Mandatory data retention ‘raises serious privacy and free speech concerns’

WASHINGTON — The US Justice Department wants Internet service providers and cell phone companies to be required to hold on to records for longer to help with criminal prosecutions.

“Data retention is fundamental to the department’s work in investigating and prosecuting almost every type of crime,” US deputy assistant attorney general Jason Weinstein told a congressional subcommittee on Tuesday.

“Some records are kept for weeks or months; others are stored very briefly before being purged,” Weinstein said in remarks prepared for delivery to the House Judiciary Subcommittee on Crime, Terrorism and Homeland Security.

He said Internet records are often “the only available evidence that allows us to investigate who committed crimes on the Internet.”

Internet and phone records can be “crucial evidence” in a wide array of cases, including child exploitation, violent crime, fraud, terrorism, public corruption, drug trafficking, online piracy and computer hacking, Weinstein said, but only if the data still exists when law enforcement needs it.

“In some ways, the problem of investigations being stymied by a lack of data retention is growing worse,” he told lawmakers.

Weinstein noted inconsistencies in data retention, with one mid-sized cell phone company not keeping records, a cable Internet provider not tracking the Internet protocol addresses it assigns to customers and another only keeping them for seven days.

Law enforcement is hampered by a “legal regime that does not require providers to retain non-content data for any period of time” while investigators must request records on a case-by-case basis through the courts, he said.

“The investigator must realize he needs the records before the provider deletes them, but providers are free to delete records after a short period of time, or to destroy them immediately,” Weinstein added.

The justice official said greater data retention requirements raise legitimate privacy concerns but “any privacy concerns about data retention should be balanced against the needs of law enforcement to keep the public safe.”

John Morris, general counsel at the non-profit Center for Democracy & Technology, said mandatory data retention “raises serious privacy and free speech concerns.”

“A key to protecting privacy is to minimize the amount of data collected and held by ISPs and online companies in the first place,” he said.

“Mandatory data retention laws would require companies to maintain large databases of subscribers’ personal information, which would be vulnerable to hackers, accidental disclosure, and government or other third party access.”

Kate Dean, executive director of the Internet Service Provider Association, said broad mandatory data retention requirements would be “fraught with legal, technical and practical challenges.”

Dean said they would require “an entire industry to retain billions of discrete electronic records due to the possibility that a tiny percentage of them might contain evidence related to a crime.”

“We think that it is important to weigh that potential value against the impact on the millions of innocent Internet users’ privacy,” she said.