U.S. ISP Data Retention Bill Goes to House for Debate

A House committee approved a bill that would require Internet service providers to retain details of customer online activity for 12 months for law enforcement use.

The House Judiciary Committee approved a controversial bill that would require Internet service providers to retain customer data for 12 months.

The data retention clause would require ISPs to keep subscriber information including IP addresses for 12 months for use to investigate cases of child exploitation. After two days of intense negotiations, committee members voted 19 to 10 on July 28 to send the amended bill to the full House of Representatives for debate.

The data retention bill has the backing of law enforcement organizations and the National Cable and Telecommunications Association. Along with IP addresses, law enforcement will have access to full subscriber records that can be tied to the Websites each person visited as well as any content posted without having to first obtain a court order.

"When investigators develop leads that might result in saving a child or apprehending a pedophile, their efforts should not be frustrated because vital records were destroyed simply because there was no requirement to retain them," said Chairman Lamar Smith, R-Texas, the bill's co-sponsor.

The original version of the bill had requested 18 months. Smith offered an amendment to cut time to 12 months, which passed. Zoe Lofgren, D-Calif., proposed one to strike the data retention requirements from the bill entirely, which failed by a 15-8 vote.

Opponents to the bill, both Republican and Democrat, added various amendments to block the legislation, arguing it would place an unfair burden on smaller ISPs and would essentially create a trove of consumer data that law enforcement officials would be able to freely access.

Lofgren proposed an amendment to rename the bill the "Keep Every American's Digital Data for Submission to the Federal Government Without a Warrant Act."

Privacy advocates noted that increasing data retention requirement runs counter to best practices in data security and would actually increase the risks of data breaches.

"We live in an age where our devices and the way we use the Internet are constantly generating records-what we read, where we go, who our friends are," the Electronic Frontier Foundation said in a statement. By saving those records for future use, "they become a persistent and pervasive assault on" privacy and pose an "irresistible temptation to law enforcement," the EFF said.

As it stands, the bill would also protect ISPs from liability for retaining the data. Lofgren tried to minimize the blanket immunity so that ISPs could be held liable if the data was hacked due to negligence in securing the data.

Lofgren argued that a targeted approach is better than a database of "every digital act by every American." She proposed an amendment to require the ISPs to inform the courts when faced with requests from law enforcement, similar to how phone companies currently have to report wiretapping requests. She also sought to specify that ISPs can't add other types of consumer data to be collected and retained.

All of Lofgren's amendments were defeated.

Lofgren said the bill wouldn't achieve its goals because the data retention applies to only "commercial" providers. Criminals would simply go to libraries or Starbucks coffeehouses and use the Web anonymously, while law-abiding Americans would have their activities recorded, she said. The ISPs would know criminals used library machines but law enforcement would not be able to identify the user, while all the activity from a home computer would be retained, she said.

"I oppose this bill. It can be amended, but I don't think it can be fixed," said Rep. F. James Sensenbrenner, R-Wis., adding that "numerous risks" outweigh any benefits and will probably not do much toward protecting children.