I am writing in opposition to HB 2288, which if enacted will impose onerous reporting requirements on anyone providing Internet access in the State of Hawaii and expose the citizens of Hawaii to the possible exposure of their online habits.
This Bill requires any "company that provides access to the Internet" (sec. 1, line 6-7) to "retain customer records" including "each subscriber's information and internet destination history information" for "no less than two years" (sec. 1, lines 14-17). The "internet destination history information" is to include the Internet protocol address, domain name, or host name of every destination contacted by a subscriber.
It is no business of the State (or my Internet provider, for that matter) what sites I visit on the Internet. Most Internet providers currently have their subscribers' information, but very few record the destination of the subscribers' connections. This Bill would impose a requirement on all Internet providers to record and retain this information, which would require a large investment in equipment and network configuration expertise to achieve.
It is also unclear to whom this Bill would apply. Clearly the intent is for it to apply to Internet Service Providers, but given the language of "company that provides access to the Internet", it could be held to apply to coffe shops, hotels, Internet cafes, or even the individual who fails to secure a wireless home Internet router. For even moderately busy providers, this would be a huge amount of data which must be recorded and stored.
More importantly, there is no provision in this Bill to safeguard the information collected. Data on an individual's Internet traffic habits could be extremely sensitive - for example, an employer might be able to discover that an employee participates in workplace safety discussions from his/her home, information that the individual might not want the employer to know about. Under this Bill, there is no prohibition against Internet providers selling this sensitive customer information to anyone,
nor are there any provisions requiring judicial review before the State (police, prosecutors, etc.) acquire these records.
As the manager of a corporate Internet-connected network, would this Bill require me to monitor all of my organization's users' Internet traffic? That would be a huge invasion of their privacy. If not, then the Bill is useless, since all traffic from my organization appears (to my upstream provider) to come from a single Internet address. How would this Bill accomplish anything in this case?
In summary, this is a poorly thought out, fundamentally flawed Bill that would do nothing to solve any current or even perceived problem, would impose onerous data retention and reporting requirements on all providers of Internet connectivity, and would expose the citizens of Hawaii to an unprecedented invasion of their privacy. I urge you to reject this Bill.