The amount of data that Internet Service Providers (ISPs) retain regarding their users will increase if a new bill in the House of Representatives becomes law. That bill, coupled with a bill before the Senate that proposes high standards for the protection of sensitive personal electronic information, could significantly raise costs for ISPs and consumers, and result in more data insecurity, not less.
Controversy Regarding Data Retention Bill
The data retention bill has been ruffling feathers around the Internet since its introduction last week as part of the Republican "Law and Order Agenda." The bill, sponsored by Texas Republican Lamar Smith, focuses mainly on labeling requirements for pornographic websites. Buried within its text, however, is a section that would allow the Attorney General to issue regulations requiring ISPs to retain, at a minimum, the name and address that corresponds to every IP address or user identification assigned by the ISP.
The bill only sets a minimum, however, and the AG would have the capability to require ISPs to retain even more data, including traffic and location information, or even the content of electronic communications. This data would then be available under any court order requiring its production.
Potential Impact of Data Retention
This could potentially amount to a lot of data, especially since the bill contains no time limit for the storage. ISPs will likely have to add new equipment and procedures for storing all those ones and zeroes. This will mean added costs that will most likely be passed on to consumers and business, making Internet access a more expensive commodity.
That potential added cost could be even more if the Senate bill on data security for sensitive personal information also goes through. Senators Patrick Leahy (D-Vt.) and Bernie Sanders (I-Vt.) introduced the bill after a Vermont state agency suffered a breach of the financial data for at least 69,000 residents.
The Senate privacy bill would require business entities (other than those already covered by specific privacy laws, such as HIPAA) that collect "sensitive personally identifiable information" for over 10,000 people in the U.S. to provide "protection equal to industry standards, as identified by the Federal Trade Commission." The type of security would vary according to the particular type of data that the business gathers.
Personally Identifiable Information
The data that the House bill would require ISPs to keep could potentially fall under the Senate bill's definition of sensitive personally identifiable information, since the minimum requirements already include the user's name and address. If the AG's regulations require ISPs to retain communications, the contents of those communications could contain other elements of the definition, which would bring ISPs under the purview of the privacy act.
Consequently, implementing the industry standard security measures could cost a pretty penny, if the ISPs do not already have them in place.
Creating More Problems for Users?
Which brings up a good point: Many businesses that have experienced data breaches were operating at the industry standard for security when the breaches occurred. Thus, while the privacy act contains many admirable steps towards establishing stricter security requirements, data breaches will continue to occur.
Together with the retention act, the two bills would only create more problems for consumers. The House retention bill will create more data that will attract more data thieves. The Senate privacy bill, while containing good privacy measures, will not be able to prevent every data break-in, and will only increase the cost of doing business for ISPs yet again -- a cost, we may assume, that will very quickly shift to their customers.
Thus, the business and consumers that rely on ISPs for Internet access will have a greater likelihood of having sensitive information fall into the hands of cybercriminals if the retention act passes. And, under either bill, they'll probably have to pay more to get on the Internet as well.