Child porn bill raises privacy fears

Some tech firms and public interest groups say the bill's data-retention section is too broad. | REUTERS

A bill that seeks to clamp down on online child pornography is raising some alarms in the tech and privacy communities because of a provision that would require Internet service providers to store users' IP addresses for 18 months.

The legislation, spearheaded by House Judiciary Committee Chairman Lamar Smith (R-Texas) and Rep. Debbie Wasserman Schultz (D-Fla.), would require Internet providers and possibly other entities to retain that information to aid law enforcement investigations of child exploitation.


The bill already has some notable support, namely from the National Center for Missing and Exploited Children.

However, it also faces tough criticism from tech companies and public interest groups, which believe the section on data retention is too broad, threatens Web users' privacy and may not accomplish its stated goal of cracking down on child pornography.

Those two sides may clash over the bill Tuesday, when Smith's committee holds its first legislative hearing since the legislation was introduced. Among the panelists scheduled to testify are Ernie Allen, president and CEO of NCMEC; Sheriff Michael Brown, who sits on the National Sheriffs’ Association board; and Marc Rotenberg, president of the Electronic Privacy Information Center.

Ahead of the hearing, Smith told POLITICO the proposal already has bipartisan support, as it seeks to "address what may be the fastest growing crime in America."

"House Judiciary Committee staff has been working to make sure that we have a bill that balances privacy concerns and the needs of Internet service providers. We all agree that more needs to be done to protect children from sexual predators," Smith said in a statement.

"If telephone companies are already required to retain certain information to aid in the investigation of a crime, why shouldn't Internet service providers be expected to do the same?" he continued. "H.R. 1981 is a common sense bill that will reduce child pornography on the Internet and spare thousands of children from being sexually exploited. It is hard to believe that anyone would stand in the way of protecting our children from sexual predators."

Data retention has proven to be a controversial topic in the privacy community. And it arrives as Congress is weighing new online privacy rules that would limit the information Web companies could collect while reexamining the long-standing laws governing how law enforcement can access digital records.

For Smith, though, data retention has been a key element in a number of bills he's authored over several sessions of Congress designed to fight child pornography.

The committee chairman held a hearing on the issue in January and introduced his bill with the help of Wasserman Schultz months later. The first hearing on the bill — a session tech leaders are watching closely — is on Tuesday.

NCMEC's Allen plans to tell the committee that the center supports the legislation. Allen also will praise lawmakers for striking the right balance on data retention, noting information stored and shared by Internet providers is a "major source of leads for law enforcement."

"Our argument on that part is there is a reasonable, balanced way to accomplish what we think needs to be accomplished, and that is not full blown data retention," Allen told POLITICO ahead of the hearing. Instead, he added, it only involves "having companies maintain connectivity logs so that you can prove a particular individual or a particular IP address was connected to a particular [incident]."

Others, however, are less supportive of the committee's approach to data retention. These include EPIC's Rotenberg, who will question the privacy and security implications of storing that data and sharing it with law enforcement in the manner prescribed by the bill.

"It would give the government sweeping authority to mandate the collection and retention of personal information obtained by business from their customers, or generated by the business in the course of providing services, for subsequent examination without any reason to believe that information is relevant or necessary for a criminal investigation," Rotenberg will say, according to prepared remarks obtained by POLITICO.

At the same time, the EPIC leader will criticize the bill's immunity provision, which would shield companies retaining potentially more information than just IP addresses.

"By extending blanket immunity and a good faith defense to these ISPs, Congress would foreclose the ability for consumers to seek damages under [the Electronic Communications Privacy Act] for violations of that law," Rotenberg notes in prepared testimony. "Instead, ISPs would be free to share their retained IP address information with law enforcement at any time, even if the current legal exceptions, such as those for voluntary disclosure, are not met."

Many others in the tech community have also questioned the bill's language, including the Center for Democracy and Technology. According to John Morris, CDT's general counsel, the bill may not be as effective at stopping child pornography as supporters anticipate because it exempts wireless broadband and Wi-Fi networks from a data retention mandate.

More than that, Morris said the bill poses serious privacy and security concerns — two areas that ought to be addressed before Congress wades back into the waters on data retention.

"ECPA was passed in 1986, and it provides extremely little protection for information ISPs have. And so our starting off position is that we need to fix ECPA before we even think about having a mandate to retain even more data," he said. Morris is not testifying Tuesday.

An aide to the House Judiciary Committee, however, said the current bill must come before any re-examination of the 1986 law.

"Our focus right now is on H.R. 1981 and data retention. Any additional revisions to ECPA will be considered after we complete our work on H.R. 1981," the source said.

This article first appeared on POLITICO Pro at 5:35 a.m. on July 12, 2011.