Slashdot Mirror


FBI Pushing For 2-Year Retention of Web Traffic Logs

suraj.sun writes to tell us that the FBI is pushing to have ISPs keep detailed records of what web sites customers have visited for up to two years. Claiming a desire to combat "child pornography and other serious crimes," the FBI and others are pressing for increased data retention, which they have been doing since as early as 2006. "If logs of Web sites visited began to be kept, they would be available only to local, state, and federal police with legal authorization such as a subpoena or search warrant. What remains unclear are the details of what the FBI is proposing. The possibilities include requiring an Internet provider to log the Internet protocol (IP) address of a Web site visited, or the domain name such as cnet.com, a host name such as news.cnet.com, or the actual URL such as http://reviews.cnet.com/Music/2001-6450_7-0.html. While the first three categories could be logged without doing deep packet inspection, the fourth category would require it. That could run up against opposition in Congress, which lambasted the concept in a series of hearings in 2008, causing the demise of a company, NebuAd, which pioneered it inside the United States."

7 of 256 comments

  1. Before someone says it by Anonymous Coward · · Score: 5, Informative

    This goes beyond the data retention laws in the EU, and even those are under a lot of public pressure and currently being looked at by the highest courts. What you'll see is that your guys will back down from requiring access logs and make ISPs "just" keep a log of the IPs of their customers for two years, like the EU requires, and they'll call it a compromise.

  2. Re:Won't someone please think of the children by Nadaka · · Score: 2, Informative

    Don't kid yourself, most of Asia (and by that I mean China) is just as quick to "think of the children" as America.

  3. Host names by unix1 · · Score: 3, Informative

    Host names cannot be logged without packet inspection unless they assume that a corresponding request against the ISP's DNS services constitutes "visiting" the resolved host name. You are also free to use DNS servers of your choice that are different from your ISP's. You can run your own DNS server too.

    When a client "visits" a URI it:

    1. resolves the host name to IP address via a DNS service
    2. makes a connection to the said IP address
    3. if connection uses SSL, proceeds with the "handshake"
    4. sends host name, URI, and other request info via the above connection

    ISPs can log #2, but cannot log #4 without packet inspection. It's even more complicated if the connection is encrypted (e.g. https).
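The split between #2 and #4 in the comment above, shown as an added example that is not part of unix1's post: header-only logging of a packet yields addresses and ports, while the host name and URI come only from parsing the payload. The function names, addresses, ports and the opaque payload are constructed for illustration; the path and host are the ones quoted in the summary.

```python
import socket
import struct

def build_packet(src, dst, sport, dport, payload):
    """Constructed IPv4+TCP packet (checksums left at zero) carrying payload."""
    tcp = struct.pack("!HHLLBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return ip + tcp + payload

def flow_record(packet):
    """Header-only logging: the addresses and ports of the connection (#2)."""
    ihl = (packet[0] & 0x0F) * 4
    sport, dport = struct.unpack("!HH", packet[ihl:ihl + 4])
    return {"src": socket.inet_ntoa(packet[12:16]),
            "dst": socket.inet_ntoa(packet[16:20]),
            "sport": sport, "dport": dport}

def inspect_payload(packet):
    """Packet inspection: host name and URI from the request itself (#4)."""
    ihl = (packet[0] & 0x0F) * 4
    data_off = (packet[ihl + 12] >> 4) * 4
    payload = packet[ihl + data_off:]
    try:
        head = payload.split(b"\r\n\r\n", 1)[0].decode("ascii")
        _method, path, version = head.split("\r\n")[0].split(" ")
    except (UnicodeDecodeError, ValueError):
        return None  # not readable as an HTTP request, e.g. encrypted
    if not version.startswith("HTTP/"):
        return None
    headers = dict(line.split(": ", 1) for line in head.split("\r\n")[1:]
                   if ": " in line)
    return {"host": headers.get("Host"), "path": path}

# Constructed samples: documentation-range addresses, URL taken from the summary.
HTTP_REQ = (b"GET /Music/2001-6450_7-0.html HTTP/1.1\r\n"
            b"Host: reviews.cnet.com\r\n\r\n")
# Constructed stand-in for ciphertext, not a captured TLS record.
OPAQUE = bytes([0x17, 0x03, 0x03, 0x00, 0x10]) + bytes(range(0xA0, 0xB0))
PLAIN_PKT = build_packet("192.0.2.10", "198.51.100.7", 49152, 80, HTTP_REQ)
TLS_PKT = build_packet("192.0.2.10", "198.51.100.7", 49153, 443, OPAQUE)

if __name__ == "__main__":
    for pkt in (PLAIN_PKT, TLS_PKT):
        print(flow_record(pkt), inspect_payload(pkt))
```

Both packets produce a flow record; only the unencrypted one gives up a host name and path.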

  4. Re:How many PB? by Wesley Felter · · Score: 2, Informative

    Even better when people start using a program that for example does random searches on Google and does a request to every search result.

    What if one of those results happens to be an illegal Web page? Maybe you should call this program the Auto-Incriminator.

    Chaff traffic may defeat human observers, but I doubt grep will bat an eye. And your ISP will pass the costs of tracking your chaff traffic on to you.

  5. Re:Won't someone please think of the children by Anonymous Coward · · Score: 3, Informative
  6. Re:Won't someone please think of the children by tomhudson · · Score: 4, Informative

    "Businesses like Level 3, Google, etc., are far less likely to be cooperative."

    Wrong about Google. Google has said that they don't need a subpoena, just a belief that the cops *could* get a subpoena, and they'll roll over on you.

    And Google has a LOT of data on you.

  7. Re:Just make it permanent by the eric conspiracy · · Score: 2, Informative

    Uh I thought the US Constitution had the concept that laws could not be retroactive.

    Just sayin'