Re: packet inspection and privacy
Steven M. Bellovin wrote: Mark Kent writes: I recently claimed that, in the USA, there is a law that prohibits an ISP from inspecting packets in a telecommunications network for anything other than traffic statistics or debugging. Was I correct? No. Or at least you weren't; the Patriot Act may have changed it. (I assume you're talking about U.S. law.) There was a quirk in the wording of the law -- what you say is correct for *telephone* companies, but not ISPs. You're referring to common carrier status, I think. This isn't exclusively restricted to phone companies, but that's the way it is right now. I think it may also apply to non-voice carriers that sell circuits. I'm pretty certain that it does not apply to ISPs. A common carrier is not allowed to monitor/filter traffic on customer circuits. They also can't be held responsible for the traffic on those circuits. -- David
Re: packet inspection and privacy
In message [EMAIL PROTECTED], David Charlap writes: Steven M. Bellovin wrote: Mark Kent writes: I recently claimed that, in the USA, there is a law that prohibits an ISP from inspecting packets in a telecommunications network for anything other than traffic statistics or debugging. Was I correct? No. Or at least you weren't; the Patriot Act may have changed it. (I assume you're talking about U.S. law.) There was a quirk in the wording of the law -- what you say is correct for *telephone* companies, but not ISPs. You're referring to common carrier status, I think. No, I'm referring to the wiretap act. And this is based on conversations with various Federal prosecutors. This isn't exclusively restricted to phone companies, but that's the way it is right now. I think it may also apply to non-voice carriers that sell circuits. I'm pretty certain that it does not apply to ISPs. A common carrier is not allowed to monitor/filter traffic on customer circuits. They also can't be held responsible for the traffic on those circuits. I'm referring to 18 USC 2510 and 2511, which you can find at http://www4.law.cornell.edu/uscode/18/2510.html and 2511.html. In particular, 18 USC 2511(2)(a)(i) says: It shall not be unlawful under this chapter for an operator of a switchboard, or an officer, employee, or agent of a provider of wire or electronic communication service, whose facilities are used in the transmission of a wire or electronic communication, to intercept, disclose, or use that communication in the normal course of his employment while engaged in any activity which is a necessary incident to the rendition of his service or to the protection of the rights or property of the provider of that service, except that a provider of wire communication service to the public shall not utilize service observing or random monitoring except for mechanical or service quality control checks. Note that the ban on random monitoring applies to a provider of wire service communication services. 2510(1) defines wire communication as aural transfer, i.e., voice. ISPs provide electronic communication services, as defined in 2510(12); ''electronic communication'' means any transfer of signs, signals, writing, images, sounds, data, or intelligence of any nature transmitted in whole or in part by a wire, radio, electromagnetic, photoelectronic or photooptical system that affects interstate or foreign commerce, but does not include - (A) any wire or oral communication; (B) any communication made through a tone-only paging device; (C) any communication from a tracking device (as defined in section 3117 of this title); or (D) electronic funds transfer information stored by a financial institution in a communications system used for the electronic storage and transfer of funds; I'll let a real lawyer tell me what category VoIP or EFT over the Internet falls under... Btw, I referred to Eckenwiler's presentation. See http://www.nanog.org/mtg-0010/justice.html for the full thing; see especially slide 12, which discusses what system operators can do, and the part that says phone companies more restricted than ISPs. Eckenwiler is an attorney at DoJ. And yes, I was the one who suggested that he speak at NANOG, precisely to clear up some of these points. Oh yes -- since I have the statute in front of me, see 2511(2)(a)(ii)(B): No provider of wire or electronic communication service, officer, employee, or agent thereof, or landlord, custodian, or other specified person shall disclose the existence of any interception or surveillance or the device used to accomplish the interception or surveillance with respect to which the person has been furnished a court order or certification under this chapter, except as may otherwise be required by legal process and then only after prior notification to the Attorney General or to the principal prosecuting attorney of a State or any political subdivision of a State, as may be appropriate. Any such disclosure, shall render such person liable for the civil damages provided for in section 2520.
Re: packet inspection and privacy
On Mon, 24 Jun 2002, Mark Kent wrote: :I recently claimed that, in the USA, there is a law that prohibits an :ISP from inspecting packets in a telecommunications network for :anything other than traffic statistics or debugging. A similar sentiment was expressed in a presentation at a conference recently by a lawyer, in regards to Canadian law. He(?) suggested that IDS in its current form contravened data interception laws, and maybe some labour laws, I can't remember off hand. Also, debugging and meta-data (mail and packet headers) may be an exception, but only because of of a possible interpretation of this meta-data as equivalent to a postal address or or phone caller information. This may ultimately be the correct interpretation, but it will depend on the influence of the person whose opinion it is. :) It doesn't matter whether you or I think that packet instpection is a legitimate form of network debugging. It matters whether a judge does. Or maybe in this case, a lawyer. -- batz
Re: packet inspection and privacy
At 02:29 PM 6/24/2002, you wrote: Point 3) is just about the same as 1), but it does imply a slightly different motivation behind the inspection. I know informing a suspect of a phone tap, in the telecom business will get you hard time. SO again, check with your law people...a lot's changed since 9.11 and the police state is doing things that havent been ruled legal or illegal by the USSC. So beware and get competent legal council before implementing anything. I do know that when I've gotten supoenas for information (logs, etc), I was instructed by language in the document not to disclose its existance. I always suspected this included informing the customer! It makes sense when you think about it - if you know your data's being inspected, you're not going to send that message about whatever illegal activity you're involved in. So authorities investigating something, even pre-9/11, don't want the subject of that investigation to know they're being looked at. I think that beyond including in your TOS that you may from time to time inspect data, etc, for system/network security and/or performance reasons, you can't inform customers every time you start looking at things. IANAL, though, so do seek competent legal counsel on the issue before implementing anything.
Re: packet inspection and privacy
In message [EMAIL PROTECTED], Mark Kent writes: I recently claimed that, in the USA, there is a law that prohibits an ISP from inspecting packets in a telecommunications network for anything other than traffic statistics or debugging. Was I correct? No. Or at least you weren't; the Patriot Act may have changed it. (I assume you're talking about U.S. law.) There was a quirk in the wording of the law -- what you say is correct for *telephone* companies, but not ISPs. I'ld also like to get opinions on privacy policies for network operators. It has been suggested that we should adopt a policy that says that we'll notify customers if: 1) we inspect traffic, 2) we're aware that an upstream is inspecting traffic 3) we're required to inspect traffic (by anyone). Point 3) is just about the same as 1), but it does imply a slightly different motivation behind the inspection. Point 3 is explicitly prohibited by U.S. wiretap law, if it's a legal, court-approved wiretap under either the regular wiretap statute or the Foreign Intelligence Surveillance Act. Btw -- see the slides from Mark Eckenwiler's tutorial on wiretapping at a recent NANOG (October 2000, as I recall, and definitely in D.C.) --Steve Bellovin, http://www.research.att.com/~smb (me) http://www.wilyhacker.com (Firewalls book)
