TechKnowledge No. 99

Data Retention: Costly Outsourced Surveillance

By James Plummer
January 22, 2007

The Justice Department has been beating the drums since last spring for a “data retention” law that would require Internet service providers to warehouse records of their customers’ online activity for the convenience of government investigators. Most recently, FBI Director Robert Mueller called for such a measure at a law-enforcement convention last October. But the idea has found vocal proponents on both sides of the aisle. Data retention may rear its head again in the 110th Congress.

The blitz started when Attorney General Alberto Gonzales and his Department of Justice initiated a series of meetings with telecom industry executives and others about the possibility of mandated data retention. DOJ officials, raising the reliable specter of pedophiles and terrorists, were very vague about what kind of legislation they might seek. The possibilities range from merely keeping track of which Internet Protocol (IP) numbers are assigned to which users on which days, to keeping logs of all websites visited, header information of emails, instant message transmissions, and so on. If data retention proponents don’t have all this content on their wish lists now, they may soon.

The floor for such a measure may have been set in a bill introduced last year by Democrat Rep. Diana Degette (D-CO) which required retention of user IP addresses for at least a year (with authority for DOJ to make the length of time longer).

The EU passed data retention rules in February 2006 which have yet to be fully interpreted by its bureaucrats and member states or enforced by police agencies. But it was widely assumed that such a regime was beyond the ken of serious American consideration. This presumption was largely due to America’s stronger tradition of protecting privacy from government and the costs - the burden on Internet infrastructure - that would come with retaining so much information about the activities of so many Internet users.

Calculating the economic costs is not an easy task. Telecom firms have been holding those figures close to their vests, perhaps to avoid being seen as taking sides and alienating federal law enforcement officials. We do have some clues, though. Microsoft has said that data retention may threaten the future of low/no-cost Internet service.

From the EU experience, we learn that Finland’s Minister of the Interior estimated the earliest and most broad-ranging of the EU proposals would cost that nation 5.5 billion euros. The Czech Republic found that it would have to reimburse telecom firms almost 11 million euros for just six months of enforcement activity of that small country’s more modest data retention law.

Of course, no data-retention regime currently under consideration in America contemplates reimbursing firms for the costs of compliance - much of which is passed on to consumers in the form of higher bills. Of course, reimbursement would pass the costs along in the form of taxes. But cost is not measured merely in dollars and cents. Larger firms can better absorb costs for such regulations than smaller and less-established firms, raising barriers to entry and pricing smaller firms out of the market. That means less choice for the consumer and less innovation in the marketplace as a whole.

These kinds of requirements hinder not only new competitors but innovation within established firms as well. Data-retention regulations would not only make it costlier to add new hardware to existing systems, but also make it much harder to design and implement new methods for dealing with ever-increasing traffic. Those yet-to-be-discovered, innovative, nimble designs needed for a growing Internet are threatened if the state requires bit after bit after bit to be routed through devices that copy and save.

Beyond costs, there is the matter of the Fourth Amendment and its protections against unreasonable search and seizure. By mandating data retention, the federal government would essentially make ISPs act as its agents - and engage in surveillance without suspicion or a warrant.

In their normal course of business, ISPs keep some records and destroy others. These practices are hemmed in by cost, business needs, and consumer demand for privacy. Government-mandated data retention would change this as they engage in a subtly hidden form of search and seizure. This data is not something that would be available to investigators absent the blanket requirement that private firms store it first. “Data retention” laws would essentially outsource the surveillance without the bother of probable cause or presenting an application to a judge.

Beyond the constitutional implications, it should be noted that broad data-storage requirements can make individuals, firms, and even society generally less secure. Data destroyed cannot be misused. Data collected is subject to abuse - and the more data retained, the more available for “bad guys” in or out of the government.

A broad-ranging data-retention regime could threaten national security. As the Center for Democracy and Technology pointed out, “The Internet activity of Members of Congress, law enforcement officials and other government agencies would also get swept up in the proposed retention of Internet data. For instance, data about communications between agencies and undercover operatives would be retained. Retention, given the threat of unauthorized access, thus poses risks to homeland and national security.”

Given this litany of downsides, it should be noted that there is already a “data preservation” law on the books. The 1996 Electronic Communication Transactional Records Act says that firms must “preserve” any relevant data they have yet to delete upon a notice from the federal government that a subpoena may be imminent. With some firms such as Comcast already announcing increased retention of IP information, existing data preservation rules should be more than enough for legitimate, timely law enforcement activities.

The case has not been made for mandated data retention, and it is unlikely that it can be made. A data-retention law wouldn’t protect Americans from bomb-wielding pedophiles. It would just protect them from a more innovative, bigger, cheaper, and more secure Internet.

James Plummer is the research assistant for Information Policy Studies at the Cato Institute in Washington, D.C.. For all previous TechKnowledge articles, visit www.cato.org/tech/tk-index.html.