Monday, June 26, 2006 - The Progress & Freedom Foundation Blog

Mandatory Data Retention: How Much is Appropriate?

[This essay builds on Friday's blog entry on "Social Networking and Child Protection."]

At last week's National Center for Missing and Exploited Children conference entitled "A Dialog on Social Networking Web Sites," several law enforcement officials argued that expanded data retention mandates were needed to adequately police online networks and websites for potentially criminal activity. (In this case, child pornography or child predators were the concern, but data retention has also been proposed as a way to police online networks for terrorist activities among other things).

This push for expanded data retention was hardly surprising. In recent months, members of Congress and the Department of Justice have floated new proposals to require Internet Service Providers (ISP) and others (including search engines and social networking sites) to retain data on their customers and traffic flows for long periods (typically between 6 months and two years). These proposals mimic data retention laws that are being implemented in the European Union.

Let's step back and consider this issue from two very different perspectives.

The Two Sides

On one side, we have law enforcement officials telling us the data retention is an essential tool they need to have in their arsenal when they try to track down bad guys in our modern world of digital communications. In essence, imposing extensive record-keeping requirements on ISPs and others would create massive databases of information on end-user activities and traffic flows. Those records could later be searched to determine if criminal activity was plotted or carried out. For example, who did Terrorist Suspect X communicate with over a two year period? Or how many youngsters did Suspected Pedophile Y attempt to communicate with over the past year? And so on.

On the other side, there are those who are concerned about ISPs becoming "watchdogs" that are essential deputized by the state to police private networks for various activities. Will the deputization of the middleman end with terrorism and child predators, or will it grow to encompass much more activity that the state wants monitored? Even if it doesn't, how much innocent activity or speech will be monitored by companies or the government during this process? How much data is being collected overall? Where is it all being stored? Is it secure? And there are a host of other privacy-related concerns one could think of.

A Bit of Ancient History

To understand where the government is coming from and why they are asking for this authority, it's important to recall how this process worked in the past. Back in the days of regulated monopoly, the monopolist (namely, AT&T) was willing to play ball with the government on stuff like this because: (a) cost recovery was possible or even guaranteed through rate-of-return regulatory proceedings; and (2) it was more commonly understood that this was part of the regulatory compact / quid pro quo. Indeed, if you go back and read Cold War-era histories that incorporate a communications component, you almost always hear the author talking about how AT&T bent over backwards to play ball with the feds on some of this stuff. And it was an open secret that top AT&T engineers and government officials often worked together on network surveillance / data retention. (Indeed, AT&T officials would often move in and out of government positions at NSA or other agencies).

But the world changed and communications expanded to include more companies, sectors and technologies. Thus, even if you can get AT&T, Verizon and Qwest to play ball today, how far does that really get you? What about Comcast, Time Warner, Cox, Google, Yahoo, Microsoft, eBay, MySpace.,com, Facebook, Live Journal, and the countless other companies that move or retain data about users / customers? (And what about offshore sites??)

In other words, government still wants to play the game the old way but now has dozens of stakeholders they need to work with instead of just one big monopoly. This is what makes this issue so challenging. The government has legitimate national interests here (at least, in my opinion, with terrorism and child porn / predators), but does that mean it should be able to impose massive unfunded mandates on everyone to accomplish those goals? I don't think so.

A More Balanced Approach

I think the better approach here involves limited, targeted data retention mandates by government. Specifically, I certainly think the government should be able to ask an ISP (or any other Internet company) to retain data but:

(a) only through a well-established judicial subpoena process;
(b) for specific individuals who officials have probable cause to believe are engaging in illegal activities (terrorism, child porn, etc); and,
(c) for a limited period of time (officials should seek additional subpoenas for extended data retention).

There is a world of difference between this sort of data retention and the type that many lawmakers are proposing today in which ISPs and other Internet companies would be required to retain ALL CUSTOMER DATA for AN EXTENDED PERIOD OF TIME. I'm not even sure where companies would store all that data. After all, we're talking about terabytes or even petabytes of monthly data traffic flows that would have to be stored in server farms as tall as skyscrapers. God only know how they're going to protect all that data from unauthorized uses.

Incidentally, industry has already said it can live with the approach I have outlined and some companies already retain data upon request in this fashion. In fact, MySpace's Chief Security Officer told attendees at last week's conference that the company will retain data for as long as government wants if they come to them with a specific request about a problematic user.

And federal law already requires Internet providers to retain data for up to 90 days upon request from law enforcement and also report any child porn incidents to the National Center for Missing and Exploited Children so they can work with law enforcement officials to pursue those predators. This strikes me as a much more sensible approach then the sort of blanket unfunded data retention mandates that some lawmakers are currently proposing.

One Other Possibility: The "Takings" Approach

There's one other approach that could be considered: Allow full-blown mandatory data retention for as long as government wants but then force them to pay the full cost of retaining that data. In other words, treat data retention mandates like a Fifth Amendment "takings" and demand full compensation for those companies that are forced to carry out the collection requirements.

But there are serious flaws with this model. First and foremost, it assumes that government should have the right to force private companies to retain as much data as public officials desire. I can think of many good reasons why we don't want to give government unbounded authority to collect and collate information about our online activities -- specifically, I'm worried about data security since the government has proven all too often that it can't be trusted to secure our data -- but it's all the things I can't think of at this time that really concern me!

More practically speaking, forcing government to "fully fund" data retention mandates could get prohibitively expensive and many state and local governments might not be able to foot the bill. Of course, that might actually be a good reason to require payment for data retention so that they understand the true cost of the mandate and reduce the extent of the mandate as a result. But can you imagine the catfight over what constitutes "costs"? There would be endless rounds of regulatory proceedings to determine fair compensation.

Again, the better approach involves limited data retention authority on a targeted basis for brief periods of time. And it should all be conducted through well-established judicial procedures.

posted by Adam Thierer @ 2:52 PM | Free Speech