Reactions to the proposed Internet SAFETY Act

There’s a great deal of hand-wringing and outrage expressed over new legislation proposed in both the House and the Senate intended to add all sorts of requirements to Internet and other electronic communication service providers in order to do more to prevent trafficking in child pornography and generally protect children from exploitation over the Internet. The central point drawing a lot of attention is a provision in the Internet Stopping Adults Facilitating the Exploitation of Today’s Youth Act (“Internet SAFETY Act”) that requires any provider of an “electronic communication service” to log and maintain records about any users temporarily granted access to that service. According to many articles, the implication is that the law would impose record retention requirements not just on ISPs and wireless hotspot providers, but on individual home network users as well. It’s this last part that just doesn’t make sense.

The key passage in the text of the bills (both the House and Senate versions include the same wording in Section 5) is “Retention of Certain Records and Information – A provider of an electronic communication service or remote computing service shall retain for a period of at least two years all records or other information pertaining to the identity of a user of a temporarily assigned network address the service assigns to that user.” That’s the whole requirement. So to figure exactly what that means, you have to parse out the words and look at the official definitions of some key terms appearing in Title 18 of the US Code. One important definition is that of “electronic communication service”: electronic communication service means any service which provides to users thereof the ability to send or receive wire or electronic communications. (18 USC §2510 (15)) If you stop here, you might conclude that by standing up a wireless access point in your home, you become an electronic communication service provider. But in the same list of definitions is one for “electronic communication”: electronic communication means any transfer of signs, signals, writing, images, sounds, data, or intelligence of any nature transmitted in whole or in part by a wire, radio, electromagnetic, photoelectronic or photooptical system that affects interstate or foreign commerce (18 USC §2510 (12)) (emphasis added). No question this applies to an ISP, and most likely to public or paid network access providers including your local Starbucks. It’s another matter entirely to say that a decision by a home user to connect a few computers to an Internet access account provided by an ISP is affecting interstate commerce. It seems this interpretation would equate anyone who lets someone (family member, neighbor, intruder) connect to their home network to be considered the same as the ISP whose infrastructure the home network is attached to.

A separate point of contention arises from the term “temporarily assigned network address.” From a monitoring, investigation, and law enforcement perspective, you would expect this to mean an IP address that allows some association to be made between network activity and the computer performing that activity. For most home users, the network addresses assigned to client computers are “non-addressable” private network addresses (such as the familiar 10.x.x.x and 192.x.x.x). It’s unclear how tracking the assignment of these private addresses is of any investigative value, particularly without an accurate association to the device receiving the assignment, or more importantly the user controlling that device. The idea that a typical home user (most of whom can’t be bothered to learn enough to turn on the security features included in their routers) would be held to a) be aware of and b) keep persistent records to account for anyone intentionally or unintentionally connecting to the Internet through their home access point is a non-starter. Leaving all the valid privacy concerns completely out of the discussion, would anyone suggest that a consumer should be required to acquire the necessary technical acumen to maintain network access logs for their home? If not, perhaps the suggestion is that consumer network equipment vendors would need to build in these access logging features, enable them by default, and prevent consumers from turning them off?

Separate but related, several articles have also suggested that this rule would apply to VOIP communications over home and business networks, but the federal definition of electronic communication explicitly exclude any “wire or oral communication” so it seems pretty clear that VOIP phone calls are out of bounds. Regardless of legal interpretations on that issue, the reaction so far to this proposed legislation suggests that those in Congress would be wise to spell out more explicitly just who is and is not covered by the provisions in the bill, much as they have done for major oversight laws relevant to privacy like HIPAA, GLBA, Sarbanes-Oxley, FERPA, and COPPA.