ISAFETY Bill Would Require ISPs to Keep User Data

Tod Hunter
WASHINGTON — A proposed federal law would require all Internet service providers and operators of millions of Wi-Fi access points — including hotels, local coffee shops, and home users — to keep records about users for two years to aid police investigations.

The Internet Stopping Adults Facilitating the Exploitation of Today's Youth Act of 2009, or ISAFETY Act, was introduced Thursday by Rep. Lamar Smith (R-Texas) and Sen. John Cornyn (R-Texas) as H.R. 1076 and S. 436.

"While the Internet has generated many positive changes in the way we communicate and do business, its limitless nature offers anonymity that has opened the door to criminals looking to harm innocent children," Cornyn said at a press conference. "Keeping our children safe requires cooperation on the local, state, federal and family level."

Both bills contain the same language, requiring that "A provider of an electronic communication service or remote computing service shall retain for a period of at least two years all records or other information pertaining to the identity of a user of a temporarily assigned network address the service assigns to that user."

The act applies not just to large ISPs but also to homes and businesses with Wi-Fi access points or wired routers that use the standard method of dynamically assigning temporary addresses, known as Dynamic Host Configuration Protocol, or DHCP.

Under the Internet Safety Act, all of those would have to keep logs for at least two years. It "covers every employer that uses DHCP for its network," said Albert Gidari, a partner at the Perkins Coie law firm in Seattle who specializes in electronic privacy law. "It covers Aircell on airplanes — those little pico cells will have to store a lot of data for those in-the-air Internet users."

Bush administration Attorney General Alberto Gonzales had called for a similar proposal, saying that subscriber information and network data should be logged for two years. After Gonzales left the Justice Department, interest in data retention legislation slowed down until FBI Director Robert Mueller resumed lobbying efforts last spring.

A 1996 federal law called the Electronic Communication Transactional Records Act regulates data preservation. It requires Internet providers to retain any "record" in their possession for 90 days "upon the request of a governmental entity." Internet service providers are required by another federal law to report child pornography sightings to the National Center for Missing and Exploited Children, which is in turn charged with forwarding that report to the appropriate police agency.

Besides its recordkeeping provisions, the ISAFETY Act adds criminal penalties to other child pornography-related offenses, increases penalties for sexual exploitation of minors, and gives the FBI an extra $30 million for the "Innocent Images National Initiative."