There is no legislation in the US that can be used to do this [1]. Some very misguided companies may voluntarily log, but those that care about privacy or, at the least, realize that holding people's data is a liability, won't make poor decisions like that.
[1] https://en.wikipedia.org/wiki/Data_retention#Failed_mandator...
Less extreme, Lavabit was hit in court. Lavabit said giving their private key to the government would expose all their users' data. They said it would be bad for their business. The FBI countered that there would be no damage if nobody knew they did that. So, they just wouldn't tell anyone what the judge had ordered. Judge went along with that idea. So, that's how legislation and liability in the U.S. works. Especially when there's secrecy orders.
Pro tip: don't host anything that's supposed to be private in the U.S.. It's a surveillance/police state slash plutocracy disguised as a democracy. Anything that might be private can be ordered to not be private secretly with immunity.
http://www.msnbc.com/msnbc/us-government-threatened-yahoo-bi...
They certainly can, and will, go after any company they want to, without referencing any specific US legislation.
I repeat, after having evaluated this quite deeply, that there are no mandatory data retention laws in the US, period, for ISPs and VPNs. This is contrast to quite a few jurisdictions, and the poor actions taken by ISPs and VPNs in said areas seem to speak louder than words.
That being said, I can relate to the author. Trusting a random service without any reason to trust is definitely blind. However, trust can be earned, over time, and validated, but should never be absolute. Trust is earned, daily, forever.
That being said, at the end of the day, the best bet is to remove trust from the equation - to get closer to a zero knowledge state, thus creating zero trust.
We're working toward that, every single day, and I would love to hear from anyone that's interested in helping or has thoughts.
They could require this in several ways. They could store the data directly on government servers, or set up a third party server and store the data on there, where both parties could access it. Either way, there is no technical reason the data can NOT be collected, so if the big boys want it, they will get it.
Until I see something to convince me otherwise, I assume any sizable organization that is operating within the United States shares any/all data requested. No loophole will protect them. If they don't collect the data, guess what, time to start collecting.
