Legal Brief: Will the Feds Run Your Log Servers?

The writing is on the wall: Domestic requirements for data retention will be here in the next year or two.

April 11, 2007


Google's announcement last month that it will begin "anonymizing" the information in its search logs after 18 to 24 months astonished many in both the search engine and data privacy communities. For the first time, a major search engine company directly addressed the issue of how long it will store search details, and Google's pre-eminence in the industry ensured that competitors will feel pressure to provide similar transparency into this sensitive practice.

In and of itself, the news does not raise significant issues for corporate networking professionals. But it represents a reaction from a major player to a policy movement that has been afoot for several years in the United States and will probably come to a head sometime this year--federally mandated data retention for information providers. "Information providers"? Pretty vague. But that's because the various proposals circulating around Washington vary widely as to who would be included.

At the very least, ISPs would be required to keep logs detailing which IP addresses were assigned to which accounts at particular times, letting law enforcement link an IP with a residence or place of business. For broadband service providers with network architectures that frequently change IP address assignments, this data would prove voluminous. But the incentives for complying with the rules will likely be intense, with potential criminal liability for failure to retain records.

And commercial ISPs are the lowest common denominator in the proposals floated thus far. Others include any entity that provides Internet service to its users, such as colleges and universities, and even retail businesses providing free wireless access to customers. Many of these providers probably keep logs for billing, fraud detection and other purposes. Although they may purge them after several months, cranking up the storage requirements to a year to two years--as called for by the proposals--will add only marginal costs and complexity.

But when it comes to putting data-retention requirements on search engines and other application providers, such as social networking sites and other modern modes of Internet communication--e-mail, Web forums and chat rooms--the stakes get much higher. These logging and retention requirements would mean significant application-development costs, as well as costs associated with retaining the data in a form ready to be produced in response to a federal law enforcement request. Combined with the likely lack of user enthusiasm for apps with one-to-two-year government-mandated "memories," expect to see, or even participate in, lobbying efforts against these more onerous requirements.

Although the U.S. data-retention policy has yet to be determined, the European Union last March approved a directive requiring member states to adopt data-retention rules for ISPs, telephony (landline, mobile and VoIP) and e-mail. EU countries have another year to pass enabling legislation, with the option to postpone enforcement of the Internet requirements (ISP, VoIP and e-mail) for two years after that.

Against this backdrop, Google's announcement is not surprising. Granted, it's trimming back on its log retention, which it presumably kept indefinitely. Many other entities will have to do the opposite--increase data retention. But with this move, Google places itself in a position to help shape U.S. data-retention policy developments, as well as to begin the technical work that will make its announcement a reality on the back-end servers.

The writing is on the wall. Domestic requirements for data retention will be here in the next year or two. If you won't be affected by impending EU rules, you may be covered by the U.S. law, depending on its scope. Make sure you're represented at the bargaining table when the policy negotiations over these rules start to heat up.

Patrick R. Mueller, CISSP, is completing his law degree at the University of Wisconsin-Madison and will be joining the privacy compliance practice at Wildman Harrold Allen & Dixon, LLP, in Chicago. Write to him at [email protected].
