February 12, 2007

Universal Wiretap
Posted by Jim Macdonald at 03:36 PM * 39 comments

Action: Congress wants to monitor all emails, IMs, etc. (via The Seminal)

First, the proposed law itself, the so-called “SAFETY Act” (for Stopping Adults Facilitating the Exploitation of Today’s Youth Act), H.R. 837, February 6, 2007.


(a) Regulations- Not later than 90 days after the date of the enactment of this section, the Attorney General shall issue regulations governing the retention of records by Internet Service Providers. Such regulations shall, at a minimum, require retention of records, such as the name and address of the subscriber or registered user to whom an Internet Protocol address, user identification or telephone number was assigned, in order to permit compliance with court orders that may require production of such information.

As described here, this proposed law is:

A bill introduced to the US House of Representatives [that] would require ISPs to record all users’ surfing activity, IM conversations and email traffic indefinitely.

The bill, dubbed the Safety Act by sponsor Lamar Smith, a republican congressman from Texas, would impose fines and a prison term of one year on ISPs which failed to keep full records.

In addition to sweeping up and permanently recording all of the conversations and letters of terrorists and kiddie-porn purveyors, this would sweep up everything by everyone else as well — without a warrant, without probable cause, without recourse, without exception, and without reason.

As the folks at Ars Technica point out, there’s no reason to think that law enforcement and private companies will limit themselves to looking for terrorists and pedophiles. The music industry (for example) is also very interested in exactly who goes where and says what to whom on the Internet.

Please, drop over by The Seminal and read their entire post. They’ve got suggestions for what action individuals can take next.

Comments on Universal Wiretap:
#1 ::: Josh Nelson ::: February 12, 2007, 03:53 PM:

Thanks for the link and for bringing this to the attention of your readers!

#2 ::: P J Evans ::: February 12, 2007, 04:05 PM:

Maybe the government should be required to pay for all the storage it would require: disks of whatever kind, paper, mag tapes, the physical space to hold the stuff, the librarians, the database software, the people who will maintain the database...

Do it properly, or don't do it at all. (Personally, I'm voting for not at all: they can get warrants, because that's what warrants are for. If they can't, then they should stop pretending this is a democratic republic and start calling it a monarchy or whatever it is they're trying to make it.)

#3 ::: Nemo ::: February 12, 2007, 04:44 PM:

I know people keep talking about "recording emails and IMs" and so on, but the bill only seems to mention the "name and address" and so on of customers; I interpreted this as an attempt to thwart paedophiles using "free trials" from ISPs, or hopping between dial-up providers every month, and force their (former) ISPs to retain their former customers' records long enough to give the government a chance to subpoena them. Every other industry has data-retention laws, why not IT?

I realize it says "at a minimum", but the expense associated with more complete recording of users' internet activity, not to mention the technical challenges of automagically identifying "exploitative" material, are going to ensure this bill goes nowhere.

Much more worrisome is the reporting requirement, that an ISP tell the government when a customer has the "potential" to access exploitative content. News flash - if you're reading this, you, potentially, have access to kiddie pr0n, and your ISP has "facilitated" this access...

#4 ::: Greg London ::: February 12, 2007, 04:44 PM:

I believe the proper term would be "tyranny of idiots"

#5 ::: Tom S. ::: February 12, 2007, 04:48 PM:

Maybe I'm confused, but I've just read the bill and it does not seem to mandate keeping records of user communications. It requires keeping records of who was using any given IP address, dial-up connection, or user ID. But I don't see how that's the same as keeping copies of the actual messages sent by or to each individual user.

#6 ::: robert west ::: February 12, 2007, 04:51 PM:

I'm not seeing how this law has the effect described.

Section 6 requires ISPs to retain lists of which subscriber is assigned which IP address, so that packets can be traced back to individual subscribers. Most ISPs already maintain such lists, as certain parts of the DMCA are unworkable without them.
Section 6 does not require the packets themselves to be logged, nor does it require ISPs to log which sites are visited (although it also does not prohibit such logging).

Section 3 would appear to make it illegal for an ISP or email service provider to forward packets containing child pornography, however, which would have the effect of requiring them to scan packets and, to some degree, assemble them (e.g., images are going to be broken down into many packets, as are email messages; in order for an ISP to be able to avoid charges of facilitating access to child pornography, it's going to have to be able to reassemble the packets to see what the packets contain). This is technically infeasible, and the provision is likely to be unenforceable.

#7 ::: Mark Gritter ::: February 12, 2007, 04:53 PM:

I think there's a disconnect here between what the law says explicitly must be required, and what it allows the government to require. So I feel that the Seminal (and is being a little bit alarmist about what the bill actually says, but also there is a real issue here.

The bill says that ISPs must, at a minimum, match IP addresses and user names to real people. This is not an unreasonable requirement, in my opinion (though depending on the scope of what an ISP is legally defined to be, the user name side of things may be more difficult.) It's no more of an invasion of privacy than asking your phone company "who was assigned the number 555-1234 on June 23rd, 2005?"

The problem is that the law also gives the DoJ arbitrary authority to require other "records" beyond the minimum. It's clear that some legislators or DoJ people are already thinking of IMs, e-mails, and web access logs. But that doesn't mean the law as implemented would actually require that.

The law as a whole appears to be a mess of minefields... what does it mean to make a financial transaction that facilitates access to child pornography? What does it mean for an email provider to facilitate access to or possession of child pornography? What does it mean for "a provider of electronic communication services or remote computing services" to fail (either knowingly or negligently) to make a report under the Victims of Child Abuse Act?

#8 ::: Zander ::: February 12, 2007, 04:54 PM:

Hmm. I wonder how they'll enforce that across national boundaries.

If they can, no problem. I lived without the web before it existed, I can do it again (since, as a non-American, I certainly can't do anything to stop it).

#9 ::: P J Evans ::: February 12, 2007, 05:13 PM:

What would they do for people using dialup, where the address is different every time you log in? (Sounds like this guy thinks everyone has a fixed address, which ain't so.) And it's still a whole sagan of information to store.

I'm not sure that child porn is the biggest danger on the intertubes, either. It's beginning to sound like the folks who want to 'protect' us are more common.

#10 ::: Nemo ::: February 12, 2007, 05:34 PM:

Dynamic IP assignments have long been logged, both for dial-up users and those assigned IPs by DHCP. It's not too onerous; all you really need is to record the IP, a user ID, and the start and end time of the assignment. Some ISPs routinely keep these logs for a while, to track down abuse; others (British Telecom is one who comes to mind) only keep them for a few days (48 hours, in the case of BT).

#11 ::: Ragnell ::: February 12, 2007, 07:04 PM:

Define "sexually explicit."

I'm no fan of porn, but JAIL? Not even for child pornography. For unlabeled "sexually explicit" material.

Given the wide range of what I've seen described as "sexually explicit" I find THIS the most disturbing aspect.

#12 ::: aphrael ::: February 12, 2007, 08:19 PM:

PJ Evans, Re #9: It seems like it ought to be theoretically possible for an ISP to record that, from time A to time B, it had allocated IP x to client Y. Whether or not that's implemented with the software currently in use, I don't know; but there doesn't seem to me to be any reason why it couldn't work.
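
The lease record that comments #10 and #12 describe (IP, user ID, start and end of the assignment), worked through as an added example that is not part of the original thread or any commenter's code. The `Lease` class, the function names, the addresses and the user IDs are all constructed for illustration; the 48-hour retention in the sample run mirrors the figure quoted for BT in #10.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional


@dataclass(frozen=True)
class Lease:
    """One address assignment: the four fields comment #10 lists."""
    ip: str
    user_id: str
    start: datetime            # all timestamps assumed to be UTC
    end: Optional[datetime]    # None means the lease is still active


def candidates(log: List[Lease], ip: str, at: datetime,
               skew: timedelta = timedelta(0)) -> List[str]:
    """Return every user ID that could have held `ip` at time `at`.

    Leases are half-open intervals [start, end), so a handover at exactly
    time T belongs to the new holder. `skew` widens the query window to
    allow for clock drift between the server that logged the event and
    the DHCP/RADIUS server that logged the lease.
    """
    found = set()
    for lease in log:
        if lease.ip != ip:
            continue
        starts_in_time = lease.start <= at + skew
        still_held = lease.end is None or at - skew < lease.end
        if starts_in_time and still_held:
            found.add(lease.user_id)
    return sorted(found)


def attribute(log, ip, at, skew=timedelta(0)) -> Optional[str]:
    """Name a single subscriber, or None when unknown or ambiguous."""
    users = candidates(log, ip, at, skew)
    return users[0] if len(users) == 1 else None


def purge(log, now, retention):
    """Apply a retention period: drop closed leases that ended before the cutoff."""
    cutoff = now - retention
    return [l for l in log if l.end is None or l.end >= cutoff]


# Constructed sample data (documentation address range, made-up user IDs).
HOUR, MINUTE = timedelta(hours=1), timedelta(minutes=1)
T0 = datetime(2007, 2, 12, 12, 0)
LOG = [
    Lease("192.0.2.10", "sub-1001", T0, T0 + HOUR),
    Lease("192.0.2.10", "sub-1002", T0 + HOUR, T0 + 3 * HOUR),
    Lease("192.0.2.11", "sub-1001", T0 + 2 * HOUR, None),
]

if __name__ == "__main__":
    # Unambiguous: well inside the first lease.
    print(attribute(LOG, "192.0.2.10", T0 + 30 * MINUTE))
    # One minute before a handover, with two minutes of possible clock skew.
    print(attribute(LOG, "192.0.2.10", T0 + 59 * MINUTE, skew=2 * MINUTE))
    # Same first query after a 48-hour retention purge run 50 hours later.
    kept = purge(LOG, now=T0 + 50 * HOUR, retention=48 * HOUR)
    print(attribute(kept, "192.0.2.10", T0 + 30 * MINUTE))
```

A query that falls on a handover within the clock-skew window returns no single name, and once the retention period has passed the earlier lookup cannot be answered at all.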

#13 ::: aphrael ::: February 12, 2007, 08:20 PM:

Mark: I think you're right that the key problem is not what is explicitly required, but rather what is potentially allowed to be required.

It's completely not clear what facilitates access to child pornography under this law. Perhaps that's intentional; more likely, it's because the legislator doesn't understand the technology well enough to understand why it is unclear.

#14 ::: P J Evans ::: February 12, 2007, 09:34 PM:

I think the part that bothers me most is the apparent assumption that if you use the internet, you are doing something illegal. Otherwise, why couldn't they get a normal warrant and do it in the way that they've been doing it up until now? It seems to me that it should be possible to deal with this by using the existing laws, not by adding more (and badly written) laws.

#15 ::: P J Evans ::: February 12, 2007, 09:37 PM:

And yes, there are people in Texas who are so narrow-minded and so ignorant of the Internet that they think that the only reason to use it is to access porn or something else that offends them.

#16 ::: Zeborah ::: February 13, 2007, 01:14 AM:

If they did require retention of all emails, the sheer weight of all that spam would break the interweb in very short order.

#17 ::: Chris ::: February 13, 2007, 01:34 AM:

I think the law is designed so that it cannot be completely complied with.

For example, ISPs would not only have to reassemble the packets, but then determine whether or not they contain child porn - a determination that obviously cannot be made by computer even for unencrypted data - all *before* passing them on to the user (since otherwise they would have "facilitated" the user's conduct before they knew what it was). Goodbye to streaming audio/video, VoIP, the web, online gaming, and pretty much anything that expects a turnaround time faster than email or Usenet. Without allowing ISPs to presume content innocent until they have actual knowledge that it isn't, full compliance would essentially destroy the Internet in its present form - at least within the US.

This allows it to be selectively enforced as a tool of intimidation. "What, you don't have complete records of every bit sent to or from every one of your subscribers for as long as you have existed, together with the name and social security number of every person who was using that account at the time? Well, I guess you better give us the information we want/stop publishing that opposition blogger/etc. and we'll agree to overlook your clear violation of the SAFETY Act."

On top of that, it won't work. You can't stop the signal, whether the signal is subversive political messages or child porn. This is clearly a good thing in the former case, perhaps not so much in the latter, but it's true anyway. Any surveillance system constructed by humans can be circumvented by humans. The Catholic Church had a practical monopoly on writing for centuries and the Codex Burana still got written and - I believe - circulated. (Come to think of it, by a sufficiently aggressive definition, the Codex Burana *is* child porn. Being from the Middle Ages, it's very likely that some of the participants described are under 18 - or would have been if they existed.)

Besides, does anyone really believe that the future of Western civilization is mortally threatened by Harry Potter slash fanfic? "Child porn" has long been a category so overbroad as to be practically useless, and even if it were sensibly redefined, pursuing it is still pointless. Child abuse - whether or not it is videotaped - is of course a legitimate target for law enforcement, but "child porn" is pursued only because it's an easy target, not because any actual children could ever benefit from targeting it.

#18 ::: Meg Thornton ::: February 13, 2007, 02:06 AM:

Okay, having read the silly thing, here are my thoughts:

1) It's a stupid title for an Act of Congress - have they thought of avoiding acronyms? My guess is they had the title, and needed an act to go with it.
2) It needs one hell of a lot of work done in defining terms. In particular, they have to define "knowingly" - what kind of or level of knowledge are they implying here?
3) It needs to have all of the fines written in there. As someone once said, corporations have neither bodies to be imprisoned, nor souls to be damned, and the majority of ISPs are corporate bodies. Therefore imprisonment isn't likely to work. So make the fines big, make them a percentage of gross earnings before tax, and make them enforceable. I'm not sure whether personal liability as an employee is covered under US law, but if it isn't, make certain a company can't shell the responsibility for "facilitating" transactions or communications to its employees to avoid the fines.
4) "Such regulations shall, at a minimum, require retention of records, such as the name and address of the subscriber or registered user to whom an Internet Protocol address, user identification or telephone number was assigned, in order to permit compliance with court orders that may require production of such information" - this is presumably the bit everyone's getting so fired up about. Looks as though the critical phrase is "at a minimum" - and the actual requirements shall be made by the Attorney General, which presumably allows a *lot* of leeway to someone who, if I remember correctly, is in the executive branch of government. To tighten things up, they're better off putting the requirements for reporting into the actual act itself; that way any changes need to be approved by Congress.
5) Section 10 needs a definition of "commercial" as well.
6) The whole "marking sexually explicit material" area raises questions of national boundaries, rather like the current Australian prohibitions on hosting X-rated material on Australian webservers. What that means is that web pornography aimed at Australians is generally hosted in Indonesia, Singapore or Malaysia, even though the company which is getting the cash is an Australian one. The US may wind up with a similar movement of material.
7) I note that the "Prescription of Marks and Notices" section doesn't yet say *where* on the page the marks have to be. I can foresee a lot of these services carefully including them... at the bottom of the page. Sort of a "Hi, just in case you hadn't become aware by the time you got here, this page includes sexually explicit content!"
8) Nowhere in this bill does it say who is allowed to have access to the records, or who isn't. So, for example, if you get a list of IP addresses matched to physical people, might you not also get commercial bodies (such as retailers, salespersons and so forth) matching the IPs which visited their site on a particular date to the information provided by the ISPs in question (it wouldn't even need to be all ISPs - just the two or three biggest) and using it to pull out names and addresses? I'm sure the rest of the contributors to this forum are well and truly capable of coming up with other examples which might or might not be more sinister.

I think there are some other questions which need to be asked as well, mostly about the nature of the threat this act is purportedly targeting. Colour me curious (and colour me callous as well) but how many children or teens are actually harmed by internet paedophiles each year? Is it greater than or lesser than the number killed in road accidents, or harmed by lack of medical services to their communities? Is it more of a threat to life and limb than poor education, poor nutrition and poverty in general? Is the response proportional to the threat?

NB: I am *not* saying that internet paedophiles are not a threat. They are, and they do need to be discouraged.

#19 ::: Nemo ::: February 13, 2007, 02:27 AM:

There are some dubious (and badly-organized) statistics on this page; I guess it all comes down to how you define "harmed"...

#20 ::: Meg Thornton ::: February 13, 2007, 03:41 AM:

Nemo @19 -

Given that the stats are on a page for a "porn blocking" program, I'm inclined to take them with the minimum of at least one pinch of salt. For a start, there's the great "definition" problem involved in most of those headlines ("Approximately 40 million people in the United States are sexually involved with the Internet" - what the heck does this mean?[1]). Secondly, there aren't any links to the actual items and articles, which makes me think this person doesn't want their readers to do the actual research and find out they have something of a non-issue on their hands.

Of course, reading down the list is still good for a giggle ("For every 10 men in church, 5 are struggling with pornography" - Are they having problems working out the plumbing? Or maybe they need instructions on how to open a centrefold? Or is it video pr0n, and they're having problems with the VCR? Either way, this is clearly something which needs investigation).

Now, if you'll excuse me, I need to have a glass of water and find the brain bleach.

[1] I hope it doesn't mean the obvious, although it does give rise to some rather giggle-worthy images.

#21 ::: Nemo ::: February 13, 2007, 12:36 PM:

Yeah, I did qualify them as "dubious", which may have been an understatement, but I have great faith in the critical thinking skills of Teresa's readers. :)

#22 ::: P J Evans ::: February 13, 2007, 01:01 PM:

Not to mention that people promoting porn-blocking software have a great incentive to make the problem look Really Big, in order to make more money themselves. (Yes, porn is a problem. It was a problem when VCRs came out, too. I'd be willing to bet that it's a major factor in DVD sales, also. It will be a problem when 3D displays become practical. Should we therefore restrict the technology, to keep the narrow-minded folk from being offended?)

#23 ::: JESR ::: February 13, 2007, 01:17 PM:

Every time I read something like this, my first thought is that the people who wrote it have no idea of the magnitude of what they're suggesting. It amounts to trying to find a needle in a haystack by redefining "needle" and adding infinitely more hay.

#24 ::: Jo Walton ::: February 13, 2007, 01:57 PM:

What about the First Amendment?

#25 ::: Sisuile ::: February 13, 2007, 05:04 PM:

Jo, where have you been? We lost the first amendment in this country years ago!*

Seriously, this bill worries me, but we'll see how far it gets before I start hammering on my Rep.'s door. I'm hoping it dies in committee.

*or, at least it occasionally seems that way. What I find saddest is even with the erosion of our rights, we're still a more free country than most.

#26 ::: aphrael ::: February 13, 2007, 05:16 PM:

Jo: there's precedent for the notion that child pornography is not protected by the first amendment, and that a law drawn narrowly, such that it is exclusively about child pornography, would be approved by the courts.

It's far from clear that this law is sufficiently narrow, however. It purports to be sufficiently narrow, but in practice the implementation couldn't possibly be.

#27 ::: P J Evans ::: February 13, 2007, 05:35 PM:

I still think that search warrants in order to tap phones or whatever should be sufficient; wholesale information collection is complete overkill (isn't that the point of requiring warrants?). (I like JESR's way of putting it, back upthread: they'll redefine 'needle' and add more hay to the stack.)

#28 ::: Alex ::: February 14, 2007, 04:41 AM:

May I simply suggest that any piece of legislation whose title has been chosen purely in order to make a good acronym is evil?

#29 ::: JohnD ::: February 14, 2007, 09:34 AM:

Why not cut out the middleman? I, for one, will begin voluntarily forwarding all my spam straight to Congress immediately.

#30 ::: Faren Miller ::: February 14, 2007, 10:00 AM:

I bought the March issue of Vanity Fair mainly as a way to kill time, laugh at bad fashions, and check out the article on noir, but it turns out to include a surprising amount of non-fluff. One particularly interesting piece, on the highly sinister government contractor SAIC, begins a section on the company's worst failures with accounts of intelligence-gathering programs intended for the N.S.A. and F.B.I. Since they involved the wholesale gathering of info from telephone calls and the Internet, these programs -- *if they'd worked* -- might have prevented 9/11, but they also have massive potential for abuse. Ultimately, both were botched and useless.

As others have pointed out above, wholesale spying and info-sharing among agencies is extremely difficult to pull off. ("Add more hay" indeed!) And if a big, powerful entity like this one can't pull it off, maybe there's some hope. On the other hand, they're about to try it again with a program called ExecuteLocus (see VF, page 346) -- a monicker that should have Charles N. Brown fuming!!

#31 ::: Marilee ::: February 14, 2007, 07:43 PM:

Faren, I disclose I'm technically on long-term disability from SAIC. The problem with programs like that is that the government entity keeps changing what they want while the design is being done. This is why the FBI file-sharing program doesn't work, and the FBI admits it. If they'd stick to the original contract design, things would work.

I worked there for three years and didn't see anything sinister.

#32 ::: Faren Miller ::: February 15, 2007, 09:09 AM:

Marilee: I didn't mean to offend, and I'm sure SAIC has some fine and competent employees. It's the people who lead it -- and keep moving in and out of the US government, granting their company the equivalent of vast pork barrel projects both here and overseas -- who worry me, especially given their ties to the current administration. I'd cite that article, but I loaned the magazine to my Mom. (Has anyone else here seen it?)

#33 ::: ajay ::: February 15, 2007, 09:32 AM:

"Approximately 40 million people in the United States are sexually involved with the Internet" - what the heck does this mean?

Wow, he was right. It really is a series of tubes.

#34 ::: Marilee ::: February 15, 2007, 08:12 PM:

It's online.

Let's see -- it talks about all the federal contracts. That's true, but more than half of them are non-defense contracts. SAIC has a lot of energy and conservation contracts. They also have a lot of state, local, and private contracts.

Second, they make a big deal of the original name, except the original name was Science Applications, Inc. It was that when I joined in 1983 and before 1986 became Science Applications International Corporation, Inc. It's never been Science Applications International Corporation, which is what they list.

Okay, I didn't know the employee-owned company started as stock options to the board, but that only lasted eight years. They admit that all defense contractors get employees from government (all the guys who worked for me came from the Navy). (Unfortunately, I had to sell all my stock to pay for getting sick. I'd be wealthy now if I hadn't had to.) I don't see a greater amount of people coming from government than other companies. And other companies are in the WashPost weekly for violating the one-year rule.

As to Beyster being against women, I dunno. I called him Bob on the one hand, and on the other hand, I was the first professional woman in that division. On the gripping hand, I was the first professional woman in the company in the first two companies I worked for.

I can't say anything about the Iraq war since I've been on long-term disability (and debriefed) since 1986.

If they mischarged, they did it elsewhere or after I was there -- I had to account for every six minutes of my time.

I'm not seeing anything that doesn't happen to other defense corporations. I don't see it as sinister. I have said repeatedly that if I suddenly got well again, I wouldn't go back to work on war projects, but that's my personal choice. The Tomahawk missiles weren't supposed to actually be used when I worked on them.

I think if they looked at other large defense contractors, they'd find similar situations. That doesn't particularly excuse SAIC, but they're trying to set it aside as more than others and I don't think that's accurate.

#35 ::: Faren Miller ::: February 16, 2007, 10:18 AM:

Marilee: Thanks for the info. Things may have gotten more crony-ish and messy there during the Bush years (which would be very appropriate!), but then *all* government contractors tend to make me nervous -- it's that "military-industrial" thing, in its latest incarnation. Still, Vanity Fair may have been scare-mongering just to make itself seem "politically aware."

#36 ::: Marilee ::: February 16, 2007, 04:28 PM:

In my 10th grade yearbook, the guy I had a really big crush on wrote "I hope you and your military-industrial complex move soon." I *think* he was partially kidding.

#37 ::: albatross ::: February 17, 2007, 09:23 AM:

Wouldn't part of the goal here be to make it illegal to provide strong anonymizing services to internet users? And one effect of that is to make it relatively easy to link what you say with who you are on the net. This makes some law enforcement easier, and also makes it easier to retaliate against whistleblowers, monitor leaks to journalists, and punish people who take the wrong political stands in public.

Oh, but wait. The Democrats are in control of congress now. So we're safe from this kind of intrusive police-state crap for now, right? Right?

Just like we were safe from the CDA, DMCA, and Clipper.

#38 ::: Paul McGillivary ::: February 18, 2007, 06:55 PM:

regardless of intent, it makes me nervous. makes me want to anonymize all my traffic.

#39 ::: J-Ro ::: February 23, 2007, 12:06 PM:


I think you're right here. If the DoJ decided they need to log more stuff, or decided they couldn't get accurate info just by IP addresses, anonymizing software could be made illegal in trying to enforce this law. How they would "make it illegal" is a good question, seeing as we've done a bang-up job stopping peer-to-peer software, adware, spyware, and viruses, but it is something to keep in mind.

I don't want to be treated like a criminal and watched every time I use the Internet.

