Summary of Manager's Amendment to Data Retention Bill, 7/26/2011.

Summary of Manager's Amendment to Data Retention Bill

July 26, 2011. The House Judiciary Committee (HJC), which is scheduled to begin a three day mark up of bills on July 27, 2011. The first item on the agenda is HR 1981 [LOC | WW], the "Protecting Children from Internet Pornographers Act of 2011", also know as the data retention bill. The HJC released a manager's amendment on July 26, 2011.

The bill as introduced would create a mandate that all "electronic communication service" (ECS) and "remote computing service" (RCS) providers retain for 18 months "the temporarily assigned network addresses the service assigns to each account". For a summary of the bill as introduced, see story titled "Summary of HR 1981, Data Retention Bill" and "Summary of Existing Data Retention Mandates" both also in TLJ Daily E-Mail Alert No. 2,257, July 13, 2011.

The manager's amendment makes numerous significant changes. It reduces the minimum retention period from 18 to 12 months. It deletes the exemption for wireless service providers. It adds exemptions for not for a fee providers, such as coffee shops and libraries that offer free wireless connections. It adds an exemption for service not offered to the public. It clarifies that only internet access service providers are covered. It broadly expands the types of data that must be retained. It limits who can gain access to the data retained under the bill's mandate. It allows covered services providers six months to come into compliance with the data retention mandate.

The mark up session is scheduled to begin at 11:15 AM on Wednesday, July 27. The HJC usually takes up items in the order in which they are listed on the agenda.

Rep. Lamar Smith (R-TX), the Chairman of the HJC, introduced this bill on May 25, 2011. The HJC held a hearing on July 12, 201l. See, story titled "House Crime Subcommittee Holds Hearing on Data Retention Bill" in TLJ Daily E-Mail Alert No. 2,257, July 13, 2011.

The bill, even as amended by this manager's amendment, is full of undefined phrases and words, and fraught with vague meanings. Yet, it does not bear the attributes of hasty or inexpert authorship. Rather, it appears to be a careful and thoughtful work, drafted with calculated uncertainty, to give law enforcement authorities and prosecutors maximum interpretational leeway, and leverage over service providers.

What Data Must Be Retained. The manager's amendment addresses what data must be retained. The base bill provides that covered entities must retain "the temporarily assigned network addresses the service assigns to each account".

The manager's amendment provides that covered entities "shall retain ... a log of the temporarily assigned network addresses the provider assigns to a subscriber to or customer of such service that enables the identification of the corresponding customer or subscriber information under subsection (c)(2) of this section". (Language of the manager's amendment is shown in red.)

The data retention mandate is in Section 4 of the bill. The clause, "under subsection (c)(2) of this section", is not a reference to a subsection (c)(2) of section 4 of the bill. (There is not one.) Rather, this is a reference to subsection (c)(2) of 18 U.S.C. § 2703, which is the section of the Stored Communications Act (SCA) that requires disclosure of stored communications to the government. Section 4 of this bill amends Section 2703, by adding a new subsection (h).

(There is already one data retention mandate in Subsection 2703(f). See, story titled "Summary of Existing Data Retention Mandates" both also in TLJ Daily E-Mail Alert No. 2,257, July 13, 2011.)

Subsection 2703(c)(2) lists the things that and ECS or RCS must give to the government, if it has them. The manager's amendment, which lacks clarity, could be construed to mandate that covered service providers must collect the items on this (c)(2) list.

The list is "name", "address", "local and long distance telephone connection records, or records of session times and durations", "length of service (including start date) and types of service utilized", "telephone or instrument number or other subscriber number or identity, including any temporarily assigned network address", and "means and source of payment for such service (including any credit card or bank account number)." (Parentheses in original.)

Proponents of this bill have argued that when law enforcement authorities find child pornography (CP) online, they often have the photographic evidence, and internet protocol (IP) addresses, but not the identity of the person who used those IP addresses. The bill is necessary, they argue, to identify the user of those IP addresses.

For example, Rep. Smith wrote in his opening statement for the HJC's July 12 hearing that "Often, the only way to identify a pedophile who operates a website or exchanges child pornography images with other pedophiles is by an Internet Protocol address. Law enforcement officials must obtain a subpoena and then request from the Internet Service Provider the name and address of the user of the IP address."

However, if the manager's amendment requires retention of all the items on the (c)(2) list, then retention would go far beyond that required for the stated purpose of the bill. For example, the (c)(2) list includes phone call records.

Also, mandating the retention of names, addresses, phone numbers, bank account numbers, and credit card numbers would require service providers to build and maintain a treasure trove of information for hackers and other data thieves intent on committing large scale financial fraud.

Shall Retain. The bill as introduced, and the manager's amendment, use the words "shall retain". This is another undefined phrase, and another component of the bill that may lead to conflicting interpretations.

Proponents of the bill have discussed retention as the act of not destroying or deleting data or records already in the service provider's possession.

However, the actual language of the bill may give rise to the argument (which is likely to be advanced by law enforcement and prosecutorial entities) that "shall retain" both requires that certain data be collected and stored, whether or not the service provider wants to do so, or whether or not it has done so in the past, and that once so collected and stored, not be destroyed or deleted for the minimum time period.

That is, the bill may entail two mandates: to collect data, and to keep that data for one year.

Regulated Entities. While the bill as introduced exempted wireless providers, the manager's amendment expands the class of covered entities by dropping that exemption.

In addition, the manager's amendment narrows the covered entities from all ECS and RCS providers, which are broad and ambiguous terms, to any "commercial provider of an electronic communication service".

The manager's amendment defines this as "a provider of electronic communication service that offers Internet access capability for a fee to the public or to such classes of users as to be effectively available to the public, regardless of the facilities used".

This definition has several key components. First, the clause, "for a fee", would exempt coffee shops, libraries, hotels and other entities that provide internet access service at no charge. However, if those same coffee shops, libraries and hotels charged for internet access, then they may be required to collect, store and retain data on their customers. Notably, many of these entities would not collect certain data but for the mandate. For example, a coffee shop that charges for internet access may also have to collect personal information from the customer.

The clause, "offers Internet access", provides that the mandate applies only to internet access service providers, and not to any current or future service that makes use of IP numbers that the government could assert is an ECS or RCS.

The clause, "to the public", would appear to exempt private services. However, the bill does not elaborate, or provide a definition.

Limitation on Who Can Access Retained Data. Next, the base bill imposes no limitations upon who can obtain access to the data retained pursuant to the mandate of the bill. Such data would be business records, and available to a wide range of requestors in civil, criminal and administrative proceedings or investigations.

The manager's amendment provides that "Access to a record or information required to be retained under this subsection may not be compelled by any person or other entity that is not a governmental entity".

This clause may be in need of clarifying language, first to make clear that the bill preempts state procedural law to the contrary, and second to make clear that in private litigation, when a litigant who obtains a subpoena or discovery order from a court, that does not qualify as compulsion by "a governmental entity".

Financial Institutions. The base bills also contains provisions related to the targeting of financial institutions. The base bill would add a new section to the criminal code, to be codified at a new 18 U.S.C. § 1960A, that would provide that "Whoever knowingly conducts, or attempts or conspires to conduct, a financial transaction (as defined in section 1956(c)) in or affecting interstate or foreign commerce, knowing that such transaction will facilitate access to, or the possession of, child pornography (as defined in section 2256) shall be fined under this title or imprisoned not more than 20 years, or both." (Parentheses in original.)

The manager's amendment adds that "This section does not apply to a financial transaction conducted by a person in cooperation with, or with the consent of, any Federal, State, or local law enforcement agency".

The testimony at the HJC's July 12 hearing revealed CP is being distributed via peer to peer file sharing, and not by commercial transactions. Hence, there is no articulated reason for including a section targeting financial institutions, even as amended.