question regarding US requirements for journaling public email (possible legislation?)

Steven Bellovin smb at cs.columbia.edu
Thu Jan 5 14:10:45 CST 2012


On Jan 5, 2012, at 2:16 PM, Fred Baker wrote:

> 
> On Jan 5, 2012, at 10:42 AM, William Herrin wrote:
> 
>> On Thu, Jan 5, 2012 at 10:56 AM, Eric J Esslinger <eesslinger at fpu-tn.com> wrote:
>>> His response was there is legislation being pushed in both
>>> House and Senate that would require journalling for 2 or 5
>>> years, all mail passing through all of your mail servers.
>> 
>> Hi Eric,
>> 
>> The only relatively recent thing I'm aware of in the Congress is the
>> Protecting Children From Internet Pornographers Act of 2011.
> 
> Since you bring it up, I sent this to Eric a few moments ago. Like you, IANAL, and this is not legal advice.
> 
>> From: Fred Baker <fred at cisco.com>
>> Date: January 5, 2012 10:46:30 AM PST
>> To: Eric J Esslinger <eesslinger at fpu-tn.com>
>> Subject: Re: question regarding US requirements for journaling public email (possible legislation?)
>> 
>> I don't know of anything on email journaling, but you might look into section 4 of the "Protecting Children From Internet Pornographers Act of 2011", which asks you to log IP addresses allocated to subscribers. My guess is that the concern is correct, but the details have morphed into urban legend.
>> 
>> http://www.govtrack.us/congress/billtext.xpd?bill=h112-1981
>> http://www.techdirt.com/articles/20110707/04402514995/congress-tries-to-hide-massive-data-retention-law-pretending-its-anti-child-porn-law.shtml
>> 
>> I'm not sure I see this as shrilly as the techdirt article does, but it is in fact enabling legislation for a part of Article 20 of the COE Cybercrime Convention http://conventions.coe.int/Treaty/en/Treaties/html/185.htm. US is a signatory. Article 21 is Lawful Intercept as specified in OCCSSS, FISA, CALEA, and PATRIOT. Article 20 essentially looks for retention of mail/web/etc logs, and in the Danish interpretation, maintaining Netflow records for every subscriber in Denmark along with a mapping between IP address and subscriber identity in a form that can be data mined with an appropriate warrant.
> 
> I can't say (I don't know) whether the Danish Police have in fact implemented what they proposed in 2003. What they were looking for at the time was that the netflow records would be kept for something on the order of 6-18 months. 
> 
> From a US perspective, you might peruse
> 
>    http://en.wikipedia.org/wiki/Telecommunications_data_retention#United_States
> 
> The Wikipedia article goes on to comment on the forensic value of data retention. I think it is fair to say that the use of telephone numbers in TV shows like CSI ("gee, he called X a lot, maybe we should too") is the comic book version of the use but not far from the mark. A law enforcement official once described it to me as "mapping criminal networks"; if Alice and Bob are known criminals that talk with each other, and both also talk regularly with Carol, Carol may simply be a mutual friend, but she might also be something else. Further, if Alice and Bob are known criminals in one organization, Dick and Jane are known criminals in another, and a change in communication patterns is observed - Alice and Bob don't talk with Dick or Jane for a long period, and then they start talking - it may signal a shift that law enforcement is interested in.
> 
Yah, but that's all "non-content records"; it's a far cry from having to retain the body of every email, which is what he asked about.  As far as I know -- and I'm on enough tech policy lists that I probably would know -- nothing like that is being proposed.  That said, for a few industries -- finance comes to mind -- companies are required to do things like that by the SEC, but not ISPs per se.  See http://www.archivecompliance.com/Laws-governing-email-archiving-compliance.html for some details.


		--Steve Bellovin, https://www.cs.columbia.edu/~smb








More information about the NANOG mailing list