[HCoop-Discuss] Federal legislation affecting HCoop operations

Nathan Kennedy ntk at hcoop.net
Fri Feb 20 12:32:17 EST 2009 

On Fri, 20 Feb 2009 12:01:27 -0500, Adam Chlipala <adamc at hcoop.net> wrote:
> Nathan Kennedy wrote:
>>      "SEC. 5. RETENTION OF RECORDS BY ELECTRONIC COMMUNICATION SERVICE
>> PROVIDERS.
>>
>>      "Section 2703 of title 18, United States Code, is amended by adding
> at
>> the end the following:
>>          "`(h) Retention of Certain Records and Information- A provider
> of
>> an electronic communication service or remote computing service shall
>> retain for a period of at least two years all records or other
> information
>> pertaining to the identity of a user of a temporarily assigned network
>> address the service assigns to that user.'."
> 
> My understanding is that we are already in compliance with this
> legislation.  It is _the_service_assigning_the_temporary_address_ that
> is responsible for the logging.  We assign no temporary addresses.
...

I guess the words "the service assigns" mean, as you say, that we don't
need to keep records if we're not assigning the address, which would limit
its impact.  I agree that our static IP assignments should not be
considered temporary.  Assuming that a common-sense plain reading of the
law would mean we're already in compliance at present, I still feel that
this bill treads dangerously close to our turf and could have a direct
impact if we were to change our services or network topology in the future
to include dynamic address allocation.

It obviously would directly affect us if we wanted to branch out into ISP
services (which we have no plans for), and could potentially be interpreted
to apply to caching/proxy services.  Where federal law is concerned and
we're talking about statutory, legal interpretation in of a new law with no
precedent, we have to be concerned with conservative, broad implications.

But are we REALLY in compliance with this proposed law?  Is a user logged
into a shell server, for instance, "temporarily assigned" the server's
network address within the meaning of proposed 18 USC 2703(h)?  If so that
WOULD require us to backup server access logs.  I don't think that is a
far-fetched interpretation even if it doesn't mesh with common sysadmin
intuition.  Scenario: FBI is investigating access attempts to XYZ Corp.
servers from 69.90.123.68 (mire.hcoop.net).  Under existing law, the FBI
can get a warrant or subpoena for our access log to determine the users
logged in at that time, their shell logs, and their identities.  Fair
enough.  Would a new 18 USC 2703(h) require us to retain that data for two
years?  You or I might not think it should, but I have no idea if any given
federal judge, much less the FBI, would agree.

And even if it didn't, I still think it is a bad law affecting our members
and could encroach on HCoop's future options.

Any further thoughts/reactions?

To be clear, I don't think that HCoop should take a position on legislation
that does not directly affect it or that are unimportant or unlikely to
pass, but I think this is a pretty important and unprecedented bill that
has bipartisan support and lots of law & order "child porn" provisions that
could fast-track it.

-Nathan

More information about the HCoop-Discuss mailing list