Why data retention legislation would do more harm than good

Do you remember every Web site you visited, every email you sent, and every word you Googled during the last two years? Probably not, but your Internet service provider might—especially if a proposal currently popular in Washington becomes law.


In September, U.S. Attorney General Alberto Gonzales called for a law to force Internet service providers (ISPs) to store customer information for one to two years. Rep. Dianne DeGette, D-Colo., plans to introduce such a “data retention” bill this coming spring.


Mandated data retention, as proposed by Gonzales and DeGette, would be extremely costly for Internet providers and their customers and would severely harm individual privacy rights—without doing any good.


Advocates of mandated data retention argue that it would aid the prosecution of child pornographers, that tracking every step a pedophile makes online is vital to achieve a conviction. Thus, they want all ISPs, search engines, and social networking sites to store their users’ IP addresses. Moreover, some suggest also tracking the identities of e-mail correspondents and recipients of instant messages. DeGette once even suggested making this information available not only to the police but also to civil litigants.


Requiring the tracking and storing of every move of every Internet user would impose enormous costs on Internet service providers. Those costs would hurt prospering high tech companies and their employees, as consumers would turn away from online transactions and communications because they would consider them less secure.


Meanwhile, consumers would be hurt by seeing their online options limited.


In addition to economic harm, governmentally mandated data retention poses serious threats to individual privacy rights. People value their privacy; few intend to save a record of all e-mails written or all Web sites visited. The mandated storage of e-mail addresses, URLs, or IP addresses could easily be abused to analyze Internet users’ personalities, preferences and habits—creating a potential jackpot for hackers and spammers.


Even worse, such a data repository would be a treasure trove for identity thieves. A series of recent scandals involving lost or involuntarily published confidential data has shown how serious this problem is. For example, Internet giant AOL accidentally published 20 million search queries—including subscribers’ Social Security, credit card or telephone numbers—while the U.S. Department of Commerce admitted that more than 1,100 of its laptops have “vanished” since 2001. Some of these laptops contained less-than-fully encrypted personalized information on citizens, mostly from the Census Bureau. If these vulnerabilities exist for the government and a leading Internet company like AOL, why should we trust the security of a Gonzales or a DeGette data retention plan?


A data retention mandate’s adverse impact on Internet users’ privacy is clear. At the same time, it is unclear that such a bill would improve authorities’ ability to fight online child pornography. Federal law already allows investigators legitimate access to data collected by Internet providers without undue restrictions. These access laws are seen as fully adequate—if not already threatening privacy—by many experts.


Moreover, because of the vast amount of data that would eventually be collected under a data retention bill, it is doubtful whether this data could ever be effectively analyzed by law enforcement authorities. Data mining is not a perfect science, and many innocents can be swept up along with criminal suspects.


The objectives stated by Attorney General Gonzales, DeGette, and other mandatory data retention supporters might be noble. But it is unlikely that such a bill would achieve these goals. Given the huge costs and threat to consumers’ privacy and liberties, obligatory data retention should be rejected.