping, with relatively low-likelihood of the data ever being requested from an individual site.

Misuse of this data for unauthorized purposes is also a matter of concern.
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.

Unauthorized reproduction of this article (in part or in whole) is prohibited without the express written permission of Infosec Island and the Infosec Island member that posted this content--this includes using our RSS feed for any purpose other than personal use.

Most Liked