Unlike Europe with its draconian Data Retention Directive, the United States does not have a mandatory data retention law. However, if an ISP or VPN provider does retain any data relating to its customers (i.e. it keeps logs) then according to the Stored Communications Act it is required to hand these over on receipt of a court order from a law enforcement agency. In addition to this, if investigators or prosecutors are able to identify an individual, they can require a VPN company to keep records of that individual’s on-line activity, credit card payments etc. for a limited amount of time (90 days, renewable for another 90 days).
The Digital Millennium Copyright Act (DMCA)
This copyright law came into force in 1998 and criminalises all infringement of copyright material and any attempts to bypass copyright protection measures (i.e. DRM Digital Rights Management), even if no actual copyright infringement takes place.
The most well-known facet of this act is the DMCA Takedown Notice, which exempts an ISP (or VPN provider) from the Act as long as, upon receiving a valid complaint from a copyright holder that their intellectual property is has been violated, it “responds expeditiously to remove, or disable access to, the material that is claimed to be infringing.”
Most VPN companies who can identify the customer responsible for a notice will threaten the user with termination of service (and if the behavior continues will carry out this threat).
In addition to a Takedown Notice, lawyers (most notably working on behalf of the entertainment industry or copyright trolls) may demand that a VPN provider (or ISP) identify the individual in order to prosecute them under the Digital Millennium Copyright Act. In theory a court order needs to be obtained to force a VPN provider into doing this, but because these orders are quite easy to get, and because VPN providers do want costly and time wasting legal wrangles, many choose to comply without a fight.
Most US VPN companies keep logs
They do this for a number of reasons:
- By co-operating with the authorities and with legal requests they avoid lengthy and expensive legal wrangling, and by identifying individual offenders they move the responsibility away from themselves onto the offender
- Higher tier internet providers unhappy with accusations of copyright infringement and other illegal activity can cut off (or threaten to cut off) a VPN provider’s internet access
- To protect themselves from retroactive changes to the law. Just because a provider is acting within the law as it stands, does not guarantee it will not face prosecution. A good example of this LimeWire, who were successfully sued for “inducing infringement”, even through no such crime existed at the time of the ‘offence’ taking place
- US authorities have a bad track record for raiding servers and performing surveillance(most notoriously highlighted by the NSA ‘warrantless wiretapping’ scandal)
As a consequence of these pressures, most US VPN providers prefer to keep in the good books of the authorities, and therefore keep logs and co-operate with both copyright enforcement lawyers and law enforcement organizations.
Companies who keep no logs and use shared IPs
As we noted at the beginning, there is no requirement in the US for VPN providers to keep logs. It is also possible to use shared IPs, which makes it impossible to individually identify an individual with copyright abuse or other online activity. Some companies (such as Private Internet Access) do take advantage of this, and can quite legitimately refuse to take any action when presented with a Takedown Notice or court order, citing the fact that they have no records to hand over and, thanks to use of shared IPs, cannot identify an individual anyway.
The following statement from a spokesperson at Private Internet Access is telling however,
“The future of the Internet is at risk, with many entities all around the world attempting to take away the freedoms and liberties of the citizens of the world, including people like ourselves and our clients. Our ultimate dream is to protect these freedoms and liberties, as well as the rights to free speech and uncensored access to data on the Internet, which has helped drive prosperity unbeknownst to society.
However, the MPAA has cast a dark shadow on the Internet. We are regretful to inform our subscribers that any BitTorrent activity must now be conducted on our Swiss and other offshore gateways. We have received too many abuse and copyright infringement complaints on our US and UK gateways which has forced us, in order to protect our customers, to this policy change. We do not log our users’ network traffic in any way, shape, or form. Your privacy and anonymity is our absolute #1 priority.
However, please rest assured! We still allow P2P activity, including BitTorrent amongst other protocols, to occur on our network. However, if you wish to engage in P2P, once again, please use our offshore gateways.”
Some companies, even when based overseas, have gone even further and exempt US servers from their normal no logs policy (PrivatVPN for example is a Swedish company that normally “don’t keep ANY logs that allow us or a 3rd party to match an IP address and a time stamp to a user our service” but has stated that “we’re logging IP addresses and time stamp on the incoming connection for our U.S. servers. We offer no anonymity on our U.S. servers”).
The message is clear: even companies dedicated to maintaining their user’s anonymity are facing huge and mounting pressure in the US, to the point where they can no longer guarantee protection for their customers when using US servers.
The future (is looking dark)
Attempts to introduce mandatory data retention laws have so far failed, but it comes as no surprise that further attempts are in the works, the most notable of which are PCFIPA and CISPA.
Protecting Children from Internet Pornography Act of 2011
Riding a wave of public anxiety about paedophilia, the PCFIPA’s scope has deeply worried civil liberties groups (including the Electronic Frontier Foundation, The American Library Association and the American Civil Liberties Union). It will require ISPs to retain customers IP addresses, phone numbers, credit card details, bank account numbers, dynamic IP addresses and information on all web sites visited.
While these may on the face of it seem reasonable measures aimed at preventing a heinous crime, it should be noted that of the 272.1 million internet users in the United States, only 10,000 child pornography consumers are known to exist (0.0000037%). Even assuming that many more exist undetected, this is still ridiculously small percentage of the nation’s internet users.
When you also consider that legislation (e.g. the Protect Our Children Act of 2008) is already in force which allows police to access and collect information on suspected child pornographers, it becomes clear that this bill is wildly disproportionate in its sweeping attack on the personal freedoms of US citizens.
Data retained under the bill will be available to law enforcement officials for any issue (i.e. not limited to issues relating to child pornography), requiring only probable cause and a warrant. As Kevin Bankson, attorney for the EEF (Electronic Frontiers Foundation) said, “The data retention mandate in this bill would treat every Internet user like a criminal and threaten the online privacy and free speech rights of every American…”
How the PCFIPA will affect VPN services located inside the US is unclear at this point, but it is likely they will be subject to it should the bill be passed into law. At present the bill has passed the United States Judiciary Committee, and awaits a debate in the House of Representatives.
Cyber Intelligence Sharing and Protection Act
As the name suggests, CISPA is nominally aimed at preventing cyber-threats to national security by allowing technology companies to freely share private user information deemed related to ‘cyber security’ with the National Security Agency (NSA).
The main problem with the bill is that there is no public accountability or judicial oversight, leaving companies free to share whatever information they like with an organisation that acts in secret (the NSA). This is due to the bill’s use of language which is so broad that pretty much anything could be defined as be ‘cybersecurity purposes’.
Although it was defeated in Congress last year (2012), CISPA raised its head again when it was passed by Congress, 2828 votes to 127, in April this year. Alarmed, the Whitehouse threatened to veto the bill if it passed the Senate, but it appears this will not be necessary as the Senate has decided not to vote on it.
What happens now is unclear, although it is believed that legislators are looking into alternative legislation to address national cybersecurity concerns but which pose less of a threat to civil liberties. However, CISPA has already been though a dead duck, only to return with a vengeance before, and it is entirely possible that we have not seen the last of it.
Despite having no data retention laws (yet), the United States remains very problematical when it comes to on-line privacy. Thanks to legal pressure from anti-piracy lawyers and lobbyists, and heavy handed treatment at the hands of law enforcement and national security organisations, most US VPN providers have opted for the easy route, keeping logs and handing them over to interested parties with little or no resistance.
This is not universally the case however, as there are some VPN providers who do stick to their guns and refuse to keep logs (Private internet Access is prominent in this regard). However as noted above, even these companies are struggling under the legal pressure placed on them, and it is highly recommended that P2P or other activity you would prefer remain anonymous be performed using servers outside the US.