[kazen44]

this is not how most of these laws works. As an ISP, you are required to have this bookkeeping, and are audited for it in (most) countries.

Usually, the law has specific procedures about how this information is requested, what responsibilities are with which party, and how long the response time should be for suchs a request.

When starting (or already being an ISP). You already know what kind of system you need to build that matches all these requirements by law. Simply saying, we do not have the required information wouldn't work because the law has very specific details about the requested information.*

* this is in a european country, so no clue if this is applicable to the US.

[t0mas88]

In my European country the law very specifically tells ISPs what to record. It doesn't require them to produce any conclusions or other data, so if you ask for a subscriber name without enough details (port and destination in this example) the response I gave is totally legal. I have in fact seen that kind of thing happen and compliance departments tend to favor exactly this, do what the letter of the law said, not a byte more unless a court orders them. The risk otherwise is that you're illegally violating the privacy of a customer just to please some law enforcement agency.

As a follow-up the agency, with the right court order, could get all the raw connection records and try to figure it out themselves. But if you don't know the exact time and (source IP, port, destination IP, port) combination you're not going to figure it out in a network with large scale NAT.