Summary of HR 1981, Data Retention Mandate Bill

July 12, 2011. Rep. Lamar Smith (R-TX) and Rep. Debbie Schultz (D-FL) introduced HR 1981 [LOC | WW], the "Protecting Children from Internet Pornographers Act of 2011", on May 25, 2011.

The House Judiciary Committee's (HJC) Subcommittee on Crime, Terrorism and Homeland Security held a hearing on this bill on July 12. See, related story in this issue titled "House Crime Subcommittee Holds Hearing on Data Retention Mandate Bill".

Background on ECPA and SCA. The Electronic Communications Privacy Act (ECPA), which was enacted in 1986, includes the Stored Communications Act (SCA). The data retention provisions of HR 1981 contain amendments to the SCA.

The Congress has amended various parts of the ECPA since 1986, but the ECPA has not kept pace with technological changes. The terms used in the ECPA were included in 1986 based upon the drafters' understanding of technologies that existed in 1986. Law enforcement agents and prosecutors now rely on these 1986 terms when dealing with new technologies not foreseen when the ECPA was drafted.

This bill does nothing to address underlying obsolescence of the ECPA. It adds to the foundation of the ECPA, without clarifying what that foundation means in the context of new technologies developed since 1986, or in the context of the new mandates that would be imposed by this bill.

In March of 2010 a coalition named Digital Due Process (DDP) announced a set of four principles which the DPP members argue should be incorporated into the federal statutes that regulate government searches and seizures of stored communications and data.

These DPP principles state, for example, that the "government should obtain a search warrant based on probable cause before it can compel a service provider to disclose a user's private communications or documents stored online" and it "should obtain a search warrant based on probable cause before it can track, prospectively or retrospectively, the location of a cell phone or other mobile communications device".

See also, story titled "Digital Due Process Coalition Proposes Changes to Federal Surveillance Law" in TLJ Daily E-Mail Alert No. 2,068, March 31, 2010.

Law enforcement entities, and particularly the Department of Justice (DOJ), oppose such principles. Moreover, the DOJ opposes the notion of clarity. It exploits uncertainty to exercise broader powers to obtain intercepts and data, and under lesser standards.

Hence, while there have been repeated calls for updating the ECPA for years, neither the House nor the Senate, nor the HJC or Senate Judiciary Committee (SJC), have passed an ECPA reform bill.

Data Retention Mandate. The bill would amend 18 U.S.C. 2703, which is the section of the SCA that requires disclosure of stored communications to the government. HR 1981 would also require the retention and storage of certain data.

There are already two data retention mandates. See, related story in this issue titled "Summary of Existing Data Retention Mandates". HR 1981 would greater expand the requirements imposed upon service providers.

It would add a new subsection (h): "Retention of Certain Records -- A provider of an electronic communication service or remote computing service shall retain for a period of at least 18 months the temporarily assigned network addresses the service assigns to each account, unless that address is transmitted by radio communication (as defined in section 3 of the Communications Act of 1934)." (Parentheses in original. In this article, language that would be added by HR 1981 is shown in red.)

This provision only requires retention of the IP addresses assigned to an account. A service provider has the name and other account information of its subscribers. Proponents argue that this bill does not require disclosure of content.

However, a law enforcement official or other person requesting retained data would possess an IP address of an internet user, and information regarding content on the web. The requestor who obtains retained data from the service provider would then be able to associate content with a particular user. In this sense, this bill is content related.

This provision exempts wireless service providers. This exemption is inconsistent with the stated purpose of the bill, because people are using their internet connected cell phones and other wireless devices to view child pornography (CP).

This bill imposes its data retention mandate on any "electronic communications service" (ECS) and "remote computing service" (RCS) provider. These 1986 terms are no longer clear, and in the hands of a DOJ lawyer, could be quite elastic and expansive. It should be noted that the definitions, which are found mainly in 18 U.S.C. 2510, provide that this data retention mandate would apply to a "paging device", "tracking device", and "electronic funds transfer information".

Section 2510 also provides that the term "electronic communications system" means "any wire, radio, electromagnetic, photooptical or photoelectronic facilities for the transmission of wire or electronic communications, and any computer facilities or related electronic equipment for the electronic storage of such communications".

18 U.S.C. 2711 provides that the term "remote computing service" means "the provision to the public of computer storage or processing services by means of an electronic communications system".

Innovative developers are including internet connectivity into, and assigning IP addresses to, all manner of devices. The proponents of this bill speak about individuals who look at CP by using their computers and laptops with broadband internet access service (BIAS). However, nothing in this bill states that only BIAS providers (or even BIAS and dial-up service providers) are required to save data for 18 months. The DOJ could seek to compel any entity that it asserts is either an RCS or ECS provider to retain data.

This bill could be amended to clarify whether it would only impose data retention mandates on internet access service providers, or also apply to other services providers, including voice over internet protocol service providers, e-mail service providers, or providers of text based services.

Immunity. HR 1981 would amend 18 U.S.C. 2703 by inserting the words "retaining records or" into subsection (e). This is the provision that provides immunity for providing law enforcement entities stored information.

As amended, this section would provide that "No cause of action shall lie in any court against any provider of wire or electronic communication service, its officers, employees, agents, or other specified persons for retaining records or providing information, facilities, or assistance in accordance with the terms of a court order, warrant, subpoena, statutory authorization, or certification under this chapter."

Similarly, this bill would also amend 18 U.S.C. 2707 by adding to subsection (e)(1) the phrase "or the requirement to retain records under section 2703(h)".

As amended, this section would provide that "A good faith reliance on (1) a court warrant or order, a grand jury subpoena, a legislative authorization, or a statutory authorization (including a request of a governmental entity under section 2703(f) or the requirement to retain records under section 2703(h) of this title) ... is a complete defense to any civil or criminal action brought under this chapter or any other law."

These are inducements to service providers to diligently retain data, and to follow instructions from the DOJ.

They are also an inducement to support this bill, because they could immunize service providers from a broad range of claims. For example, if this bill were enacted, a service provider retained data, and a hacker accessed that data, and injured subscribers sued the service provider, the service provider would assert this immunity provision as a defense.

Just as this bill builds onto the ECPA without addressing the obsolescence of the ECPA, it imposes broad data retention mandates without addressing data security or privacy.

Similarly, if the DOJ were to make broad demands, either regarding services covered, or data to be retained, legal counsel for the service provider would have little incentive to scrutinize the underlying legality of the demands, because of this grant of immunity.

There is perhaps some comparison to made between these clauses, and the legislative grant of immunity in 2008 to service providers who were sued after cooperating with the government in facilitating surveillance under the Foreign Intelligence Surveillance Act (FISA). The plaintiffs and other critics of that surveillance program asserted that its was an illegal warrantless wiretap program. That immunity was enacted in HR 6304 (110th Congress), the "FISA Amendments Act of 2008", Public Law No. 110-261, at Title II, Section 201.

That act provides that "Notwithstanding any other provision of law, a civil action may not lie or be maintained in a Federal or State court against any person for providing assistance to an element of the intelligence community, and shall be promptly dismissed, if the Attorney General certifies to the district court of the United States in which such action is pending that ..."

Access to Retained Data: No Limitations on Purposes. The title of this bill, "Protecting Children from Internet Pornographers Act", is not descriptive of its consequences. Mandating data retention would assist law enforcement officers and prosecutors in tracking down and obtaining convictions of men of look at CP on their desktop and laptop computers. However, this would likely be only a minor consequence of the bill.

It would enable law enforcement officers and prosecutors to access retained data to investigate all types of activity, not just those related to sex or CP.

It should be recalled that DOJ officials sought and obtained many broad new surveillance powers in the huge bill that was enacted rapidly after the terrorist attacks of September 11, 2001. The DOJ officials argued that the new powers were necessary to fight terrorism. The bill was named the "USA PATRIOT Act" to assert its terrorism related purpose.

However, statistical data on use of some of the provisions of the 2001 Act, such as sneak and peak searches, reveal that the DOJ has used that new power almost exclusively in non-terrorism related cases.

It is possible that the data retention mandate of HR 1981 could be enacted under the guise of fighting CP, and then used extensively, and almost exclusively, for other purposes.

Sneak and peak is the common term for the authority contained in  213 of the "Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act of 2001". It was passed by the 107th Congress as HR 3162. It became Public Law 107-56 on October 26, 2001.  213 pertains to "Authority for delaying notice of the execution of a warrant".

It was not one of the sunsetted provisions. However, it was controversial, and some legislators, such as former Sen. Russ Feingold (D-WI), sought for years to attach a sunset provision to it.

It would be very easy to impose a limit on purposes. HR 1981 could be amended with a clause that lists predicate offenses for the issuance of a court order, or administrative subpoena, that authorizes access to retained data. See for example, 18 U.S.C. 2516, regarding predicate offenses for the issuance of a wiretap order.

Access to Retained Data: No Limitations on Who Can Access Retained Data. HR 1981 merely requires service providers to retain data. It imposes no limitations upon who can then obtain access to that data. Such data would be business records, and available to a wide range of requestors in civil, criminal and administrative proceedings or investigations.

This mandate would benefit federal, state and local governments agencies that seek such data.

Also, with the US entering into more and more, and broader, international law enforcement cooperation agreements, it would expand the power of foreign governments to surveil the activities of people in the U.S., or who use U.S. based services.

Nor would anything in the bill prevent civil litigants from subpoenaing retained data. It could be requested in tort cases, contract disputes, or divorce actions.

Corporations and public figures could seek such retained data to attempt to learn who is engaging in First Amendment protected activities that is critical of such corporations or public figures. Employers could seek retained data in litigation arising out of termination of employment.

There is also the matter of the cost and inconvenience to the service providers of complying with the torrent of subpoenas that would follow the enactment of a data retention mandate without a limitation upon those who can subpoena the data.

Access to Retained Data: No Requirement for Judicial Involvement. HR 1981 imposes a data retention mandate, but does not address how the DOJ or any other person or entity can obtain such retained data.

The SCA addresses how one obtains stored content under the SCA. But, the SCA is basically a statute regarding protection of stored content of the subscriber, and government access to that stored content. In contrast, the data which must be retained under HR 1981 would be business records of the service provider.

Current law allows the Attorney General to issue administrative subpoenas in CP investigations. But, the data that would be retained under the bill would likely be sought mostly for other matters.

The bill is silent regarding whether or when a court order would be required for accessing data retained pursuant to this bill, and if so, what standards the court would apply, and when and under what circumstances the subscriber would be notified of the order and the seizure of the data.

Access to Retained Data: Administrative Subpoenas. This bill would change the administrative subpoena process for obtaining access to retained data, as well as other records and testimony. The Attorney General already has authority to issue administrative subpoenas to investigate CP.

This bill would also give administrative subpoena power to the Unites States Marshals Service (USMS) to investigate unregistered sex offenders. The USMS is the unit of the DOJ that protects courts, judicial personnel, and judicial processes, and finds and arrests fugitives. This bill would not extend administrative subpoena authority to anyone to access the data retained by service providers for purposes unrelated to sex crimes.

18 U.S.C. 3486 already provides that "In any investigation of ... a Federal offense involving the sexual exploitation or abuse of children, the Attorney General ... may issue in writing and cause to be served a subpoena requiring the production and testimony" that is "relevant to the investigation".

This section also enumerates the offenses that involve "sexual exploitation or abuse of children". It includes 18 U.S.C. 2252 and 18 U.S.C. 2252A, which are the two main sections used to prosecute people who distribute or view child pornography online.

HR 1981 provides that the USMS shall also "issue administrative subpoenas in accordance with section 3486 of title 18, solely for the purpose of investigating unregistered sex offenders". It adds that "sex offender" means "an individual required to register under the Sex Offender Registration and Notification Act".

This section might be employed, not only to further a targeted investigation directed at one individual, but also to engage in broad and periodic data aggregation activities by the USMS.

Online Financial Transactions. Law enforcement entities long ago shut down brick and mortar commercial CP sales operations. But then, the development and widespread adoption of the internet provided a new venue for commercial CP operations.

However, in recent years, groups such as the National Center for Missing & Exploited Children (NCMEC) and the Financial Coalition (which includes banks, credit card companies, electronic payment networks, third party payments companies and internet access providers), working with law enforcement entities, have largely shut down commercial CP distribution on the internet.

Ernie Allen, head of the NCMEC, wrote in his prepared testimony [PDF] for the July 12 hearing that "What once was believed to be a multi-billion dollar global industry has recently been estimated to be less than a million dollar a year industry worldwide". He made similar statements in response to questions.

CP is still being viewed, but via free platforms, particularly through peer to peer file sharing programs.

Yet, despite these developments, HR 1981 includes sections that appear on their face to target financial intermediaries to commercial CP transactions. That is, they address a problem that has already been solved.

Allen, who is often regarded by members of Congress as an authority on fighting CP, expressed concern about the provision, which is set out below. He said that voluntary action has had a dramatic effect, and he is concerned that this provision could change that.

First, the bill would add a new section to the criminal code, to be codified at a new 18 U.S.C. 1960A, that would provide that "Whoever knowingly conducts, or attempts or conspires to conduct, a financial transaction (as defined in section 1956(c)) in or affecting interstate or foreign commerce, knowing that such transaction will facilitate access to, or the possession of, child pornography (as defined in section 2256) shall be fined under this title or imprisoned not more than 20 years, or both." (Parentheses in original.)

This new section would come immediately after 18 U.S.C. 1960, which prohibits unlicensed money transmitting businesses.

Second, the bill would add several crimes to the list of predicate offenses for money laundering under 18 U.S.C. 1956. (CP under 18 U.S.C. 2252A is already on the list.) The bill would add the proposed Section 1960A.

One possible consequence of enactment of these provisions of HR 1981 would be that the DOJ might use them to stop financial intermediaries from processing financial transaction in which a registered sex offender attempts to purchase a computer, or seeks to subscribe to broadband internet access.

If such a program were implemented, members of Congress, and the organized interests that lobby the Congress, might seek to apply a similar regime to persons convicted of violation of other internet related crimes, such as hacking under 18 U.S.C. 1030, or criminal copyright infringement under 17 U.S.C. 506 and 18 U.S.C. 2319.

Non-Technology Related Changes to CP Law. HR 1981 also includes some changes to CP law that do not implicate information or communications technologies.

It would provide for increased prison time. It would raise the maximum prison sentence under both 18 U.S.C. 2252 and 18 U.S.C. 2252A for mere viewing of CP online (first time possession with intent to view) to 20 years.

The bill would also direct the U.S. Sentencing Commission to amend its guidelines and policies to cause CP offenders to receive longer prison sentences.

Finally, HR 1981 would amend 18 U.S.C. 1514 which pertains to "Civil action to restrain harassment of a victim or witness". Like the data retention mandate, it could assist the investigation of CP cases, but likely would be used in other situations.

The bill would amend this section to provide that "the court shall issue a protective order prohibiting harassment or intimidation of the minor victim or witness if the court finds evidence that the conduct at issue is reasonably likely to adversely affect the willingness of the minor witness or victim to testify or otherwise participate in the Federal criminal case or investigation".

The bill does not elaborate, but "protective order" would include such things as removing children from the home of a person under investigation. Such orders would be issued ex parte, without notice or opportunity to be heard. The grounds would be minimal, such as "fear or apprehension". The bill also would create a rebuttable presumption in favor of the government, but in an ex parte hearing, there is no one present to rebut.

Children and adult family members of persons under investigation may have a reluctance to provide truthful information to law enforcement agencies that would contribute to a conviction of a family member. This provision would assist law enforcement agencies in overcoming such a reluctance.

On the other hand, children and adult family members of persons under investigation may have a reluctance to provide false or perjurious information to law enforcement agencies that would contribute to a wrongful conviction of a family member. This provision would assist overzealous law enforcement agencies in overcoming such a reluctance.

The Wenatchee, Washington prosecutions of the 1990s serve as the leading example of overzealous law enforcement in child sex cases, See for example, July 31, 2001, story in the Seattle Post Intelligencer titled "Jury finds city, county negligent in child sex ring case", and Wikipedia article titled "Wenatchee child abuse prosecutions".