Proposed Child Pornography Laws Raise Data Retention Concerns

However, industry observers complain that the proposed changes are unclear and hard to enforce, and completely change the way subscriber information is retained.

Rep. Lamar Smith (R-Texas) and Sen. John Cornyn (R-Texas) jointly introduced legislation requiring Internet service providers to retain subscriber information for up to two years.

The Internet Stopping Adults Facilitating the Exploitation of Today's Youth (SAFETY) Act of 2009 is covered in the House version by Smith as H.R. 1076 and in the Senate version by Cornyn as S.436.

The two officially unveiled the bills to the public on Thursday.

Smith, in a statement on his Web site, cited issues with graphic child pornography as the reason for the bills.

"Of the nearly 600,000 images of graphic child pornography found online and reported to law enforcement officials, only 2,100 of these children have been identified and rescued... Investigators need the assistance of Internet Service Providers to identify users and distributors of online child pornography," Smith wrote in his statement.

Cornyn released a statement in which he cited the move by MySpace to identify and remove about 90,000 sex offenders from its Web site as a reason for the need for the bills.

"While the Internet has generated many positive changes in the way we communicate and do business, its limitless nature offers anonymity that has opened the door to criminals looking to harm innocent children. Keeping our children safe requires cooperation on the local, state, federal and family level," Cornyn wrote in his statement.

The Internet Safety Act aims to change Title 18 of the United States Code in a number of ways.

One key provision of the bills reads, "Whoever knowingly conducts, or attempts or conspires to conduct, a financial transaction ... knowing that such transaction will facilitate access to, or the possession of, child pornography" shall be fined and/or imprisoned not more than 20 years.

Another reads, "Whoever, being an Internet content hosting provider or email service provider, knowingly engages in any conduct the provider knows or has reason to believe facilitates access to, or the possession of, child pornography" shall be fined and/or imprisoned not more than 10 years.

Several government observers and bloggers say that a problem with these provisions is that the definition of "Internet service provider" is so vast that it can include anyone with a Wi-Fi hotspot.

Another key provision reads that providers of electronic communication or remote computing services must "retain for a period of at least two years all records or other information pertaining to the identity of a user of a temporarily assigned network address the service assigns to that user."

Berin Szoka, fellow and director of the Center for Internet Freedom at the Progress and Freedom Foundation, a Washington, D.C.-based nonprofit educational research think tank focused on the digital revolution, said the bills do not discriminate between commercial ISPs and other Wi-Fi hotspot providers.

Furthermore, he said, they lack information about fines to enforce the retention of data.

"This is a new thing," he said. "Instead of on a case-by-case basis, it makes ISPs or anyone with a Wi-Fi hotspot retain data on an ongoing basis. But because this includes a large number of people, you need to ask, 'What is the penalty for not retaining the data?' It doesn't specify the penalties for ignoring the two-year retention requirement."

More important is the change in how ISPs retain data on subscribers, said Sidney Rosenzweig, visiting fellow at the Progress and Freedom Foundation.

Current government regulations do not require ISPs to retain data about subscribers except on a case-by-case basis, Rosenzweig said.

"Instead, the government can send a letter to an ISP to tell them to retain the information for 90 days," he said. "This buys the government enough time to get a subpoena or a warrant. ISPs are not currently required to retain information unless they are actually requested to do so by the government."

At a higher level, Szoka said, is how the bills seem to contradict other trends in data retention. For instance, he cited Facebook's recent move to change its terms of service in the face of protests that the company wanted to own all the content created by its users.

"It's ironic that the government is trying to impose new data requirements at the same time when others are trying to get companies to retain less data," he said. "Look at the Facebook brouhaha. Now the government is coming and setting a minimum retention, not a maximum."