Usually I’m immune to the stupid antics of politicians. They can’t help it. Most are lawyers so that’s two strikes against them. But this is just ridiculous.
I read the story on CNN.com: Bill proposes ISPs, Wi-Fi keep logs for police. The opening paragraph reads "Republican politicians on Thursday called for a sweeping new federal law that would require all Internet providers and operators of millions of Wi-Fi access points, even hotels, local coffee shops, and home users, to keep records about users for two years to aid police investigations."
Did you notice those two words that say "home users?" If you have a Wi-Fi access point or you have a wired network in your home, in short, anything that assigns temporary IP addresses as machines come and go, you would be required to maintain logs for two years.
And why are we doing this? "For the children." The goal is to give law enforcement the data they need to go after people who share child porn on the Internet.
They are calling it the "Internet Stopping Adults Facilitating the Exploitation of Today’s Youth Act," or Internet Safety Act. Both the House (H.R.1076) and Senate (S.436) versions contain the same basic language: A provider of an electronic communication service or remote computing service shall retain for a period of at least two years all records or other information pertaining to the identity of a user of a temporarily assigned network address the service assigns to that user.
Ignoring the privacy issues for the moment, and the issues for small and big business, let’s just focus on Joe Home Owner. How do the politicians think they are going to implement this? Ok, the politicians won’t. They just pass the law and hand it off to a team of bureaucrats to implement. How are the bureaucrats going to implement it? In particular, how are they going to get owners of all those home access points to keep logs? Most people have a hard enough time configuring their Wi-Fi access point securely! How are they going to get Joe Home Owner to keep logs of IP addresses? How do you guarantee the integrity of those logs? If you can’t, I can see defense counsel getting them tossed out of court real quick.
Since we are poking holes in this boat, the bills say you have to keep the logs for at least two years. What do you do with the log when it gets to the two year point? Anyone who does security in the business world will tell you that if you have a policy – say, for email retention – you have to follow the policy. There can be serious legal consequences if you don’t. So what about these address logs? Two years and then…what? What happens if the house burns down and you don’t have offsite backups for the logs. What if a thief breaks into you house and steals the machine that holds the logs? What about when Joe Home Owner fat-fingers something and manages to delete them accidentally? And what happens when the lawyers want to use them in a messy divorce or a civil or criminal case?
Am I getting my point across? This isn’t a simple thing. You can’t just say "make it so" and have it happen. There are always unintended consequences to this kind of thing.