Useful Links
SMBlog
RSS feed RSS icon
About this blog
About me
Archives of Dave Farber's IP list
Archives of RISKS Digest
The Legal Information Institute at Cornell University
Thinking Security
Firewalls and Internet Security: Repelling the Wily Hacker
The Electronic Frontier Foundation
The Tor Project
The Center for Democracy and Technology
Freedom to Tinker blog
Bruce Schneier's blog
Matt Blaze's blog
Matthew Green's A Few Thoughts on Cryptographic Engineering
Krebs on Security
March 2009
The White House Removes Videos from YouTube (2 March 2009)
EFF's Surveillance Self-Defense Website (3 March 2009)
Access to Old Information (8 March 2009)
Internet Records Retention Bill (19 March 2009)
Recent Posts
Brief Notes on Computer Word and Byte Sizes (7 March 2023
In Memoriam: Frederick P. Brooks, Jr. --- Personal Recollections (18 November 2022
Attacker Target Selection (5 July 2021
Where Did "Data Shadow" Come From? (26 June 2021
Vaccine Scheduling, APIs, and (Maybe) Vaccination Passports (2 April 2021
Security Priorities (25 February 2021
Covid-19 Vaccinations, Certificates, and Privacy (13 August 2020
Hot Take on the Twitter Hack (15 July 2020
Trust Binding (11 June 2020
Facebook, Abuse, and Metadata (24 May 2020
Archive
2007 (43)
2008 (39)
2009 (21)
2010 (15)
2011 (16)
2012 (14)
2013 (6)
2014 (16)
2015 (14)
2016 (6)
2017 (17)
2018 (16)
2019 (17)
2020 (15)
2021 (4)
2022 (1)
2023 (1)
 
Full Index
Tag Index

Internet Records Retention Bill

19 March 2009

A lot of pixels have been spilled lately over an Internet records retention bill recently introduced in both the House and the Senate. The goal is to fight child pornography. That’s a worthwhile goal; however, I think these bills will do little to further it. Worse yet, I think that at least two of the provisions of the bill are likely to have bad side effects. Unfortunately, the text is quite bad; we will have to wait for regulatory action and/or overzealous prosecutors to see just how far the language will stretch.

The first troublesome provision is Section 3, which amends Chapter 95 of Title 18 of the U.S. Code to add

(a) Offense— Whoever, being an Internet content hosting provider or email service provider, knowingly engages in any conduct the provider knows or has reason to believe facilitates access to, or the possession of, child pornography (as defined in section 2256) shall be fined under this title or imprisoned not more than 10 years, or both.
This might criminalize things like onion routing, an important privacy-preserving technology. (Ironically, onion routing got its start at a government agency, the Navy Research Lab.) Since the clause is limited to "Internet content hosting providers" and "email service providers", most Tor nodes won’t affected. Besides, very many Tor nodes are outside the country, so this provision likely won’t hinder any would-be viewers of child pornography.

There are other infelicities in the definitions. "Internet content hosting provider" is defined broadly enough to include web caches; "Email service provider" requires that the site provide "transmission" and "retrieval" services, which excludes companies that offer only one. Besides, any networking technology "facilitates access to" all sorts of content, good and bad. Is the Internet being outlawed?

The records retention provision adds

(h) Retention of Certain Records and Information— A provider of an electronic communication service or remote computing service shall retain for a period of at least two years all records or other information pertaining to the identity of a user of a temporarily assigned network address the service assigns to that user.’.
to the end of 18 U.S.C. 2703. The problems start with the definitions. Given the location of the clause, the relevant definitions are in 18 U.S.C. 2510 and 18 U.S.C. 2711. These define "electronic communication service" and "remote computing service" but not a "provider" of those services. What does the clause mean? Is it intended just to cover ISPs? Probably not; elsewhere in that part of the law, there are explicit references to "providers … to the public". Who else is covered? Employers? Hotels? Universities? WiFi hotspots, free or not? Almost certainly, all of the above are included. Home users? Many people (myself included) have wireless routers or access points in our houses; clearly, any guest of mine or my family’s is more than welcome to use our Internet connection. How am I supposed to "retain" logs of what IP addresses they get? By chance, I happened to need information just two days ago on what machines were associated with which access points. The logs kept by the devices were utterly useless for this purpose. Am I required to install a (currently non-existent) newer firmware release? for this purpose? Does anyone believe that the average home user is even slightly capable of finding such a thing, let alone installing it? By the way — as best I can tell, installing new firmware erases all of the current log information on my boxes… And of course, even if I do have such logs, all they would include are timestamps and MAC addresses. I do not retain records on who visits my house when (do I need a log book at the front door?); I have no idea what their devices’ MAC addresses are. These people are my friends; I just give them the SSID and encryption key.

Of course, the law requires providers to "retain" records. Does that imply "create"? What if providers have no records? Must they start creating them? If not, home users would be excluded, but some ISPs may decide they don’t need to create them, either.

The most troublesome provision of this clause is the restriction to "temporarily assigned network address the service assigns to that user". Presumably, this is intended to cover IP addresses assigned by DHCP or PPP. From a technical perspective, however, that clause is often useless, technically infeasible, or both. Many ISPs, some employers, and virtually all hotels and home WiFi routers use a technology known as Network Address Translation (NAT). When NAT is in use, the address assigned by DHCP is visible only within the provider’s network. Law enforcement officials would have no access to this network until after they had identified a suspect. Log files or wiretaps from a child pornographer’s site would reveal the external address of the client downloading the material, but that address implicates all users of provider during that period. The internal IP address is not visible on the outside.

Now — for every connection, a unique IP address and port number is allocated by the NAT box. This, coupled with accurate timestamps and DHCP records, would indeed identify the particular MAC address involved. However, this would require tracking every TCP connection of that user. Apart from being a gross invasion of privacy — does every hotel I stay at need to know every web site I visit? — it is probably infeasible to collect this data; there would be far too much of it. The Internet was never designed for this sort of fine-grained record-keeping.

There’s another problem: what if the offender is using a Web proxy service? Many hotels and ISPs require use of these; any corporation with an application-level firewall does as well. In that case, the "guilty" IP address would be that of the proxy. Must proxies keep logs? No — the bill applies to "temporarily assigned network addresses", not proxy devices.

Then there’s IPv6. It has a feature known as the Privacy Extensions for Stateless Address Autoconfiguration in IPv6. If this extension is in use, a computer can generate new IP addresses any time it wants to, precisely to avoid linkage across different transactions. This feature is not covered by the law, since the addresses are self-generated and not temporarily assigned by a provider.

I could go on, but I think the point is clear: the bill is poorly drafted, affects legitimate users, creates impossible requirements, leaves too much wiggle room for law enforcement mission creep — and doesn’t do what it’s intended to do.

https://www.cs.columbia.edu/~smb/blog/2009-03/2009-03-19.html