nanog mailing list archives

Re: question regarding US requirements for journaling public email (possible legislation?)


From: Steven Bellovin <smb () cs columbia edu>
Date: Thu, 5 Jan 2012 15:10:45 -0500


On Jan 5, 2012, at 2:16 PM, Fred Baker wrote:

> On Jan 5, 2012, at 10:42 AM, William Herrin wrote:
>
>> On Thu, Jan 5, 2012 at 10:56 AM, Eric J Esslinger <eesslinger () fpu-tn com> wrote:
>>> His response was there is legislation being pushed in both
>>> House and Senate that would require journalling for 2 or 5
>>> years, all mail passing through all of your mail servers.
>>
>> Hi Eric,
>>
>> The only relatively recent thing I'm aware of in the Congress is the
>> Protecting Children From Internet Pornographers Act of 2011.
>
> Since you bring it up, I sent this to Eric a few moments ago. Like you, IANAL, and this is not legal advice.
>
> From: Fred Baker <fred () cisco com>
> Date: January 5, 2012 10:46:30 AM PST
> To: Eric J Esslinger <eesslinger () fpu-tn com>
> Subject: Re: question regarding US requirements for journaling public email (possible legislation?)
>
> I don't know of anything on email journaling, but you might look into section 4 of the "Protecting Children From
> Internet Pornographers Act of 2011", which asks you to log IP addresses allocated to subscribers. My guess is that
> the concern is correct, but the details have morphed into urban legend.
>
> http://www.govtrack.us/congress/billtext.xpd?bill=h112-1981
> http://www.techdirt.com/articles/20110707/04402514995/congress-tries-to-hide-massive-data-retention-law-pretending-its-anti-child-porn-law.shtml
>
> I'm not sure I see this as shrilly as the techdirt article does, but it is in fact enabling legislation for a part
> of Article 20 of the COE Cybercrime Convention http://conventions.coe.int/Treaty/en/Treaties/html/185.htm. US is a
> signatory. Article 21 is Lawful Intercept as specified in OCCSSS, FISA, CALEA, and PATRIOT. Article 20 essentially
> looks for retention of mail/web/etc logs, and in the Danish interpretation, maintaining Netflow records for every
> subscriber in Denmark along with a mapping between IP address and subscriber identity in a form that can be data
> mined with an appropriate warrant.
>
> I can't say (I don't know) whether the Danish Police have in fact implemented what they proposed in 2003. What they
> were looking for at the time was that the netflow records would be kept for something on the order of 6-18 months.
>
> From a US perspective, you might peruse
>
>    http://en.wikipedia.org/wiki/Telecommunications_data_retention#United_States
>
> The Wikipedia article goes on to comment on the forensic value of data retention. I think it is fair to say that the
> use of telephone numbers in TV shows like CSI ("gee, he called X a lot, maybe we should too") is the comic book
> version of the use but not far from the mark. A law enforcement official once described it to me as "mapping criminal
> networks"; if Alice and Bob are known criminals that talk with each other, and both also talk regularly with Carol,
> Carol may simply be a mutual friend, but she might also be something else. Further, if Alice and Bob are known
> criminals in one organization, Dick and Jane are known criminals in another, and a change in communication patterns
> is observed - Alice and Bob don't talk with Dick or Jane for a long period, and then they start talking - it may
> signal a shift that law enforcement is interested in.

Yah, but that's all "non-content records"; it's a far cry from having to retain the body of every email, which is what 
he asked about.  As far as I know -- and I'm on enough tech policy lists that I probably would know -- nothing like 
that is being proposed.  That said, for a few industries -- finance comes to mind -- companies are required to do 
things like that by the SEC, but not ISPs per se.  See 
http://www.archivecompliance.com/Laws-governing-email-archiving-compliance.html for some details.


                --Steve Bellovin, https://www.cs.columbia.edu/~smb






