According to this breathless story on CNET, sinister congressional forces are afoot attempting to impose a record-keeping requirement on home networks. But as I warn my Internet Law students every year, you just can’t rely on CNET posts on legislative developments, particularly the more sensational the headline. And that turns out to be true here as well. I doubt anyone in Congress actually intends to require home network users to maintain visitor logs. If that unexpected result does come about, it’s because Congress and the courts are miscommunicating. There’s a deeper problem with the relevant statutory language here, but it’s one that’s been around for a while.

Here’s the situation: wrongdoing on the Internet is often difficult to track down, because often the only reliable traces a malfeaser leaves behind is their computer’s IP address. It’s a bit like having someone’s phone number show up on caller ID. But unlike phone numbers, IP addresses often change. If the phone company didn’t keep any track of who had what phone numbers, the police or victims of harassment wouldn’t have any way of using the number to track the perpetrator down. It’s the same with IP addresses. Usually internet access providers keep track of who they assign IP addresses to, but there’s no requirement that they do so. There’s also no requirement that they keep such information for any particular length of time—it’s purely up to them, and storing data costs money, so ISPs purge their logs on a regular basis. So suppose a kidnapper logs into Gmail and sends an email with a ransom demand to the victim’s family. If Google chooses not to keep any access logs, there may be no way for the police to track the kidnapper down, even if the kidnapper took no steps to cover his or her tracks.

Enter the Internet SAFETY Act, yet another in the long line of recent Congressional bills with cutesy acronyms.

The Internet SAFETY Act (S.423, H.R.1076) has been bandied around for a while; an early variant was first introduced in 2006. The basic idea is to combat a particular problem—in this case, child pornography—by, in part, imposing a record-keeping requirement on ISPs. Of course, once those records are retained, they can be used for more than just combatting child pornography. They’ll also be useful in investigating other crimes, or even as evidence in civil lawsuits (e.g., copyright infringement suits). As long as there’s sufficient legal process protecting the disclosure of these records, however, that doesn’t seem that troubling to me (your mileage may vary—but that’s not my issue right now).

“That’s great,” you might say, “but what does that have to do with home networks?” The record-keeping requirement would be imposed via an addition to the Stored Communications Act, 18 U.S.C. § 2702. Here’s the new subsection that would get added:

(h) Retention of Certain Records and Information.—A provider of an electronic communication service or remote computing service shall retain for a period of at least two years all records or other information pertaining to the identity of a user of a temporarily assigned network address the service assigns to that user.

The problem here is in the definitions of “electronic communication service” provider and “remote computing service” provider. Call them “ECS providers” and “RCS providers” for short. These terms aren’t new to the Internet SAFETY Act; they’re from the Electronic Communications Privacy Act, a law passed in 1986, when Congress understandably was a bit foggy on this newfangled Internet technology. (Not that they’re such big experts now, but they had more excuse back then.) It’s clear from the legislative history that Congress envisioned ECS providers and RCS providers as, essentially, big telecommunications companies that provide commercial internet access or data storage/processing service to paying subscribers. Indeed, from the statements of legislators concerning the Internet SAFETY Act quoted in the CNET story, it’s clear that members of Congress still view ECS providers and RCS providers that way.

The problem is that the statutory language doesn’t make that crystal clear. Here’s the definition of an ECS:

(15) “electronic communication service” means any service which provides to users thereof the ability to send or receive wire or electronic communications;

Read broadly, that means that any device that provides to users the ability to send or receive voice or data communications provides an “electronic communication service.” That would include routers, web servers, telephones, fax machines—indeed, every device connected to a telephone or computer network. And since every such device allows other users on the network to “send” communications to that device, then every owner of a networked device is an ECS provider to the public, subject to the nondisclosure requirements of the ECPA in Section 2702—the very same provision that would get the record-keeping obligations above.

That sounds ridiculous, but another portion of the ECPA gives courts a reason to interpret “ECS” broadly, in order to reach certain bad actors. Section 2701 provides that breaking into a “facility” through which ECS is provided in order to obtain electronic communications violates the statute. So, can you break into someone’s home computer to read their email? What if you access the hidden area of a website? Some courts have held that home computers and web servers are ECS facilities, making those unarguably bad actions violations of the statute. But if they are ECS facilities, aren’t their owners ECS providers?

Most courts have rejected the argument that web servers and home computer users are ECS providers, but they’ve never really offered a good explanation of why. One theory that’s been bandied about is the idea that you don’t pay home network or website operators to allow you to send or receive messages. But there’s nothing in the statute that limits ECS’s to commercial services.

A better distinction, it seems to me, hinges on the meaning of the word “provide.” “Providing” a service in this context seems to me to entail providing it directly to someone else. As I’ve written in a treatise chapter on the ECPA, a provider of ECS is therefore someone who provides to someone else the ability to send or receive messages; it’s the next link up from the “user” in the chain from endpoint to endpoint. If you think of a network as being like a spider web, a provider of ECS can only be towards the middle, where several strands come together, and never at the margins, where a single thread ends. A home network is at the edge of the network; although multiple individuals may use a home network, they are all members of a single group (a household), and therefore are not “providing” ECS to anyone. Read this way, the record-keeping requirement above would not apply to home networks.

This creates a tension with the cases saying that businesses provide ECS to their employees, but I’ll save that issue for another day.