RE: DOJ proposes US data-rentention law.
I tried sending this last week, but it did not seem to go through: Two points: 1. According to Poulson, the DOJ proposal never discussed just what would be logged. Poulson compared it to the European Big Brother legislation, which required storage to Web browsing histories and email header data (NOT email body text or IP traffic). 2. After I posted the same info to /. http://slashdot.org/articles/02/06/19/1724216.shtml?tid=103 (I'm the 'Anonymous Coward' in this case), Kevin updated his article. The new version may be found at: http://online.securityfocus.com/news/489 The relevant portions read: - start quote - U.S. Denies Data Retention Plans The Justice Department disputes claims that Internet service providers could be forced to spy on their customers as part of the U.S. strategy for securing cyberspace. By Kevin Poulsen, Jun 19 2002 12:24PM [...] But a Justice Department source said Wednesday that data retention is mentioned in the strategy only as an industry concern -- ISPs and telecom companies oppose the costly idea -- and does not reflect any plan by the department or the White House to push for a U.S. law. [...] - end quote - Peter Trei
RE: DOJ proposes US data-rentention law.
John Young wrote: > I appreciate what an honorable ISP admin will do to abide > customer rights over intrusive snoopers and perhaps > cooperative administrators above the pay grade of a sysadmin. > Know that a decent sysadmin is on > for about 1/3 of a weekday for 24x7 systems is a small > comfort but leaves unanswered what can happen: > > 1. During that time when a hero is elsewhere. > > 2. Upstream of the ISP, the router of the ISP and the nodes > serving routers, as well as at a variety of cache systems > serving there various levels. To expand on John Young's inquiry, I believe it would help elevate the level of the public discourse regarding potential future US data retention and interception laws if those inclined to comment on this issue were to take the time to research similar laws already passed in other countries in the course of the customary policy laundry process. Even a brief such investigation would teach the aspiring commentator that those responsible for the installation and maintenance of governmentally mandated snooping infrastructure at the ISP are largely required to hold active security clearances. To rephrase John's very valid question in a slightly more targeted fashion: how likely is it that cleared personnel working at the ISP will refuse an official request for law enforcement assistance? --Lucky Green
Re: DOJ proposes US data-rentention law.
At 18:57 21/06/2002 -0700, John Young wrote: >Data retention is being done now by programs and services >which cache data to ease loading on servers and networks. >[...] John, As a systems administrator @ an ISP, I can tell flat out that the software you describe has nothing to do with ISP services. The software provides caching services for telecom companies (ie. billing, WAP, voice mail alerts etc). I see nothing that mentions typical ISP services, like e-mail or web-browsing. It is software designed to impress the executive level with pie charts and promises of reduced hardware costs. No one likes spending $50k on a NAS or Fibre Channel / RAID 10 box. Next time John, I suggest you turn your sites on caching software like Squid. Know what? I'm not even afraid to provide the URL! http://www.squid-cache.org .. you may even discover it has US Intelligence Community(tm) links, dating back many years! Incredible, huh? ISP's like the one I work for use Squid to save on bandwidth costs by caching oft-visited websites. Unfortunately, we (like most if not all ISP's) cannot afford the massive disk arrays (or the space they would take up, even the electricity) that would be necessary to retain data *for one day*. Geez, I don't think the government gonna like that. That's doesn't even bring us to the technical abilities of all the different pieces of software that must be re-written (en masse) to satisfy government desires. For instance, let's try e-mail software.. There are numerous companies and individuals who offer their own versions of e-mail server software. Microsoft's Exchange and Ipswitch's IMail for the Windows crowd who like spending lots of money, or Qmail, Postfix, Exim and even Sendmail for the Unix crowd. There are dozen's more, but you get the point. All that software will need to be rewritten. Then all the e-mail servers will need to be upgraded and tested. THEN more disk space added just to handle all the extraneous information like from who and to, from where (say originating IP and from what server host and IP) etc etc etc ad nauseam. Whoops! Let's not forget tape backups! I'm buying 3M stock come Monday! But what happens if we have a disk failure and the logs are lost? Hmm... Anyway, that is just for e-mail.. Imagine what HTTP, or FTP, or whatever can't-live-without service someone invents in the future? Data retention is unworkable even to the biggest of companies. Even the NSA cannot store that kind of data without a significant (and secret) budget. The only ones deriving any benefit from this are law enforcement and computer hardware & commercial software manufacturers. Maybe its an economic stimulus package in disguise? -- Steve.
Re: DOJ proposes US data-rentention law.
At 17:37 22/06/2002 -0400, [EMAIL PROTECTED] wrote: >Not arguing, but the hardware cost curve for storage has a shorter >halving time than the cost curve for CPU (Moore's Law) and the >corresponding halving time for bandwidth is shorter still. You've got a point. Storage is becoming less and less expensive per gigabyte, especially for IDE drives. If you're using a RAID set up, IDE doesn't cut it, SCSI is the way to go (for now). SCSI is a lot cheaper than it used to be, but it's still over $1000 for a single 70gig drive in Canada. For maximum redundancy in one rack-mount server, RAID 10 is the way to go. That means for every 1 drive, there must be an an exact duplicate. Costs can increase exponentially. That said, storage isn't the only expense when creating a large, fast and redundant file server (especially for caching). The fastest way to get data from a computer to the file server is via fibre channel. And fibre channel hardware isn't cheap. Last time I looked, a DIY RAID 10 system with 15 drives (1 hot-standby), case and fibre channel capability was ~ $30-35k. For each workstation that connects to it, there is a ~1k charge for the fibre channel client card. Don't even go near a fibre channel switch, they run $10-15k apiece, and don't handle more than 10-15 connections. Plus cabling. See, it adds up -- and that's just for one unit. To do the kind of data retention proposed in th EU, that is the kind of hardware that would be necessary. Plus a rack of tape backup drives running 24x7. Perhaps this sounds extreme, and it very well could be. My concern isn't so much based on what the law says must be retained, the penalties if the data isn't retained are what worry me. Could a system or network administrator be charged if the data is unavailable? What if their is a plausible reason (ie. hardware failed a year ago, fire)? What if the company cannot afford it? What charges are brought against the company? These questions are the reality for sysadmins in the EU. If Canada implemented a data retention law, I would be extremely concerned about my personal liability as well as corporate -- Canada already can charge a network administrator who the police believe is negligent in blocking (and removing) copyrighted software from computers he/she is responsible. It has happened. My understanding it has to do with an RCMP settlement over the PROMIS software scandal, but that's another topic. -- Steve
Re: DOJ proposes US data-rentention law.
I appreciate what an honorable ISP admin will do to abide customer rights over intrusive snoopers and perhaps cooperative administrators above the pay grade of a sysadmin. Know that a decent sysadmin is on for about 1/3 of a weekday for 24x7 systems is a small comfort but leaves unanswered what can happen: 1. During that time when a hero is elsewhere. 2. Upstream of the ISP, the router of the ISP and the nodes serving routers, as well as at a variety of cache systems serving there various levels. 3. At major providers serving a slew of smaller ISPs. In this case I reported a while back of a sysadmin telling what my ISP, NTT/Verio, is doing at its major node in Dallas: allowing the FBI to freely scan everything that passes through the Verio system under an agreement reached with NTT when it bought Verio. No matter what a local sysadmin does with data, it remains very possible that data is scanned, stored and fucked with in nasty ways coming and going such that no single sysadmin can catch it. End to end crypt certainly could help but there is still a fair abount of TA that can be done unless packets are truly disintegrated and/or camouflaged at the source before data leaves the originating box. Pumping through anonymizers, inserting within onions, subdermal pigging back on innocuous wireless packets of the financial advisor door, multiple partial sends, stego-ing, data static and traffic salting, bouncing off the moon or windowpane, what else can you do when an eager beaver industry is racing to do whatever it takes to build markets among the data controllers breathing hot about threats to national security and handing out life-saving contracts to hard-up peddlers shocked out of their skivvies with digital downturn. No patriotic act is too sleazy these days that cannot be justified by terror of red ink and looming layoffs.
Re: DOJ proposes US data-rentention law.
Steve, Not arguing, but the hardware cost curve for storage has a shorter halving time than the cost curve for CPU (Moore's Law) and the corresponding halving time for bandwidth is shorter still. If that relationship holds up over a period of years, today's tradeoffs between cache, re-computation, and anticipatory transmission would presumably change in the direction the economics dictates. And of course, if I really care that a particular piece of data is non-discoverable I either have to encrypt it, never transmit it, or go on one whopping search mission. Or so I think. Does the world look different from your vantage? --dan
Re: DOJ proposes US data-rentention law.
Data retention is being done now by programs and services which cache data to ease loading on servers and networks. No approval needed from anybody, indeed, the service is being offered as a cost saver and expeditor of net services to ISPs and anybody else who might be eager to get around restrictions on data retention, not because of privacy and civil liberties concerns but because the increase in loading and competition is driving the technology. What will prevent an ISP from sharing its cached data retention, -- performed to remain competitive in the market -- with officials who just might ask for a favor through the legal department, knowing nobody will know what's going on, and what the hell, that nobody cares so long as the cost of services is kept low? Why not give up privacy for a cheap deal? A skeptic might wonder why all the folderole about the EuroParl and DoJ proposals and implementatios when the really good stuff is already accessible, no complicated procedures required to sample the stored produce. No evidence that anybody has taken a look, grabbed some data of the usual suspects. A sample of above-board date retention products via caching offerer, which brags all its products retain data in the interest of always marketable cost savings: http://www.soliddata.com/solutions/telecom_appbrief.html The URL sent by anonymous.
Followup: [RE: DOJ proposes US data-rentention law.]
Two points: 1. According to Poulson, the DOJ proposal never discussed just what would be logged. Poulson compared it to the European Big Brother legislation, which required storage to Web browsing histories and email header data. 2. After I posted the same info to /. http://slashdot.org/articles/02/06/19/1724216.shtml?tid=103 (I'm the 'Anonymous Coward' in this case), Kevin updated his article. The new version may be found at: http://online.securityfocus.com/news/489 The relevant portions read: - start quote - U.S. Denies Data Retention Plans The Justice Department disputes claims that Internet service providers could be forced to spy on their customers as part of the U.S. strategy for securing cyberspace. By Kevin Poulsen, Jun 19 2002 12:24PM [...] But a Justice Department source said Wednesday that data retention is mentioned in the strategy only as an industry concern -- ISPs and telecom companies oppose the costly idea -- and does not reflect any plan by the department or the White House to push for a U.S. law. [...] - end quote - Peter Trei > -- > From: David G. Koontz[SMTP:[EMAIL PROTECTED]] > Sent: Thursday, June 20, 2002 10:57 AM > To: [EMAIL PROTECTED] > Cc: '[EMAIL PROTECTED]'; '[EMAIL PROTECTED]' > Subject: Re: DOJ proposes US data-rentention law. > > Trei, Peter wrote: > > - start quote - > > > > Cyber Security Plan Contemplates U.S. Data Retention Law > > http://online.securityfocus.com/news/486 > > > > Internet service providers may be forced into wholesale spying > > on their customers as part of the White House's strategy for > > securing cyberspace. > > > > By Kevin Poulsen, Jun 18 2002 3:46PM > > > > An early draft of the White House's National Strategy to Secure > > Cyberspace envisions the same kind of mandatory customer data > > collection and retention by U.S. Internet service providers as was > > recently enacted in Europe, according to sources who have reviewed > > portions of the plan. > > > > In recent weeks, the administration has begun doling out bits and > > pieces of a draft of the strategy to technology industry members > > and advocacy groups. A federal data retention law is suggested > > briefly in a section drafted in part by the U.S. Justice Department. > > > > If the U.S. wasn't in an undeclared 'war', this would be considered > an unfunded mandate. Does anyone realize the cost involved? Think > of all the spam that needs to be recorded for posterity. ISPs don't > currently record the type of information that this is talking about. > What customer data backup is being performed by ISPs is by and large > done by disk mirroring and is not kept permanently. > > I did a bit of back of the envelope calculation and the cost in the > U.S. approaches half a billion dollars a year in additional backup > costs a year without any CALEA type impact to make it easy for law > enforcment to do data mining. The estimate could easily be low by a > factor of 5-10. AOL of course would be hit by 40 percent of this > though, not to mention a nice tax on MSN. Call it ten cents a day > per customer in fee increases to record all that spam for review by > big brother. I feel safer already. > > Whats next, censorship?
Re: CDR: Re: DOJ proposes US data-rentention law.
On Thu, 20 Jun 2002, David G. Koontz wrote: > Whats next, censorship? Yes. -- Yours, J.A. Terranson [EMAIL PROTECTED] If Governments really want us to behave like civilized human beings, they should give serious consideration towards setting a better example: Ruling by force, rather than consensus; the unrestrained application of unjust laws (which the victim-populations were never allowed input on in the first place); the State policy of justice only for the rich and elected; the intentional abuse and occassionally destruction of entire populations merely to distract an already apathetic and numb electorate... This type of demogoguery must surely wipe out the fascist United States as surely as it wiped out the fascist Union of Soviet Socialist Republics. The views expressed here are mine, and NOT those of my employers, associates, or others. Besides, if it *were* the opinion of all of those people, I doubt there would be a problem to bitch about in the first place...
Re: DOJ proposes US data-rentention law.
In message <[EMAIL PROTECTED]>, "David G. Koontz" writes: >Trei, Peter wrote: >> - start quote - >> >> Cyber Security Plan Contemplates U.S. Data Retention Law >> http://online.securityfocus.com/news/486 >> >> Internet service providers may be forced into wholesale spying >> on their customers as part of the White House's strategy for >> securing cyberspace. >> >> By Kevin Poulsen, Jun 18 2002 3:46PM >> >> An early draft of the White House's National Strategy to Secure >> Cyberspace envisions the same kind of mandatory customer data >> collection and retention by U.S. Internet service providers as was >> recently enacted in Europe, according to sources who have reviewed >> portions of the plan. >> ... > >If the U.S. wasn't in an undeclared 'war', this would be considered >an unfunded mandate. Does anyone realize the cost involved? Think >of all the spam that needs to be recorded for posterity. ISPs don't >currently record the type of information that this is talking about. >What customer data backup is being performed by ISPs is by and large >done by disk mirroring and is not kept permanently. This isn't clear. The proposals I've seen call for recording "transaction data" -- i.e., the SMTP "envelope" information, plus maybe the From: line. It does not call for retention of content. Apart from practicality, there are constitutional issues. Envelope data is "given" to the ISP in typical client/server email scenarios, while content is end-to-end, in that it's not processed by the ISP. A different type of warrant is therefore needed to retrieve the latter. The former falls under the "pen register" law (as amended by the Patriot Act), and requires a really cheap warrant. Email content is considered a full-fledged wiretap, and requires a hard-to-get court order, with lots of notice requirements, etc. Mandating that a third party record email in this situation, in the absence of a pre-existing warrant citing probable cause, would be very chancy. I don't think even the current Supreme Court would buy it. --Steve Bellovin, http://www.research.att.com/~smb (me) http://www.wilyhacker.com ("Firewalls" book)
Re: DOJ proposes US data-rentention law.
Trei, Peter wrote: > - start quote - > > Cyber Security Plan Contemplates U.S. Data Retention Law > http://online.securityfocus.com/news/486 > > Internet service providers may be forced into wholesale spying > on their customers as part of the White House's strategy for > securing cyberspace. > > By Kevin Poulsen, Jun 18 2002 3:46PM > > An early draft of the White House's National Strategy to Secure > Cyberspace envisions the same kind of mandatory customer data > collection and retention by U.S. Internet service providers as was > recently enacted in Europe, according to sources who have reviewed > portions of the plan. > > In recent weeks, the administration has begun doling out bits and > pieces of a draft of the strategy to technology industry members > and advocacy groups. A federal data retention law is suggested > briefly in a section drafted in part by the U.S. Justice Department. > If the U.S. wasn't in an undeclared 'war', this would be considered an unfunded mandate. Does anyone realize the cost involved? Think of all the spam that needs to be recorded for posterity. ISPs don't currently record the type of information that this is talking about. What customer data backup is being performed by ISPs is by and large done by disk mirroring and is not kept permanently. I did a bit of back of the envelope calculation and the cost in the U.S. approaches half a billion dollars a year in additional backup costs a year without any CALEA type impact to make it easy for law enforcment to do data mining. The estimate could easily be low by a factor of 5-10. AOL of course would be hit by 40 percent of this though, not to mention a nice tax on MSN. Call it ten cents a day per customer in fee increases to record all that spam for review by big brother. I feel safer already. Whats next, censorship?