Wednesday, July 13, 2011

I Guess the ‘You Are All Criminals Act’ Didn’t Have the Same Ring

Posted by Julian Sanchez

If you thought it was the height of cynicism when legislators dubbed a massive expansion of government surveillance power the “USA Patriot Act” (recently extended—really!—under the heading of small business legislation), feast your eyes upon the Protecting Children from Internet Pornographers Act of 2011, on which the House Judiciary Committee is slated to hold a hearing next Tuesday. What kind of monster would dare be on the record opposing that bill?

As you may have already guessed, the handful of provisions in the bill that really deal specifically with child porn are a fig leaf for its true purpose: A sweeping data retention requirement meant to turn Internet Service Providers and online companies into surrogate snoops for the government’s convenience. Any provider of an “electronic communication” or “remote computing” service—meaning broadband providers like Comcast, but also companies like Google—would have to retain records of the “temporarily assigned network address” (such as an IP address) associated with each account for 18 months. Some of the other provisions in the act seem perfectly reasonable (though I don’t know enough to say whether they’re necessary), but as a hearing earlier this year made crystal clear, it’s the data retention requirement that the government really cares about.

Thanks to an unwise Supreme Court decision dating from the 70s, information about your private activites loses its Fourth Amendment protection when its held by a “third party” corporation, like a phone company or Internet provider. As many legal scholars have noted, however, this allows constitutional privacy safeguards to be circumvented via a clever two-step process. Step one: The government forces private businesses (ideally the kind a citizen in the modern world can’t easily avoid dealing with) to collect and store certain kinds of information about everyone—anyone might turn out to be a criminal, after all. No Fourth Amendment issue there, because it’s not the government gathering it! Step two: The government gets a subpoena or court order to obtain that information, quite possibly without your knowledge. No Fourth Amendment problem here either, according to the Supreme Court, because now they’re just getting a corporation’s business records, not your private records. It makes no difference that they’re only keeping those records because the government said they had to.

Current law already allows law enforcement to require retention of data about specific suspects—including e-mails and other information as well as IP addresses—to ensure that evidence isn’t erased while they build up enough evidence for a court order. But why spearfish when you can lower a dragnet? Blanket data requirements ensure easy access to a year-and-a-half snapshot of the online activities of millions of Americans—every one a potential criminal.

At the previous hearing—when they were at least honest enough to put “data retention” in the title—Internet providers made it clear they weren’t thrilled about the expense of being forced to keep those records, especially since many have sought to reassure skittish consumers by pledging to limit the amount of identifiable information they store. And despite their hunger for data, law enforcement representatives weren’t able to provide much: They offered some anecdotes about how Internet metadata had proven useful in serious investigations, but no real statistics that might establish the need for such a sweeping mandate. They might take a cue from countries that have already enacted data retention laws, which are belatedly starting to question their necessity: Europe’s data protection authority recently condemned a similar initiative (though limited to just six months of mandatory retention) as a privacy-destroying failure.

Since the bill exempts wireless connections from its requirements, of course, any criminal sophisticated enough to drag a laptop to a WiFi cafe will still be able to ensure a measure of anonymity. But retention mandates will doubtless prove useful for subpoena-wielding companies hoping to unmask less savvy file sharers or anonymous online critics.

All things considered, this might start to look like a pretty bad idea: Burdensome on technology companies, harmful to the privacy of the great majority of innocent Internet users, and unlikely to be much use against the most sophisticated cybercriminals. But haven’t you read the name of the bill? Why do you want to protect child pornographers? Sadly, there’s every reason to think this kind of cynical misdirection will successfully intimidate opponents into silence.

No comments: