ISP Tracking Legislation Hits the House

cnet-declan writes "CNET News.com reports that Republicans in the U.S. House of Representatives announced yesterday legislation to force ISPs to keep track of what their users are doing. It's part of the Republicans 'law and order agenda,' with other components devoted to the death penalty, gangs, and terrorists. Attorney General Gonzales would be permitted to force Internet providers to keep logs of Web browsing, instant message exchanges, and e-mail conversations indefinitely. The draft bill is available online, and it also includes mandatory Web labeling for sexually explicit pages. The idea enjoys bipartisan support: a Colorado Democrat has been the most ardent supporter in the entire Congress."

Good luck

[ivan256]

They may as well legislate that gravity be lessened to solve the obesity problem. It's just as feasible from a technical sense.

Re:Good luck

[doublem]

Shhhhhh!

Don't give them ideas.

the problem is, they don't realize the massive hardware costs that would be involved.

What's more if they did understand the expense and barriers of such a plan, they wouldn't care.

Re:Good luck

[ivan256]

Screw the hardware costs. It's just plain impossible. How can the ISP know which data is e-mail, IMs, etc?

I don't know about you, but I connect to a mail server using SSL, and the server is not operated by my ISP. Are they going to log some unintelligible bits? Are they going to force people to use their ISP's mail server? Who is an ISP? Anybody who resells bandwidth? How will they know you're reselling bandwidth? Etc...

Re:Good luck

[ivan256]

That would be an interesting theory if the growth of power was actually fueled by those in power. In reality, it is fueled by the citizens demanding more from their government under the delusion that it will help them. People don't understand that when the government gives you something, it has to take it from you first. Even with progressive taxation, it comes out of everybody's pockets. Giving money to the rich may not cause it to "trickle-down" to the lower classes, but if you stick it to the rich, they'll figure out (Actually there isn't any figuring out involved, but...) how to pass the costs down the chain.

If an idea starts with "The government should..." and doesn't end with something about providing infrastructure or protecting you from physical harm, it's a bad idea... And even some things that fit the formula are bad ideas too.

Re:Good luck

[Sancho]

You're thinking of "ISP" in the wrong light.

Whoever your e-mail provider is is also an ISP. They provide an Internet service. Therefore, they are required to maintain whatever logs are mandated by the government. If that includes storing backups of e-mails, so be it. The company that provides you access to the Internet doesn't have to maintain that information--they're just a conduit.

Of course, the government might try to claim this, and then they will simply shut down any ISP for which they go after this information. It's pretty well impossible to capture and maintain all of the traffic that crosses the ISP's gateway for any useful length of time.

Re:Good luck

but there's nothing in the clear language of the bill that would give the AG the power to force ISPs to track browsing, etc.

Why you're absolutely right! And there's nothing in the constitution that says we have a right to habeus corpus either, only that it cannot be taken away. All these people trying to be so liberal in their interpretation of things, so silly! The fact that it permits the AG to ask for anything he wants, as long as he collects at least that much information is such a niggling little detail.

You should only go by exactly what the letters on the paper spell out. Unless its the powers of the executive branch in the constitution, for some reason that's more like a vague guideline.

Re:Good luck

[MoxFulder]

I don't know about you, but I connect to a mail server using SSL, and the server is not operated by my ISP. Are they going to log some unintelligible bits? Are they going to force people to use their ISP's mail server? Who is an ISP? Anybody who resells bandwidth? How will they know you're reselling bandwidth? Etc...

Bingo. Even if the government gives you bad SSL certs and otherwise attacks and cripples every KNOWN secure protocol, it'll only get them so far.

If that happens, some company will spring up outside the USA that will charge a monthly fee to tunnel your Internet traffic through their servers via SSH. And they'll send you the server's public key fingerprint via postal mail so that you can verify that there's no man-in-the-middle attack. That will be foolproof unless the US govt decides to start opening mail and altering anything that looks like a public key fingerprint or SHA sum or whatever. And then the foreign companies will start broadcasting their public keys via short-wave radio. And then the govt could ban short-wave radios. And then... this is beginning to look like North Korea...

Note that I do not believe any of this will really happen. I do not believe we Americans will accept a totalitarian government. I don't even believe we'll accept small steps in that direction in the long run. I think the proposed policy is destined to fail and is the result of (a) a power-hungry administration (whose time is up in 2 years anyway) and (b) a desire to catch terrorists and (c) an extraordinarily bad understanding of technology.

It's amazing to me how legislators and policy-makers fail to understand crucial points about technology. They believe that DRM can be effective (or, failing that, they make it illegal to break), they blithely ignore the global reach of the Internet, and they don't know how easy it is to use strong encryption. They need to pick and choose their battles differently.

Re:Good luck

[Kjella]

Note that I do not believe any of this will really happen. I do not believe we Americans will accept a totalitarian government. I don't even believe we'll accept small steps in that direction in the long run.

How about a little bipartisan power grab, who'll continue to pass the ball back and forth every four or eight years. They'll keep the people entertained by focusing on social issues (are we pro-gay or anti-gay this year?) while the actual running of government is left to Party lead... sorry, political families like the Kennedys, Bushs and Clintons putting relatives in key positions whenever their side wins an election. Presumably in close cooperation with corporations who run large lobby groups and are the only ones with a considerable sway in day-to-day politics and pay attention to rider bills and the like. Between an election system where it's almost impossible to create a third party and so much of the mass media controlled by corporate interests, it'll seem like the will of the people. I don't think the question is "would people oppose a totalitarian government" as much as "would Americans recognize a totalitarian government before they were neck deep in one?".

Guess it's time to stop using the internet

[the_humeister]

You know, I'd like find out what kind of porn or other illicit sites these legislators are surfing and then dredge that up those records to news agencies. See how that flies in their faces.

Re:Guess it's time to stop using the internet

[db32]

When they refuse to examine election fraud on the grounds of "it would damage voter confidence" I think it would be safe to assume they will find a way to keep themselves out of this. In fact, it would probably even extend protection to them after they are out of office. My first guess would be seeing this tossed out on grounds of national security given that this administration has classified more crap than any other administration.

Won't somebody please think of the children!

[aborchers]

This is just sick. Every time I hear this shrill siren about protecting the children I know they're coming for another liberty.

I, for one, don't want my kids growing up in a country run by the thought police.

Re:Won't somebody please think of the children!

[sconeu]

Didn't you know that "Child Porn" is the root password to the US Constitution?

With "Terrorism" and "Think of the Children" as the alternates?

Option Labeling of Non-Sexual Content

The draft bill is available online, and it also includes mandatory Web labeling for sexually explicit pages.

What they need is exactly the opposite: optional Web labeling for non-sexually explicit content.

If you think your site is safe for children then you can add a label to that effect. There could even be a well defined process where, if you labeled your site as safe-for-children and it wasn't, then you could be required to take down the safe-for-children label.

Ideally, there wouldn't just be one safe-for-children label but a variety of specific government defined labels that identified a site as being free of specific types of content (e.g. no nude photos versus no sex photos).

This would change the way people use the web.

[topical_surfactant]

I imagine many people would simply start tunneling all their traffic to countries without such idiocy.

Oh, Congress won't pay for it.

[khasim]

This will be another "unfunded mandate" where they'll just fine you if you fail to spend the money to comply.

All in the name of "protecting the children" and "War against Terror".

The question will be, how much money will an ISP have to spend to record everything, in a secure fashion, for years and years? And at what point will the that expense be LESS than any fine that will be levied for non-compliance?

Re:Oh, Congress won't pay for it.

[Wateshay]

Well here's a quick, very unscientific, estimation:

A quick look at my Firefox history (which stores 9 days of info) shows that it's a little under 1 meg in size. That means that over a month I'd generate 3 megs of history. However, since most web page hits actually result in dozens of actual HTTP requests and most of my browsing is to pages I've already visited, it's reasonable to say that a complete log of my browsing would be at least 10x that, so let's say 30MB/month, or 360MB/year.

My email (which goes back 3.5 years) is about 1GB, but I'd say it's safe to assume that between spam and messages that I didn't need, I've only kept 1% of the email I've received in that time, so 100GB/3.5years would give us about 30GB/year.

I don't keep logs of my instant messaging, but let's just round up to an even 50GB/year for the whole thing. Of course, I'm probably an atypically heavy user of the internet, so for the sake of discussion let's say that the average user is really only 10% of that, or 5GB/year (which is probably very low).

5GB/year * 200Million U.S. internet users is 953 Petabytes of generated data every year. At a current storage cost of about $4M/petabyte, ISPs would (under this law) have to bear a combined total of almost $4 billion / year just to buy storage space for all of this data (which doesn't even begin to take into account the physical space to store the storage servers, the people to run them, the electricity to run them, the backups, etc., etc.).

Conclusion: This is completely infeasible, regardless of whether the law is passed. After all of the costs are factored in, you'd probably end up seeing a doubling (if not more) in the cost of Internet access just to support this.

Nice work

[Amoeba]

I can only imagine how politicians think:

"Hey how can we kill off a lot of small businesses so our big behemoth telecomm contributors can make more money in the long run? Ooh! increased operating costs! Our friends have the coffers to handle this while their smaller competitors die off. We'll have to make it look like something else though. Tie it to crime. Everyone hates criminals."

Re:My logs aren't going to be very interesting

[arthurpaliden]

Then they will just make it illegal to use proxie servers.

constitution

[mobydobius]

we havent had a decent amendment in a while. time for a push for an explicit right to privacy?

Re:From the draft...

[grimJester]

Does fiber count as electromagnetic transmission? Junk legislation like this shows why they shouldn't write new laws for the Internet.

Re:huh?

[Tackhead]

> Why don't they just put everyone in prison? Then we wouldn't have any crime at all. Problem solved.

The Party's goal isn't to eliminate crime by throwing everyone in jail -- it's to eliminate people who piss it off by merely being able to throw anyone in jail.

"Did you really think that we want those laws to be observed?" said Dr. Ferris. "We want them broken. You'd better get it straight that it's not a bunch of boy scouts you're up against - then you'll know that this is not the age for beautiful gestures. We're after power and we mean it. You fellows were pikers, but we know the real trick, and you'd better get wise to it. There's no way to rule innocent men. The only power any government has is the power to crack down on criminals. Well, when there aren't enough criminals, one makes them. One declares so many things to be a crime that it becomes impossible for men to live without breaking laws. Who wants a nation of law-abiding citizens' What's there in that for anyone? But just pass the kind of laws that can neither be observed nor enforced nor objectively interpreted - and you create a nation of law-breakers - and then you cash in on guilt."

- Ayn Rand, Atlas Shrugged, 1957

You don't have to like Rand to apppreciate that she was onto something when it came to how governments think during the design phase of legislation.

This is just stupid

Once again, we have legislation being proposed which is only going to affect legitimate internet users, and will barely help at all to prevent criminal acts. Even if they do pass this law, and even if the ISPs could (from a technical standpoint) log everything their users do, it's not like anyone planning a crime is going to be stupid enough to fall into the trap. They'll use proxies. They'll use encrypted connections that even the ISP simply can't peer into. And this will all have been for nothing.

I wish lawmakers were obliged to take a few courses in various information technology topics before being permitted to try to regulate them. Nobody in the House seems to understand how the internet works, and this is going to cause real damage if they're allowed to go ahead and pretend they do.

No

[rodentia]

Here is how politicians think:

"What sort of grandstanding can I do to get my name in today's local/state media cycle? Let's see, my likely opponent has introduced a bill in the statehouse mandating that sex offenders register their online accounts. . . . Hrm, what trumps pedophiles? Sure, Terror, domestic Terror! that's the ticket!"

Actually, that is the politician's Chief of Staff thinking; the politician is thinking:

"Does this tie make me look soft on crime? If that minxy little intern thinks she's going to get that last donut, she's got another thing coming. Hrm, I wonder who's scheduled to buy me lunch today. It better not be seafood, them shellfish gives me the burpies."

Re:From the draft...

How does a post from someone thinking that light isn't an electromagnetic transmission get modded as insightful?

Re:First Reaction and Real reaction.

[Tackhead]

> In many respects it reminds me of East Germany. At the height of their power the East German Stasi employed one in fifty members of the population as full or part-time spies. This doesn't count the large beureucratic staff that they had or the massive infrastructure that was built and run just to sort through it all. The social costs were enormous as any infraction was targeted for no good reason. The economic costs in turn were insane and deprived the state budget of much of the money that might have been spent say building an infrastructure or feeding the population. No nation on earth had more complete information on its citizens and no nation on earth spent more obtaining it.

Ah, but that's the point. East Germany failed because neither powerful computers nor large databases existed.

Without powerful computers and large databases, STASI-level surveillance required that one in fifty people work for it. If we use the ratio of 300,000 informants to 100,000 employees, we get a pretty "human" number: one agent can process the intelligence from three informants.

> None of the objectives of the Stasi were acheived and East Germany fell, it fell and noone misses it.

Evidently, someone misses it, or we wouldn't be rebuilding it here.

East Germany's STASI was the alpha test; it failed due to massive manpower requirements.

The PRC's Great Firewall of China appears to be a beta test; now that manpower requirements are alleviated by the use of technology, let's see if it scales. The test is ongoing, and has been a useful proving ground (and sales opportunity!) for US-based manufacturers of networking gear. If we consider the collapse of the USSR in the face of the free flow of information, we must also consider the survival of the Communist Party in the PRC in the face of the same free flow of information. Part of the reason the government of China held power has to do with cultural leanings that tend towards collectivism, but part of it has something to do with the Chinese state's ability to track, target, and eliminate its opposition's leading figures before they have a chance to do harm. Tienanmen Square gave the PRC's government a wake-up call, and unlike the Soviet Union, the Chinese government adapted, survived, and maintained control over its population.

East Germany's alpha test demonstrated the proof of concept (but failed due to scaling issues). China's beta test has demonstrated both the concept, and proved scalability. It's time to move to the implementation phase.

Re:You think this is bad!

[Kyrka]

Now THAT is some scary shit man... do the pricks on The Hill know something about invading Iran the rest of us don't?

Re:reference to IM and chat records misleading

[nhudson35]

I interpret bills for a major civil rights lobby, and this bill's language is ambiguous. It requires, at a minimum, the retention of personal identification linked to IPs. Whereas I do see your point, that it does not enumerate retention of IM and chat logs, this draft bill is STILL scary. If the legislation passes, it is up to Alberto Gonzales to interpret it. This, the man that recently advocated the revoke of Habeus Corpus, citing the lack of its specific constitutional enumeration. The problem is that the bill's language is broad, and the AG could ASSSUME that it gives him certain powers. The bill would be less scary if it was amended with language that limits the amount of liberal interpretation that could take place. In the end, this draft represents a common problem, and a scary possibility. Politicians struggle balancing individual liberty and safety, and if passed, this bill could establish a precedent of invasion of personal privacy. All of this must be qualified by the following-- I understand the desire to protect our children at all costs. It is an emotionally charged issue, but we must not allow rational thought to be trampled by emotionally charged debate. I do not believe this bill will make us safer. I'd be interested to see how many times and ISP could not produce personal information on the IPs they regulate, and how many times failure of an ISP to produce personal information translated into the loss of a conviction for child predators. This bill represents the beginning of a slippery slope for internet privacy, and a more general affront on free speech.

Serves Broader Agenda

[mpapet]

From the ISP's side, they will take the time/effort to simply provide a way for the data to be delivered in bulk to a gov't contractor. From there the contractor does the actual storage. The ISP's will jump at that because it's costs practically nothing. On the contractor's side, when you are buying storage by the petabyte, it's pretty cheap.

It still boggles my mind that this is somehow offensive behavior in the /. echo-chamber. The time to have done something about it was maybe 10 years ago.

Most of us have *no* clue about the scale and scope of data collection is like in the U.S. right now and I believe most would be very nervous if we actually knew besides what's already been leaked. What brings me some comfort is gov't agencies are not known for their effectiveness or ability to coordinate much beyond a luncheon.

Re:You think this is bad!

[Reziac]

I don't think the *concept* of required national service is necessarily bad; certainly the younger generation would get a better picture of the Real World if they were forced to go forth and help construct it. (Frex, this could be a way to get kids back into the many entry-level, farm labour, and general labour jobs that kids used to do, but are now the province of illegal aliens.) It'd also be a good way for them to earn a nest egg for higher education.

However, in the current political climate, I foresee it being used not only to provide cannon fodder for useless wars, but far more likely, to create a huge corps of civilian "police aides" in the name of keeping the rest of us Under Better Police Control.

Re:Good luck - SSL?

[ivan256]

I do have something to hide.

It's my password. If anybody learns what it is they can use my server as a spam relay, read my mail, etc.

Re:An Affront On Privacy

[alshithead]

"Lamar Smith's bill's language is ambiguous."

Of course it is! It's written by a technologically ignorant fuck. Also, it's not as if the US government has never passed ambiguous laws/rules. The burden placed on ISPs and possibly others is so onerous as to be laughable, if it wasn't so sad. To put it in a context some elected officials MIGHT understand, it's similar to telling the US government to document every work conversation for every government elected official and worker. I told my politically and technologically apathetic wife about this and she just about went through the roof just over the privacy implications. She used to work for the Department of Navy as a civilian so she already knows the bureaucratic implications better than most.

Reagan Turning in His Grave

[bill_mcgonigle]

Real conservatives would have nothing to do with this stupid bill, which places way too heavy a load on small businesses. And no, I don't consider any of the supporters of the bill conservative in the fiscal sense.

Oh, the conservatives are pissed. But like you said, it all comes down to whether they'll stop strategizing long enough to not elect another Bush.

Its been nice...

[Grinin]

The internet was fun when the government didn't really understand or know how to use it... Now with every keystroke being run through heuristic scans and filters and all sorts of other "Big Brother" type algorithms, we have lost yet another freedom. See, the U.S. got upset when China wouldn't let their users search for the term "Democracy" or "Freedom" etc. We said it wasn't right, and that the people should be able to search for anything they want, yet we do the same thing, only in the reverse order. We let the users search for whatever they want, but then they get in trouble for it once they have done so.

It must be really nice to tell everyone else how they should do things, while we're making the same mistakes, only in different ways.

Re:If this law can actually be feasably implemente

[0x0000]

how does the government plan to address the issue of unsecure wifi?

There has been some hinting around - mostly at the state level - a couple years ago that open WiFi will be made illegal - the rationale was [from the published articles, which unfortunately I don't have a cite for at hand] to "protect" the owner of the back-haul connection from "liability". The context here was the state of Michigan, who - it was my understanding - had just become the first state to successfully prosecute war-drivers.

Obviously the "protection" pretext was bogus - this fact was re-inforced by the information that in no case, of the several on record of individuals having been prosecuted criminally for use of an open WiFi hotspot, had the owner of the hotspot been thoght to be the perpetrator of illegal activity. Nevertheless, the "legal eagles" - as usual - choose to penalize the innocent as a "deterrent" to actual criminals, while creating loud, high pitched whining noises about protecting people from themselves...

There should be some Constitutional protection to prevent lawmakers from passing laws based on the idea that they are protecting us from ourselves - even if it's our own [purported] stupidity, imo.

Furthermore, Open Mail Relays have not been outlawed, despite all the legal activity [allegedly] against SPAM email - it seems to me that, before we accept that the people who push these kinds of brain-dead legislation are qualified to do so, we should get an explanation from them concerning how and why it's a plausible defense against "terrorism" and "child porN" to ban open WiFi when they did not find it useful to outlaw open mail relays. If they can explain that, we might have a basis for conversation with the morons who like to claim they represent the citizens as "lawmakers"... of course, if they could do that, the situation that now exists almost certainly wouldn't.

If anonymity is made illegal, only criminals will have anonymity.