Posted by: Troy Tate
There is a recent bill introduced in both the House and Senate to strengthen current legislation addressing online child predators. The bill is known as the ‘Internet Stopping Adults Facilitating the Exploitation of Today’s Youth (SAFETY) Act of 2009’. There are several provisions in the proposed bill, but there is one that causes me to stop and wonder how effective the legislation will really be.
The particular section I am referring to is shown below.
SEC. 5. RETENTION OF RECORDS BY ELECTRONIC COMMUNICATION SERVICE PROVIDERS.
Section 2703 of title 18, United States Code, is amended by adding at the end the following:
‘(h) Retention of Certain Records and Information- A provider of an electronic communication service or remote computing service shall retain for a period of at least two years all records or other information pertaining to the identity of a user of a temporarily assigned network address the service assigns to that user.’.
This section places a lot of responsibility on the “provider of an electronic communication service or remote computing service.” Where does this actual responsibility lie? Is it with the ISP (top end – think AT&T) or is it with the reseller or the commercial user of that reseller’s services? Does this include your organization or mine?
What I am also concerned about is the requirement to track the “identity of a user of a temporarily assigned network address the service assigns to that user.” Is the address assigned to a user or a device? Can it be confirmed who the actual user of the device was at the time of the event(s) in question? Wiretapping is one thing with voice recognition, but how can you tell who was specifically using a device at a particular time? Sure, there might be system logs showing who was logged in, but what was the authentication method? Was it just username & password? How strong is that as evidence?
I hope this bill to update the law gets some very careful consideration about the definitions and what identity really means in this case. It seems like the intent is to gain better documentation, but I don’t think this particular language or technology is ready to support this.
Thanks for reading & let’s continue to be good network citizens.