On Jan 5, 2012, at 2:16 PM, Fred Baker wrote:

>
> On Jan 5, 2012, at 10:42 AM, William Herrin wrote:
>
>> On Thu, Jan 5, 2012 at 10:56 AM, Eric J Esslinger <eesslin...@fpu-tn.com>
>> wrote:
>>> His response was there is legislation being pushed in both
>>> House and Senate that would require journalling for 2 or 5
>>> years, all mail passing through all of your mail servers.
>>
>> Hi Eric,
>>
>> The only relatively recent thing I'm aware of in the Congress is the
>> Protecting Children From Internet Pornographers Act of 2011.
>
> Since you bring it up, I sent this to Eric a few moments ago. Like you,
> IANAL, and this is not legal advice.
>
>> From: Fred Baker <f...@cisco.com>
>> Date: January 5, 2012 10:46:30 AM PST
>> To: Eric J Esslinger <eesslin...@fpu-tn.com>
>> Subject: Re: question regarding US requirements for journaling public email
>> (possible legislation?)
>>
>> I don't know of anything on email journaling, but you might look into
>> section 4 of the "Protecting Children From Internet Pornographers Act of
>> 2011", which asks you to log IP addresses allocated to subscribers. My guess
>> is that the concern is correct, but the details have morphed into urban
>> legend.
>>
>> http://www.govtrack.us/congress/billtext.xpd?bill=h112-1981
>> http://www.techdirt.com/articles/20110707/04402514995/congress-tries-to-hide-massive-data-retention-law-pretending-its-anti-child-porn-law.shtml
>>
>> I'm not sure I see this as shrilly as the techdirt article does, but it is
>> in fact enabling legislation for a part of Article 20 of the COE Cybercrime
>> Convention http://conventions.coe.int/Treaty/en/Treaties/html/185.htm. US is
>> a signatory. Article 21 is Lawful Intercept as specified in OCCSSS, FISA,
>> CALEA, and PATRIOT. Article 20 essentially looks for retention of
>> mail/web/etc logs, and in the Danish interpretation, maintaining Netflow
>> records for every subscriber in Denmark along with a mapping between IP
>> address and subscriber identity in a form that can be data mined with an
>> appropriate warrant.
>
> I can't say (I don't know) whether the Danish Police have in fact implemented
> what they proposed in 2003. What they were looking for at the time was that
> the netflow records would be kept for something on the order of 6-18 months.
>
> From a US perspective, you might peruse
>
> http://en.wikipedia.org/wiki/Telecommunications_data_retention#United_States
>
> The Wikipedia article goes on to comment on the forensic value of data
> retention. I think it is fair to say that the use of telephone numbers in TV
> shows like CSI ("gee, he called X a lot, maybe we should too") is the comic
> book version of the use but not far from the mark. A law enforcement official
> once described it to me as "mapping criminal networks"; if Alice and Bob are
> known criminals that talk with each other, and both also talk regularly with
> Carol, Carol may simply be a mutual friend, but she might also be something
> else. Further, if Alice and Bob are known criminals in one organization, Dick
> and Jane are known criminals in another, and a change in communication
> patterns is observed - Alice and Bob don't talk with Dick or Jane for a long
> period, and then they start talking - it may signal a shift that law
> enforcement is interested in.
>

Yah, but that's all "non-content records"; it's a far cry from having to
retain the body of every email, which is what he asked about. As far as I
know -- and I'm on enough tech policy lists that I probably would know --
nothing like that is being proposed.

That said, for a few industries -- finance comes to mind -- companies are
required to do things like that by the SEC, but not ISPs per se. See
http://www.archivecompliance.com/Laws-governing-email-archiving-compliance.html
for some details.

--Steve Bellovin, https://www.cs.columbia.edu/~smb