Congress Revisits Mandatory Data Retention

Published: Jan. 26, 2011

Updated: Oct. 05, 2020

On January 25th, the House Judiciary Committee’s Crime Subcommittee held a hearing on the topic of mandatory data retention by service providers.  The Subcommittee chairman, Representative Sensenbrenner, who declared himself a fan of the “carrot and stick” approach, offered industry a “carrot” if they were willing to come together to develop voluntary standards for data retention, but threatened a “stick” if they were unable to do so.  His sentiments were echoed by House Judiciary Chairman and author of last Congress’ data retention bill H.R. 1076, Lamar Smith.

The hearing, entitled “Data Retention as a Tool for Investigating Internet Child Pornography and other Online Crimes,” included testimony from the Department of Justice, the International Chiefs of Police, the United States Internet Service Provider Association and the Center for Democracy and Technology.  While DOJ did not bring a specific proposal to the hearing, it is clear that they support legislation in this area.  State law enforcement officials were willing to be more specific and indicated that providers holding data for six months to a year would be immensely helpful to law enforcement.

In addition to lacking a specific proposal, DOJ also failed to offer any statistics to back up its claims that investigations are impeded by data that has disappeared before the government can issue preservation requests.  One witness noted that with the more than one hundred thousand industry reports of apparent incidents of child pornography sent to NCMEC each year, less than two percent of the tips seemed to be followed up with an investigation or prosecution.  Accordingly, the question asked by some Subcommittee members was whether what is needed is additional data or additional resources.

The hearing left many unanswered questions regarding the types of providers that are intended to be covered by data retention requirements, what types of data would need to be retained, for how long, whether new laws would be required to put in place privacy and security protections, and how much all of this is likely to cost and who is going to pay.

It also remains to be seen whether Chairman Smith and other advocates of retention legislation will hold off on offering data retention legislation to see if Subcommittee Chair Sensenbrenner’s call for industry self-regulation is heeded.

The Subcommittee likely has not finished with this issue, but it has a packed agenda.  In February, their attention is likely to shift to CALEA.