[10898] in cryptography@c2.net mail archive
Re: DOJ proposes US data-rentention law.
daemon@ATHENA.MIT.EDU (Steven M. Bellovin)
Fri Jun 21 00:10:03 2002
From: "Steven M. Bellovin" <smb@research.att.com>
To: koontz@ariolimax.com
Cc: "Trei, Peter" <ptrei@rsasecurity.com>,
"'cryptography@wasabisystems.com'" <cryptography@wasabisystems.com>,
"'cypherpunks@lne.com'" <cypherpunks@lne.com>
Date: Thu, 20 Jun 2002 15:19:08 -0400
In message <3D11ED40.9040403@ariolimax.com>, "David G. Koontz" writes:
>Trei, Peter wrote:
>> - start quote -
>>
>> Cyber Security Plan Contemplates U.S. Data Retention Law
>> http://online.securityfocus.com/news/486
>>
>> Internet service providers may be forced into wholesale spying
>> on their customers as part of the White House's strategy for
>> securing cyberspace.
>>
>> By Kevin Poulsen, Jun 18 2002 3:46PM
>>
>> An early draft of the White House's National Strategy to Secure
>> Cyberspace envisions the same kind of mandatory customer data
>> collection and retention by U.S. Internet service providers as was
>> recently enacted in Europe, according to sources who have reviewed
>> portions of the plan.
>>
...
>
>If the U.S. wasn't in an undeclared 'war', this would be considered
>an unfunded mandate. Does anyone realize the cost involved? Think
>of all the spam that needs to be recorded for posterity. ISPs don't
>currently record the type of information that this is talking about.
>What customer data backup is being performed by ISPs is by and large
>done by disk mirroring and is not kept permanently.
This isn't clear. The proposals I've seen call for recording "transaction
data" -- i.e., the SMTP "envelope" information, plus maybe the From:
line. It does not call for retention of content.
Apart from practicality, there are constitutional issues. Envelope
data is "given" to the ISP in typical client/server email scenarios,
while content is end-to-end, in that it's not processed by the ISP. A
different type of warrant is therefore needed to retrieve the latter.
The former falls under the "pen register" law (as amended by the
Patriot Act), and requires a really cheap warrant. Email content is
considered a full-fledged wiretap, and requires a hard-to-get court
order, with lots of notice requirements, etc. Mandating that a third
party record email in this situation, in the absence of a pre-existing
warrant citing probable cause, would be very chancy. I don't think
even the current Supreme Court would buy it.
--Steve Bellovin, http://www.research.att.com/~smb (me)
http://www.wilyhacker.com ("Firewalls" book)
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@wasabisystems.com
