DOJ Wants ISPs to Log User Traffic UPDATED
Anonymous Coward writes "Kevin Poulsen writes in an article in SecurityFocus that in an early draft of the White House's "National Strategy to Secure Cyberspace", the DOJ proposes that the US enact European-style 'data retention' laws, which force ISPs to log and retain all of your email headers, as well as your Web browsing history." Nothing worse for the DOJ than to be upstaged by Europe in oppressive lawmaking; they must feel like they're losing their edge.
Update: 06/19 23:04 GMT by M: The SecurityFocus article has been updated with this note, saying that the U.S. denies having any plans for data-retention laws. Guess we'll have to wait until the plan is released to see.
I guess... (Score:4, Funny)
First post? (Score:4, Insightful)
Re:First post? (Score:2)
Which is also the equivalent of putting cameras in public places, which makes it easy to track someone's movements throughout the entire day. Therefore, this will not be an effective argument against such monitoring to people who already consider things like cameras in public places to be a good idea.
Re:First post? (Score:4, Insightful)
Which is also the equivalent of putting cameras in public places...
(Emphasis mine) My web browser is certainly not in a public place.
Re:First post? (Score:2, Interesting)
Uhhh....you may be right, your browser is not, however...
What comes into and goes out of your browser, may very well be in a public place, unless you are browsing an intranet, which since you've posted here, you're obviously not restricting yourself that much.
If you can be absolutely sure that your traffic never touches a network that has nothing to do with the government, your statement would be true. The chances of that are pretty damned slim since a lot of big pipes in the US have some affiliation with a publicly funded university.
However, while their motivation may be different, your ISP could monitor everything you do and it would be akin to retail stores with security cameras.
Please understand, I dislike the idea as much as anyone, I just don't know if there's much we can do about it.
Re:First post? (Score:2)
Only if they have a camera (Score:2, Interesting)
I can see people making scripts to go to all sorts of "undesirable sites", and when they get busted, they can prove they were nowhere near the computer at the time.
Would also smoke out all sorts of surveillance schemes.
Re:Only if they have a camera (Score:2)
If what I recall is correct, they could prove it was you.
(I could be wrong however, I'm searching
Not first post. (Score:2)
So I'd say, it's political point scoring, with no real teeth to it. But hey, it could always be that they progressed to the next chapter of 1984.
Re:Not first post. (Score:2)
Re:Not first post. (Score:2)
Re:First post? (Score:2)
It's just a way for the govenerdment to make the citizens think that they are doing something about security. If they were actually doing something to protect the people, the "Office of Homeland Security" would call the Department of Transport and tell them to enforce seatbelt laws. How many lives a day would that save? How many lives a day will be saved by my mail headers and URLs being monitored?
Re:First post? (Score:2)
What I don't get is this: Evidence exists that the CIA, FBI, NSA, et al. already had enough raw data in their hands that if they had their heads on right, they could've stopped the 9/11 attack...so the amount of information they have access to already isn't the problem...it's what they do with it.
So how the hell is giving them more data going to help? All it will do is cause information overload and all those cops will start ignoring even more than they do already...which will actually make it easier for those bent on crime and destruction.
After all, if there are 50 average Joes to every 1 kidnapper/drug dealer/terrorist, then if I'm one of the bad guys...I'd be hoping the government is too busy watching the 50 good guys so as to be more likely to overlook me.
Re:First post? (Score:2)
Correction...for the illusion of security. It's nothing more than a PR pill given to the public in order to mask the underlying problem.
Mail headers. (Score:3, Interesting)
Re:Mail headers. (Score:2, Redundant)
Cyber Security Plan Contemplates U.S. Data Retention Law
Internet service providers may be forced into wholesale spying on their customers as part of the White House's strategy for securing cyberspace.
By Kevin Poulsen, Jun 18 2002 3:46PM
UPDATE: U.S. Denies Data Retention Plans
An early draft of the White House's National Strategy to Secure Cyberspace envisions the same kind of mandatory customer data collection and retention by U.S. Internet service providers as was recently enacted in Europe, according to sources who have reviewed portions of the plan.
In recent weeks, the administration has begun doling out bits and pieces of a draft of the strategy to technology industry members and advocacy groups. A federal data retention law is suggested briefly in a section drafted in part by the U.S. Justice Department.
The comprehensive strategy is being assembled by the President's Critical Infrastructure Protection Board, headed by cyber security czar Richard Clarke, and is intended as a collaborative road map for further action by government agencies, private industry, and Congress.
While not binding, proposals that find their way into the final version of the National Strategy would likely have added weight in Congress, and could lead to legislation.
A controversial directive passed by the European Parliament last month allows the 15 European Union member countries to force ISPs to collect and keep detailed logs of each customer's traffic, so that law enforcement agencies could access it later.
Data to be gathered under the European plan includes the headers (from, to, cc and subject lines) of every e-mail each customer sends or receives, and every user's complete Web browsing history. The period of time that the data will have to be retained is up to each member country; specific legislative proposals range from 12 months to seven years, according to Cedric Laurant, a policy analyst at the Electronic Privacy Information Center (EPIC), which opposed the directive.
"Somebody could see their past for the last seven years be completely open," says Laurant, speaking of the European directive. "It violates freedom of speech and the basic principle of the presumption of innocence."
The draft of the U.S. plan does not specify how much data ISPs would be forced to collect, or how long they would have to store it. The White House did not return phone calls on the strategy, which is scheduled for release in September.
Update. (Score:2)
Re:Update. (Score:2)
Re:Mail headers. (Score:2)
Re:Mail headers. (Score:3, Insightful)
Will they fund it? (Score:4, Insightful)
Considering how little money ISPs tend to make, I don't see this as at all fair, unless the government will pony up the cash.
Re:Will they fund it? (Score:4, Interesting)
Then again, if the government would provide cash for some upgrades, I'm sure they wouldn't mind.
Re:Will they fund it? (Score:2, Insightful)
So there.
Re:Will they fund it? (Score:2)
You're right - it isn't fair. But there's precedent. This very thing happened with the telcos already, to the tune of some $500 million that was handed out BY the FBI, to the telcos, in order to defray the cost of upgrading equipment in a manner necessary to comply with CALEA. One unintended consequence is that now the telcos have implemented MORE than was granted by the FCC (based on what the FBI and other law enforcement agencies had requested), fearing that they may be forced to add this extra functionality at some point in the future. All it takes now is a switch to activate the new goodies.
Re:Will they fund it? (Score:2)
Since when has the lack of an expectation of privacy conveyed a right to log, track, spy on, profile, or otherwise stalk an individual - ESPECIALLY by the government, and ESPECIALLY without cause?
Re:Will they fund it? (Score:2)
I wonder.. (Score:2)
They changed their mind! (Score:5, Informative)
U.S. Denies Data Retention Plans
The Justice Department refutes claims that Internet service providers could be forced to spy on their customers as part of the U.S. strategy for securing cyberspace.
By Kevin Poulsen, Jun 19 2002 12:24PM
An early draft of the White House's National Strategy to Secure Cyberspace envisions the same kind of mandatory customer data collection and retention by U.S. Internet service providers as was recently enacted in Europe, according to sources who have reviewed portions of the plan.
But a Justice Department source said Wednesday that data retention is mentioned in the strategy only as an industry concern -- ISPs and telecom companies oppose the costly idea -- and does not reflect any plan by the department or the White House to push for a U.S. law.
In recent weeks, the administration has begun doling out bits and pieces of a draft of the National Strategy to technology industry members and advocacy groups. On Tuesday, sources who had reviewed segments of the plan said a federal data retention law is suggested in a section written in part by the Justice Department.
The comprehensive strategy is being assembled by the President's Critical Infrastructure Protection Board, headed by cyber security czar Richard Clarke, and is intended as a collaborative road map for further action by government agencies, private industry, and Congress.
While not binding, proposals that find their way into the final version of the National Strategy would likely have added weight in Congress, and could lead to legislation.
A controversial directive passed by the European Parliament last month allows the 15 European Union member countries to force ISPs to collect and keep detailed logs of each customer's traffic, so that law enforcement agencies could access it later.
Data to be gathered under the European plan includes the headers (from, to, cc and subject lines) of every e-mail each customer sends or receives, and every user's complete Web browsing history. The period of time that the data will have to be retained is up to each member country; specific legislative proposals range from 12 months to seven years, according to Cedric Laurant, policy fellow at the Electronic Privacy Information Center (EPIC), which opposed the directive.
"Somebody could see their past for the last seven years be completely open," says Laurant, speaking of the European directive. "It violates freedom of speech," as well as the legal principle that a defendant is presumed innocent until proven guilty.
The White House did not return phone calls on the National Strategy, which is scheduled for release in September.
Re:They changed their mind! (Score:2)
As Bismarck once said, "Nothing is confirmed until officially denied."
Re:They changed their mind! (Score:2)
I deny that I have tens of billions of dollars in Microsoft. (-:
No seriously, I don't.
Not "Innocent until proven guilty" in EU (Score:2)
I dislike the European plan. But I also recognize it's a different place with very different attitudes of both police and populace. EU member nations are also free _not_ to enact the plan in their countries. I expect that a number, including the UK, will not.
Re:once a karma whore always a karma whore (Score:2)
I just try to write good comments when/where they will get noticed, so that I have the greatest impact on the greatest # of people, that's all.
FPWL (Score:2, Funny)
Now the DOJ will have the biggest Free Password List on the web..
Could you imagine the amount of money they could make from X-10 pop-under ads...
They're the only ones NOT looking (Score:3, Insightful)
At least the government will probably be required to disclose what they do.
Your best bet is to not send any sensitive info over email, and don't store any unencrypted sensitive or private data in online storage systems.
Re:They're the only ones NOT looking (Score:4, Informative)
Second, for the things that we *can* look at (easy stuff like say someone's POP mailbox, just a text file) there is (most people won't believe this) actually an honor system amongst admins. We won't edit a mailbox if it's broken until we have permission. Otherwise we might see something that isn't ours to see. Privacy is THE most important thing we can promise our customers, so everything else has to take the back seat, even if it means some uptime.
Even given that, though, I do recommend that people encrypt their email, 'cause just 'cause I won't read your mail doesn't mean the kid who has a 60 minute kernel exploit who just rooted me won't (the rooting being another thread, let's not talk about perfection in admining here). (So sorry to reply like this, but I just took it a little personally. We're not all sleazy. Most of us aren't.)
Honor system? Don't make me laugh (Score:2)
Re:They're the only ones NOT looking (Score:2)
It's perfectly legal for them to look at any information on their servers. Whether or not they actually do is a different question. There are absolutely no restrictions on what an ISP can or cannot do with your personal data beyond what they put in their privacy policy. Hell, even the phone companies, who are heavily regulated by the FCC, can tap anyone's phone at anytime and listen, as long as it is for "quality assurance" or "maintenance purposes". They just can't give out the info to the police without a subpoena.
What's next? (Score:2, Insightful)
Wholesale spying is not justified by the war on terrorism. Especially for us non-Arab, born and raised in America types. It's just an excuse for the government to do something they've wanted to do for a long time anyway.
Personal domains (Score:2)
Re:Personal domains (Score:2)
Sounds reasonable (Score:2, Troll)
It seems that the issue at hand isn't the act of logging activities themselves, but how willing your ISP is to distribute those logs. In all previous cases I am aware of, ISPs do not give out personal information about a user without first being served with a subpoena. This is no worse than the restrictions we have had on wiretapping and eavesdropping for the past 50 or so years, so I don't see any reason for anyone to get upset about this. If you aren't breaking the law, then you have nothing to worry about, and your information will remain private in the hands of your service provider, however if you're doing something illegal, then there is no reason that the FBI or such should not be able to serve your ISP with a subpoena to obtain your usage logs. It's perfectly within our Constitutional rights for the government to do this, and anyone who is made nervous because of this probably has something to hide.
Re:Sounds reasonable (Score:2, Insightful)
Of course it's unreasonable. Think about this: The logs don't show content.
Your email headers don't show what you were talking about - you emailed "somejoeuser99@hotmail.com" asking about his lost puppy... but unbeknownst to you, he's a suspected terrorist, and all of a sudden, you're being investigated... They pull up your http traffic file, and it turns out that the HTML email he sent you has IMG tags that pull pictures from known terrorist sites.
You'll probably change your mind once you're in an FBI interrogation chamber.. that bare bulb shining in your face, as Agent Smith says "Vhy vhere you communicating vis a known terrorist? Ve haf vays of makink you talk!"
Or better yet, someone wants to make your life hell, so they get some anonymous web space, put some content that might interest you, and get you to view it... then change the content to some terrorist propaganda, and place an anonymous call to the FBI. Suddenly there is PROOF that you've been visiting terrorist sites.. so you must be a terrorist!
Think it can't happen in good ole' USofA? Just like the McCarthy witchhunts couldn't happen.
Re:Sounds reasonable (Score:2)
If you aren't breaking the law, then you have nothing to worry about
anyone who is made nervous because of this probably has something to hide.
By god, Hoover! You're alive!
Mr. Atrowe, if that is your real name, I don't want to share the internet with your type of people, but I'm not lobbying to have the FBI come knocking on your door; Though you obviously have something to hide. The worst thing you could say I was doing to hurt your kind was that time I voted for a pro-education mayor. That doesn't even try to fix you, just save your children from your horrible fate.
Re:Sounds reasonable (Score:2)
Congratulations Mensa-member! You've fallen into the same fallacious assumption that marks all American intellects that are both lazy and foolish - If you're innocent, then you have nothing to hide. Yes, you are in the company of esteemed patriots such as McCarthy, Hoover and Stalin (hey I didn't say American patriots). So on behalf of John Ashcroft, I would like to thank you, good citizen, for dulling your mind and accepting the dictate of your DictatH^H^H^H^H^President, who says that the only way to save liberty and justice for all, is to destroy them.
This is how Gray Davis would do it. (Score:2)
I have a better idea. The UN should pass a law requiring that all network traffic in the world, whether on a home LAN or through the Internet, must pass through one central checkpoint machine that will log all the traffic. This will provide a worldwide data retention center where authorities and large corporations can perform queries to figure out exactly what someone was doing. (Obviously, defendants won't be allowed to perform similar queries, because that wouldn't be fair.)
Oh yeah... And the central machine that would fulfill this function would be a 386 SX with a tape drive serving as RAM, running Windows XP Professional, and it would be connected to the Internet through a 1200 baud modem. This will make true worldwide broadband a reality and keep the economy strong.
hmmm.. (Score:3, Interesting)
Many URLs can be used to guess WHAT data you've been looking at without actually looking at the website. For example, if someone saw the URL: http://www.nakedkids.com they would assume that it was child porn and whoever looked at it should be red-flagged and investigated. Quite possibly however this site could have NOTHING to do with porn and could simply have a questionable DNS name.
Perhaps if ISPs were only allowed to track IP addresses....
Re:hmmm.. (Score:2)
If www.nakedkids.com DIDN'T have to do with child porn, they might want to rethink their company name / marketing strategy...
But regarding your point, I want to say things like this would be caught in the follow-up investigation. Not that I want people investigating me, but I probably won't be thrown in the back of a squad car for visiting a site with a weird name if it actually sells propane and propane accessories, for example...
Mark
I guess this means one thing... (Score:2, Funny)
AND I have to find a place to hide the magazine instead of clearing the browser history. This sucks.
Idiots (Score:2)
It seems to me lawmakers should have "gotten" the internet, and technology in general, by now.
Re:Idiots (Score:2)
There are also benefits to this, ISPs would step up their efforts to block SPAM, as the storage overhead would be unnecessary.
Re:Idiots (Score:2)
Yep, that is extremely high. The URL to this article was 70 characters... 70 BYTES. It'd take 14 addresses of similar length to reach 1k. A megabyte would be like 15,000 addresses. Zip will knock that down to about half.
I realize other stuff would get logged, but I wanted to give you an idea of how small the logs would be. 80 gig drives are $150 now. I can't imagine that it'd be that big of a drain on the ISPs. Hell, ATTBI can have my 10 meg storage space to store logs of my traffic.
Re:Idiots (Score:2)
Well, if it's just headers and URLs, you might have a point. However, storing just that information isn't nearly enough to show what activities a given user has performed online. You also need to log the content (after all, just because a geocities page is innocent porn one day, that doesn't mean it wasn't terrorist propaganda the day before). So now it probably becomes a much higher number. More like 10 MB/day/user would be believable (some people spend much less time online than others, so they are less, admittedly). 300mb/month, times 12 months = 3.6Gb. Multiply by 100 users (probably the minimum for most any ISP to even get by), and you've got 360Gb per year. And don't forget that that data probably has to be backed up securely, in case of disaster, so you're now talking 720Gb/year. And how many years?
All of that just deals with the realities of the quantity of data. Now, you've also got to deal with internal bandwidth to back that data up daily, cpu power to write that data to log files (without impacting user experience), ram to cache that data before logging, and, of course, somebody to monitor this whole process. The cost just got a lot higher, especially since you've got to keep those records intact. You've got to have an IT staff of at least one more. Add $30,000 more/year (he's only a discarded MCSE). At $20/month/subscriber, your cost just went up by another 125 subscribers. There's another 720GB+/year to store, while you're at it. And don't forget the tape costs!
Really, would you like me to go on about this? The cost only spirals upward, out of control, quite easily, especially for the smaller ISPs. Very bad for business. So, in addition to any moral and ethical issues I may have about this, I have sound financial issues against enacting this law.
EU countries will probably NOT ratify it after all (Score:3, Interesting)
Home Secretary David Blunkett has admitted he blundered over plans dubbed a "snooper's charter" to give a raft of public bodies in the UK access to private e-mail and mobile phone records.
The proposals are to be put on hold indefinitely in the face of huge opposition, which the home secretary conceded his department totally failed to predict. (...)
See http://news.bbc.co.uk/hi/english/uk_politics/news
we need a standard "envelope" for email (Score:4, Insightful)
I think Joe Sixpack would be more inclined to use encryption if he thought it was just an envelope to put mail into... he doesn't need to know about technojargon like PGP, GPG, SSL, S/MIME, X.509 certificates, just tell him it's an "email envelope" instead of the old postcard he's used to.
The only thing that really needs to be public is the To address. Everything else could be encrypted (enclosed in the envelope) except for maybe a couple fields like the From Address and maybe the Subject Line (but even those could be "inside").
What needs to happen before email encryption becomes a "standard" thing that everyone uses all the time?
Re:we need a standard "envelope" for email (Score:2)
I don't understand why he'd need to do this. It's a computer reading the logs searching for patterns, not a human reading the emails looking for hidden meaning. If he encrypts it, it'll flag him and then a human'll look into it, which is exactly what the invasion to his privacy would be.
Re:we need a standard "envelope" for email (Score:2)
Not if everyone encrypts their mail. Does the post office flag every piece of mail enclosed in an opaque envelope for further "inspection"?
Re:we need a standard "envelope" for email (Score:2)
They don't need to, they don't have anything to worry about. As I said, it's a computer reading the messages, not a human.
You're not preventing the Government the ability to read your email, instead you're opening a wider door for potential terrorists to communicate.
Overrated? Why? (Score:2)
Somebody help? Frankly, I suspect that it was modded down because the person who did it thought I don't value privacy. That's not true at all. I'm just saying I trust a computer to scan my e-mail and retain my privacy, not a human. Once a human reads my email, I get spooked.
The internet is NOT a secure communications medium regardless of what the DOJ wants. So why make yourself stand out to them?
Re:we need a standard "envelope" for email (Score:2)
Show me one time when that has happened. They're doing a much better job than that.
"Second, it's not really an invasion of privacy to see someone else's encrypted message."
I never claimed it was. What I said was that the people's privacy is safe. All that's happening is that a computer is recording the messages. So what? A program reads the message, does a pattern match, and moves on. Virtually nobody's message is going to get read by somebody who could care about it.
If you encrypt it, though, what good is that going to do besides make somebody say "Wtf is so important that they are encrypting their message this heavily?"
The only good you are doing by encrypting your messages is making it easier for September 11th part II to come along.
Re:we need a standard "envelope" for email (Score:2)
Re:we need a standard "envelope" for email (Score:2)
The hard part is my mom, my boss, my friends, the guys on the mailing list... Until they all get PGP/GPG and make a public key, encryption doesn't do me a bit of good. I don't care how much PGP integration the current crop of mail clients have, generating valid and robust keys and then maintaining them through software upgrades, harddrive crashes and ISP changes, is something the average Joe Sixpack (as well as my mom) is not going to be able to handle.
Think about it. The day every computer user knows how to properly maintain a set of PGP keys is the day people stop opening binary email attachments, stop using "password" and "drowssap" as passwords, and start checking the security of webpages before they start shopping online.
No encrypted email company has ever made it (Score:2)
Re:we need a standard "envelope" for email (Score:2)
I'm all for an "email envelope" that is protected just the same as a realspace envelope... but that's not the same as the broad scope anti-circumvention clause. It is only illegal to open envelopes that have been sent through federal postal system, but anyone is free to open any other envelopes that haven't been submitted to the Post Office.
Re:we need a standard "envelope" for email (Score:2, Insightful)
Another good reason to use freenet (Score:2)
Irony (Score:2)
What's the fuss? (Score:3, Insightful)
Really, the idea that the government can arbitrarily spy on anybody, but only look at later if they have a reason, violates your 4th Amendment rights against unreasonable searches (OT: sometimes I feel bad for the 3rd Amendment...it just gets completely ignored. Nobody ever takes to the streets demanding their 3rd Amendment rights be protected. Oh well). The federal government has no power to inventory your entire home, or keep a list of every person with whom you correspond by mail, and as such, they have no similar power to log your email headers or http requests. I don't see this one happening any time soon.
Re:What's the fuss? (Score:2, Interesting)
Actually I recall seeing a semi-serious argument against the SSSCA on 3rd Amendment grounds. The reasoning was that mandating a "cop chip" in all electronic devices to make sure you don't do anything unapproved is effectively quartering an agent of government in your residence. Obviously quite a stretch, but no more so than any number of acts Congress has tried to justify using the Commerce Clause.
Re:What's the fuss? (Score:2)
Re:What's the fuss? (Score:2)
Seriously, though, yes, that's why the price of freedom has always been eternal vigilance. It comes from all sides, though. The Right uses external boogeymen, like Reds and A-rabs, to remove your civil rights. Hey, I've got no problem with the government fighting terrorists, but please do it by going into other countries and shooting bad guys, not by spying on me, thanks. The Left, however, uses internal boogeymen. Corporate America (tm) is so evil, sorry, we gotta ignore that whole "free speech" thing so we can enact Campaign Finance Reform (insert angels singing here). Property rights? Well, gee, sure, gosh, but come on, Please Think of the Children/Poor/Snail Darters so we gotta take more of your money, 'k, thanks. Sigh. Tends to get one awful depressed...
Encryption? (Score:2)
The USA is the top internet using place on the planet, and Europe is no doubt second, with Asia/Pac being third. So how the USA officials plan to effectively monitor the data required is interesting. Logically one is left to wonder how well the USA carnivore system is working these days, and its sister Echelon. To resort to forcing these ISPs to log data on behalf of the government officials seems very controversial. Almost as if the government is passing on the burden of Carnivore on the backs of the struggling ISPs in America. The interesting thing is: who is to prevent the ISP from simply not logging all the data the government officials claim to require? How would they be able to prove the ISP otherwise?
Seems impossible to do (Score:2)
In addition you can have a script generating spurious emails and web browsing requests all day long so that you quickly overwhelm anyone's ability to actually log anything of substance (if you are really dedicated, you could probably generate 1GB of trash data a day).
Whoever is thinking about these moronic ideas appears to be technically ignorant.
Great (Score:2)
Hey all! Has anyone seen that AL QUEDA member lurking around here? I coulda sworn I saw him with one of the few NUCLEAR BOMBS in the world.
... d'oh! You mean they're not monitoring content?? That takes ALL the fun out of it!
--pi
Industry concern?! (Score:2)
But a Justice Department source said Wednesday that data retention is mentioned in the strategy only as an industry concern -- ISPs and telecom companies oppose the costly idea -- and does not reflect any plan by the department or the White House to push for a U.S. law.
They just have no fucking respect for our rights at all in the DOJ, do they? None whatsoever. I mean, come on - industry concerns?! Sure, industry would have concerns, but have any of these fucknuts heard of liberty and/or privacy?
Send Lady Liberty back to France, it's over. Sell the Declaration of Independence on Ebay, clearly it has no meaning for our appointed officials.
It won't pass a court challenge here... (Score:2)
I've read the proposal that passed the European Parliament, and if the policy the Bush administration is attempting to put in place is similar, then it won't pass Constitutional muster. It fails on at least three major points:
I don't think they really realize the volume (either the US or Europe) as to what they're requiring, either. A rough estimate is that an email header is 1k, and that a log of an http request is .5k. For an average user, 1000 http requests (remember, each picture/icon is a new request) and 10 emails per day would be typical. That's about 500k per person per day. For a mid-size ISP with 10,000 users, that's 5GB per day, 1.825 TB per year. Even assuming good compression of 90%, that's 180GB per year. Given that you would need to get a good machine and lots of redundancy for it (remember, this is a LEGAL requirement), I can easily see it costing $30k PER YEAR or more for the hardware alone for log space (plus the additional costs to upgrade the routers/mail servers/proxies and other infrastructure to allow for such vast logging in the first place). I'd estimate that it would be at least triple that, when all other factors are included. Even a $30k capital expenditure per year is a pretty good chunk of change for a company with a probable revenue stream of $3M per year. That's a 1% value of gross receipts (conservatively). And what about someone like Earthlink or similar, who has millions of customers? You're looking at requiring Terabyte storage systems costing multi-millions of dollars.
Even though I've seen some really dubious legislation and policies over the past 10 years (e.g. DMCA), I don't think this one will fly.
-Erik
Re:It won't pass a court challenge here... (Score:2)
DMCA?
USA Patriot Act?
2000 Presidential Elections?
Since when has not passing constitutional muster been a barrier to the government doing whatever it wants? The only barrier these days is the poll numbers, and they can just make those up and put it on the news, and most people will fall into line. So the only effective barrier is what they think they can spin in the media and get away with.
If they're following the UK... (Score:2)
Blunkett went all uncharacteristically contrite on us, but according to the Register this just means that they're not actually formalising what they are doing anyway.
They probably really are handing around traffic analysis data like smarties. "Oh looook what he's accessing!" Probably there's people out there being blackmailed right now; there's bound to be some bad apples with access to this data.
Love/Hate the idea (Score:5, Insightful)
But then I thought.... If every ISP had to monitor port 25, isolate all to and from IPs and email addresses (forged or not), and fill up all those hard drives, tapes and whatnot...
Can you imagine how fast SPAM would drop off as the ISPs attempted to control the now real costs of hosting spammers?
and then they will... (Score:2)
Forced proxies and such... (Score:2)
Either that or they just keep track of what connections are being made through them to port 80 of places...but then what about web sites simply not on port 80...seems an easy enough way for "terrorists" to avoid being caught.
And then there's the issue of people who run their own mail servers...I'd LOVE to see the government FORCE me to log all my own damned emails. It's not like it's hard to set up your own sendmail box and use that instead of your ISP's
GPG (Score:2, Insightful)
Time for a secure Internet backbone? (Score:2, Interesting)
As far as the individual goes email content can be encrypted. But it looks like the government wants the headers of email and web traffic. Therefore I think there are some things that site maintainers can do to make things more secure.
Oh no! (Score:2)
Why is it this group of people all visit one web site? And it's from a Russian domain!
Well, we've looked into it sir - it seems to be a, uhhh, proxy
What the hell is a proxy?
We are on it sir!
Misinformation (Score:3, Insightful)
Logging email headers can be compared to the phone company keeping records of your incoming/outgoing phone calls.
Do they do it now? Yes...and most ISPs keep generic logs as it is.
Does the phone company retain ALL the info? No...but they CAN get the info and keep it if you're suspected of doing Bad Things...or they can tap the line. Can an ISP track the same amount of info? Sure...but they don't do it right now unless you're doing Bad Things.
Keeping track of where you go on the web can be compared to driving.
Does your state's dept of transportation keep track of what road you drive, and what time you did it? No.
Does your ISP track what sites you go to and when you go to them? No...unless you have a proxy, in which case they might keep a generic log.
Can the dept of transportation put cameras at all intersections and track your license plate number? Yes...but think of the hideous cost and hideous amount of data. Same goes for an ISP to track where you go.
It's all about perspective...
What they (the govt) should do.. (Score:2)
Now let's see, who should get the contract for that software... why Microsoft of course, they are into trustworthy computing nowadays.
Secure Tunneling (Score:2, Insightful)
This can handle most web activity. Email can be encrypted, remailed, or signed up for and used through Secure Tunneling, or a similar method.
As an example, when I browsed the web at work, I used Secure Tunneling. For my email, I used Hushmail. Hushmail encrypted all the data that I saw, so it could not be tracked until it left Hushmail's servers.
NNTP is a problem. There are anonymous NNTP sites. Altopia [altopia.com], a site run by a staunch Libertarian, seems to be pretty reliable. You can even pay rather anonymously. More recently, Teranews [teranews.com] has offered privacy, though I don't know of many reports on their trustworthiness.
The problem with NNTP service is you cannot encrypt the actual data stream to the NNTP server itself. Hopefully someone will provide such a service. (At another glance, it looks like the Secure Tunneling package includes "Anonymous Newsgroups". But I am not sure what that means.)
Won't work (Score:2)
Programs that act like web browsers hitting pages at random generating way too much traffic to record.
Increases in junk mail to overload the databases with uh... junk From, To, CC addresses.
I'm sure the Security and Storage industry sectors will be happy.
Of course they don't have any *plans* (Score:3, Insightful)
Boycott (Score:2)
I know it's not very realistic, but hey, it's a start.
Fido. (Score:2)
Can We Put this in perspective for the courts? (Score:4, Interesting)
Re:Curious (Score:2, Interesting)
Drown them in their own sauce. Before long, they'll be telling all the ISPs in the country "UNCLE!"
If nothing else, we'll get a BIG increase in the capacity of the Internet backbone before it's all over. Note for the humor-impaired: This suggestion is a joke. I think the bozo at DoJ who proposed this should be fired/recalled for constitutional abuse of power for even suggesting this.
Re:Time to switch to anonymous proxies... (Score:2)
There used to be anonymous re-mailers like penet and some by cypherpunks (C2) that would be nice to have around. I think spam usage killed off those remailers that survived the suits by the Church of Scientology.
What the U.S. government doesn't realize is that the same unreasonable searches of your cyberhome that they think will do "something" to combat terrorism (it's arguable just how much genuine security this gains), are also the same policies that, as they are mimicked worldwide, will make it easier for oppressive regimes (North Korea, Iraq, China, Saudi Arabia, etc.) to clamp down on political dissent and the free exchange of ideas in their nations.
I can only presume that the Bush administration has decided for us that some small amount of potential security under hypothetical circumstances is worth the cost in freedom of expression, not only in the United States but around the world.
And here was I, thinking that the U.S. was a standard bearer promoting democracy and the principles of human rights embodied in the U.S. Constitution.
Re:*sigh* (Score:2)
Yeah, that's a good plan: Give them a reason to think you're up to no good. That'll keep'em from investigating ya.
Re:*sigh* (Score:2)
Works both ways...do you think that a t3rr0rlst would be stupid enough to put the kind of revealing information in their e-mail that will flag Carneyvore, or reveal anything substantive in the logs retained by ISPs? Hasn't it been stated that one of the methods used consisted of common phrases that had secondary meanings to those using them? Who knows what "Let's do a picnic tomorrow" could actually mean? Hell, they could throw someone for an even bigger loop by creating a diversion - one dude's subject might read
Re:*sigh* (Score:2)
I mean seriously, who cares if they read our e-mail? What are they going to get from it? They already have my social security #. They have my date of birth, mother's maiden name, the city I was born in, how much money I've made in my life, where I've lived all my life, who I've worked for, what kind of car I drive, my physical description, and so on. What is going to be revealed in e-mail that they aren't privy to now? Who cares?
I don't care if some gov't agent is reading my overly-affectionate emails to my GF. I'll never even meet the guy!
Fight corporations when they try to peek into your lives, but don't fight the Gov't. They're out to protect you.
It's called Peek-A-Booty (Score:2)
It was originally designed to help Chinese Internet users get around the Great Firewall Of China.
Looks like the US and EU will be needing it too...[sigh]
Re:As long as data goes in the clear ... (Score:4, Informative)
Re:As long as data goes in the clear ... (Score:2, Interesting)
OK, let's look at those, shall we?
Re:As long as data goes in the clear ... (Score:2)
For example, if the FBI comes, arrests you, throws you in jail for a month, then you get out (due to lack of evidence (see above)) - did they have to do anything else to destroy you? what happened to your house (who paid your rent/mortgage), what happened to your community respect/standing? what happened to your friends, your sig. other., what happened to your raise, your promotion, your job?
see?