Data Retention: Costly Outsourced Surveillance


The Justice Department has been beating the drums since lastspring for a "data retention" law that would require Internetservice providers to warehouse records of their customers' onlineactivity for the convenience of government investigators. Mostrecently, FBI Director Robert Mueller called for such a measure ata law-enforcement convention last October. But the idea has foundvocal proponents on both sides of the aisle. Data retention mayrear its head again in the 110th Congress.

The blitz started when Attorney General Alberto Gonzales and hisDepartment of Justice initiated a series of meetings with telecomindustry executives and others about the possibility of mandateddata retention. DOJ officials, raising the reliable specter ofpedophiles and terrorists, were very vague about what kind oflegislation they might seek. The possibilities range from merelykeeping track of which Internet Protocol (IP) numbers are assignedto which users on which days, to keeping logs of all websitesvisited, header information of emails, instant messagetransmissions, and so on. If data retention proponents don't haveall this content on their wish lists now, they may soon.

The floor for such a measure may have been set in a bill introduced last year by Democrat Rep.Diana Degette (D-CO) which required retention of user IP addressesfor at least a year (with authority for DOJ to make the length oftime longer).

The EU passed data retention rules in February 2006 which haveyet to be fully interpreted by its bureaucrats and member states orenforced by police agencies. But it was widely assumed that such aregime was beyond the ken of serious American consideration. Thispresumption was largely due to America's stronger tradition ofprotecting privacy from government and the costs - the burden onInternet infrastructure - that would come with retaining so muchinformation about the activities of so many Internet users.

Calculating the economic costs is not an easy task. Telecomfirms have been holding those figures close to their vests, perhapsto avoid being seen as taking sides and alienating federal lawenforcement officials. We do have some clues, though. Microsoft has said that data retention may threatenthe future of low/no-cost Internet service.

From the EU experience, we learn that Finland's Minister of theInterior estimated the earliest and most broad-ranging of the EUproposals would cost that nation 5.5 billion euros. The Czech Republicfound that it would have to reimburse telecom firms almost 11million euros for just six months of enforcement activity of thatsmall country's more modest data retention law.

Of course, no data-retention regime currently underconsideration in America contemplates reimbursing firms for thecosts of compliance - much of which is passed on to consumers inthe form of higher bills. Of course, reimbursement would pass thecosts along in the form of taxes. But cost is not measured merelyin dollars and cents. Larger firms can better absorb costs for suchregulations than smaller and less-established firms, raisingbarriers to entry and pricing smaller firms out of the market. Thatmeans less choice for the consumer and less innovation in themarketplace as a whole.

These kinds of requirements hinder not only new competitors butinnovation within established firms as well. Data-retentionregulations would not only make it costlier to add new hardware toexisting systems, but also make it much harder to design andimplement new methods for dealing with ever-increasing traffic.Those yet-to-be-discovered, innovative, nimble designs needed for agrowing Internet are threatened if the state requires bit after bitafter bit to be routed through devices that copy and save.

Beyond costs, there is the matter of the Fourth Amendment andits protections against unreasonable search and seizure. Bymandating data retention, the federal government would essentiallymake ISPs act as its agents - and engage in surveillance withoutsuspicion or a warrant.

In their normal course of business, ISPs keep some records anddestroy others. These practices are hemmed in by cost, businessneeds, and consumer demand for privacy. Government-mandated dataretention would change this as they engage in a subtly hidden formof search and seizure. This data is not something that would beavailable to investigators absent the blanket requirement thatprivate firms store it first. "Data retention" laws wouldessentially outsource the surveillance without the bother ofprobable cause or presenting an application to a judge.

Beyond the constitutional implications, it should be noted thatbroad data-storage requirements can make individuals, firms, andeven society generally less secure. Data destroyed cannot bemisused. Data collected is subject to abuse - and the more dataretained, the more available for "bad guys" in or out of thegovernment.

A broad-ranging data-retention regime could threaten nationalsecurity. As the Center for Democracy and Technology pointed out, "The Internet activity of Members ofCongress, law enforcement officials and other government agencieswould also get swept up in the proposed retention of Internet data.For instance, data about communications between agencies andundercover operatives would be retained. Retention, given thethreat of unauthorized access, thus poses risks to homeland andnational security."

Given this litany of downsides, it should be noted that there isalready a "data preservation" law on the books. The 1996 ElectronicCommunication Transactional Records Act says that firms must"preserve" any relevant data they have yet to delete upon a noticefrom the federal government that a subpoena may be imminent. Withsome firms such as Comcast already announcing increased retentionof IP information, existing data preservation rules should be morethan enough for legitimate, timely law enforcement activities.

The case has not been made for mandated data retention, and itis unlikely that it can be made. A data-retention law wouldn'tprotect Americans from bomb-wielding pedophiles. It would justprotect them from a more innovative, bigger, cheaper, and moresecure Internet.