If Congress had to name laws honestly, it would be called the “Forcing Your Internet Provider to Spy On You Just In Case You’re a Criminal Act of 2011” — a costly, invasive mandate that even the co-author of the Patriot Act, Rep. James Sensenbrenner (R-Wisc.), says “runs roughshod over the rights of people who use the Internet.”
But because it’s disguised as the “Protecting Children from Internet Pornographers Act,” the House Judiciary Committee approved it last week by a wide margin — even though it’s got little to do with child porn and won’t do much to protect kids.
The centerpiece of this ill-conceived law is a sweeping requirement that commercial Internet providers retain a one-year log of all the temporary Internet Protocol addresses they assign to their users, along with customer-identification information. The Justice Department says this will help track down child-porn peddlers by linking online activity and real-world identities. But the government would be able to access that sensitive data for all kinds of investigations, most of which would have nothing to do with child porn.
Traditionally, citizens in a free society are presumed innocent. If the police want to look through your computer files, the Fourth Amendment requires them to show a judge that there’s “probable cause” to suspect wrongdoing. The PCIPA turns that assumption on its head, treating every Internet user as a presumptive criminal and exploiting a serious Fourth Amendment loophole.
The Constitution protects privacy against government intrusion, but it doesn’t stop the government from forcing private companies to do its dirty work. Records held by a corporation don’t enjoy the same Fourth Amendment protection as does the data on your personal computer — so a search warrant isn’t necessary.
But there’s no evidence that law enforcement has a systematic problem obtaining Internet records in child-porn investigations. A Government Accountability Office report released in March concluded that Internet providers usually could provide subpoenaed records — and in the few cases where they couldn’t, investigators could often obtain them by other means.
Moreover, the government gets more than 100,000 tips volunteered by Internet Service Providers each year — typically, with user information already attached — although it can only investigate a small fraction of those. The true bottleneck in such investigations, the GAO suggests, isn’t a records shortage but delays in doing forensic analysis of computers.
In fact, the Justice Department still hasn’t finished a mandatory study of the information-sharing system established by the last major child-porn legislation, in 2008. That means Congress is rushing to impose costly legislation on the basis of a few anecdotes about pedophiles who eluded police, without a serious, evidence-based understanding of what works (or doesn’t) about the existing system.
Ironically, this is happening even as many European countries are rejecting the invasive and ineffective data-retention mandates they’ve established in recent years — mandates that the Bush administration wisely criticized when they were introduced.
Unfortunately, nobody has explained to Congress that tech-savvy criminals can easily evade detection even if ISPs are required to retain data, by using such anonymity tools as proxy servers or software like TOR, which routes communications through dozens of relay points.
The real costs will be borne by innocent Internet users, whose data pile up in ever-larger databases that are sure to make an attractive target for hackers and identity thieves.
They’re also apt to show up on your wireless bill, as carriers scramble to overhaul mobile networks that may assign dozens of IP addresses to the same device over the span of a few minutes — or share a single IP address across hundred of phones and tablets.
Going forward, the architecture of data networks will be determined not by what makes the best business or engineering sense, but by the legal mandate to facilitate centralized tracking. The design of the Internet used by the vast innocent majority will be determined by a guilty few, who will still evade detection.
In short, the PCIPA is an intrusive, costly, confused “solution” that won’t work to a “problem” it’s not even clear exists. But there’s no idea so misguided or ineffective that it can’t become a law if it’s “for the children.”
Julian Sanchez, a Cato Insitute research fellow, is the author of “Leashing the Surveillance State: How to Reform Patriot Act Surveillance Authorities.”