Mandatory Data Retention

Submitted by drupal on Mon, 2007/06/04 - 11:30am.
Summary

A recent proposal developed by Rep. Diana DeGette (D-Colo.) would require "each provider of Internet access services to retain records to permit the identification of subscribers to such services for appropriate law enforcement purposes." The proposal further states that "records shall . . . be retained for not less than one year after a subscriber ceases to subscribe to such services." Original reports suggested that the proposal would be offered as an amendment to a broad telecommunications bill in the House or as a stand-alone measure. However, the impetus for the legislation appears to be the combined influence of recently established broad data retention requirements in Europe and growing concerns about online child pornography in the U.S.

Rep. Joe Barton (R-Tex.) has recently been holding a series of hearings on "Sexual Exploitation of Children Over the Internet" where he has asked the Government whether or not such a measure would aid law enforcement in its investigations. Additionally, Attorney General Alberto Gonzales recently gave a speech where he declared that data retention by Internet service providers is an "issue that must be addressed." The United States Internet Service Providers Association has expressed concern about the impact of the proposal, emphasizing their intentions to continue to cooperate with law enforcement as part of child pornography investigations.

Analysis and Implications for Institutions of Higher Education

The proposal, as written, would place new data retention requirements on colleges and universities. The proposed language defines "Internet access service" as "a service that enables users to access content, information, electronic mail, or other services offered over the Internet, and may also include access to proprietary content, information, and other services . . . " Colleges and universities in most cases act as the Internet access service for their students, faculty, and staff.
The proposed language does not include "telecommunications services". The proposal would amend Title VII of the Communications Act of 1934 (47 U.S.C. 601 et seq.) and would require the Federal Communications Commission to develop corresponding regulations.

The most serious concern is the ambiguity regarding the data to be retained, ranging from subscriber information (name, address, etc.) to the identification of users associated with IP addresses to detailed logs of user behavior. The Center for Democracy and Technology has outlined a series of concerns with the current proposal that in large part reflect the interests of institutions of higher education. Most notable among the concerns are: 1) data retention laws could be burdensome and costly, 2) data retention laws are unnecessary as authority already exists to preserve records, and 3) data retention laws threaten personal privacy and pose an information security risk.

Recommendations

1) EDUCAUSE should informally survey its membership to better understand the range of data retention practices and policies currently in place and the implications of new mandatory data retention requirements.

2) The higher education policy community should continue to monitor the movement of this proposal, obtaining intelligence from Congressional staff, Department of Justice, USISPA, and other sources as necessary.

3) EDUCAUSE in collaboration with the higher education presidential associations should develop a policy position that reflects our ongoing commitment to assist law enforcement without unnecessarily burdening our member institutions or jeopardizing the privacy of our constituents. The position or corresponding legislative proposals should be presented to Congressional staff or Committee staff at the appropriate time.