So here is a nice and scary development. It appears that the FBI wants Internet Service Providers (ISPs) to keep a log of the url's visited by consumers. Wait it gets better. This log would be retained for two years. AND, a complete url listing would require deep packet inspection, which is a no-no under the Wiretap Act.
The FBI says not to worry, we won't collect this information without a warrant. This of course would inspire more confidence if the FBI had not been caught repeatedly violating the warrant requirements of the Wiretap Act and other domestic spying restrictions.
I imagine that this request will not be granted but there are a few ways the request could be modified to become more palatable. First, the FBI could request a domain log rather than a url log; this would remove the requirement for deep packet inspection. Second, Congress could remove or weaken sections of the telecom immunity statute, which would then give ISPs at least some reason to keep the FBI honest. Third, the FBI could lower its retention period to 3 months (90 days have a much better ring to it than 2 years). However, step 2 is almost certainly not going to happen, as the administration has abandoned its hostile position to telecom immunity. (That's not the kind of transparency I expected.)
ISPs are resisting the request, not due to privacy concerns but due to infrastructure demands. Logging urls for every user would require an immense amount of storage. Of course, if the ISP has a pay-per-view system, and the FBI can finally start paying its spying fee promptly, I'm sure the spy infrastructure could be paid for with taxpayers' money.
The whole discussion calls to mind the greater debate over user privacy/anonymity in the online world. The crime doing most of the work here is child pornography (we need to know who visited a site in order to make charges stick etc.), but this is almost certainly a McGuffin. There's no reason to believe that these types of warrants will be limited to crimes of child exploitation. Congress has little incentive to keep the list of triggering offenses short; soon your search history could be used to prove you cheated on your taxes or want to buy non-market Cialis. For an example of the incredible-growing offense list in a domestic spying bill, see the Wiretap Act, which now includes essentially every federal offense.
But still, the potential for abuse is enormous. Users typically explore very personal topics online and even a domain log could expose individuals to a great deal of embarrassment. Further, the domain log might not even reflect a user's preferences. Rickrolling is all well and good, but those users in it for the lulz have been known to link to far more disturbing (and even incriminating) images. Goatsee comes to mind (though no link provided here). All this information has a way of getting out; let's not forget the AOL search data debacle.
While the exploitation of children is especially heinous, this approach is simply too much. But, in light of the fact that the government is eager to engage in mass spying, I'm willing to meet the FBI halfway here. At least one court has okayed the government's use of a key-logging virus on a suspect's computer. Surely a wiretap authorized url-logging virus (think of it as a really nasty cookie) could be cooked up. While that approach does not thrill me, it could allow the government to observe online criminal behavior without involving ISPs or countless innocent individuals. The government would also have a strong incentive to keep the virus contained; the more computers it infected, the more likely it would be detected and quarantined, with an anti-virus sure to follow. While many horror stories start with a government created virus, we can hope that this story ends with one.
(Andrew Moshirnia is a second-year law student at Harvard Law School and a CMLP blogger. He has read The Zombie Survival Guide ... you know ... just in case. )