I was reading today's issue of SANS Newsbites (Vol. 9 Num. 13) and I came across the article abstract entitled "Proposed Legislation Would Require ISPs to Retain Customer Data Indefinitely". I read the abstract and followed the link to the article.
The article did not surprise me. It was typical of someone who reads other articles and does not look up the source. However, what did surprise me was the fact that at least one of the SANS Newsbites editors (Johannes Ullrich) was taken in by the claims in the article and apparently did not look up the original source. He stated, "Why not ask the USPS to make and retain a copy of all letters and postcards? It's about as feasible and invasive as this Safety Act."
The news story concerns H. R. 837, the "Internet Stopping Adults Facilitating the Exploitation of Today's Youth Act (SAFETY) of 2007". The story put a definite spin on the issue: it stated that websites "which failed to keep full records" would be fined.
This is what the text of the bill actually says:
"(a) Regulations- Not later than 90 days after the date of the enactment of this section, the Attorney General shall issue regulations governing the retention of records by Internet Service Providers. Such regulations shall, at a minimum, require retention of records, such as the name and address of the subscriber or registered user to whom an Internet Protocol address, user identification or telephone number was assigned, in order to permit compliance with court orders that may require production of such information." (Sec. 6. RECORD RETENTION REQUIREMENTS FOR INTERNET SERVICE PROVIDERS. H. R. 837)
The bill in and of itself does not specify "full" records. Neither does it specify the length of time those records need to be kept. It allows the Attorney General to specify those regulations. Attorney General regulations are quicker and easier to change in the face of public backlash than a Congressional Act.
The bill does specify a minimum requirement: the subscriber's name and address, and which IP address, user identification or telephone number was assigned to that subscriber, and when. Nearly all ISPs very likely keep that information already, since they need it for monthly billing.
My ISP has all of their DSL and fiber-optic customers on static IP addresses, so which IP address I have been assigned has changed only 2 times in the last 4 years. (That is a trivial amount of data to keep.)
The analogy that Johannes Ullrich put forth breaks down. It is more like the post office being asked to keep track of who was at each postal address or rented each postal box each day.
Since this data changes infrequently in most cases, the volume of records generated is small and easily kept.
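To make that minimum record concrete, here is an added example (my own illustration, not code from the original post or from any ISP's provisioning system) of what an address-assignment log could look like and how a point-in-time lookup of the kind a court order would require works against it. The subscriber names, service addresses, IP addresses and dates are constructed. Two details a practitioner would insist on are built in: the log is stored and queried in UTC so a timestamp from an order cannot be matched against the wrong day, and the log is checked for overlapping assignments of the same address, since an overlap means a lookup could name the wrong customer.

```python
"""Minimal IP-assignment retention log with point-in-time lookup.

Added example, not from the original post or any ISP.  All names,
addresses and dates are constructed.  Intervals are half-open
[start, end) and every timestamp is timezone-aware UTC.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Assignment:
    ip: str                      # address assigned to the subscriber
    subscriber: str              # subscriber name and service address
    start: datetime              # assignment began (UTC)
    end: Optional[datetime]      # assignment ended (UTC); None = still current


def utc(y: int, m: int, d: int, hh: int = 0, mm: int = 0) -> datetime:
    """Build a timezone-aware UTC timestamp."""
    return datetime(y, m, d, hh, mm, tzinfo=timezone.utc)


# Constructed sample log: one static address reassigned once, one never.
LOG: List[Assignment] = [
    Assignment("203.0.113.10", "A. Example, 1 Main St", utc(2005, 1, 1), utc(2006, 7, 1)),
    Assignment("203.0.113.10", "B. Example, 2 Oak Ave", utc(2006, 7, 1), None),
    Assignment("203.0.113.11", "C. Example, 3 Elm Rd", utc(2003, 3, 15), None),
]


def _covers(a: Assignment, when: datetime) -> bool:
    """True if `when` falls inside the half-open interval [start, end)."""
    return a.start <= when and (a.end is None or when < a.end)


def subscriber_at(log: List[Assignment], ip: str, when: datetime) -> Optional[str]:
    """Return the subscriber holding `ip` at `when`, or None if unassigned.

    Raises ValueError on a naive (zone-less) timestamp, and on an
    ambiguous log where two records for the same address cover `when`.
    """
    if when.tzinfo is None:
        raise ValueError("timestamp must be timezone-aware (use UTC)")
    hits = [a for a in log if a.ip == ip and _covers(a, when)]
    if len(hits) > 1:
        raise ValueError(
            f"ambiguous log: {len(hits)} records cover {ip} at {when.isoformat()}"
        )
    return hits[0].subscriber if hits else None


def overlaps(log: List[Assignment]) -> List[Tuple[Assignment, Assignment]]:
    """Return pairs of records for the same address whose intervals overlap.

    A retention log should be checked with this before it is relied on to
    answer an order: any overlap makes a point-in-time lookup ambiguous.
    """
    by_ip: Dict[str, List[Assignment]] = {}
    for a in log:
        by_ip.setdefault(a.ip, []).append(a)
    bad: List[Tuple[Assignment, Assignment]] = []
    for recs in by_ip.values():
        recs = sorted(recs, key=lambda a: a.start)
        for prev, cur in zip(recs, recs[1:]):
            # an open-ended earlier record, or a later one starting before
            # the earlier one ends, means two subscribers claim one address
            if prev.end is None or cur.start < prev.end:
                bad.append((prev, cur))
    return bad


if __name__ == "__main__":
    assert overlaps(LOG) == []
    print(subscriber_at(LOG, "203.0.113.10", utc(2006, 6, 30, 23, 59)))
    print(subscriber_at(LOG, "203.0.113.10", utc(2006, 7, 1)))
```

The lookup returns the first subscriber right up to the last minute before the reassignment and the second from the reassignment instant on, which is the behaviour the half-open interval buys you; a log that recorded both the old and new holder on the changeover day would be flagged by `overlaps` rather than silently returning whichever record happened to sort first.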
The record of which user was assigned which IP address at what time (the bill's minimum requirement) seems useless to an identity thief; the subscriber's payment information already on file is far more valuable. It also violates my privacy less than a tracking cookie from a service like Webtrends, and it is unlikely to be used to track my surfing habits.
In my opinion, it was a lack of good editing.