Bill to curb child porn may feed hacking frenzy, critic says

A bill aimed at combating child pornography will meet strong opposition on Tuesday from privacy advocates who say it could serve up a buffet of personal data for hacker groups who have become more active and dangerous in recent months.

At issue in the bill offered in May by House Judiciary Chairman Lamar Smith, R-Texas, and Rep. Debbie Wasserman Schultz, D-Fla., is a mandate that Internet service providers retain the IP addresses of their customers for 18 months so that law enforcement can figure out who has visited illegal websites.

Law-enforcement officials can currently find out which IP addresses have visited a website, but they struggle to match those addresses with the names of actual people, a process this bill aims to facilitate.

But forcing phone and cable companies to keep more data on file makes it vulnerable to hacking and theft, according to the Electronic Privacy Information Center's Marc Rotenberg. At Tuesday's hearing, he will cite as an example the hacker group LulzSec, which claimed responsibility for temporarily shutting down a CIA website and other high-profile hacks.

"Minimizing stored user data reduces incentives for hackers to attack data storage systems by reducing the amount of data available to steal. Minimization also reduces the costs of data breaches," Rotenberg says in his prepared testimony.

Rotenberg plans to announce his opposition to the data-retention sections of the bill at the hearing, which is scheduled to gather broad input from both critics and supporters.

It's not just privacy advocates and civil-liberties groups who have expressed concern about the data retention rules. The U.S. Internet Service Provider Association, which includes AT&T and Verizon, testified at a hearing in January on data retention that the approach is "dramatically overbroad and fraught with legal, technical, and practical challenges."

A House Judiciary aide said the committee is working closely with phone and cable companies on the bill but that none have endorsed the legislation so far.

Proponents say the bill is crucial to bridge gaps in the law enforcement toolbox and target a crime that has become more pervasive since the rise of the Internet.

Smith, who has focused on the issue since becoming chairman last year, says incidents of child-pornography crimes increase an average of 150 percent per year. He says data retention could help officials during long-term investigations.

"When investigators develop leads that might result in saving a child or apprehending a pedophile, their efforts should not be frustrated because vital records were destroyed simply because there was no requirement to retain them," Smith said when he released his bill in May.

Michael Brown, the former sheriff of Bedford County, Va. will testify in favor of the bill during Tuesday's hearing, noting that some phone and cable companies throw out subscriber info within hours.

"Child predators have become technologically savvy and are able to skillfully conceal their identities. As such, it can take law enforcement time to comb through the multitude of online information to successful identify and locate the child pornographer," Brown says in his prepared testimony.

The legislation tweaks the Electronic Communications Privacy Act, a 25-year-old law widely seen as inadequate for the digital age. It gained a companion bill from Sens. Orrin Hatch, R-Utah, and Amy Klobuchar, D-Minn., last month, and has not yet been scheduled for a markup.

Senate Judiciary Chairman Patrick Leahy, D-Vt., introduced a bill in May to tailor the privacy act to modern realities without the focus on child pornography.