Thanks for the link and for bringing this to the attention of your readers!

Maybe the government should be required to pay for all the storage it would require: disks of whatever kind, paper, mag tapes, the physical space to hold the stuff, the librarians, the database software, the people who will maintain the database... .

Do it properly, or don't do it at all. (Personally, I'm voting for not at all: they can get warrants, because that's what warrants are for. If they can't, then they should stop pretending this is a democratic republic and start calling it a monarchy or whatever it is they're trying to make it.

I know people keep talking about "recording emails and IMs" and so on, but the bill only seems to mention the "name and address" and so on of customers; I interpreted this as an attempt to thwart paedophiles using "free trials" from ISPs, or hopping between dial-up providers every month, and force their (former) ISPs to retain their former customers' records long enough to give the government a chance to subpoena them. Every other industry has data-retention laws, why not IT?

I realize it says "at a minimum", but the expense associated with more complete recording of users' internet activitiy, not to mention the technical challenges of automagically identifying "exploitative" material, are going to ensure this bill goes nowhere.

Much more worrisome is the reporting requirement, that an ISP tell the government when a customer has the "potential" to access exploitative content. News flash - if you're reading this, you, potentially, have access to kiddie pr0n, and your ISP has "facilitated" this access...

I believe the proper term would be "tyranny of idiots"

Maybe I'm confused, but I've just read the bill and it does not seem to mandate keeping records of user communications. It requires keeping records of who was using any given IP address, dial-up connection, or user ID. But I don't see how that's the same as keeping copies of the actual messages sent by to to each individual user.

I'm not seeing how this law has the effect described.

Section 6 requires ISP to retain lists of which subscriber is assigned which IP address, so that packets can be traced back to individual subscribers. Most ISPs already maintain such lists, as certain parts of the DMCA are unworkable without them.
Section 6 does not require the packets themselves to be logged, nor does it require ISPs to log which sites are visited (although it also does not prohibit such logging).

Section 3 would appear to make it illegal for an ISP or email service provider to forward packets containing child pornography, however, which would have the effect of requiring them to scan packets and, to some degree, assemble them (eg, images are going to be broken down into many packets, as are email messages; in order for an ISP to be able to avoid charges of facilitating access to child pornography, it's going to have to be able to reassemble the packets to see what the packets contain. This is technically infeasible, and the provision is likely to be unenforceable.

I think there's a disconnect here between what the law says explicitly must be required, and what it allows the government to require. So I feel that the Seminal (and vnunet.com) is being a little bit alarmist about what the bill actually says, but also there is a real issue here.

The bill says that ISPs must, at a minimum, match IP addresses and user names to real people. This is not an unreasonable requirement, in my opinion (though depending on the scope of what an ISP is legally defined to be, the user name side of things may be more difficult.) It's no more of an invasion of privacy than asking your phone company "who was assigned the number 555-1234 on June 23rd, 2005?"

The problem is that the law also gives the DoJ arbitrary authority to require other "records" beyond the minimum. It's clear that some legislators or DoJ people are already thinking of IMs, e-mails, and web access logs. But that doesn't mean the law as implemented would actually require that.

The law as a whole appears to be a mess of minefields... what does it mean to make a financial transaction that facilitates access to child pornography? What does it mean for an email provider to facilitate access to or possession of child pornography? What does it mean for "a provider of electronic communication services or remote computing services" to fail (either knowingly or negligently) to make a report under the Victims of Child Abuse Act?

Hmm. I wonder how they'll enforce that across national boundaries.

If they can, no problem. I lived without the web before it existed, I can do it again (since, as a non-American, I certainly can't do anything to stop it).

What would they do for people using dialup, where the address is different every time you log in? (Sounds like this guy thinks everyone has a fixed address, which ain't so.) And it's still a whole sagan of information to store.

I'm not sure that child porn is the biggest danger on the intertubes, either. It's beginning to sound like the folks who want to 'protect' us are more common.

Dynamic IP assignments have long been logged, both for dial-up users and those assigned IPs by DHCP. It's not too onerous; all you really need is to record the IP, an user ID, and the start and end time of the assignment. Some ISPs routinely keep these logs for a while, to track down abuse; others (British Telecom is one who comes to mind) only keep them for a few days (48 hours, in the case of BT).

Define "sexually explicit."

I'm no fan of porn, but JAIL? Not even for child pornography. For unlabeled "sexually explicit" material.

Given the wide range of what I've seen described as "sexually explicit" I find THIS the most disturbing aspect.

PJ Evans, Re #9: It seems like it ought to be theoretically possible for an ISP to record that, from time A to time B, it had allocated IP x to client Y. Whether or not that's implemented with the software currently in use, I don't know; but there doesn't seem to me to be any reason why it couldn't work.

Mark: I think you're right that the key problem is not what is explicitly required, but rather what is potentially allowed to be required.

It's completely not clear what facilitates access to child pornography under this law. Perhaps that's intentional; more likely, it's because the legislator doesn't understand the technology well enough to understand why it is unclear.

I think the part that bothers me most is the apparent assumption that if you use the internet, you are doing something illegal. Otherwise, why couldn't they get a normal warrant and do it in the way that they've been doing it up until now? It seems to me that it should be possible to deal with this by using the existing laws, not by adding more (and badly written) laws.

And yes, there are people in Texas who are so narrow-minded and so ignorant of the Internet that they think that the only reason to use it is to access porn or something else that offends them.

If they did require retention of all emails, the sheer weight of all that spam would break the interweb in very short order.

I think the law is designed so that it cannot be completely complied with.

For example, ISPs would not only have to reassemble the packets, but then determine whether or not they contain child porn - a determination that obviously cannot be made by computer even for unencrypted data - all *before* passing them on to the user (since otherwise they would have "facilitated" the user's conduct before they knew what it was). Goodbye to streaming audio/video, VoIP, the web, online gaming, and pretty much anything that expects a turnaround time faster than email or Usenet. Without allowing ISPs to presume content innocent until they have actual knowledge that it isn't, full compliance would essentially destroy the Internet in its present form - at least within the US.

This allows it to be selectively enforced as a tool of intimidation. "What, you don't have complete records of every bit sent to or from every one of your subscribers for as long as you have existed, together with the name and social security number of every person who was using that account at the time? Well, I guess you better give us the information we want/stop publishing that opposition blogger/etc. and we'll agree to overlook your clear violation of the SAFETY Act."

On top of that, it won't work. You can't stop the signal, whether the signal is subversive political messages or child porn. This is clearly a good thing in the former case, perhaps not so much in the latter, but it's true anyway. Any surveillance system constructed by humans can be circumvented by humans. The Catholic Church had a practical monopoly on writing for centuries and the Codex Burana still got written and - I believe - circulated. (Come to think of it, by a sufficiently aggressive definition, the Codex Burana *is* child porn. Being from the Middle Ages, it's very likely that some of the participants described are under 18 - or would have been if they existed.)

Besides, does anyone really believe that the future of Western civilization is mortally threatened by Harry Potter slash fanfic? "Child porn" has long been a category so overbroad as to be practically useless, and even if it were sensibly redefined, pursuing it is still pointless. Child abuse - whether or not it is videotaped - is of course a legitimate target for law enforcement, but "child porn" is pursued only because it's an easy target, not because any actual children could ever benefit from targeting it.

Okay, having read the silly thing, here are my thoughts:

1) It's a stupid title for an Act of Congress - have they thought of avoiding acronyms? My guess is they had the title, and needed an act to go with it.
2) It needs one hell of a lot of work done in defining terms. In particular, they have to define "knowingly" - what kind of or level of knowledge are they implying here?
3) It needs to have all of the fines written in there. As someone once said, corporations have neither bodies to be imprisoned, nor souls to be damned, and the majority of ISPs are corporate bodies. Therefore imprisonment isn't likely to work. So make the fines big, make them a percentage of gross earnings before tax, and make them enforceable. I'm not sure whether personal liability as an employee is covered under US law, but if it isn't, make certain a company can't shell the responsibility for "facilitating" transactions or communications to its employees to avoid the fines.
4) "Such regulations shall, at a minimum, require retention of records, such as the name and address of the subscriber or registered user to whom an Internet Protocol address, user identification or telephone number was assigned, in order to permit compliance with court orders that may require production of such information" - this is presumably the bit everyone's getting so fired up about. Looks as though the critical phrase is "at a minimum" - and the actual requirements shall be made by the Attorney General, which presumably allows a *lot* of leeway to someone who, if I remember correctly, is in the executive branch of government. To tighten things up, they're better off putting the requirements for reporting into the actual act itself; that way any changes need to be approved by Congress.
5) Section 10 needs a definition of "commercial" as well.
6) The whole "marking sexually explicit material" area raises questions of national boundaries, rather like the current Australian prohibitions on hosting X-rated material on Australian webservers. What that means is that web pornography aimed at Australians is generally hosted in Indonesia, Singapore or Malaysia, even though the company which is getting the cash is an Australian one. The US may wind up with a similar movement of material.
7) I note that the "Prescription of Marks and Notices" section doesn't yet say *where* on the page the marks have to be. I can forsee a lot of these services carefully including them... at the bottom of the page. Sort of a "Hi, just in case you hadn't become aware by the time you got here, this page includes sexually explicit content!"
8) Nowhere in this bill does it say who is allowed to have access to the records, or who isn't. So, for example, if you get a list of IP addresses matched to physical people, might you not also get commercial bodies (such as retailers, salespersons and soforth) matching the IPs which visited their site on a particular date to the information provided by the ISPs in question (it wouldn't even need to be all ISPs - just the two or three biggest) and using it to pull out names and addresses. I'm sure the rest of the contributors to this forum are well and truly capable of coming up with other examples which might or might not be more sinister.

I think there are some other questions which need to be asked as well, mostly about the nature of the threat this act is purportedly targetting. Colour me curious (and colour me callous as well) but how many children or teens are actually harmed by internet paedophiles each year? Is it greater than or lesser than the number killed in road accidents, or harmed by lack of medical services to their communities? Is it more of a threat to life and limb than poor education, poor nutrition and poverty in general? Is the response proportional to the threat?

NB: I am *not* saying that internet paedophiles are not a threat. They are, and they do need to be discouraged.

There are some dubious (and badly-organized) statistics on this page; I guess it all comes down to how you define "harmed"...

Nemo @19 -

Given that the stats are on a page for a "porn blocking" program, I'm inclined to take them with the minimum of at least one pinch of salt. For a start, there's the great "definition" problem involved in most of those headlines ("Approximately 40 million people in the United States are sexually involved with the Internet" - what the heck does this mean?[1]). Secondly, there aren't any links to the actual items and articles, which makes me think this person doesn't want their readers to do the actual research and find out they have something of a non-issue on their hands.

Of course, reading down the list is still good for a giggle ("For every 10 men in church, 5 are struggling with pornography" - Are they having problems working out the plumbing? Or maybe they need instructions on how to open a centrefold? Or is it video pr0n, and they're having problems with the VCR? Either way, this is clearly something which needs investigation).

Now, if you'll excuse me, I need to have a glass of water and find the brain bleach.

[1] I hope it doesn't mean the obvious, although it does give rise to some rather giggle-worthy images.

Yeah, I did qualify them as "dubious", which may have been an understatement, but I have great faith in the critical thinking skills of Teresa's readers. :)

Not to mention that people promoting porn-blocking software have a great incentive to make the problem look Really Big, in order to make more money themselves. (Yes, porn is a problem. It was a problem when VCRs came out, too. I'd be willing to be that it's a major factor in DVD sales, also. It will be a problem when 3D displays become practical. Should we therefore restrict the technology, to keep the narrow-minded folk from being offended?)

Every time I read something like this, my first thought is that the people who wrote it have no idea of the magnitude of what they're suggesting. It amounts to trying to find a needle in a haystack by redefining "needle" and adding infinitely more hay.

What about the First Amendment?

Jo, where have you been? We lost the first amendment in this country years ago!*

Seriously, this bill worries me, but we'll see how far it gets before I start hammering on my Rep.'s door. I'm hoping it dies in committee.

*or, at least it occationally seems that way. What I find saddest is even with the erosion of our rights, we're still a more free country than most.

Jo: there's precedent for the notion that child pornography is not protected by the first amendment, and that a law drawn narrowly, such that it is exclusively about child pornography, would be approved by the courts.

It's far from clear that this law is sufficiently narrow, however. It purports to be sufficiently narrow, but in practice the implementation couldn't possibly be.

I still think that search warrants in order to tap phones or whatever should be sufficient; wholesale information collection is complete overkill (isn't that the point of requiring warrants?). (I like JESR's way of putting it, back upthread: they'll redefine 'needle' and add more hay to the stack.)

May I simply suggest that any piece of legislation whose title has been chosen purely in order to make a good acronym is evil?

Why not cut out the middleman? I, for one, will begin voluntarily forwarding all my spam straight to Congress immediately.

I bought the March issue of Vanity Fair mainly as a way to kill time, laugh at bad fashions, and check out the article on noir, but it turns out to include a surprising amount of non-fluff. One particularly interesting piece, on the highly sinister government contractor SAIC, begins a section on the company's worst failures with accounts of intelligence-gathering programs intended for the N.S.A. and F.B.I. Since they involved the wholesale gathering of info from telephone calls and the Internet, these programs -- *if they'd worked* -- might have prevented 9/11, but they also have massive potential for abuse. Ultimately, both were botched and useless.

As others have pointed out above, wholesale spying and info-sharing among agencies is extremely difficult to pull off. ("Add more hay" indeed!) And if a big, powerful entity like this one can't pull it off, maybe there's some hope. On the other hand, they're about to try it again with a program called ExecuteLocus (see VF, page 346) -- a monicker that should have Charles N. Brown fuming!!

Faren, I disclose I'm technically on long-term disability from SAIC. The problem with programs like that is that the government entity keeps changing what they want while the design is being done. This is why the FBI file-sharing program doesn't work, and the FBI admits it. If they'd stick to the original contract design, things would work.

I worked there for three years and didn't see anything sinister.

Marilee: I didn't mean to offend, and I'm sure SAIC has some fine and competent employees. It's the people who lead it -- and keep moving in and out of the US government, granting their company the equivalent of vast pork barrel projects both here and overseas -- who worry me, especially given their ties to the current administration. I'd cite that article, but I loaned the magazine to my Mom. (Has anyone else here seen it?)

Approximately 40 million people in the United States are sexually involved with the Internet" - what the heck does this mean?

Wow, he was right. It really is a series of tubes.

It's online.

Let's see -- it talks about all the federal contracts. That's true, but more than half of them are non-defense contracts. SAIC has a lot of energy and conservation contracts. They also have a lot of state, local, and private contracts.

Second, they make a big deal of the original name, except the original name was Science Applications, Inc. It was that when I joined in 1983 and before 1986 became Science Applications International Corporation, Inc. It's never been Science Applications International Corporation, which is what they list.

Okay, I didn't know the employee-owned company started as stock options to the board, but that only lasted eight years. They admit that all defense contractors get employees from government (all the guys who worked for me came from the Navy). (Unfortunately, I had to sell all my stock to pay for getting sick. I'd be wealthy now if I hadn't had to.) I don't see a greater amount of people coming from government than other companies. And other companies are in the WashPost weekly for violating the one-year rule.

As to Beyster being against women, I dunno. I called him Bob on the one hand, and on the other hand, I was the first professional woman in that division. On the gripping hand, I was the first professional woman in the company in the first two companies I worked for.

I can't say anything about the Iraq war since I've been on long-term disability (and debriefed) since 1986.

If they mischarged, they did it elsewhere or after I was there -- I had to account for every six minutes of my time.

I'm not seeing anything that doesn't happen to other defense corporations. I don't see it as sinister. I have said repeatedly that if I suddenly got well again, I wouldn't go back to work on war projects, but that's my personal choice. The Tomahawk missiles weren't supposed to actually be used when I worked on them.

I think if they looked at other large defense contractors, they'd find similar situations. That doesn't particularly excuse SAIC, but they're trying to set it aside as more than others and I don't think that's accurate.

Marilee: Thanks for the info. Things may have gotten more crony-ish and messy there during the Bush years (which would be very appropriate!), but then *all* government contractors tend to make me nervous -- it's that "military-industrial" thing, in its latest incarnation. Still, Vanity Fair may have been scare-mongering just to make itself seem "politically aware."

In my 10th grade yearbook, the guy I had a really big crush on wrote "I hope you and your military-industrial complex move soon." I *think* he was partially kidding.

Wouldn't part of the goal here be to make it illegal to provide strong anonymizing services to internet users? And one effect of that is to make it relatively easy to link what you say with who you are on the net. This makes some law enforcement easier, and also makes it easier to retaliate against whistleblowers, monitor leaks to journalists, and punish people who take the wrong political stands in public.

Oh, but wait. The Democrats are in control of congress now. So we're safe from this kind of intrusive police-state crap for now, right? Right?

Just like we were safe from the CDA, DMCA, and Clipper.

regardless of intent, it makes me nervous. makes me want to anonymize all my traffic.

Albatross:

I think you're right here. If the DoJ decided they need to log more stuff, or decided they couldn't get accurate info just by IP addresses, anonymizing software could be made illegal in trying to enforce this law. How they would "make it illegal" is a good question, seeing as we've done a bang-up job stopping peer-to-peer software, adware, spyware, and viruses, but it is something to keep in mind.

I don't want to be treated like a criminal and watched every time I use the Internet.