Current Status: The United States currently has no mandatory data retention law. However, if providers of electronic communications or remote computing services store electronic communications or communications records, the government may obtain access to the stored data under the Stored Communications Act (SCA), enacted as part of the Electronic Communications Privacy Act in 1986. The SCA also establishes mandatory data preservation, under which providers must preserve stored data for up to 180 days on government request.
Precisely how government officials may compel providers to grant access to such data depends on several variables, including the type of service the company is providing the user, the type of data, and in the case of stored communications content, the length of time the data has been in storage. The SCA also allows providers to voluntarily disclose such data to the government in emergencies where delay in disclosure involves danger of death or serious physical injury to a person. In general, compelled access to communications content requires a court order. By contrast, compelled access to data such as user/subscriber name, address, telephone number, and records of phone calls and communications requires an administrative subpoena, which is not issued by a court.
Two bills introduced in the Congress in 2009 would have required all Internet providers and operators of WiFi access points to keep records on Internet users for at least two years to assist police investigations, but neither bill became law. Some legislators and law enforcement officials continue to argue, however, that mandatory data retention is necessary to investigate online child pornography and other Internet crimes. In January 2011, the U.S. House of Representatives Judiciary Subcommittee on Crime, Terrorism, and Homeland Security held a hearing that again raised questions about whether Congress should pass legislation that would force ISPs and telecom providers to log Internet user traffic data. In May 2011, the “Protecting Children from Internet Pornographers Act of 2011” (H.R. 1981), which would require retention of such traffic data, was introduced in the House of Representatives.
Promoted as a way to crack down on child pornography, H.R. 1981 uses the potential abuse of children as a pretext to order Internet companies to spy on users, and force ISPs to retain data about innocent Internet subscribers in the hopes that it might one day be useful to law enforcement. Under H.R. 1981, ISPs would have to maintain “temporarily assigned network addresses” to enable the identification of a subscriber. At a minimum, this refers to the IP addresses assigned by ISPs, including the Internet services associated with mobile phones. It could also potentially include mobile phone numbers or other forms of cell phone identification, such as the three major mobile device identifiers: IMEI, IMSI, TMSI. These IDs for mobile devices are unique identifiers that mobile phone companies use to track handsets and the accounts associated with them.
Even individual U.S. states are not immune from attempts to pass data retention bills that could have dire consequences for online privacy. In January 2012, Hawaiian state legislators held a hearing on state bill HB 2288 that would force any company that provides Internet access to consumers in Hawaii to keep undefined “consumer records” for two years, including historical records on the sites a user visited as well as assigned IP addresses. The bill, which was withdrawn after strong opposition, would have affected any business or anyone using the Internet in Hawaii, not just those suspected of a crime. HB 2288 would have required that any ISP that provides Internet service to a Hawaiian user retain consumer records for no less than two years including subscriber information and destination history. The destination information would feature the user’s IP address, domain name or host name. The legislation would have forced ISPs to keep records on every website a person visits and associate that with their ISP address.
Public Discussion: The language of H.R. 1981 is disturbingly vague, but it would require a network to maintain an historical log of IP addresses. It’s still unclear whether ISPs believe it also requires them to maintain detailed records on customers’ addresses, credit card, and bank information. This would create a honeypot of sensitive data vulnerable to ambitious law enforcement agents, malicious hackers, or accidental disclosures. Law enforcement is discovering that IP addresses are a powerful way to unlock location data and track people's movements over time. To make this data most useful, authorities need ISPs and mobile carriers to keep records of who is assigned to which IP addresses, and when. The U.S. Supreme Court ruled that tracking a car with a GPS device for months without a search warrant is unconstitutional. But if H.R. 1981 is passed, law enforcement could amass a large collection of data that will allow the location tracking of anyone who uses the Internet, if that person is under suspicion for any reason in the coming year.
Opponents of the proposed H.R. 1981 data retention bill point out that the legislation could be used to target a group of Internet users could share a single IP address. They note there are only a limited number of IPv4 addresses, the current schema most ISPs use to allocate IP addresses. While a single IP address is not a perfect identifier, a collection of IP addresses assigned to a user can be combined with other data elements to create a detailed map of a person’s location over time. Law enforcement could review the IP addresses used by a person to log onto her email account over the period of several months to create a detailed picture of that person’s daily routine. IP addresses can also indicate information about a user's physical proximity to other users. If two people are using the same IP address at the same time, they are likely at the same location.
Those who oppose H.R. 1981 also note that law enforcement could use the proposed law to demand that a social network hand over the IP addresses and logged-in times of an individual using its service. Law enforcement could then combine this information with data from an ISP or mobile carrier to determine who was assigned to each of those IP addresses. For mobile providers, each entry could be combined with data about one’s GPS location. This would give law enforcement the ability to know when an individual was posting to a social network as well as her location. While data from ISPs would be slightly less exact, it could still provide a detailed portrait of an individual’s physical location each time she logged in. The U.S. government attempted to gather this kind of information when it pressured Twitter to hand over data about Icelandic parliamentarian Birgitta Jónsdóttir’s as part of the WikiLeaks investigation. There have been numerous other occasions where law enforcement have pressured Internet companies to hand over the IP addresses and times that individuals used their services.
Activists at Demand Progress, have noted that H.R. 1981 might force Internet companies to retain even more data, including detailed banking information. The proposed bill is an amendment to 18 USC § 2703 which defines the terms under which companies that store electronic customer data must disclose it to the government. H.R. 1981 would amend and expand this law in a way that “enables the identification of the corresponding customer or subscriber information under subsection (c)(2) of this section.” Subsection (c)(2) would require companies to turn over to the government without a warrant detailed information including customer’s name, address, records of session times and durations, the length of service (including start date) and types of service utilized plus credit card or bank account number.