[148211] in North American Network Operators' Group
Re: question regarding US requirements for journaling public email
daemon@ATHENA.MIT.EDU (Steven Bellovin)
Thu Jan 5 15:11:53 2012
From: Steven Bellovin <smb@cs.columbia.edu>
In-Reply-To: <D830B8FE-4703-46E6-802C-8A9A0A401D3D@cisco.com>
Date: Thu, 5 Jan 2012 15:10:45 -0500
To: Fred Baker <fred@cisco.com>
Cc: "nanog@nanog.org" <nanog@nanog.org>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
On Jan 5, 2012, at 2:16 PM, Fred Baker wrote:
> 
> On Jan 5, 2012, at 10:42 AM, William Herrin wrote:
> 
>> On Thu, Jan 5, 2012 at 10:56 AM, Eric J Esslinger <eesslinger@fpu-tn.com> wrote:
>>> His response was there is legislation being pushed in both
>>> House and Senate that would require journalling for 2 or 5
>>> years, all mail passing through all of your mail servers.
>> 
>> Hi Eric,
>> 
>> The only relatively recent thing I'm aware of in the Congress is the
>> Protecting Children From Internet Pornographers Act of 2011.
> 
> Since you bring it up, I sent this to Eric a few moments ago. Like you, IANAL, and this is not legal advice.
> 
>> From: Fred Baker <fred@cisco.com>
>> Date: January 5, 2012 10:46:30 AM PST
>> To: Eric J Esslinger <eesslinger@fpu-tn.com>
>> Subject: Re: question regarding US requirements for journaling public email (possible legislation?)
>> 
>> I don't know of anything on email journaling, but you might look into section 4 of the "Protecting Children From Internet Pornographers Act of 2011", which asks you to log IP addresses allocated to subscribers. My guess is that the concern is correct, but the details have morphed into urban legend.
>> 
>> http://www.govtrack.us/congress/billtext.xpd?bill=h112-1981
>> http://www.techdirt.com/articles/20110707/04402514995/congress-tries-to-hide-massive-data-retention-law-pretending-its-anti-child-porn-law.shtml
>> 
>> I'm not sure I see this as shrilly as the techdirt article does, but it is in fact enabling legislation for a part of Article 20 of the COE Cybercrime Convention http://conventions.coe.int/Treaty/en/Treaties/html/185.htm. US is a signatory. Article 21 is Lawful Intercept as specified in OCCSSS, FISA, CALEA, and PATRIOT. Article 20 essentially looks for retention of mail/web/etc logs, and in the Danish interpretation, maintaining Netflow records for every subscriber in Denmark along with a mapping between IP address and subscriber identity in a form that can be data mined with an appropriate warrant.
> 
> I can't say (I don't know) whether the Danish Police have in fact implemented what they proposed in 2003. What they were looking for at the time was that the netflow records would be kept for something on the order of 6-18 months.
> 
> From a US perspective, you might peruse
> 
> http://en.wikipedia.org/wiki/Telecommunications_data_retention#United_States
> 
> The Wikipedia article goes on to comment on the forensic value of data retention. I think it is fair to say that the use of telephone numbers in TV shows like CSI ("gee, he called X a lot, maybe we should too") is the comic book version of the use but not far from the mark. A law enforcement official once described it to me as "mapping criminal networks"; if Alice and Bob are known criminals that talk with each other, and both also talk regularly with Carol, Carol may simply be a mutual friend, but she might also be something else. Further, if Alice and Bob are known criminals in one organization, Dick and Jane are known criminals in another, and a change in communication patterns is observed - Alice and Bob don't talk with Dick or Jane for a long period, and then they start talking - it may signal a shift that law enforcement is interested in.
> 
Yah, but that's all "non-content records"; it's a far cry from having to retain the body of every email, which is what he asked about. As far as I know -- and I'm on enough tech policy lists that I probably would know -- nothing like that is being proposed. That said, for a few industries -- finance comes to mind -- companies are required to do things like that by the SEC, but not ISPs per se. See http://www.archivecompliance.com/Laws-governing-email-archiving-compliance.html for some details.
--Steve Bellovin, https://www.cs.columbia.edu/~smb