House introduces bill to require ISPs to monitor, archive everything forever

CNet: "All Internet service providers would need to track their customers' online activities to aid police in future investigations under legislation introduced Tuesday as part of a Republican 'law and order agenda.'

Employees of any Internet provider who fail to store that information face fines and prison terms of up to one year, the bill says. The U.S. Justice Department could order the companies to store those records forever."

"Because there is no limit on how broad the rules can be, Gonzales would be permitted to force Internet providers to keep logs of Web browsing, instant message exchanges, or e-mail conversations indefinitely."

"That broad wording also would permit the records to be obtained by private litigants in noncriminal cases, such as divorces and employment disputes. That raises additional privacy concerns, civil libertarians say."


It's a given that this is a bad idea for several reasons - from 'this completely guts the notion of personal privacy' to 'the law of unintended consequences'. While surely a boon for storage companies, it pretty much sucks for everyone else.

1. Tremendous privacy implications for individuals, small business, anyone using an ISP for any reason.

2. Giant cyber-criminal target (crack, mine, build profiles for spearphishing, compromise unencrypted passwords, find legal but extortable information, etc)

3. Will trap data of normal people and do exactly zero to trap info on criminals (who are using encryption, other people's connections, blah blah)

4. IP and behavioral data doesn't prove identity or intent. Functionally useless. (see Splunk'd AOL Search Info, wardriving, RIAA/MPAA dragnets, log poisoning and rewriting, etc.)

So how do people (law enforcement, divorce lawyers, lawyers) access the traffic? where is it stored? how is it secured? how does one review the data for accuracy? will slightly different system-times wrongly implicate individuals based on timestamps and IPs ? (See 'DHCP for Dummies). How do we treat wifi hotspots? Open home and business wifi access points? Rogue ISP employees? Worms, botnets and malware infected computers (and whatever they might do)? Compromised law enforcement logins? We could do this all night.

It's retarded, impractical, an abhorrent breach of privacy, and dangerous for everyone.

On the plus side, maybe this will finally negate the 'net neutrality' argument (treating different bits differently) as users start using Tor, anonymizers, tunneling to Russian VPNs, etc. to encrypt all traffic - leaving nothing for ISP logs to grab or interpret. Maybe this is a good thing.

This is the litmus test for "do everyday people value their own privacy - and is the government still of, by, and for the people"...