House Committee Passes Bill to Force ISPs to Retain User Data For 12 Months

A controversial bill that would force ISPs to retain records for up to 12 months that would allow them to identify users by IP address has cleared a key hurdle and passed the House Judiciary Committee by a wide margin, setting it up for passage by the full House.

Data retentionA controversial bill that would force ISPs to retain records for up to 12 months that would allow them to identify users by IP address has cleared a key hurdle and passed the House Judiciary Committee by a wide margin, setting it up for passage by the full House.

The bill was introduced with the purported intention of protecting children from online pornography, but it has become a lightning rod for privacy advocates and security experts who have decried the data-retention provision. Under the language currently in H.R. 1981, ISPs would be required to store the IP addresses assigned to each subscriber for 12 months. The idea behind this section is “to assist federal law enforcement in online child pornography and child exploitation investigations”, according to the committee.

But that’s not the way that many outside observers see it. Many privacy advocates and civil liberties groups say that the bill will violate user privacy.

“The data retention mandate in this bill would treat every Internet user
like a criminal and threaten the online privacy and free speech rights
of every American, as lawmakers on both sides of the aisle have
recognized. Requiring Internet companies to redesign and reconfigure
their systems to facilitate government surveillance of Americans’
expressive activities is simply un-American,” Senior Staff Attorney Kevin Bankston of the Electronic Frontier Foundation said in a statement.

“Such a scheme would be as
objectionable to our Founders as the requiring of licenses for printing
presses or the banning of anonymous pamphlets. We hope that
bipartisan opposition will grow as the bill makes its way to the House
floor and more lawmakers are educated about this anti-privacy, anti-free
speech, anti-innovation proposal.”

Retaining the IP addresses of users as they move around the Web forces ISPs to store a huge amount of data they otherwise would not need. But lawmakers in support of the bill said that the privacy concerns were overridden by the need to help law enforcement track down pedophiles.

“When investigators develop leads that might result in saving a
child or apprehending a pedophile, their efforts should not be
frustrated because vital records were destroyed simply because there was
no requirement to retain them. This bill requires ISPs to retain
subscriber records, similar to records retained by telephone companies,
to aid law enforcement officials in their fight against child sexual
exploitation,” Rep. Lamar Smith (R-TX), the sponsor of the bill, said in a statement.

“Every piece of prematurely discarded information could
be the footprint of a child predator. This bill ensures that the online
footprints of predators are not erased.”

Interestingly, several of Smith’s Republican colleagues on the committee took issue with the data-retention portion of the bill and voted against the measure. Rep. Jim Sensenbrenner (R-Wisc.) said during the markup hearing for the bill on Thursday that it would treat ordinary citizens as criminals by default.

“The problem arises when data retention is government mandated. It is the government’s role to conduct criminal investigations through the established legal process, but it is not the role of Government to mandate how private businesses arrange storage procedures independent of the legal process. Simply put, the decision to store data should be a business decision and not a government decision,” Sensenbrenner said.

“The data retention mandate imposed by this bill would also threaten personal privacy at a time when the public is already justifiably concerned about privacy online. A key to protecting privacy is to minimize the amount of data collected and held in the first place. The data retention law would undermine this key principle. The bill would establish surveillance of all Internet users, regardless of whether there is any reason to believe they have engaged in unlawful activity. Ordinary citizens would have a year’s worth of their online activity retained.”

Suggested articles


  • Lou from NH on

    Retention of that type of information should be limited to situations where an ACTIVE CRIMINAL INVESTIGATION is in progress.

    To retain everyone's information turns the presumption of innocence (a strong tenet of US law) on its ear, and that is unacceptable.

  • Anonymous on

    Another stupid bill under the auspices of the teabaggers.

  • Anonymous on

    I wonder if this ISP-retained data will be considered Personally Identifiable Information (PII) and therefore be bound by higher security standards?  Bad news: just wait until a hacker gets into the last year's worth of ISP logs and starts spamming.   Good news: I'd wager you won't have to wait very long.

  • Anonymous on

    I agree this may not be a good idea for privacy reasons, but those people (including the EFF) who say that saving this data is somehow treating regular users like criminals are missing some perspective.

    First, many ISPs already keep this info for a certain period of time for their own technical uses.  There is no regulation on its use, and they can keep that data as long as they want.  Also, in the US, this type of data has been retained on telephone calls for decades and no one complained that citizens were being treated like criminals.


  • Randy Grein on

    Anonymous is mistaken - there have been MANY complaints about retention of phone records and the abuse of such by the FBI and other law enforcement organizations. Start with the the ACLU and their 500,000 members. An assertion that 'the innocent have nothing to fear' is flat out wrong. To give way on this, especially in a matter that is tiny (no matter how monsterous) betrays a lack of rational thought.

    I have personally seen too much police activity  to ever assume they are infallible, incorruptable or somehow better than the rest of us. Without reasonable checks on their power sooner or later we will become their victims, and it will be our own fault.

  • Anonymous on

    This is exactly why tools such as TOR exsit.  If IP addresses are going to be used as a tracking and identification tool, then it is time to make sure that your tracks are erased.  Don't believe the argument of "I've got nothing to hide".  Privacy is everyone's right and the more people that excerise it the better.   For the very same reason you should be encrypting your mail with GPG.


  • Dstars311 on

    Some one please explain to me how keeping records of the IP address assigned to a specific customer for 12 months or longer is an invasion of privacy. This is just the IP address. The only way that comes into play is if evidence already exists that something dangerous such as child predation occured from that IP address. The ISP's are not recording the websites you go to the music you listen to or any other online actiity. They are merely retaining who was assigned that IP at a given time. Again other evidence has to exist in the first place for any LEA to issue a warrant or subpoena of that information.

  • Anonymous on

     I think literally everyone here is missing the actual meaning of the bill here.


    Great, we've got the out of the way. Now: recognize that all it does is match your ISP to your address. Just like all your real-life dealings involve addresses or phone numbers or actual identifying information, you are now not totally anonymous on the internet. I know, I know, now you can't get away with pirating music or posting child pornography, it's terrible. But anonymity was never an essential liberty and was never even really presumed to be a prerequisite to liberty. You have the right to do whatever you want on the internet, and the government has the right to realize that you've been pirating, actually figure out who you are, and fine/punish you proportionally.

    You have the right to read books in your home privately, and you have the right to post/read/do whatever the shit you want on the internet privately. It is not a privacy infringement purely because all it does is let authorities figure out who you are.

    When people stop trying to justify piracy (and I really hope that you understand that you can't) and actually buy things legally, these kind of actions won't be necessary.

Subscribe to our newsletter, Threatpost Today!

Get the latest breaking news delivered daily to your inbox.