Log Retention Unworkable in Wireless World

New rules to force log retention have unexpected effects, writes Nigel Phair...

Under this Act, lawmakers are seeking to impose requirements on ISPs and wireless network operators to keep records about the identities of their users.

Under the law, network operators would have to retain the network addresses assigned to any users for a minimum of two years, information which law enforcement could use to track down criminals.

But the broad language of the Bill, which would apply to any "provider of an electronic communication service," could mean that coffee shops, airport lounges and even individual households would be required to keep detailed logs, and that just isn't going to happen.

The Bill is well intentioned but creates requirements that could never be enforced.

ISPs keep logs anyway -- they have to for billing purposes. All they need to do to comply with this new law is buy a few terabytes of storage, tweak a couple of settings and Bob's their mother's brother.

As for non-ISP electronic communications providers, any logging requirement placed on them wouldn't just involve storage space but also the management, development and security of the collected data.

The proposed US Bill suggests wireless networks should have capture and retention of logs. That's great in theory, but not all wireless devices have this ability. Sure, products like Microsoft Wireless Monitor allows network operators to view details about access points and wireless clients. But this is information is primarily designed to troubleshoot wireless services.

Then there are jurisdictional issues. Transactional data collected from travellers at an international airport, for example, is next to useless unless there are formal mutual legal assistance treaties between the country where the data is being retained and the country where the suspect is located. They may have been using the airport facility during their vacation.

Further, who is going to monitor compliance? All CBDs are littered with wireless networks, some public, some not. Identifying the owner of the network is one thing, finding someone to hold responsible is another. And how would such directives be enforced? Civil action would seem the most logical against those companies that refuse to comply. But this is costly, time consuming and just not very likely.

The questions pertaining to online data collection are global. While regulators bear the ultimate responsibility of ensuring markets work, consumers and businesses must be involved in the debate to determine acceptable data collection and retention standards.

Nigel Phair was the Team Leader of Investigations for the Australian High Tech Crime Centre from 2003 to 2007 and the author of Cybercrime: The Reality of the Threat. He is an active cyber crime analyst.