Law Would Increase Record-Keeping Burden on Wi-Fi Networks

Published May 1, 2009

The Internet SAFETY Act, a measure introduced in Congress this year, could make anyone who operates a wi-fi network responsible for keeping records of everyone who uses it for two years.

The bill, as written at press time, also could require any individual, business, or municipality to hand over those records to government authorities upon request.

The Senate and House versions of the bill—S. 436, sponsored by Sen. John Cornyn (R-TX), and H.R. 1076, written by Rep. Lamar S. Smith (R-TX)—would require two years’ worth of data to be stored by anyone providing “an electronic communication service or remote computing service.” Many in Congress see the measure as a way to help law enforcement track criminals, and supporters of the bill often cite child pornography cases to justify it.

Declan McCullagh, an influential reporter and blogger on the technology industry, says the proposed law would apply to every kind of network everywhere, run for any purpose by anyone.

That sweeps in not just public wi-fi access points, McCullagh says, but also networks with password protection. He warns the law would apply regardless of the cost to individuals and businesses in money, time, and privacy.

Bill Sparks Debate

There’s still much debate over the scope of the proposal as written and what a final version might look like. Ian C. Ballon, a Los Angeles-based attorney with the international law firm Greenberg Traurig LLP, says McCullagh’s concerns will likely be excised from the bill, which was introduced in mid-February.

“What the law would do is compel content providers of electronic communication services or remote computing services to retain IP address information for two years. Today, many service providers do not retain this information,” Ballon said. “[However], the act generally would only apply to Internet content hosting providers and e-mail service providers.”

Roping in Coffee Shops?

But Raymond Ku, professor of law and co-director of the Center for Law, Technology & the Arts at Case Western Reserve University School of Law in Cleveland, Ohio, is not so sure.

Ku says there’s a problem with the vague definition of “electronic communication service,” which is defined elsewhere in the bill as any network accessible to the public. That could mean coffee shops providing wi-fi or their Internet service providers (ISPs) would have to retain the records for two years.

That could increase the cost of the service and make the widely used wi-fi hotspots less prevalent or more expensive, Ku notes.

“The providers [would] pass the cost of data retention onto their users,” Ku said. “For some services, like the free access provided by small businesses, these additional costs may be prohibitive.”

Scope Could Expand Further

Earlier versions of the bill were introduced in Congress as far back as 2002, Ballon notes. The earlier versions were even broader, and their expansive scope could work its way into the current bill.

“The proposed statute compels record retention, not reporting to the government,” Ballon added. “Government entities would still need to go to court to seek a warrant for records maintained by service providers, as they do today.”

Ballon notes the impetus behind the measure is an attempt to rein in child pornography.

“The FBI had reported that child pornography had been pushed so far underground that it ceased to exist by the 1980s,” Ballon said. “The Internet made child pornography readily accessible.”

“The concern raised by this bill is whether it is a civic duty to spend limited resources to gather information for law [enforcement agencies] on the chance that a crime may occur in the future,” Ku said.

Beyond Fighting Child Porn

Another concern Ballon cites is the possibility law enforcement agencies—and litigants in civil suits—could compel companies and individuals to hand over their records for investigations of less-serious matters.

“As long as records are retained for two years, private litigants could seek to subpoena records—or the government could seek warrants for the information—in cases unrelated to child pornography,” Ballon said.

Home Networks Possibly Included

Ballon notes the law is not intended to apply to home networks unless the network owner assigned temporary access accounts to users. If a third party accessed the network without the owner’s knowledge or consent, the owner would not have any retention obligations.

However, Ku says publicly accessible home computer networks—which would include most homeowners’ networks because millions of people don’t bother to encrypt them—technically fall within the definition of a “provider of electronic communication service.”

While the current version of the proposed law seems much less onerous than earlier ones, Jeff Kalwerisky, chief security architect for Alpha Software, a Boston-based provider of software building tools, says there are still concerns it goes too far.

“Nothing is clearly defined,” Kalwerisky said. “This is clearly a Big Brother approach. You’re throwing all of the babies out with the bathwater.”

Poor Government Record

Kalwerisky is also concerned about what the government would do with the information and what efforts it would make to prevent the data from being given to unauthorized persons, precautions he says the government has a very poor record of exercising.

“There could be a lot of fishing expeditions,” Kalwerisky said.

Another concern Kalwerisky notes is the cost of such a process.

“This is an unfunded mandate,” Kalwerisky said. “Companies will be expected to store, back up, and protect this information. The information retention demands for large companies would be very cumbersome.”

Phil Britt ([email protected]) writes from South Holland, Illinois.

For more information …

S. 436: