First Europe, now the US?

07 February 2007

Another bill's been put into circulation that I think everyone should know about. Representative Lamar Smith of Texas has put forth legislation that would require every ISP to keep records of what their users do on the Net to assist. For every customer an ISP has, every IP address they are given, every DNS request they make, every outgoing connection, and every incoming connection attempt would be recorded and archived on the off chance that a subpoena came in. Failure to do so would mean fines and jail time for not complying with this proposed law. On top of that, people who run sexually explicit websites would have to label their sites as such (as if you couldn't tell within the first thirty seconds of following a link). This act (called the SAFETY Act) is a rerun of a bill submitted in 2006 that died before being voted on.

The bill is supposed to help law enforcement get the information they need to hunt down and prosecute net.criminals these days. Speaking as someone that's done incident response a couple of times in the past, this bill is a waste of time and mental compute cycles. Given how criminal law is adapting to the Net, companies and other organisations these days have considerable pressure put upon them to at least make an attempt at implementing information security measures and intrusion countermeasures. There are two problems with this, though. First of all, convincing the admins of a given company that they've got a breach that is making life interesting for other people on the Net is hard: finding an e-mail address for their security officer, if indeed there is one on staff there, can be like getting the formula for Coca-Cola out of a loading dock worker, i.e., good bloody luck. Second, assuming that you have done your homework, contacted the security officers of the org whose network has been infiltrated (or maybe you are the director of information security and your network has been compromised), and assuming that you've done the information forensics song and dance, confirmed the breach, and started backtracking... law enforcement often isn't interested in your case.

Yes, that's right. If one of your boxes has been cracked and you try to call the FBI or the Secret Service, chances are they're not going to want to pursue the case for a number of reasons. First of all, unless more than $100k US of damage has been done, it's really not a big enough crime for them to pursue it. Second, unless a major federal law like HIPAA has been violated, or unless it's a part of something greater going on, you'll probably have a hard time getting their help. And if your org is the one that broke said laws, you're doubly screwed.

There is also the fact that there is no evidence anywhere that any ISP has dragged its feet when presented with a subpoena.

The specific requirements of data retention have yet to be set by Attorney General Gonzales.