[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

question regarding US requirements for journaling public email (possible legislation?)

Subject: question regarding US requirements for journaling public email (possible legislation?)
From: fred at cisco.com (Fred Baker)
Date: Thu, 5 Jan 2012 11:16:15 -0800
In-reply-to: <CAP-guGUXKVf6q1Nvs-pwUefz5DEVaiTiSrFmN++AyeNehd-Uag@mail.gmail.com>
References: <D2D37F15EBBD524693E9F3CB32D02080430C79A5C9@exchange.corp.fpu-tn.com> <CAP-guGUXKVf6q1Nvs-pwUefz5DEVaiTiSrFmN++AyeNehd-Uag@mail.gmail.com>

On Jan 5, 2012, at 10:42 AM, William Herrin wrote:

> On Thu, Jan 5, 2012 at 10:56 AM, Eric J Esslinger <eesslinger at fpu-tn.com> wrote:
>> His response was there is legislation being pushed in both
>> House and Senate that would require journalling for 2 or 5
>> years, all mail passing through all of your mail servers.
> 
> Hi Eric,
> 
> The only relatively recent thing I'm aware of in the Congress is the
> Protecting Children From Internet Pornographers Act of 2011.

Since you bring it up, I sent this to Eric a few moments ago. Like you, IANAL, and this is not legal advice.

> From: Fred Baker <fred at cisco.com>
> Date: January 5, 2012 10:46:30 AM PST
> To: Eric J Esslinger <eesslinger at fpu-tn.com>
> Subject: Re: question regarding US requirements for journaling public email (possible legislation?)
> 
> I don't know of anything on email journaling, but you might look into section 4 of the "Protecting Children From Internet Pornographers Act of 2011", which asks you to log IP addresses allocated to subscribers. My guess is that the concern is correct, but the details have morphed into urban legend.
> 
> http://www.govtrack.us/congress/billtext.xpd?bill=h112-1981
> http://www.techdirt.com/articles/20110707/04402514995/congress-tries-to-hide-massive-data-retention-law-pretending-its-anti-child-porn-law.shtml
> 
> I'm not sure I see this as shrilly as the techdirt article does, but it is in fact enabling legislation for a part of Article 20 of the COE Cybercrime Convention http://conventions.coe.int/Treaty/en/Treaties/html/185.htm. US is a signatory. Article 21 is Lawful Intercept as specified in OCCSSS, FISA, CALEA, and PATRIOT. Article 20 essentially looks for retention of mail/web/etc logs, and in the Danish interpretation, maintaining Netflow records for every subscriber in Denmark along with a mapping between IP address and subscriber identity in a form that can be data mined with an appropriate warrant.

I can't say (I don't know) whether the Danish Police have in fact implemented what they proposed in 2003. What they were looking for at the time was that the netflow records would be kept for something on the order of 6-18 months.

Follow-Ups:
- question regarding US requirements for journaling public email (possible legislation?)
  - From: smb at cs.columbia.edu (Steven Bellovin)

References:
- question regarding US requirements for journaling public email (possible legislation?)
  - From: eesslinger at fpu-tn.com (Eric J Esslinger)
- question regarding US requirements for journaling public email (possible legislation?)
  - From: bill at herrin.us (William Herrin)

Prev by Date: AD and enforced password policies
Next by Date: question regarding US requirements for journaling public email (possible legislation?)
Previous by thread: question regarding US requirements for journaling public email (possible legislation?)
Next by thread: question regarding US requirements for journaling public email (possible legislation?)
Index(es):
- Date
- Thread