Sunday, July 01, 2012

Companies may think they need to track to meet government security requirements; new bill HR 1981 requires keeping of customer logs


Electronic Frontier Foundation has another important discussion of the purpose of “do not track”.
  
On June 28, the Senate Commerce Committee took up the top (particularly the browser flag), with a number of industry experts.  Bob Liodice, of the National Association of Advertisers, was an important speaker, and surprised everyone by admitting (or claiming) that sites need to track for “cybersecurity”.  That’s a distance from the more common argument that tracking and targeting ads are an essential basis for the Internet’s business model of encouraging free and user-generated content.

Rainey Reitman and Lee Tien (who was my advisor on the COPA trial) authored the article, here
  
Liodice’s remarks may sound more understandable because the government is always toying with eroding the “downstream liability” exemptions of service providers (essential to the Internet “as we know it”) by deputizing them as copyright police, and as an adjunct to intelligence or deep law enforcement operations.
  
There’s another alarming new bill on the horizon, H.R. 1981, the “Protecting Children from Internet Pornographers Act of 2011”, introduced by Lamar Smith (R-TX), govtrack reference here

One of the troubling proposals here is that service providers would have to maintain a log of “temporarily assigned network addresses”, which could be used to identify people, although unreliably, as in intelligence investigations (particularly with respect to Wikileaks).  The process of expanding from IPv4 to v6 complicates the issue. 

Generally, when people visit any website or view any information, they don’t expect the publisher or distributor to record their consumption.  (You don’t want an author to know you bought his book, sometimes, and that is your right.  You don’t always want to make public what movies you saw, unless you have a movie review blog like mine (or Roger Ebert’s)).   Yet, webmasters have access to website log files that identify IP addresses, specific web site objects retrieved, search arguments used, and sometimes exit behaviors (and time of visit).  This was interesting to me (for “forensic” investigation of “what must have happened”) after an incident in 2005 regarding one of my sites when I was a substitute teacher.

Under HR 1981, my ISP probably would have been required to keep this log (for at least one year). 

No comments: