Retention of transactional Web browsing data

There has always been a lower stan­dard for access by law enforce­ment to so-​​called “trans­ac­tional data.” The the­ory is that data vol­un­tar­ily pro­vided to a com­pany in order to com­plete a trans­ac­tion — like a phone num­ber given to a phone com­pany for the pur­poses of call­ing some­one — are not sub­ject to the same expec­ta­tion of pri­vacy as the actual con­tent of that tele­phone conversation.

After all, you vol­un­tar­ily pro­vided the infor­ma­tion, know­ing that some­one else would learn it, use it, and pos­si­bly store it. Thus, your level of Fourth Amendment pro­tec­tion is less­ened, and no war­rant is required (although typ­i­cally a sub­poena or sim­i­lar legal doc­u­ment is used).

This con­cept is well-​​established in the realm of tele­phony: since 1986, 47 C.F.R. § 42.6 has required tele­phone car­ri­ers to main­tain such trans­ac­tional records for 18 months.

So it should come as no sur­prise that the FBI has been seek­ing sim­i­lar reten­tion of trans­ac­tional data for Internet communications:

The FBI is press­ing Internet ser­vice providers to record which Web sites cus­tomers visit and retain those logs for two years.

via FBI wants records kept of Web sites vis­ited | Politics and Law — CNET News.

Exactly what would con­sti­tute such data is less, clear, how­ever. Would it include IP addresses on both ends, times, num­ber and length of con­nec­tions? This infor­ma­tion, while poten­tially vast, can be retained rel­a­tively eas­ily and requires lit­tle work to access. It is very sim­i­lar to the data retained for tele­phone con­ver­sa­tions, since this kind of infor­ma­tion is required to be exchanged with inter­me­di­aries (like ISPs) in order to use the Internet. (That many peo­ple don’t know this might, how­ever, speak to the ques­tion of rea­son­able expec­ta­tions of pri­vacy.)

Much more prob­lem­atic and reveal­ing would be actual Web pages viewed. Arguably, these are shared openly, but access­ing them does require packet inspec­tion beyond the sur­face, and equally most peo­ple likely have a greater expec­ta­tion of pri­vacy in that infor­ma­tion. But should they? Most sites log their vis­its, and tie in IP and cookie data to iden­tify indi­vid­u­als as best they can. Thus, is this data really pri­vate? Do you really expect it to be? Should you?

Specific and detailed pri­vacy laws tar­get­ing mod­ern tech­nol­ogy would help, but for now we’re work­ing with what we’ve got. And that makes it very likely that the FBI will get what they want — and per­haps that’s OK? Privacy rights and the Fourth Amendment are always about bal­anc­ing, not absolutes — so per­haps this is an appro­pri­ate bal­ance to deal with com­puter crimes with­out over-​​burdening everyone?

Related arti­cles by Zemanta

• FBI Pushing For 2 Year Retention of Web Traffic Logs (yro​.slash​dot​.org)
• FBI “tech­ni­cally vio­lated” wire­tap laws for years (inpro​pri​a​per​sona​.com)
• Applying the Fourth Amendment to data in the cloud (inpro​pri​a​per​sona​.com)