I wouldn't have assumed it to be pennies per user, but would it not be feasable to capture traffic at or near an ISP's uplinks, such as a border network just prior to the trunk(s) to upstream providers as one example? Admittedly I haven't yet read the requirements, which if they stipulated capture right upstream of the target's site would incure a higher cost. Still if its possible to comply by capturing traffic based on an IP address that would make it easier. On the other hand, if an ISP changed IP addresses frequently, that's a different story. Capturing onsite would at least require installing taps or a readily tappable infrastructure, which could be quite expensive, depending on how an ISP has built itself out. I could see that cost easily spelling the end for a small ISP, if it had to re-vamp its buildout. As for the added cost of the bandwidth for capturing, I would have assumed that any responsible law enforcement entity would much rather capture to storage rather than send it back over data lines. I would think there's a chance it could end up evidence, and sending it back over data lines would strike me as a bad idea in most situations.