A new set of bills suggested in the US House and Senate is here to reassure us that Congress-persons are completely at sea where technology is concerned.
The “Internet Stopping Adults Facilitating the Exploitation of Today’s Youth Act”, S.436 and H.R.1076, actually calls for some positive and useful initiatives. It adds criminal penalties for child pornography and exploitation of minors. It allocates additional funds for the FBI’s activities in these areas. These are good things, even if the implementers aren’t always completely rational and have to be watched. That’s what citizen participation is about.
However, as is frequently the case with technology bills written by non-technical bureaucrats, the bills go off the rails with regard to technical requirements. (From the THOMAS system at the Library of Congress)
Section 2703 of title 18, United States Code, is amended by adding at the end the following:
`(h) Retention of Certain Records and Information- A provider of an electronic communication service or remote computing service shall retain for a period of at least two years all records or other information pertaining to the identity of a user of a temporarily assigned network address the service assigns to that user.’.
On the face of it, this also seems fairly useful. Just like purveyors of other potentially harmful services, like car rentals, have to keep records, ISPs, WiFi providers and the like should probably be required to as well. The issue comes from the definition of “provider of electronic communication service.” From the US Code referenced above:
(15) “electronic communication service” means any service which provides to users thereof the ability to send or receive wire or electronic communications;
That’s right, any service. As written, the law applies to every home user with a DHCP server, which includes pretty much everyone who uses an internet router rather than plugging their computer straight into a DSL/Cable modem. Most of those routers a) don’t have the ability to keep logs for 2 years, and b) are a pain in the butt (at the least) to configure to store their logs on another computer or device. I think that most people won’t have a lot of data, since the law requires you to log identity, not net traffic, but a small but popular wi-fi hotspot (like a mom and pop coffee shop or such) could end up with a decent amount.
Quite aside from the expense implied by the law, which could range from trivial to substantial, is its uselessness. There really is no such thing as “identity” as it pertains to a DHCP server. The DHCP server records your MAC address and your computer’s hostname. However, the hostname can be changed at will, and it’s easy to spoof a MAC. Even without these facts, MAC addresses are not recorded in any sort of database linking them to owners. And they are linked to communications devices, not computers, so a group could be sharing a network card or other identifiable hardware. In short, this is a lot of expense and trouble for some people for a pretty feeble amount of usefulness. And we won’t even get into the additional resources and expense implied by having to log every single network request if one wants to be able to relate the remote requests to an individual user inside a private network, because if I don’t log every request, your trail will lead back to my router and I won’t be able to tell you who inside that network made that particular request. And woe betide you if you don’t have your network secured, because you have no way of knowing who belongs to a particular app if you don’t have to give them access directly.
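An added example, not part of the original post: a Python check over constructed lease records, assumed to follow dnsmasq's lease-file line layout, that shows how unstable the MAC and hostname fields are as an identity key. The locally-administered-bit test goes slightly beyond the text; all names and sample values are made up for illustration.

```python
import re
from collections import defaultdict

# Constructed sample records, one per lease event, in the assumed layout:
# <expiry-epoch> <mac> <ip> <hostname or *> <client-id or *>
SAMPLE_LEASES = """\
1236000000 00:1b:63:aa:bb:01 192.168.1.10 alices-laptop 01:00:1b:63:aa:bb:01
1236003600 00:1b:63:aa:bb:01 192.168.1.10 printer *
1236007200 02:5e:10:00:00:07 192.168.1.11 alices-laptop *
1236010800 00:16:cb:12:34:56 192.168.1.12 * *
"""

MAC_RE = re.compile(r"^[0-9a-f]{2}(:[0-9a-f]{2}){5}$")


def parse_leases(text):
    """Return one dict per well-formed lease line; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or not parts[0].isdigit():
            continue
        mac = parts[1].lower()
        if not MAC_RE.match(mac):
            continue
        host = None if parts[3] == "*" else parts[3]
        records.append({"expiry": int(parts[0]), "mac": mac,
                        "ip": parts[2], "hostname": host})
    return records


def is_locally_administered(mac):
    """Bit 0x02 of the first octet marks a MAC set in software, not by the vendor."""
    return bool(int(mac[:2], 16) & 0x02)


def identity_findings(records):
    """Summarise why these fields cannot anchor a retained 'identity'."""
    hosts_by_mac, macs_by_host = defaultdict(set), defaultdict(set)
    for r in records:
        if r["hostname"]:
            hosts_by_mac[r["mac"]].add(r["hostname"])
            macs_by_host[r["hostname"]].add(r["mac"])
    all_macs = {r["mac"] for r in records}
    return {
        "software_set_macs": sorted(m for m in all_macs if is_locally_administered(m)),
        "macs_with_many_hostnames": sorted(m for m, h in hosts_by_mac.items() if len(h) > 1),
        "hostnames_on_many_macs": sorted(h for h, m in macs_by_host.items() if len(m) > 1),
        "macs_without_hostname": sorted(all_macs - set(hosts_by_mac)),
    }
```

Every non-empty list in the result is a record that a two-year retention mandate would preserve without tying it to a person.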
I know that this will probably not be enforced on home users. However, I am sure it will be used as a bludgeon against home users. If you are suspected of some sort of illegal activity, I am sure this law would get tacked on to any other investigation. Sort of like broken taillights and other “warning” offenses on top of a speeding ticket, but much worse.
So, US readers, write your congress-beings and suggest that they take a hard look at this bill and alter it to exclude non-commercial networks from this clause.
(I was tipped off to these bills by CNet news.)