Legislation and its effects in our world

After having a brief conversation with a friend of mine over the weekend
about this new proposed legislation I was horrified to find that I could not
dig anything up on it in NANOG. Surely this sort of short minded legislation
should have been a bit more thought through in its effects on those that
would have to implement these changes. My major concern is not just for
myself but for a much broader picture.

"Republican politicians on Thursday called for a sweeping new federal law
that would require all Internet providers and operators of millions of Wi-Fi
access points, even hotels, local coffee shops, and home users, to keep
records about users for two years to aid police investigations."

http://www.cnn.com/2009/TECH/02/20/internet.records.bill/index.html

I understand and agree that minors should be protected and I think child
pornography is awful; however, I think how the government is going about
catching these criminals with this new legislation will not really be any
more efficient than their current methods. Having a log of all IPs that
come across my or anyone in America's "home" Wi-Fi for two years is not
going to help "police investigations" but will cause me to have to go buy a
more expensive router.

So I'm just wondering, how would this legislation affect some of you on the
NANOG list?

-Jim

Another issue is civil rights. Do we want to create a surveillance society? It has already happened to a large extent in the UK and the US, but this is a significant step forward ...

I'll leave it at that since I am writing on corporate email and I do not represent my company on this issue.

Regards,

Roderick.

Hi Jim,
Avoiding the politics of this issue, I suspect that many more home users
will be affected than corporate or backbone admins. I already log all
access to my wireless, though currently I don't keep outgoing access logs
for that long. I suspect that if this were to become law, the logging
mechanisms in the provided home wireless routers would need a revamp. Or at
least their storage method would.
-DS

If it's at all like the EU Data Retention provisions, it would be in the ISP, not the home router. The Danish want the moral equivalent of a netflow trace for each user (log of the kind of information netflow records for a session for each TCP/UDP/SCTP session the user initiates or terminates, produced on presentation of a warrant or subpoena), but the EU provisions are more application layer - when did the user "sign on" to the wireless network, and when did "s/he sign off", to whom did they send emails via the ISP's servers, and so on?

Without commenting on police states and such, instantiating legislation is required in each country signatory to the Cybercrime Treaty. Both major parties have been on deck during that discussion...

Sorry to intrude, but it is based on the reading of the law and at least
according to ars technica's article (
http://arstechnica.com/tech-policy/news/2009/02/are-you-an-electronic-communication-service-provider.ars)
that excludes home routers. That's not to say it couldn't be reinterpreted
in the future.
Also worth noting is that this is a Republican proposition and both sides
still seem a bit bitter about the stimulus.

~Sean

I agree - Although this isn't legal advice and I'm not a lawyer:

It amends 18 U.S.C. §2703 which is entitled "Required Disclosure of Customer Communications or Records" which refers to providers, not home users...

Better question:
1) Is there a reasonable expectation of privacy in the communications between end users and their providers so as to give rise to a 4th amendment issue? (Might have already been asked and answered...)

I am not a lawyer; I am a person that can read something that is written in the English language, and considered by some to be a "reasonable man". So please don't consider this to be legal advice. Also, although I am posting from a Cisco account, this note represents my understanding based on a reading of the text of the bill, not an opinion of or advice by Cisco. Further, I do not represent myself as either for or against the legislation or the implied technology. I have opinions on all that, but I'll save them for another email.

#include <any other disclaimers that are important>

The text of the bill, which is in committee, is at Text of S. 436 (111th): Internet Stopping Adults Facilitating the Exploitation of Today’s Youth Act of 2009 (Introduced version) - GovTrack.us. Read the text of the bill before continuing with my comments on it or on Declan's article.

Most of the bill is about defining "child pornography", such as "inserting ‘1466A (relating to obscene visual representation of the abuse of children),’ before ‘section 1708’", or about changing penalties. Data retention is discussed in section 5:

SEC. 5. RETENTION OF RECORDS BY ELECTRONIC COMMUNICATION SERVICE PROVIDERS.
Section 2703 of title 18, United States Code, is amended by adding at the end the following:
‘(h) Retention of Certain Records and Information- A provider of an electronic communication service or remote computing service shall retain for a period of at least two years all records or other information pertaining to the identity of a user of a temporarily assigned network address the service assigns to that user.’.

In context, this is about providers of a service. BTW, it doesn't talk about *creating* a record that doesn't exist, it talks about *retaining* records that have already been created, such as billing records or other records that would support billing and maintenance. IANAL, so run this by your lawyers, but a provider of a service is in the FCC definitions someone that sells a service to random purchasers, not someone that provides communications to his own employees, students, or family members. This came up during the discussion by the FCC about lawful intercept and what constituted a network that had to implement it several years ago. This is confirmed, says the "reasonable man", by the definition of the offense in Section 3:

‘(a) Offense- Whoever, being an Internet content hosting provider or email service provider, knowingly engages in any conduct the provider knows or has reason to believe facilitates access to, or the possession of, child pornography (as defined in section 2256) shall be fined under this title or imprisoned not more than 10 years, or both.

Note the lack of reference to home routers, wireless in any form, or any of the other stuff Declan mentions in his article:

(CNET) -- Republican politicians on Thursday called for a sweeping new federal law that would require all Internet providers and operators of millions of Wi-Fi access points, even hotels, local coffee shops, and home users, to keep records about users for two years to aid police investigations.

I would ask you, how many local coffee shops or hotels that you know of operate their own Internet access? How many instead contract with T-Mobile or some other provider? Since the billing record is done with the provider (you somehow pay a bill to T-Mobile-or-whoever for use of the wifi and you identify yourself to them at the time you access the service), whom would you expect might be required to "retain" those records?

I would also be a trifle careful with Declan's repeated references to the party of the person who submitted the bill. The bill is, or at least looks like, enabling legislation required by the Cybercrime Treaty (http://tinyurl.com/6m9ey, Article 20 of which calls for what is now called "Data Retention"), and is pretty much in line with the current EU directive on the topic (http://tinyurl.com/2maatj). Both major parties in the US have been on deck during the negotiation of the CyberCrime Treaty, and whatever your opinion of it might be, this bill is in line with Obama campaign promises and actions as president as I understand them.

I personally tend to ignore stuff written by Declan. It requires too much work to drill through the political activism and sensationalism-portrayed-as-journalism to find the germ of truth that inspired the article.

ha, funny you should say that; do a quick search for "plain language of the statute" and let me know how many dissenting views in court opinions you find.

Big fallacy to say that even though it's 'plain English' it means *one* thing...

This is a big tangled web of statutory and common law; plain English will get you as far as a nickel in a dime store...

Doing a thorough analysis of this bill is on my to-do list, possibly
for a flight home on Friday. For now, I think the applicability
remains ambiguous, because it's amending a law that was written ~25
years ago, when the concept of home computers was fairly new, let alone
home providers of services...

That said – the definitions for 18 USC 2703 are in 18 USC 2510
(http://www4.law.cornell.edu/uscode/18/2510.html) and 18 USC 2711
(http://www4.law.cornell.edu/uscode/18/usc_sec_18_00002711----000-.html).
The former includes the following:

  (15) "electronic communication service" means any service which
  provides to users thereof the ability to send or receive wire
  or electronic communications;

the latter says

  (2) the term "remote computing service" means the provision to
  the public of computer storage or processing services by means
  of an electronic communications system;

Now -- the remote computing definition includes "to the public", which
pretty clearly excludes home users. The definition of "electronic
communication service" is not limited to those serving "the public".
In other parts of the statute, the phrase "to the public" is sometimes
used, sometimes not; see, for example, 18 USC 2511(2)(a)(i) and 18 USC
2702(a)(1).

I'm not a lawyer, either, but as I understand things where parts of a
statute use a qualifier and parts don't the courts tend to conclude
that Congress knew what it was doing when it differentiated the two
cases.

    --Steve Bellovin, http://www.cs.columbia.edu/~smb

The people on NANOG mostly deal with moving packets around the network.
Log files are kept on servers, or on SAN farms, and the NANOG folks
generally don't deal with that so the legislation will have little to no
impact on them.

Specifically, NANOGers probably won't have to implement this change. That
task will fall to ISP management and to the people who run storage systems
and SANs.