Retention of transactional Web browsing data

By Kristopher A. Nelson
in February 2010

500 words / 3 min.
Tweet Share
The FBI is pressing Internet service providers to record which Web sites customers visit and retain those logs for two years.


Please note that this post is from 2010. Evaluate with care and in light of later events.

There has always been a lower standard for access by law enforcement to so-called “transactional data.” The theory is that data voluntarily provided to a company in order to complete a transaction — like a phone number given to a phone company for the purposes of calling someone — are not subject to the same expectation of privacy as the actual content of that telephone conversation.

After all, you voluntarily provided the information, knowing that someone else would learn it, use it, and possibly store it. Thus, your level of Fourth Amendment protection is lessened, and no warrant is required (although typically a subpoena or similar legal document is used).

This concept is well-established in the realm of telephony: since 1986, 47 C.F.R. § 42.6 has required telephone carriers to maintain such transactional records for 18 months.

So it should come as no surprise that the FBI has been seeking similar retention of transactional data for Internet communications:

The FBI is pressing Internet service providers to record which Web sites customers visit and retain those logs for two years.

via FBI wants records kept of Web sites visited | Politics and Law – CNET News.

Exactly what would constitute such data is less, clear, however. Would it include IP addresses on both ends, times, number and length of connections? This information, while potentially vast, can be retained relatively easily and requires little work to access. It is very similar to the data retained for telephone conversations, since this kind of information is required to be exchanged with intermediaries (like ISPs) in order to use the Internet. (That many people don’t know this might, however, speak to the question of reasonable expectations of privacy.)

Much more problematic and revealing would be actual Web pages viewed. Arguably, these are shared openly, but accessing them does require packet inspection beyond the surface, and equally most people likely have a greater expectation of privacy in that information. But should they? Most sites log their visits, and tie in IP and cookie data to identify individuals as best they can. Thus, is this data really private? Do you really expect it to be? Should you?

Specific and detailed privacy laws targeting modern technology would help, but for now we’re working with what we’ve got. And that makes it very likely that the FBI will get what they want — and perhaps that’s OK? Privacy rights and the Fourth Amendment are always about balancing, not absolutes — so perhaps this is an appropriate balance to deal with computer crimes without over-burdening everyone?