Data Retention Memo

Increasingly, the IP addresses passed with communications through the Internet are no longer unique to a specific end-user device. Driven by a shortage of IP addresses, some Internet access providers are adopting a technique called Network Address Translation (NAT) on a large scale to assign and manage IP addresses. When NAT is used, the IP address passed with a communication to its destination (and possibly recorded at the destination point) is different from the IP address the ISP assigns to the customer on the “private” side of its network. The public-facing IP address may be shared by many users. Retroactively associating the public-facing IP address with the unique private address information that the service provider assigns to its users can be complicated and would require the collection and correlation of large amounts of data. Further compounding the situation, address information associated with individual devices may change very frequently. In addition, entities such as airports, coffee shops, and hotels, as well as businesses that provide employees with Internet access, use NAT technology to share Internet addresses. Accordingly, a data retention mandate would require the collection and management of vastly larger quantities of data than seemed necessary even a few years ago, at costs that could be prohibitive, especially for smaller and rural service providers, while yielding data less reliable in identifying end-user devices.