It's always refreshing when a Member of Congress uses point-blank declarative statements that leave little room for misinterpretation. Such was the case today when Rep. James Sensenbrenner (R-WI) opened a hearing on a bill that would require major ISPs, private and non-profit companies, libraries, coffee shops and diners that offer Internet services to collect and maintain records that would tie IP addresses to individual users for 18 months.
Sensenbrenner, Chairman of the House Judiciary Crime Subcommittee, pulled no punches: "I believe this bill is bad policy and I will do my best to kill it." And he was just getting warmed up. "This bill runs roughshod over the privacy rights of people who use the Internet for thousands of lawful purposes," Sensenbrenner said, adding that it "should be defeated and put in the dustbin of history." And he's right.
My organization, CDT, has long warned of the dangers lurking in so-called data retention laws. As Sensenbrenner noted, the data retention mandates imposed by this bill would threaten personal privacy at a time when the public is justifiably concerned about privacy online. A key to protecting privacy is to minimize the amount of data collected and held in the first place; a data retention law would undermine this key principle.
The European Union has had a data retention directive for several years, giving us the luxury of being able to peek back over the event horizon to see the failure of that effort. In 2006, the EU passed its Data Retention Directive, which required telecommunications services to hold detailed customer activity records for up to two years. This included phone calls made and emails sent and received. The pan-European backlash was immediate. In Europe, many countries and courts are backing away from the Directive. At least three national courts have now struck down their respective national implementations of the Directive on constitutional or human rights grounds, making the future of the Directive uncertain.
Before even considering any kind of data retention law, we need to update current laws that deal with our data, specifically the Electronic Communications Privacy Act (ECPA), to provide more protection for digital data from government access. ECPA was a forward-looking law when it was passed... in 1986. It set rules for when law enforcement could get access to electronic communications and other data; it provided the first real protections as we entered the Internet age. But ECPA is now outdated. For example, there are no reliable guidelines for how ECPA should be applied to data stored in the cloud or how it applies to mobile location data. We need new, higher standards, including a showing of probable cause at least for our email and other stored content and our location, not a bill that requires service providers to collect and store more personal data.
The sensible path here is to heed Sensenbrenner's parting shot during today's hearing: the data retention bill, as it stands, is "not ready for prime time."