Data retention and VPN logging in the United States

While the United States doesn’t have a mandatory data retention law, if an ISP or VPN company keeps communication records or other data from its customers, the government can request access to this information under the Stored Communications Act (SCA). Furthermore, if the authorities manage to identify a specific user, they have the power to require a VPN provider to keep logs on that individual, including their online activities and financial details, for at least 90 days.

The Digital Millennium Copyright Act (DMCA)

The DMCA is a copyright law that was implemented in 1998. It aims to tackle copyright infringement and all attempts to circumvent measures that protect copyright. DMCA Takedown Notices are the most recognized aspect of this legislation. If an ISP or VPN provider receives what is considered a valid complaint from a copyright holder, indicating that their intellectual property has been violated, it should issue a prompt response, removing or disabling access to the content in question.

VPN companies that are able to identify the individual involved in a notice are likely to warn the user, and if the activity persists, the account will be terminated. Another measure used by copyright enforcers and the entertainment industry is to present legal demands, asking a VPN provider or ISP to identify the user responsible for the copyright violation with the purpose of prosecuting them under the Digital Millennium Copyright Act. Generally, a court order has to be obtained to get a VPN to comply with this. However, these orders are very easy to obtain, and since many VPN providers wouldn’t want to be involved in legal battles that take a lot of time and money, they are likely to comply with the demands.

US VPN providers and logging

Many VPN providers based in the US keep logs in order to be able to comply with requests from law enforcement and entertainment industry lawyers because they can’t afford expensive and time-consuming legal battles. Helping to identify the individual responsible and providing the information required by the authorities allows a VPN to evade responsibility, as the attention will be shifted to the user. As you can imagine, top-tier ISPs don’t look kindly on copyright infringement and they may threaten to disable a VPN provider’s access to the internet.

Additionally, VPN providers may face issues due to retroactive changes to the legislation. Even if a provider is acting according to the current law, it is still in danger of being prosecuted. This was the case for LimeWire, as the company had to deal with a lawsuit based on its facilitation of infringement, although such a crime didn’t exist when the alleged offence took place.

It should also be noted that US authorities are known for raiding servers and carrying out surveillance. As a result, the majority of VPN providers based in the US aim to stay on the good side of the local authorities. To achieve this, they keep logs and are willing to cooperate whenever a copyright claim is received from law enforcement and copyright enforcers.

VPN providers that don’t keep logs

Since VPNs in the US are not required by law to keep logs, it is still possible to find companies that offer good options for privacy-focused users. The use of shared IPs is another measure that helps to protect your privacy because it makes it practically impossible to identify an individual based on their activity. Providers like Private Internet Access support a privacy policy that establishes that no activity logs are kept. In theory, this allows them to refuse to take action when a Takedown Notice (or a court order) is received because they can claim that they don’t have any information to provide and since shared IPs are used, they wouldn’t be able to identify the culprit.

That being said, PIA, as well as other VPN providers (even some not based in the US), advise their customers to only use servers in certain locations for P2P/torrent traffic. In general, the US is one of the locations that is not recommended when it comes to choosing a server to secure P2P traffic. This shows that although many VPN companies are strongly committed to helping you keep your data protected, they are subject to worrisome pressure that makes it difficult for them to guarantee privacy on their US servers.

Protecting Children From Internet Pornographers Act of 2011

Although attempts to implement mandatory retention laws have not been successful so far, the threat is still lurking. The PCFIPA (Protecting Children From Internet Pornographers Act) and the CISPA (Cyber Intelligence Sharing and Protection Act) are some of the bills designed to introduce mandatory data retention in the US. The PCFIPA aims to increase enforcement of laws involving the prosecution of child exploitation and child pornography crimes. However, the extent of the law has raised concern regarding its implications for civil liberties. Under this bill, ISPs are required to retain data such as IP addresses, financial details, phone numbers and browsing history.

While these measures seem justified given that they aim to target such a vile crime, the percentage of known child pornography consumers is minimal when compared to the number of internet users in the United States. It is estimated that just 0.0000037% of internet users in the US are accessing this type of content. Even if there are more offenders that haven’t been identified, it seems excessive to compromise the privacy of all internet users for such a small percentage.

It should also be kept in mind that there is already legislation in place (such as the Protect Our Children Act of 2008) that is designed to give authorities the power to access and gather information on internet users suspected of participating in child pornography. This has strengthened the opposition to PCFIPA since it makes it evident that the bill is excessive and that it represents an attack on privacy and online freedom.

Law enforcement will be able to get access to all the data retained under this bill, even for issues that are not related to child exploitation, and only probable cause and a warrant would be required. Organizations like the EFF (Electronic Frontier Foundation) have expressed their concern about the legislation, indicating that this data retention mandate is a threat to online privacy and freedom of speech in the US.

Cyber Intelligence Sharing and Protection Act

As the name suggests, this law focuses on the prevention of cyber-threats to national security. For this purpose, it seeks to grant technology companies the ability to share users’ private information with the NSA. Any data that is considered potentially relevant for cyber security could be handed over to the government agency.

The most alarming aspect of the bill is that since there is no judicial framework or public accountability, there are no restrictions on the type of information that companies are free to share with the NSA. Additionally, the ambiguity of the “cybersecurity purposes” mentioned in the bill means that anything can be covered.

While CISPA is still in the proposed law stage, it is supported by companies like Microsoft, Facebook and IBM. Its detractors include the EFF, Free Press, Avaaz.org and the American Civil Liberties Union. These organizations oppose the legislation due to the lack of limits on how and when the government could monitor users’ online activities. They have also raised concerns over the fact that the powers obtained will enable the NSA to spy (more effectively) on the general public. Although the bill’s future is still in doubt and it is likely that it will not be implemented, it is still a threat that re-appears from time to time to remind internet users in the US that their privacy can’t be taken for granted.

Conclusion

Although there are no mandatory data retention laws in the US at the moment, online privacy is under severe threat in the United States. The strict copyright infringement laws have affected the way in which ISPs and VPNs operate. Additionally, in the name of national security, authorities are looking for ways to get stronger control over the internet, getting easy access to users’ confidential information and compromising their privacy.