Follow Slashdot stories on Twitter

 


Forgot your password?
Close
typodupeerror
×
United States

DOJ Wants ISPs to Log User Traffic UPDATED 346

Posted by chrisd from the call-your-congressman dept.
Anonymous Coward writes "Kevin Poulson writes in an article in SecurityFocus that in an early draft of the White House's "National Strategy to Secure Cyberspace", the DOJ proposes that the US enact European style 'data retention' laws, which force ISPs to log and retain all of your email headers, as well as your Web browsing history." Nothing worse for the DOJ to be upstaged by Europe in oppressive lawmaking, they must feel like they're losing their edge. Update: 06/19 23:04 GMT by M : The SecurityFocus article has been updated with this note, saying that the U.S. denies having any plans for data-retention laws. Guess we'll have to wait until the plan is released to see.
This discussion has been archived. No new comments can be posted.

DOJ Wants ISPs to Log User Traffic UPDATED More

DOJ Wants ISPs to Log User Traffic UPDATED

Comments Filter:

  • I guess... (Score:4, Funny)

    by Anonymous Coward on Wednesday June 19, 2002 @06:40PM (#3732699)
    I'll have to meet real girls instead of browsing pr0n.

  • First post? (Score:4, Insightful)

    by Paradoxish ( 545066 ) <`glegeza' `at' `simparadox.com'> on Wednesday June 19, 2002 @06:42PM (#3732713) Homepage Journal
    Maybe, I dunno. But anyway... this sucks. Doesn't anyone at the DOJ realize that keeping a history of web browsing is about the equivalent of having someone follow you around with a pen and some paper and record the address of every place you visit during the day? I don't understand how keeping track of information like this can possibly help with security or ANYTHING for that matter.
    • . Doesn't anyone at the DOJ realize that keeping a history of web browsing is about the equivalent of having someone follow you around with a pen and some paper and record the address of every place you visit during the day?


      Which is also the equivalent of putting cameras in public places, which makes it easy to track someone's movements throughout the entire day. Therefore, this will not be an effective argument against such monitoring to people who already consider things like cameras in public places to be a good idea.

      • Re:First post? (Score:4, Insightful)

        by gorf ( 182301 ) on Wednesday June 19, 2002 @07:12PM (#3732928)

        Which is also the equivalent of putting cameras in public places...

        (Emphasis mine) My web browser is certainly not in a public place.

        • Re:First post? (Score:2, Interesting)

          by nsanit ( 153392 )
          My web browser is certainly not in a public place.

          Uhhh....you may be right, your browser is not, however...

          What comes into and goes out of your browser, may very well be in a public place, unless you are browsing an intranet, which since you've posted here, you're obviously not restricting yourself that much.

          If you can be absolutely sure that your traffic never touches a network that has nothing to do with the government, your statement would be true. The chances of that are pretty damned slim since a lot of big pipes in the US have some affiliation with a publicly funded university.

          However, while their motivation may be different, your ISP could monitor everything you do and it would be akin to retail stores with security cameras.

          Please understand, I dislike the idea as much as anyone, I just dont know if there's much we can do about it.

      • People who don't mind cameras in public places, and who think that there's no 'reasonable expectation of privacy' in public, probably wouldn't be the least bit bothered if someone caught them (with a camera) in an embarrassing moment (in public) and then plastered it all over the net. Or would they?
    • Even if the DoJ were to keep a log of your web browsing, who's to say it was you sitting at the keyboard?

      I can see people making scripts to go to all sorts of "undesireable sites", and when they get busted, they can prove they were nowhere near the computer at the time.

      Would also smoke out all sorts of surveillance schemes.

      • Actually, your post reminds me. Wasn't there some sort of backdoor/bug/virus which allowed remote users to view your computer video camera?

        If what I recall is correct, they could prove it was you.

        (I could be wrong however, im searching /. for the story..)
    • The way i viewed it was much akin to the Australian censorchip laws. Its probably a token political effort designed to say theyre protecting the children and stopping terrorism. Its extremely hard to pin down anything really, and if you want to remain unknown, theres always the library.

      So I'd say, its political point scoring, with no real teeth to it. But hey, it could always be that they progressed to the next chapter of 1984.
    • And who follows them around all day with a pen and paper recording everything they are recording about you?

      It's just a way for the govenerdment to make the citizens think that are doing something about security. If they were actually doing something to protect the people, the "Office of Homeland Security" would call the Department of Transport and tell them to enforce seatbelt laws. How many lives a day would that save? How many lives a day will be saved by my mail headers and URLs being monitored?


    • I don't understand how keeping track of information like this can possibly help with security or ANYTHING for that matter.
      What I don't get is this: Evidence exists that the CIA, FBI, NSA, et. al. already had enough raw data in their hands that if they had their heads on right, they could've stopped the 9/11 attack...so the amount of information they have access to already isn't the problem...it's what they do with it.

      So how the hell is giving them more data going to help? All it will do is cause information overload and all those cops will start ignoring even more than they do already...which will actually make it easier for those bent on crime and distruction.

      After all, if there are 50 average joe's to every 1 kidnapper/drug dealer/terrorist, then if I'm one of the bad guys...I'd be hoping the government is too busy watching the 50 good guys so as to be more likely to overlook me.

  • Mail headers. (Score:3, Interesting)

    by Lemmy Caution ( 8378 ) on Wednesday June 19, 2002 @06:43PM (#3732715) Homepage
    Article seems slashdotted, so I haven't read it yet... but what does this mean for those of us who run our own mail servers? Do we know have retention and reporting requirements on our systems at home?

    • Re:Mail headers. (Score:2, Redundant)

      by Bouncings ( 55215 )
      I managed to get the article. Here is a reprint of the text.

      Cyber Security Plan Contemplates U.S. Data Retention Law

      Internet service providers may be forced into wholesale spying on their customers as part of the White House's strategy for securing cyberspace. By Kevin Poulsen, Jun 18 2002 3:46PM UPDATE:U.S. Denies Data Retention Plans

      An early draft of the White House's National Strategy to Secure Cyberspace envisions the same kind of mandatory customer data collection and retention by U.S. Internet service providers as was recently enacted in Europe, according to sources who have reviewed portions of the plan.

      In recent weeks, the administration has begun doling out bits and pieces of a draft of the strategy to technology industry members and advocacy groups. A federal data retention law is suggested briefly in a section drafted in part by the U.S. Justice Department.

      The comprehensive strategy is being assembled by the President's Critical Infrastructure Protection Board, headed by cyber security czar Richard Clarke, and is intended as a collaborative road map for further action by government agencies, private industry, and Congress.

      While not binding, proposals that find their way into the final version of the National Strategy would likely have added weight in Congress, and could lead to legislation.

      A controversial directive passed by the European Parliament last month allows the 15 European Union member countries to force ISPs to collect and keep detailed logs of each customer's traffic, so that law enforcement agencies could access it later.

      Data to be gathered under the European plan includes the headers (from, to, cc and subject lines) of every e-mail each customer sends or receives, and every user's complete Web browsing history. The period of time that the data will have to be retained is up to each member country; specific legislative proposals range from 12 months to seven years, according to Cedric Laurant, a policy analyst at the Electronic Privacy Information Center (EPIC), which opposed the directive.

      "Somebody could see their past for the last seven years be completely open," says Laurant, speaking of the European directive. "It violates freedom of speech and the basic principal of the presumption of innocence."

      The draft of the U.S. plan does not specify how much data ISPs would be forced to collect, or how long they would have to store it. The White House did not return phone calls on the strategy, which is scheduled for release in September.

    • Finally got through, and ... Nothing to worry about yet. [securityfocus.com] Apparently, this is from a misreading of the report. No data retention requirements, these aren't the droids you're looking for, move along.
    • I was thinking the same thing. I find it very difficult to believe that they can force the tens of thousands of us (at least) who run our own mail/DNS servers to keep logs for x years, and then turn them over at their request. It's also not that difficult to set up your own mail/DNS server, and I don't think that terrorists/criminals capable of doing anything worth preventing would have too hard of a time with it.

    • Re:Mail headers. (Score:3, Insightful)

      by jmd! ( 111669 )
      Your ISP wouldn't do it on their mail server, they would have to sniff all outbound port 25 traffic and record that way. Scary stuff, since even PGP doesn't help much. They'd still known everyone I mail. Time to start putting the Subject: in the body of the message, people!

  • Will they fund it? (Score:4, Insightful)

    by cardshark2001 ( 444650 ) on Wednesday June 19, 2002 @06:45PM (#3732727)
    Logging such a huge volume of data requires massive hard-drive space, extra CPU power, extra manpower. All of those things cost money.

    Considering how little money ISP's tend to make, I don't see this as at all fair, unless the government will pony up the cash.

    • Re:Will they fund it? (Score:4, Interesting)

      by delta407 ( 518868 ) <slashdot@nosPAm.lerfjhax.com> on Wednesday June 19, 2002 @06:52PM (#3732786) Homepage
      Besides which, what defines an ISP? I do work for a school that shares an Internet line with a nearby company; the router is in the school, and the company can use the school's cache server and mail relay. Does the school have to log everything? They certainly can't pay for it.

      Then again, if the government would provide cash for some upgrades, I'm sure they wouldn't mind.

    • Re:Will they fund it? (Score:2, Insightful)

      by bsDaemon ( 87307 )
      It isn't fair even if they DO fund it. It is just wrong and evil. What about prsumption of innocense and, freedom of press, freedom of speech, due process? How about 'reasonable expectation of privacy'? Fuck the federal government. "...--That to secure these rights, Governments are instituted among Men, deriving their just powers from the consent of the governed, --That whenever any Form of Government becomes destructive of these ends, it is the Right of the People to alter or to abolish it..."

      So there.

      • You're right - it isn't fair. But there's precedent. This very thing happened with the telcos already, to the tune of some $500 million that was handed out BY the FBI, to the telcos, in order to defray the cost of upgrading equipment in a manner necessary to comply with CALEA. One unintended consequence is that now the telcos have implemented MORE than was granted by the FCC (based on what the FBI and other law enforcement agencies had requested), fearing that they may be forced to add this extra functionality at some point in the future. All it takes now is a switch to activate the new goodies.
    • Sorry, when the gov't passes edicts like this on themselves, it never supplies funds for actually following the new law or policy. Somehow, the effected agencies/divisions/teams must come up with the money to meet requirements (e.g. get all the Unix folks PCs because suddenly M$ Word is the required word processor). It's certainly not going to supply funds to ISPs to expand storage and whatnot. However, what will happen is the ISPs will be forced to raise prices to cover the costs.
  • I wonder if Zero Knowledge, Inc. [zeroknowledge.com] might decide that it might be time to re-introduce their personal anonymous web browsing service.

  • They changed their mind! (Score:5, Informative)

    by I Want GNU! ( 556631 ) on Wednesday June 19, 2002 @06:45PM (#3732737) Homepage
    I visited the site, and this is what it says here [securityfocus.com]. I'm posting it in case the site gets slashdotted. [And I'm not a karma whore since I already have 50.]

    U.S. Denies Data Retention Plans

    The Justice Department refutes claims that Internet service providers could be forced to spy on their customers as part of the U.S. strategy for securing cyberspace.
    By Kevin Poulsen, Jun 19 2002 12:24PM
    An early draft of the White House's National Strategy to Secure Cyberspace envisions the same kind of mandatory customer data collection and retention by U.S. Internet service providers as was recently enacted in Europe, according to sources who have reviewed portions of the plan.

    But a Justice Department source said Wednesday that data retention is mentioned in the strategy only as an industry concern -- ISPs and telecom companies oppose the costly idea -- and does not reflect any plan by the department or the White House to push for a U.S. law.

    In recent weeks, the administration has begun doling out bits and pieces of a draft of the National Strategy to technology industry members and advocacy groups. On Tuesday, sources who had reviewed segments of the plan said a federal data retention law is suggested in a section written in part by the Justice Department.

    The comprehensive strategy is being assembled by the President's Critical Infrastructure Protection Board, headed by cyber security czar Richard Clarke, and is intended as a collaborative road map for further action by government agencies, private industry, and Congress.

    While not binding, proposals that find their way into the final version of the National Strategy would likely have added weight in Congress, and could lead to legislation.

    A controversial directive passed by the European Parliament last month allows the 15 European Union member countries to force ISPs to collect and keep detailed logs of each customer's traffic, so that law enforcement agencies could access it later.

    Data to be gathered under the European plan includes the headers (from, to, cc and subject lines) of every e-mail each customer sends or receives, and every user's complete Web browsing history. The period of time that the data will have to be retained is up to each member country; specific legislative proposals range from 12 months to seven years, according to Cedric Laurant, policy fellow at the Electronic Privacy Information Center (EPIC), which opposed the directive.

    "Somebody could see their past for the last seven years be completely open," says Laurant, speaking of the European directive. "It violates freedom of speech," as well as the legal principal that a defendant is presumed innocent until proven guilty.

    The White House did not return phone calls on the National Strategy, which is scheduled for release in September.

    • U.S. Denies Data Retention Plans

      As Bismarck once said, "Nothing is confirmed until officially denied."

    • Please understand that the EU is quite different from the US. In most countries (except the UK), there is no judicial presumption of innocence. Free speech does not prohibit prior restraint [chilling effect]. Privacy does not include privacy from police and other authorities.

      I dislike the European plan. But I also recognize it's a different place with very different attitudes of both police and populace. EU member nations are also free _not_ to enact the plan in their countries. I expect that a number, including the UK, will not.

  • FPWL (Score:2, Funny)

    by Peridriga ( 308995 )
    Wow...

    Now the DOJ will have the biggest Free Password List on the web..

    Could you imagine the amount of money they could make from X-10 pop-under ads...

  • They're the only ones NOT looking (Score:3, Insightful)

    by Ars-Fartsica ( 166957 ) on Wednesday June 19, 2002 @06:48PM (#3732757)
    Any ISP employee, sysadmin or free email provider admin can already look at your data any time they please. And they do.

    At least the government will probably be required to disclose what they do.

    Your best bet is to not send any sensitive info over email, and don't store any unencrypted sensitive or private data in online storage systems.

    • Re:They're the only ones NOT looking (Score:4, Informative)

      by digitalsushi ( 137809 ) <slashdot@digitalsushi.com> on Wednesday June 19, 2002 @07:50PM (#3733122) Journal
      As a netadmin for a small-medium sized ISP, I'm going to have to disagree with that on two levels. First off, most of us small guys dont have all the bells and whistles, or disposable overhead to implement free tools to spy on our users. Quite a few of us pipe our customers "straight through". (That and you need to remember that the majority of us are no Vincent Cerfs.. we're smart people but we could sit here 24 hours a day and still not have enough time to learn it all- but thats another thread)


      Second, for the things that we *can* look at (easy stuff like say someone's POP mailbox, just a text file) there is (most people wont believe this) actually an honor system amongst admins. We won't edit a mailbox if its broken until we have permission. Otherwise we might see something that isnt ours to see. Privacy is THE most important thing we can promise our customers, so everything else has to take the back seat, even if it means some uptime.


      Even given that, though, I do recommend that people encrypt their email, cause just cause I wont read your mail, doesn't mean the kid who has a 60 minute kernel exploit who just rooted me wont- (the rooting being another thread, lets not talk about perfection in admining here) (So sorry to reply like this, but I just took it a little personally. We're not all sleazy. Most of us arent.)

      • I'm not posting as someone looking from the outside, I'm telling you from the inside that people with access to personal information go snooping through it all the time. Please inform every root user I've ever met about your honor system.

  • What's next? (Score:2, Insightful)

    by cardshark2001 ( 444650 )
    Perhaps the DOJ should be able to find out the title of every book I purchase, every TV show I watch, what kind of hamburger I buy.

    Wholesale spying is not justified by the war on terrorism. Especially for us non-Arab, born and raised in America types. It's just an excuse for the government to do something they've wanted to do for a long time anyway.
  • What I want to know is how this impacts those of use who own/operate our own domains and SMTP server (i.e. those of us who do not use ISP supplied SMTP servers to send out mail). Will we be forced to log our own traffic for fear mean old Uncle Ashcroft wants to know who we emailed three years ago? Will we have to enact some sort of robust long term backup of these logs (i.e. fire resistant safes and offsite backups of logs)? What if, through no fault of our own, a fire destroys the last weeks worth of backups and Uncle Bush needs yesterdays logs (i.e. how paranoid about backing things up do we need to be)?

    • The day the government touches ANY of my boxes, is the day they pry the keyboard out of my cold dead hands (or on a more practical basis, have moved overseas to a far more enlightened country). The facism being proposed in the American government is sickening, and i fear the day the majority of it is passed into law. Big brother, meet Uncle George and Cousin Ashcroft.
  • I value my privacy as much as the next guy, but I don't think the DOJ's request is at all unreasonable. In fact, most ISP's already do log their user's traffic. In fact, if you're using a major ISP such as AT&T or Earthlink to read this, your traffic is almost certainly being logged right at this moment. This isn't necessarily a bad thing. On the contrary, logging user's activities on-line allows law enforcement to catch spammers (I'm sure most Slashdotters hate spammers), virus writers and distributers, software pirates, pedophiles, and all sorts of other cyber-miscreants. This is a Good Thing. I sure as hell don't want to be on-line with those types of people, and I'm sure most other readers will agree with me here.

    It seems that the issue at hand isn't the act of logging activities themselves, but how willing your ISP is to distribute those logs. In all previous cases I am aware of, ISP's do not give out personal information about a user without first being served with a subpoena. This is no worse than the restrictions we have had on wiretapping and eavesdropping for the past 50 or so years, so I don't see any reason for anyone to get upset about this. If you aren't breaking the law, then you have nothing to worry about, and your information will remain private in the hands of your service provider, however if you're doing something illegal, then there is no reason that the FBI or such should not be able to serve your ISP with a subpoena to obtain your usage logs. Its perfectly within our Constitutional rights for the government to do this, and anyone who is made nervous because of this probably has something to hide.

    • Re:Sounds reasonable (Score:2, Insightful)

      by schon ( 31600 )
      I don't think the DOJ's request is at all unreasonable

      Of course it's unreasonable. Think about this: The logs don't show content.

      Your email headers don't show what you were talking about - you emailed "somejoeuser99@hotmail.com" asking about his lost puppy... but unbeknownst to you, he's a suspected terrorist, and all of a sudden, you're being investigated... They pull up your http traffic file, and it turns out that the HTML email he sent you has IMG tags that pull pictures from known terrorist sites.

      You'll probably change your mind once you're in an FBI interrogation chamber.. that bare bulb shining in your face, as Agent Smith says "Vhy vhere you communicating vis a known terrorist? Ve haf vays of makink you talk!"

      Or better yet, someone wants to make your life hell, so they get some anonymous web space, put some content that might interest you, and get you to view it... then then change the content to some terrorist propaganda, and place an anonymous call to the FBI. Suddenly there is PROOF that you've been visiting terrorist sites.. so you must be a terrorist!

      Think it can't happen in good ole' USofA? Just like the McCarthy witchhunts couldn't happen.
    • I sure as hell don't want to be on-line with those types of people

      If you aren't breaking the law, then you have nothing to worry about

      anyone who is made nervous because of this probably has something to hide.

      By god, Hoover! You're alive!

      Mr. Atrowe, if that is you're real name, I don't want to share the internet with your type of people, but I'm not lobbying to have the FBI come knocking on your door; Though you obviously have something to hide. The worst thing you could say I was doing to hurt your kind was that time I voted for a pro-education mayor. That doesn't even try to fix you, just save your children from your horrible fate.
    • Its perfectly within our Constitutional rights for the government to do this, and anyone who is made nervous because of this probably has something to hide.


      Congratulations Mensa-member! You've fallen into the same fallacious assumption that marks all American intellects that are both lazy and foolish - If you're innocent, then you have nothing to hide. Yes, you are in the company of esteemed patriots such as McCarthy, Hoover and Stalin (hey I didn't say American patriots). So on behalf of John Ashcroft, I would like to thank you, good citizen, for dulling your mind and accepting the dictate of your DictatH^H^H^H^H^President, who says that the only way to save liberty and justice for all, is to destroy them.

  • I have a better idea. The UN should pass a law requiring that all network traffic in the world, whether on a home LAN or through the Internet, must pass through one central checkpoint machine that will log all the traffic. This will provide a worldwide data retention center where authorities and large corporations can perform queries to figure out exactly what someone was doing. (Obviously, defendants won't be allowed to perform similar queries, because that wouldn't be fair.)

    Oh yeah... And the central machine that would fulfill this function would be a 386 SX with a tape drive serving as RAM, running Windows XP Professional, and it would be connected to the Internet through a 1200 baud modem. This will make true worldwide broadband a reality and keep the economy strong.

  • hmmm.. (Score:3, Interesting)

    by crimoid ( 27373 ) on Wednesday June 19, 2002 @06:53PM (#3732792)
    This is only slightly different than forcing telcos to retain phone records, with one exception.

    Many URL's can be used to guess WHAT data you've been looking at without actually looking at the website. For example, if someone saw the URL: http://www.nakedkids.com they would assume that it was child porn and whomever looked at it should be red-flagged and investigated. Quite possibly however this site could have NOTHING to do with porn and could simply have a questionable DNS name.

    Perhaps if ISPs were only allowed to track IP addresses....
    • Many URL's can be used to guess WHAT data you've been looking at without actually looking at the website. For example, if someone saw the URL: http://www.nakedkids.com they would assume that it was child porn and whomever looked at it should be red-flagged and investigated. Quite possibly however this site could have NOTHING to do with porn and could simply have a questionable DNS name.

      If www.nakedkids.com DIDN'T have to do with child porn, they might want to rethink their company name / marketing strategy...

      But regarding your point, I want to say things like this would be caught in the follow-up investigation. Not that I want people investigating me, but I probably won't be thrown in the back of a squad car for visiting a site with a weird name if it actually sells propane and propane accessories, for example...

      Mark
  • now I have to go down to the convenience store to buy pr0n magazines. [shudder]

    AND I have to find a place to hide the magazine instead of clearing the browser history. This sucks.
  • Does the DOJ have any idea how ridiculously large such logs will get? Have they considered the added cost to the ISP's to store these logs? (hard disk space is cheap, not free)

    It seems to me lawmakers should have "gotten" the internet, and technology in general, by now.
    • Say each user generated 10 MB of compressed logs a month (which seems high to me). Thats just URL's and header files. Thats just 120 MB year per user. All but the largest ISP's should be able to store this information without incurring too much additional cost.

      There are also benefits to this, ISP's would step up their efforts to block SPAM, as the storage overhead would be unnecessary.
      • "Say each user generated 10 MB of compressed log a month (which seems high to me)."

        Yep, that is extremely high. The URL to this article was 70 characters... 70 BYTES. It'd take 14 addresses of similar length to reach 1k. A megabyte would be like 15,000 addresses. Zip will knock that down to about half.

        I realize other stuff would get logged, but I wanted to give you an idea of how small the logs would be. 80 gig drives are $150 now. I can't imagine that it'd be that big of drain on the ISPs. Hell, ATTBI can have my 10 meg storage space to store logs of my traffic.
      • Say each user generated 10 MB of compressed logs a month (which seems high to me). Thats just URL's and header files.

        Well, if it's just headers and URL's, you might have a point. However, storing just that information isn't nearly enough to show what activities a given user has performed online. You also need to log the content (after all, just because a geocities page is innocent porn one day, that doesn't mean it wasn't terrorist propaganda the day before). So now it probably becomes a much higher number. More like 10 MB/day/user would be believable (some people spend much less time online than others, so they are less, admittedly). 300mb/month, times 12 months = 3.6Gb. Multiply by 100 users (probably the minimum for most any ISP to even get by), and you've got 360Gb per year. And don't forget that that data probably has to be backed up securely, in case of disaster, so you're now talking 720Gb/year. And how many years?

        All of that just deals with the realities of the quantity of data. Now, you've also got to deal with internal bandwidth to back that data up daily, cpu power to write that data to log files (without impacting user experience), ram to cache that data before logging, and, of course, somebody to monitor this whole process. The cost just got a lot higher, especially since you've got to keep those records intact. You've got to have an IT staff of at least one more. Add $30,000 more/year (he's only a discarded MCSE). At $20/month/subscriber, your cost just went up by another 125 subscribers. There's another 720GB+/year to store, while you're at it. And don't forget the tape costs!

        Really, would you like me to go on about this? The cost only spirals upward, out of control, quite easily, especially for the smaller ISPs. Very bad for business. So, in addition to any moral and ethical issues I may have about this, I have sound financial issues against enacting this law.

  • EU countries will probably NOT ratify it after all (Score:3, Interesting)

    by sickasfuck ( 584372 ) on Wednesday June 19, 2002 @06:59PM (#3732834)
    At least UK, it seems:

    Home Secretary David Blunkett has admitted he blundered over plans dubbed a "snooper's charter" to give a raft of public bodies in the UK access to private e-mail and mobile phone records.

    The proposals are to be put on hold indefinitely in the face of huge opposition, which the home secretary conceded his department totally failed to predict. (...)

    See http://news.bbc.co.uk/hi/english/uk_politics/newsi d_2051000/2051117.stm [bbc.co.uk] for more info.

  • we need a standard "envelope" for email (Score:4, Insightful)

    by jimmcq ( 88033 ) on Wednesday June 19, 2002 @07:00PM (#3732844) Journal
    You always hear the analogy that email is just sending a postcard... well, its about time that we start to make email "envelopes" (aka encryption) standard for ALL email.

    I think Joe Sixpack would be more inclined to use encryption if he thought it was just an envelope to put mail into... he doesn't need to know about technojargon like PGP, GPG, SSL, S/MIME, X.509 certificates, just tell him its an "email envelope" instead of the old postcard he's used to.

    The only thing that really needs to be public is the To address. Everything else could be encrypted (enclosed in the envelope) except for maybe a couple fields like the From Address and the maybe the Subject Line (but even those could be "inside").

    What needs to happen before email encryption becomes a "standard" thing that everyone uses all the time?
    • " think Joe Sixpack would be more inclined to use encryption if he thought it was just an envelope to put mail into... "

      I don't undertand why he'd need to do this. It's a computer reading the logs searching for patterns, not a human reading the emails looking for hidden meaning. If he encrypts it, it'll flag him and then a human'll look into it, which is exactly what the invasion to his privacy would be.
      • If he encrypts it, it'll flag him

        Not if everyone encrypts their mail. Does the post office flag every piece of mail enclosed in an opaque envelope for further "inspection"?
        • "Not if everyone encrypts their mail."

          They don't need to, they don't have anyting to worry about. As I said, it's a computer reading the messages, not a human.

          You're not preventing the Government the ability to read your email, instead you're opening a wider door for potential terrorists to communicate.

      • My parent post here was marked 'Overrated'. I am politely requesting information on what is 'overrated' about it? That kind of implies there's something seriously wrong with my comment, but as of yet I don't see that.

        Somebody help? Frankly, I suspect that it was modded down because the person who did it thought I don't value privacy. That's not true at all. I'm just saying I trust a computer to scan my e-mail and retain my privacy, not a human. Once a human reads my email, I get spooked.

        The internet is NOT a secure communications medium regardless of what the DOJ wants. So why make yourself stand out to them?
    • I'm all set to use PGP/GPG. It's integrated into my mail client. I have registered my public key. That's the easy part.

      The hard part is my mom, my boss, my friends, the guys on the mailing list... Until they all get PGP/GPG and make a public key, encryption doesn't do me a bit of good. I don't care how much PGP integration the current crop of mail clients have, generating valid and robust keys and then maintaining them through software upgrades, harddrive crashes and ISP changes, is something the average Joe Sixpack (as well as my mom) is not going to be able to handle.

      Think about it. The day every computer user knows how to properly maintain a set of PGP keys is the day people stop opening binary email attachments, stop using "password" and "drowssap" as passwords, and start checking the security of webpages before the start shopping online.
    • Joe Sixpack either can't understand encrypted email or doesn't care, because the twenty odd encrypted email startups in the Bay Area have all ended up on the scrap heap, and some of them had truly nice, easy to use solutions.
  • http://freenetproject.org or something like it.
  • If Kevin Poulsen [everything2.org] was still up to his old tricks [discovery.com] today, this would be exactly the sort of setup that would ensure he was busted very quickly...

  • What's the fuss? (Score:3, Insightful)

    by meta-monkey ( 321000 ) on Wednesday June 19, 2002 @07:11PM (#3732916) Journal
    Many other posters have already commented that the update to the story says the Gub'ment denies attempts to do this. I'm surprised this story wasn't taken with a grain of salt in the first place...you know this wouldn't stand up to any kind of court scrutiny.

    Really, the idea that the government can arbitrarily spy on anybody, but only look at later if they have a reason, violates your 4th Amendment rights against unreasonable searches (OT: sometimes I feel bad for the 3rd Amendment...it just gets completely ignored. Nobody ever takes to the streets demanding their 3rd Amendment rights be protected. Oh well). The federal government has no power to inventory your entire home, or keep a list of every person with whom you correspond by mail, and as such, they have no similar power to log your email headers or http requests. I don't see this one happening any time soon.

    • Re:What's the fuss? (Score:2, Interesting)

      by bnenning ( 58349 )
      sometimes I feel bad for the 3rd Amendment...it just gets completely ignored


      Actually I recall seeing a semi-serious argument against the SSSCA on 3rd Amendment grounds. The reasoning was that mandating a "cop chip" in all electronic devices to make sure you don't do anything unapproved is effectively quartering an agent of government in your residence. Obviously quite a stretch, but no more so than any number of acts Congress has tried to justify using the Commerce Clause.

      • Fascinating. I actually considered that while writing my previous post. In a way, the government forcing an ISP to monitor customers for their benefit could be considered "quarting" a government agent in the ISP's place of business. Specifically, the 3rd Amendment says the government can't quarter soldiers in people's homes, but this may well extend to businesses. Note, IANAL. However, if such legislation were enacted in support of the War on Terror (TM), then it probably wouldn't violate the 3rd Amendment, which allows the government to quarter soldiers in your home in time of war. Here's the complete text:

        Amendment III

        No soldier shall, in time of peace be quartered in any house, without the consent of the owner, nor in time of war, but in a manner to be prescribed by law.

  • Who cares what the government logs, when all you simply do is encipher all your traffic to trusted hosts. With anonymous Proxy services being easy to use and setup... more people will simply take notice that they exist, and begin to use them. Some people might even resort to paying a premium to under the counter internet service from their Broadband having friends Finux server. I wonder if this legislation takes into consideration that IP6 can travel right atop of traditional ip4, and can trick out attempts to monitor top level protocols, like email. Besides, you opt out of the monitoring by simply opting out of your providers email facilities. Other forms of message passing exist, and are in use by motivated people.

    The USA is the top internet using place on the planet, and Europe is no doubt second, with Asia/Pac being third. So how the USA officials plan to effectively monitor the data required is interesting. Logically one is left to wonder how well the USA carnivore system is working these days, and its sister Echelon. To resort to forcing these ISP to log data on behalf of the government officials seems very controversial. Almost as if the government is passing on the burden of Carnivore on the backs of the struggling ISP's in America. The interesting thing is: who is to prevent the ISP from simply not logging all the data the government officials claim to require? How would they be able to prove the ISP otherwise?
  • How would they decide what is loggable and what is not? By looking at ports 80 and 25? The solution to that is simple, switch all your "sensitive" browsing to port 666. Use PGP for your email or perhaps use something as mundane as ICQ, or FTP drop points.
    In addition you can have a script generating spurious emails and web browsing requests all day long so that you quickly overwhelm anyone's ability to actually log anything of substance (if you are really dedicated, you could probably generate 1GB of trash data a day).
    Whoever is thinking about these moronic ideas appears to be technically ignorant.

  • Just the opportunity:

    Hey all! Has anyone seen that AL QUEDA member lurking around here? I coulda sworn I saw him with one of the few NUCLEAR BOMBS in the world.

    ... d'oh! You mean they're not monitoring content?? That takes ALL the fun out of it!

    --pi
  • From the updated article:

    But a Justice Department source said Wednesday that data retention is mentioned in the strategy only as an industry concern -- ISPs and telecom companies oppose the costly idea -- and does not reflect any plan by the department or the White House to push for a U.S. law.

    They just have no fucking respect for our rights at all in the DOJ, do they? None whatsoever. I mean, come on - industry concerns?! Sure, industry would have concerns, but have any of these fucknuts heard of liberty and/or privacy?

    Send Lady Liberty back to France, it's over. Sell the Declaration of Independence on Ebay, clearly it has no meaning for our appointed officials.

  • I've read the proposal that passed the European Parliament, and if the policy the Bush administration is attempting to put in place is similar, then it won't pass Constitutional muster. It fails on at least three major points:

    • It attempts to require a private entity to perform an action that is explicitly forbidden to the government. The government does NOT have the right to monitor all traffic (be it email, web, internet, snail-mail, phone, or whatever) without a court-order, and can only invoke the National Security exception in narrowly-defined circumstances. In this case, the government is attempting to make an end-run around this prohibition by requiring a private source to do the collection; however, the courts have consistently ruled that the private party is acting at the behest (and defacto control) of the government, and therefore is under the same obligations and restrictions as the government.

    • A bunch of legislation passed in the 1990s grants ISPs "common carrier" status. One of the central legal tennants of Common Carrier is that it is traffic-blind. This applies not only to the carrier itself, but any organization attempting to force the carrier to become traffic-aware (ie know what is being transmitted). Common Carrier is a very well-established concept, and such a executive policy cannot overrule a legal precedent such as it without an explicit law from Congress.

    • finally, practicallity is an issue. The government can legally require that I prove I'm a green Martian before taking an airplane trip, but it won't pass a court challenge because it is an impossible requirement. A slightly less extreme standard is known as Onerous Burden, wherein a plaintiff can contend that such legislation or regulation places an unreasonable burden to comply with it; such a case would be (for example) if port fees to dock at a port exceed the value of the ship docking there.


    I don't think they really realize the volume (either the US or Europe) as to what they're requiring, either. A rough estimate is that an email header is 1k, and that a log of an http request is .5k. For an average user, 1000 http requests (remember, each picture/icon is a new request) and 10 emails per day would be typical. That's about 500k per person per day. For a mid-size ISP with 10,000 users, that's 5GB per day, 1.825 TB per year. Even assuming good compression of 90%, that's 180GB per year. Given that you would need to get a good machine and lots of redundancy for it (remember, this is a LEGAL requirement), I can easily see it costing $30k PER YEAR or more for the hardware alone for log space (plus the additional costs to upgrade the routers/mail servers/proxies and other infrastructure to allow for such vast logging in the first place). I'd estimate that it would be at least triple that, when all other factors are included. Even a $30k capital expenditure per year is a pretty good chunk of change for a company with a probable revenue stream of $3M per year. That's a 1% value of gross receipts (conservatively). And what about someone like Earthlink or similar, who has millions of customers? You're looking at requiring Terabyte storage systems costing multi-millions of dollars.

    Even though I've seen some really dubious legislation and policies over the past 10 years (e.g. DCMA), I don't think this one will fly.

    -Erik

    • I've read the proposal that passed the European Parliament, and if the policy the Bush administration is attempting to put in place is similar, then it won't pass Constitutional muster.

      DMCA?

      USA Patriot Act?

      2000 Presidential Elections?

      Since when has not passing constitutional muster been a barrier to the government doing whatever it wants? The only barrier these days are the poll numbers, and they can just make those up and put it on the news, and most people will fall into line. So the only effective barrier is what they think they can spin in the media and get away with.
  • then all they're doing is not TELLING you they are tracking email headers, dialled phone numbers and http connections. (In cryptographic circles it's called Traffic Analysis.)

    Blunkett went all uncharacteristically contrite on us, but according to the Register this just means that they're not actually formalising what they are doing anyway.

    They probably really are handing around traffic analysis data like smarties. "Oh looook what he's accessing!" Probably there's people out there being blackmailed right now; there's bound to be some bad apples with access to this data.

  • Love/Hate the idea (Score:5, Insightful)

    by gerardrj ( 207690 ) on Wednesday June 19, 2002 @07:30PM (#3733032) Journal
    Outright I hate the idea, this is just pre-emptive search/seizure. The gov would only propose this because it's in the digital domain where it's A: feasable, B: deemed by J. Pulic to be a non-issue. The could NEVER get such a thing in to action with physical mailings.

    But then I thought.... If every ISP had to monitor port 25, isolate all to and from IPs and email addresses (forged or not), and fill up all those hard drives, tapes and whatnot...
    Can you image how fast SPAM would drop off as the ISPs attempted to control the now real costs of hosting spammers?
  • .. sell your email address to the asians so that they can spam you to death...
  • So does this mean that ISP's are going to be forced to pipe ALL port 80 traffic through a proxy, because hey, how else do they get EVERY web page we go to...

    Either that or they just keep track of what connections are being made through them to port 80 of places...but then what about web sites simply not on port 80...seems an easy enough way for "terrorists" to avoid being caught.

    And then there's the issue of people who run their own mail servers...I'd LOVE to see the government FORCE me to log all my own damned emails. It's not like it's hard to setup your own sendmail box and use that instead of your isps

  • GPG (Score:2, Insightful)

    by norweigiantroll ( 582720 )
    GPG will protect you from email listening (although I guess they just get the headers, so that won't help much.) Too bad SafeWeb isn't around anymore.
  • The Internet is a public place. To say that "No one can see where I browse or who I email" is alot like Microsoft saying that it should be illegal to post discovered flaws in their products to the public.

    As far as the individual goes email content can be encrypted. But it looks like the government wants the headers of email and web traffic. Therefore I think there are some things that site maintainers can do to make things more secure.

    1. Always run a web site in SSL mode. Even if you don't have a valid site certificate at least the traffic is encrypted
    2. Run SMTP over SSL? There must be a way to get things like sendmail to try SMTP over SSL before falling back to unencrypted mode
    3. Create a secure Internet backbone? There are virtual Internets out there that run on top of the Internet like mbone and 6bone. If we setup an encrypted backbone using IPsec tunnels site to site then the ISPs wouldn't ever see unencrypted traffic and would have nothing to log. They would just be passing packets with garbage. Then if we play with routing tables if a destination is reachable over the secure backbone the packets would be dumped onto it instead of your local ISP.
  • I can just hear them now!

    Why is it this group of people all visit one web site? And it's from a Russian domain!

    Well, we've looked into it sir - it seems to be a, uhhh, proxy

    What the hell is a proxy?

    We are on it sir!

  • Misinformation (Score:3, Insightful)

    by SamMichaels ( 213605 ) on Wednesday June 19, 2002 @09:17PM (#3733459)
    The problem is the general populus and law makers don't understand what they're saying/hearing. A analogy would help to put things into perspective.

    Logging email headers can be compared to the phone company keeping records of your incoming/outgoing phone calls.

    Do they do it now? Yes...and most ISPs keep generic logs as it is.

    Does the phone company retain ALL the info? No...but they CAN get the info and keep it if you're suspected of doing Bad Things...or they can tap the line. Can an ISP track the same amount of info? Sure...but they don't do it right now unless you're doing Bad Things.

    Keeping track of where you go on the web can be compared to driving.

    Does your state's dept of transportation keep track of what road you drive, and what time you did it? No.

    Does your ISP track what sites you go to and when you go to them? No...unless you have a proxy, in which case they might keep a generic log.

    Can the dept of transportation put cameras at all intersections and track your license plate number? Yes...but think of the hideous cost and hideous amount of data. Same goes for an ISP to track where you go.

    It's all about perspective...
  • Lets require that each user of the net record all of his/her activities while on the net with monitoring software installed on thier PCs. And we all know that the good citizens have nothing to hide and will go along with anything Uncle George says.

    Now lets see, who should get the contract for that software... why MicroSoft of course, they are into trust worthy computing now a days.

  • Secure Tunneling (Score:2, Insightful)

    by Chacham ( 981 )
    Even if they do this, places like Anonymizer [anonymizer.com] will provide Secure Tunneling [anonymizer.com]. Anonymizer also has other services, and they seem to be trusted for their part.

    This can handle most web activity. Email can be encrypted, remailed, or signed up for and used through Secure Tunneling, or a similar method.

    As an example, when I browsed the web at work, I used Secure Tunneling. For my email, I used Hushmail. Hushmail encrypted all the data that I saw, so it could not be tracked until it left Hushmail's servers.

    NNTP is a problem. There are anonymous NNTP sites. Altopia [altopia.com], a site run by a staunch Libertarian, seems to be pretty reliable. You can even pay rather anonymously. More recently, Teranews [teranews.com] has offered privacy, though I don't know of many reports on their trustworthyness.

    The problem with NNTP service is you cannot encrypt the actual data stream to the NNTP server itself. Hopefully someone will provide such a service. (At another glance, it looks like the Secure Tunneling package includes "Anonymous Newsgroups". But I am not sure what that means.)

  • I can see it now...
    Programs that act like web browsers hitting pages at random generating way too much traffic to record.
    Increases in junk mail to overload the databases with uh... junk From, To, CC addresses.

    I'm sure the Security and Storage industry sectors will be happy.

  • Of course they don't have any *plans* (Score:3, Insightful)

    by billstewart ( 78916 ) on Wednesday June 19, 2002 @09:38PM (#3733533) Journal
    They do this sort of thing all the time, and sometimes they get away with it. *Plans* implies that they've gotten sufficiently wide internal buy-in to implement something, or at least to announce it. Simply leaking wish-list desires like this and seeing how the public reacts to it gives them deniability, and lets them pretend it was just an idea, and hey, maybe it'll take off and they'll get to push the envelope a little farther past what common sense and the Constitution actually authorize them to do. In addition, by putting a wide spectrum of proposals out there, from the reasonable to the totally totalitarian wacko, lets them not only know where the edge is, but lets them take any position they want and say "see, we've been talking about this for a long time, and we're just updating this long-discussed plan to reflect current circumstances". Remember Clipper? They got their teeth kicked in on that one. Remember CALEA? That passed, though the telcos resisted for a long time because the FBI wanted billions of dollars of infrastructure implemented in ways that disrupted the potential evolution of the telecom infrastructure and market without actually having to pay for any of it, but it's vague and fuzzy enough that they've been able to use it to gradually impmement some things, even if they're way beyond the Congressional approval level, much less the Constitutional one. Don't expect the ratchet to go back in the other direction without it getting pushed really hard - and this also means support your local so we can stop these things before they start. [eff.org]

  • Has anyone ever considered the effect of boycotting European websites and European goods for as long as they maintain the legislation?

    I know it's not very realistic, but hey, it's a start.
  • FidoNet reincarnation starts tomorrow.

  • Can We Put this in perspective for the courts? (Score:4, Interesting)

    by guttentag ( 313541 ) on Thursday June 20, 2002 @02:32AM (#3734483) Journal
    Let's compare:
    • DOJ wants local garbage men nationwide to store all residential and commercial trash in marked bins for 10 years so the FBI can research an individual's lifestyle
    • DOJ wants power companies to keep detailed records of household power usage so the FBI can determine what time of day is best to break in and plant listening devices
    • DOJ wants all White House officials to publish full transcripts of their meetings so the public knows just how much of Bush's energy policy was written by Enron
    • DOJ wants all ISPs to log and retain all of your email headers and browsing history so the FBI can go through your trash without feeling nauseous.
    Which of the above seems reasonable to you, your Honor?

Slashdot Top Deals

You knew the job was dangerous when you took it, Fred. -- Superchicken

Close