Policy With Respect to Collection and Retention of Subscriber Data

The US Internet Industry Association, as the primary professional association serving the Internet and online services industries, supports the requirements of law enforcement to have access to data as necessary in response to an ongoing investigation or the threat of terrorist activity.

In particular, USIIA finds the following:

  • The collection and retention of data associated with all subscribers to an Internet service on a continuing basis requires substantial resources for safe storage, including utilization of physical space and financial resources.
  • Data retention also raises serious liability concerns for ISPs and privacy concerns for consumers.   
  • The collection and retention of data associated with all subscribers to an Internet service on a continuing basis represents an impractical tool for law enforcement assistance.  The identification of individual pieces of data from a single subscriber after the fact – even for a period as short as one calendar year – would be manpower-intensive and unlikely to yield useful data for law enforcement purposes.
  • In the United States, a policy of "data preservation," i.e., preserving only data specified in a court order for a specific subscriber after the fact and in connection with a specific criminal act or act of terrorism has been found to be adequate to meet the needs of law enforcement.
  • Internet service providers are subject to subscriber agreements, contracts and laws related to the privacy rights of their subscribers, as well as more general Constitutional and legal rights with regard to protection of data.  These rights cannot in principle be violated without a court order to do so for each individual subscriber without substantial liability risk to the Internet service provider.

 

 

The USIIA therefore establishes as policy:

 

 

  • The USIIA does not support the collection and retention of data associated with all of the subscribers of all Internet service providers as such collection and retention are ineffective and unproductive.
  • The USIIA does not support the collection and retention of data associated with all of the subscribers of all Internet service providers for purposes other than law enforcement and other than requirements imposed in a court order or judicial process for a specific subscriber after the fact and in connection with a specific criminal act or act of terrorism.
  • If an Internet service provider is required by law to collect and retain subscriber data, those resources must be provided to the ISP or compensation made for the costs incurred by the ISP as well as a safe harbor from liability for the service provider's good faith compliance with such obligations.
  • The USIIA does support a policy of preserving only data for law enforcement specified in a court order or judicial process for a specific subscriber after the fact and in connection with a specific criminal act or act of terrorism as adequate for the needs of law enforcement.

 

Approved by the USIIA Board of Directors on February 17, 2005.