DOJ Wants ISPs to Log User Traffic UPDATED
Anonymous Coward writes "Kevin Poulsen writes in an article in SecurityFocus that in an early draft of the White House's "National Strategy to Secure Cyberspace", the DOJ proposes that the US enact European-style 'data retention' laws, which force ISPs to log and retain all of your email headers, as well as your Web browsing history." Nothing worse for the DOJ than to be upstaged by Europe in oppressive lawmaking; they must feel like they're losing their edge.
Update: 06/19 23:04 GMT by M : The SecurityFocus article has been updated with this note, saying that the U.S. denies having any plans for data-retention laws. Guess we'll have to wait until the plan is released to see.
Maybe, I dunno. But anyway... this sucks. Doesn't anyone at the DOJ realize that keeping a history of web browsing is about the equivalent of having someone follow you around with a pen and some paper and record the address of every place you visit during the day? I don't understand how keeping track of information like this can possibly help with security or ANYTHING for that matter.
If you need to interpret my post, then you don't get it.
Logging such a huge volume of data requires massive hard-drive space, extra CPU power, extra manpower. All of those things cost money.
Considering how little money ISPs tend to make, I don't see this as at all fair, unless the government will pony up the cash.
WWJD? JWRTFA!
At least the government will probably be required to disclose what they do.
Your best bet is to not send any sensitive info over email, and don't store any unencrypted sensitive or private data in online storage systems.
You always hear the analogy that email is just sending a postcard... well, it's about time that we start to make email "envelopes" (aka encryption) standard for ALL email.
I think Joe Sixpack would be more inclined to use encryption if he thought it was just an envelope to put mail into... he doesn't need to know about technojargon like PGP, GPG, SSL, S/MIME, X.509 certificates, just tell him it's an "email envelope" instead of the old postcard he's used to.
The only thing that really needs to be public is the To address. Everything else could be encrypted (enclosed in the envelope) except for maybe a couple fields like the From Address and maybe the Subject Line (but even those could be "inside").
What needs to happen before email encryption becomes a "standard" thing that everyone uses all the time?
Many other posters have already commented that the update to the story says the Gub'ment denies attempts to do this. I'm surprised this story wasn't taken with a grain of salt in the first place...you know this wouldn't stand up to any kind of court scrutiny.
Really, the idea that the government can arbitrarily spy on anybody, but only look at later if they have a reason, violates your 4th Amendment rights against unreasonable searches (OT: sometimes I feel bad for the 3rd Amendment...it just gets completely ignored. Nobody ever takes to the streets demanding their 3rd Amendment rights be protected. Oh well). The federal government has no power to inventory your entire home, or keep a list of every person with whom you correspond by mail, and as such, they have no similar power to log your email headers or http requests. I don't see this one happening any time soon.
We don't have a state-run media we have a media-run state.
Outright I hate the idea, this is just pre-emptive search/seizure. The gov would only propose this because it's in the digital domain where it's A: feasible, B: deemed by J. Public to be a non-issue. They could NEVER get such a thing into action with physical mailings.
But then I thought.... If every ISP had to monitor port 25, isolate all to and from IPs and email addresses (forged or not), and fill up all those hard drives, tapes and whatnot...
Can you imagine how fast SPAM would drop off as the ISPs attempted to control the now real costs of hosting spammers?
Article X: The powers not delegated... by the Constitution...are reserved...to the people
Your ISP wouldn't do it on their mail server, they would have to sniff all outbound port 25 traffic and record that way. Scary stuff, since even PGP doesn't help much. They'd still know everyone I mail. Time to start putting the Subject: in the body of the message, people!
The problem is the general populace and lawmakers don't understand what they're saying/hearing. An analogy would help to put things into perspective.
Logging email headers can be compared to the phone company keeping records of your incoming/outgoing phone calls.
Do they do it now? Yes...and most ISPs keep generic logs as it is.
Does the phone company retain ALL the info? No...but they CAN get the info and keep it if you're suspected of doing Bad Things...or they can tap the line. Can an ISP track the same amount of info? Sure...but they don't do it right now unless you're doing Bad Things.
Keeping track of where you go on the web can be compared to driving.
Does your state's dept of transportation keep track of what road you drive, and what time you did it? No.
Does your ISP track what sites you go to and when you go to them? No...unless you have a proxy, in which case they might keep a generic log.
Can the dept of transportation put cameras at all intersections and track your license plate number? Yes...but think of the hideous cost and hideous amount of data. Same goes for an ISP to track where you go.
It's all about perspective...
Bill Stewart
New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks