According to CNET contributor Declan McCullagh, Sergeant Frank Kardasz was scheduled to present a survey to a federal task force on law enforcement yesterday (while Kardasz appears on the meeting agenda, the notes for the actual meeting are not yet available). Sources revealed the nature of the survey. It presented questions to 100 police officers from across the United States regarding document access and the Internet.
Police officers indicated that they wanted a Web interface dedicated to law enforcement procedures. The interface would allow police officers to send requests to and receive data from ISPs without the waiting time associated with other request methods. That sounds like a reasonable request to me, assuming the ISPs verify that such requests are merited and have the proper legal backing before handing over private customer data.
But another matter worries me. According to the survey, many police would like ISPs to hold on to customer data for at least five years before expunging it. According to McCullagh, Kardasz has gone so far as to say that ISPs that don't retain customer data "are the unwitting facilitators of Internet crimes against children."
While data retention might help a police officer in the course of an investigation, it constitutes a significant risk to user privacy. Legally requiring ISPs to retain data isn't new -- the European Union passed a data retention directive in 2006. Each member of the EU may establish its own data retention policy as long as it falls within the directive's parameters. The directive calls for a minimum retention period of six months and sets the maximum at two years.
If the survey influences U.S. lawmakers to require ISPs to retain data, it would put user privacy at risk. Setting aside the non-trivial possibility that the police might investigate people without proper justification (and therefore have unprecedented access to years of private data), hackers might take the opportunity to infiltrate ISP systems to sift through the mountains of personal data that would accumulate over a five-year period.
The proposed police network also comes with problems. For one, setting up such a network among all police stations and ISPs would be a massive undertaking. For another, should the security of the police network become compromised through a hacking attack or malware, sensitive information could leak out and ruin investigations and personal lives.
There are other problems as well. If your own home network is compromised, you could be held responsible for crimes committed by other people using your Internet connection. Can you be sure that your home network has remained secure over the last five years? Even people who currently follow good security habits may not have always done so.
I think that police need to be able to access information during investigations as quickly as is legally responsible. But I also feel that claiming private companies are complicit (knowingly or otherwise) in crimes against children is using scare tactics and could lead to policies that infringe upon the liberties we enjoy. What do you think?
Tags: Computer and Internet Security, Cybercrime, Government, Internet, Issues and Ethics,
comments ( )