The TSA are idiots with no common sense. While I worked for a national security related police agency I was sent to Mexico to train their federal police officers. I had a plane change in New Jersey. Well the TSA decided that the 40 USBs in my bag, all brand new and still sealed in their packages, were "suspicious". So my plane left the US without any of my computer equipment - and of course no one told me. Everything was clearly labeled, I was travelling on a special government passport, and my police business card was attached to the bag with the equipment. The TSA folks opened all the USB wrappers and scanned every single one of the 40 blank USBs before sending them the next day on another plane. I now avoid the US on international flights as well as for tourism in general.

I think the point that a lot of people/hactivists miss when they focus on privacy and get their knickers in a twist is that data retention regulations aren't primarily intended as surveillance enabling mechanisms, they are intended as evidence preservers so that once a law enforcement officer has enough evidence to go before a judge and get a warrant there will be something there to seize. From a forensic perspective, they mandate the architecting of digital exchange into systems they target. In the physical world this isn't necessary, we leave fingerprints everywhere we go, we pick up carpet fibers on our shoes, and we leave trace evidence behind. When it comes to digital systems such as those run by ISPs, unless there is software and hardware explicitly designed and configured to log, retain user info, etc, it isn't going to happen; transfer evidence is not going to exist. A lot of this type of legislation has been enacted because countries, even non-European ones, are signatories of the European convention on cybercrime, and the convention directs countries to have this type of capacity in place. The International Telecommunications Union, part of the UN, is also pushing countries to enact similar legislation. The trick is to make sure that the legislation is enacted in a way that doesn't infringe on privacy or other rights. If you read the convention, it specifically mandates that privacy and human rights be respected. There is also a retention time and a secure deletion directive, at least insofar as the European convention is concerned (directive 2006/24/EC of the European Parliament). Having said that, user activity data certainly needs to be better protected. And to all those who will probably jump on me and point out that the legislation and the convention also requires ISPs to have surveillance capability, that surveillance can only to be started with the proper judicial authorization, otherwise it is a criminal offence. It's just like taping a phone conversation. In most countries we also have enough case law and constitutional protection to mitigate abuse (e.g. 4th amendment in the US, or Charter s.8 in Canada.)