For years, Rep. Lamar Smith (R-TX) has been pressing for legislation that would require Internet Service Providers to retain user data in order to aid law enforcement in hunting down child porn peddlers and downloaders. Last week, he introduced his most recent effort, and today was joined at a press conference in Austin by Sen. John Cornyn (R-TX), who sponsored the Senate's companion bill, to make the case for the 2009 edition of the Internet Safety Act.

Smith is hardly the only member of Congress enthusiastic about Internet regulation aimed at protecting children: a 2008 analysis produced jointly by the Center for Democracy and Technology and the Progress and Freedom Foundation counted 30 such bills introduced in a single year. But he is one of the more persistent.

Language requiring ISPs to preserve user data for two years—as this most recent bill would—first appeared in the ambitious Child Pornography and Obscenity Prevention Act of 2002, which passed the House by an overwhelming margin but stalled in the Senate. A series of subsequent attempts—most recently the Internet SAFETY Act (that's "Stop Adults Facilitating the Exploitation of Youth")—have all died in committee.

Many of the earlier bills, however, were far broader in scope, packed with provisions that drew objections that wouldn't be applicable to the narrower legislation introduced last week. The 2002 proposal, for example, earned the ire of the American Civil Liberties Union due to constitutionally dubious language banning "virtual" child porn (made without actual children) and the presentation of adult porn as though it depicted minors (i.e. 40-year-old actresses in pigtails and high school cheerleading outfits).

The 2007 version of the SAFETY Act was far narrower and more similar to the present bill, but also included a provision requiring commercial sites containing "sexually explicit" material to include government-approved watermarks. It established penalties for ISPs that fail to report child porn when they discover it—language that might have placed providers in the awkward position of trying to gauge the ages of actors in online porn. The data retention provision of that legislation was also more broadly worded, tasking the Attorney General with developing regulations that "shall, at a minimum, require retention of records, such as the name and address of the subscriber or registered user to whom an Internet Protocol address, user identification or telephone number was assigned, in order to permit compliance with court orders that may require production of such information."

Most of that gone is in the current proposal. A press release on Cornyn's site implicitly touts the exclusion of the reporting requirement as a feature by emphasizing that the bill will "target those who deliberately endanger our children—not those internet service providers who work with law enforcement to protect them." The retention language is also somewhat more narrowly tailored: ISPs must "retain for a period of at least two years all records or other information pertaining to the identity of a user of a temporarily assigned network address the service assigns to that user." It sounds as though the intent is just to require them to keep a record of which subscriber account was assigned a dynamic IP address at a particular time—though there's certainly some ambiguity there as well. If many people share a single connection, an e-mail sent from a particular account might arguably be "information pertaining to the identity" of the specific user. But it's also clearly less vague and potentially overbroad than the parallel language in predecessor bills.

That doesn't mean objectors have fallen silent. CDT's Greg Nojeim calls the data retention language "invasive, risky, unnecessary, and likely to be ineffective."

The bill's sponsors, of course, argue that it is necessary. "Federal, state and local law enforcement officials have reached a digital dead end in their battle against the online sexual exploitation of children," Cornyn claimed at Thursday's press conference. "Investigators need the assistance of Internet Service Providers to identify users and distributors of online child pornography."

But Nojeim questions that assertion, saying that law enforcement "has adequate authority now to require providers to preserve the records it needs." Though many ISPs discard user records after a few months, they must keep data if they're informed by police that a particular user is under investigation. And of course, if data is retained for all users, rather than only those who've already caught the eye of the kiddie porn cops, it may prove useful for purposes utterly unrelated to porn prosecutions—identifying purported copyright infringers springs readily to mind.

In addition to the data retention requirement, the bill increases penalties for those found guilty of trafficking in child porn—up to a maximum of life in prison—and allocates $30 million to fund the FBI's "Innocent Images" initiative.