How Internet Companies Would Be Forced to Spy on You Under H.R. 1981

BY RAINEY REITMAN, The Electronic Frontier Foundation
EFF.org
Feb. 24, 2012

Online commentators are pointing to the Internet backlash against H.R. 1981 as the new anti-SOPA movement. While this bill is strikingly different from the Stop Online Piracy Act, it does have one thing in common: it's a poorly-considered legislative attempt to regulate the Internet in a way experts in the field know will have serious civil liberties consequences. This bill specifically targets companies that provide commercial Internet access -- like your ISP -- and would force them to collect and maintain data on all of their customers, even if those customers have never been suspected of committing a crime.

Under H.R. 1981, which has the misleading title of Protecting Children From Internet Pornographers Act of 2011, Congress would force commercial Internet access providers to keep for one year a "log of the temporarily assigned network addresses the provider assigns to a subscriber to or customer of such service that enables the identification of the corresponding customer or subscriber information under subsection (c)(2) of this section."  Let's break that down into simple terms.

Temporarily Assigned Network Addresses: More than IP Addresses

Under this proposal, ISPs would have to maintain "temporarily assigned network addresses" to enable the identification of a subscriber. At a minimum, this refers to the IP addresses assigned by ISPs, including the Internet services associated with mobile phones.  It could also potentially include mobile phone numbers or other forms of cell phone identification, such as the three major mobile device identifiers: IMEI, IMSI, TMSI. These are the tracking IDs for your mobile devices, the unique identifiers that mobile phone companies use to track handsets and the accounts associated with them.

IP Addresses Aren't a Perfect Identifier

An IP address is like a street address or a phone number; it's the arrow that points packets of information your way when people send you things over the Internet. But it cannot tell you who is actually sitting behind a computer screen, typing at a computer.

Currently IP addresses by themselves aren't a perfect way to identify individuals. One reason is because there are only a limited number of IPv4 addresses (the current schema most ISPs use to allocate IP addresses), and so there are many situations in which a bunch of Internet users are sharing a single IP address. This strategy, called Network Address Translation (NAT), is a creative way to deal with the shortage of IP addresses while we are still in the protracted process of transitioning to IPv6. All of which is to say: H.R. 1981 mandates that companies keep a log of assigned network addresses in order to identify customers, but IP addresses are only one clue in figuring out a user's identity.

IP Addresses: Useful for Location Tracking

But there's another element many commentators are forgetting: even if a single IP address isn't a perfect identifier, a collection of IP addresses assigned to a user can be combined with other data elements to create a frighteningly detailed map of a person's location over time. For example, law enforcement could review the IP addressses an individual used to log onto her email account over the period of several months to create a detailed picture of when she was at home, when she went to work, when she was in transit, and when she went to sleep - and whether there were certain days she deviated from her typical schedule.

IP addresses can also indicate information about a user's physical proximity to other users. For example, if two people are using the same IP address at the same time, they are likely at the same location. Law enforcement might be very interested in how IP addresses can indicate one's associations in this way.

Law enforcement could also demand that a social network hand over the IP addresses and logged-in times of an individual using its service. Law enforcement could then combine this information with data from an ISP or mobile carrier to figure who was assigned to each of those IP addresses. For mobile providers, each entry could be combined with data about one's GPS location. So a law enforcement agent could know when an individual was posting to a social network as well as her location. ISPs will be slightly less exact but still provide a detailed portrait of an individual's physical location each time she logged in. 

This is no nightmare scenario. This is exactly what the U.S. government attempted when it pressured Twitter to hand over Icelandic parliamentarian Birgitta Jónsdóttir's data as part of the WikiLeaks investigation. And we've seen numerous other occasions where law enforcement pressured Internet companies to hand over the IP addresses and times of individuals using their services.

Law enforcement is coming to understand that IP addresses are a powerful key to location data and to tracking people's movements over time. But in order for this data to be most useful to them, they need ISPs and mobile carriers to keep records of who is assigned to which IP addresses, and when.

The Supreme Court has already decided that tracking an individual's car with a GPS device for months at a time without a search warrant is blatantly unconstitutional.  But by passing H.R. 1981, law enforcement hopes to create a mountain of data that will facilitate the location tracking of anyone who uses the Internet, if that person is under suspicion for any reason in the coming year.

Detailed Banking Information

Because the actual language of the bill is somewhat vague, activists at Demand Progress have correctly noted that this legislation might force Internet companies to retain even more data just to be on the safe side. The proposed bill is an amendment to 18 USC § 2703, the law currently defining the circumstances under which companies that store electronic data on customers must disclose it to the government. H.R. 1981 is attempting to amend and expand this law in a way that "enables the identification of the corresponding customer or subscriber information under subsection (c)(2) of this section."

So what is subsection (c)(2)?  It requires a provider to turn over to the government without a warrant:
  • Name
  • Address
  • Records of session times and durations
  • Length of service (including start date) and types of service utilized
  • Credit card or bank account number
The language of H.R. 1981 is dangerously unclear -- it would definitely require a network to maintain an historical log of IP addresses, but will ISPs believe it also requires them to maintain detailed records on customers' addresses, credit card, and bank information? Such an interpretation would create a honeypot of sensitive data ripe for overly ambitious law enforcement agents, malicious hackers, or even accidental disclosures.

This Attack on the Internet Has Nothing to Do With Child Pornography

H.R. 1981 is touted as a way to crack down on child pornography, but the data retention mandates of this bill will affect every Internet user who uses a U.S. ISP.  It's sad to see our legislators using the mantle of child pornography to order Internet companies to spy on users, forcing ISPs to keep mountains of unnecessary data about innocent Internet subscribers in the hopes that it might one day be useful to law enforcement.  That's exactly why Representative Zoe Lofgren proposed an amendment to rename the bill the 'Keep Every American's Digital Data for Submission to the Federal Government Without a Warrant Act of 2011.'

This type of legislation goes against the fundamental values of our country where individuals are treated as innocent until proven guilty. H.R. 1981 would uproot this core American principle, forcing ISPs to treat everyone like a potential criminal. 

Help us defeat the Internet spying bill. Contact Congress today.













All original InformationLiberation articles CC 4.0



About - Privacy Policy