Data retention laws in the United States
What you need to know
Currently, the US does not have any blanket law compelling ISPs to retain customer data, as the EU does. But US ISPs are required to hand over any data they have on customers, including address, credit card information, and logs of what websites you’ve been visiting, if they are legally obliged via a court order from US law-enforcement1.
Individual ISPs are essentially free to keep or delete your data as they see fit, with little regulations in place. Because ISPs are private companies, they’re not obligated to reveal how long they keep customer data. So it’s hard to find out what each ISP’s individual policy on data retention actually is. Some may delete the data after 30 days, some may hold onto it for longer.
Given that ISP customer data has been used in the US to prosecute individuals through the Copyright Alert system, you can be sure that your ISP is tracking you to some extent right now. IP addresses may be anonymous, but because your ISP can link your IP address to the real-world address your account is registered at, it’s not difficult for them to find out your identity.
Fourth Amendment doesn’t apply
The Fourth Amendment, which protects Americans from unwarranted searches and seizures, will not protect your personal emails from being spied on. While emails stored on your computer are safe, those stored on a server somewhere are not protected under the Fourth Amendment and not subject to a warrant requirement. In fact, as Digital Due Process points out, the Electronic Communications Privacy Act – the bill that set standards for how law enforcement can access electronic communication data, is incredibly unclear (it was enacted in 1986) and is in dire need of reform2.
While the concerted efforts of online privacy advocates and politicians have helped the USA avoid Europe’s draconian data retention laws, the last two years have seen a number of bills introduced that threaten the status quo.
Protecting Children From Internet Pornographers Act has already been approved by the House Judiciary Committee and it won’t be long before it’s debated in the House of Representatives3. Although it faces opposition, if passed the bill would require ISPs to retain all customers’ web-browsing data, address, credit card information and other forms of personal data, for at least one year after they leave. The bill also potentially allows law enforcement agencies to access the data without a warrant.
The other piece of US legislation that could drastically affect online privacy in the US is The Cyber Information Security Protection Act4. CISPA was passed by the House of Representatives and will now be voted on in the Senate. The bill is specifically designed to facilitate the sharing of personal data between private companies and government law enforcement and would be a disaster for online privacy if it passes into law.