Thursday, July 28, 2011

New snooping bill: What could possibly go wrong?

House panel approves broadened ISP snooping bill:

"Internet providers would be forced to keep logs of their customers' activities for one year--in case police want to review them in the future--under legislation that a U.S. House of Representatives committee approved today.

The 19 to 10 vote represents a victory for conservative Republicans, who made data retention their first major technology initiative after last fall's elections, and the Justice Department officials who have quietly lobbied for the sweeping new requirements, a development first reported by CNET.

A last-minute rewrite of the bill expands the information that commercial Internet providers are required to store to include customers' names, addresses, phone numbers, credit card numbers, bank account numbers, and temporarily-assigned IP addresses, some committee members suggested. By a 7-16 vote, the panel rejected an amendment that would have clarified that only IP addresses must be stored."
Let's think this through (hey, somebody has to!):

  • This is billed as a "protecting children from pornography" act. Where is the official double-speak justification on this? What part of this could even theoretically protect any kid from pornography? Did the spin-doctor on duty call in sick?
  • This is going to be made available for "police investigating any crime and perhaps attorneys litigating civil disputes in divorce, insurance fraud, and other cases as well". Are we feeling secure yet?
  • Every other monitoring system of this sort has been abused on a systematic basis.
  • Who is going to be paying for this? I see a $6.99/month "snooped data retention" fee coming to a statement near you soon!
  • The ISP is supposed to be capturing credit card numbers, bank account numbers and personal information, which raises questions such as:
    • Who is going to be responsible for storing and safeguarding this information?
    • Can you imagine what kind of tasty target it would be for a criminal? How many credit card transactions are flowing through Comcast's network every day?
    • Are the ISPs going to be held to the same data confidentiality laws as everybody else? I see PCI, HIPAA and a few others jump out as being applicable here. Who is going to audit these systems to ensure compliance?
    • (Luckily) nearly every website these days uses HTTPS for credit card transactions. How is an ISP supposed to capture this information on the wire?
There are so many things wrong with this idea, and they haven't even started implementing it yet.