Proposal to ban anonymous Internet access

Feb 8 15:23 UTC 2001

A WJR news report refers briefly to proposed legislation in 
Lansing to prohibit anonymous Internet access in Michigan.
The Wayne County sheriff is promoting this as a necessary tool to 
fight child pornography.

I don't have any further details.  Such a law, if passed and upheld
by the courts, would have an adverse impact on Grex -- at the minimum, 
"newuser" could no longer be run.

response 2 of 90:

Feb 8 15:59 UTC 2001

I don't see why "newuser" would be a problem, nor grex..

otoh, "newuser" would need an update, and places like the 203.197.98.6
wabbit-wingate would be a problem.

On the Gripping Hand, it still depends, (as usual), on the bureacratese
involved with this supposed "bill".

response 4 of 90:

Feb 8 18:09 UTC 2001

A detailed story is in the Detroit Free Press:
 
http://www.freep.com/money/tech/mwend8_20010208.htm
 
There is a prominent link to it on the online front page.
 
The proposal is from state rep Bob Brown, D-Dearborn Heights:
from the Free Press story:  "The legislation that Brown plans to 
sponsor would require all ISPs doing business in Michigan to obtain
a valid and verified credit card or telephone number at the
time of registration and to hold on to that data for at least one 
year."

response 6 of 90:

Feb 8 18:24 UTC 2001

Based on the superficial coverage of the article, Grex would likely be 
required to verify accounts through obtaining a verified telephone 
number or credit card number.

The issue is email exchange of illegal materials. The primary method 
that police investigators use, is to join suspect newsgroups, IRC 
groups, mailing lists, etc., and to try to get people to send (or 
exchange) illegal materials to them. The difficulty is not likely to 
arise in the exchange of illegal commodities (such as online drug 
sales), as money and the illegal product must change hands. It is not 
likely to arise in the cases where the police trick somebody into going 
to a motel to meet what they believe to be a minor, as the suspect must 
go to the motel.

However, for the pure exchange of illegal electronic files - such as 
obscene .gif images - there may not be a way for the police to track the
 suspect except through the ISP's registration information for the 
suspect's account. Obviously, a suspect may presently use multiple 
anonymous throw-away accounts, accessing them through an  anonymizing
proxy or free dial-up service, making that task even more  difficult.

Requiring the verification information, and requiring that it be held 
for a year, will help law enforcement both identify suspects, and reduce
 the use of multiple throw-away accounts by suspects. However, it will 
put a very high burden (perhaps impossibly high) on operations like Grex
 or M-Net, which lack the resources and manpower to collect, verify, and
 maintain that information.

response 8 of 90:

Feb 8 19:20 UTC 2001

I haven't read the news story.  I don't know specifically what the law says.

That said, Grex logs what IP address a user comes from, and ISPs generally
log which IP addresses their users are assigned at what times, so as a
practical matter if the intent of the law is to be able to trace people
through ISP log files, and if the law is written to match that intent, Grex
would only have to verify information through its dial-up users.  Of course,
I have no reason to believe the law is being written in any way that makes
sense.

It should be noted, though, that law enforcement really isn't lacking any
ability that this gives them.  Since ISPs exist to make money, ISPs generally
don't go around handing out accounts without some way to bill for them, which
would generally be either a credit card number or billing address.  The real
challenge for law enforcement in going from ISP biling records would be that
it can be difficult to prove that the person using the account was the person
being billed for the account.  I assume that's the usual reason these
investigations generally get handled by arranging to meet the person somewhere
and seeing who shows up.  Even without accurate ISP billing data, though, this
sort of thing isn't impossible to track down.  Even if all the ISP knows is
what phone line the modem call came in on at what time, where the call came
from should be available either from the ISP's own caller ID logs, or from
the phone company's logs, with appropriate court orders.

I'm getting the rather strong impression that child pornography is the new
communism -- something that can generate enough hysteria to justify all kinds
of civil rights violations, with anybody who challenges them considered
immediately suspect.

response 10 of 90:

Feb 8 20:33 UTC 2001

There is no law - there probably isn't even a draft bill yet. At 
present, this may be no more than a legislator with an agenda. But it 
sounds good, and our legislator has liked this type of stuff in the 
past, so I would expect this to pick up some momentum.

response 12 of 90:

Feb 8 20:49 UTC 2001

The usual USPS *mailer* of child pornography is a government agency 
conducting a sting operation. They get around the anonymity requirement 
by requiring a signature from the recipient.

The issue here really does seem to be focused on anonymous email 
accounts. That would mean, the library could offer access, as long as 
they didn't offer email. I am not sure what the proponent of this bill 
intends for companies like Microsoft/Hotmail, which are likely to argue 
that requiring them to collect and verify the phone/credit card 
information would violate the commerce clause (as an unreasonable burden
 on interstate commerce).

response 14 of 90:

Feb 9 00:01 UTC 2001

From the Free Press article, and from Aaron's resp:6, I think the
essential issue is: under this law, if the police come around asking 
where a piece of mail or a certain user came from, the answer, 
"We don't know, and the information doesn't exist," means that 
Grex has committed a crime.
 
I think what Grex would have to do if this law passes and is upheld,
is shutdown the dialins.  To my mind, the definition of an ISP 
seems to be a black box with a physical location or the telephone 
system at one side, and the Internet on the other side.
 
With the dialins gone, Grex would resemble Hotmail or other free 
email provider, web forum, what have you.  I read no hint so far 
that such entities would be required to register their users.
If the police came around, Grex could give them the IP address a 
user came from.
 
I am not advocating this solution, but I think it may be forced upon
Grex.   I am not optimistic that this law will be defeated either
in the Legislature or in the courts.   A quote from an EFF lawyer 
I saw today seems to indicate that even they do not find an 
absolute right to anonymity.        

response 16 of 90:

Feb 9 01:11 UTC 2001

  OK, so why not organize to defeat this *now*?

  At the very least, would someone like to draft a letter from the board to
  the legislator proposing the legislation making him aware of how possibly
  unintended consequences of his proposal would effect the community on Grex?

response 18 of 90:

Feb 9 02:39 UTC 2001

Why don't people write their own letters?

response 20 of 90:

Feb 9 03:12 UTC 2001

By the way, I should note that I'm a bit skeptical of the claims of how
uncooperative NetZero was.  Chances are, even if NetZero doesn't know who
their users are, the companies they are buying dial access from at least have
logs of when the person called in and on what line, which should be enough
for a sufficiently determined investigator armed with the appropriate court
orders to figure out where the person's been calling from.  An e-mail message
sent through one of the free ISPs certainly isn't any more anonymous than a
phone call, and tracking the sources of phone calls isn't a new problem for
police agencies.  If NetZero is ignoring subpoenas or wiretap orders, that's
not something that requires new law to deal with.

I find it telling that the apparrent push for this is coming from local law
enforcement, rather than Federal authorities.  The Federal authorities are
getting a pretty good grasp of Internet stuff at this point, I get the
impression.  The local authorities I dealt with in my days of working at an
ISP, on the other hand, generally seemed extremely clueless, both on the
technology they were dealing with and the procedures they would have had to
follow to be able to legally use the evidence they were asking for.  They
would call wanting to know which of our users had done something, and I would
tell them what information they needed to be looking for, confirm that I had
the information, and then hand them over to management, who would tell them
that we'd be happy to give them the information if they came back with the
appropriate court orders.  Not one of them ever did.

response 22 of 90:

Feb 9 04:18 UTC 2001

I didn't think that my opinion of Bob Ficano could go any lower, but he
has proved me wrong again.

One possible benefit of a GWB Administration is a Republican U.S. Attorney
who would be willing to bring Ficano to justice.

response 24 of 90:

Feb 9 06:30 UTC 2001

I'm curious how you read that into the Free Press article, Marcus.  The thrust
of the article seemed to be that Bluelight is good and NetZero is bad. 
They're both free dial providers.

Hotmail and various other free e-mail providers include an X-Originating-IP
line in the headers, saying where the message came from, the implication being
that if you want to track the person down you can go to the owner of that IP
address.