Feeds

Retain or restrain access logs?

If the system ain't broke, don't fix it

Secure remote control for conventional and virtual desktops

Comment A recent proposal by the US Department of Justice that would mandate Internet Service Providers to retain certain records represents a dangerous trend of turning private companies into proxies for law enforcement or intelligence agencies against the interests of their clients or customers.

When you use the internet, a certain record of your activities is invariably created and - at least for a short time - retained by your Internet Service Provider (ISP).

For example, when you establish an account with your ISP - whether it is AOL, Comcast, Verizon, Time-Warner, or any of thousands of ISPs you generally provide the ISP with your name, address, telephone number, and if it is a paid service, some form of payment - credit card, bank account, etc. The ISP will typically retain this account information, and will also keep records that associate this account information with any accounts that you create.

Thus, while you think you are so clever creating the online persona "cyber-stud" the ISP knows that you are really a 29-year-oold permanent undergraduate engineering student living at home in your mother's basement.

This "real world" account information - associating a cyber persona with a real identity - is a gold mine for marketers, law enforcement agencies and the intelligence community, as they want to know who their customers or the users of online services really are. This information can be used for good or for evil. If there is an online pedophile or terrorist, one certainly wants the police to have the ability to, in close-to-real-time when necessary, be able to learn who these people are, and physically where they are as well. One would think that the police would need a subpoena or court order for this information, right? Well, not exactly.

Subpoenaing ISP logs

About five years ago, at a US Federal court in Virginia in a case called United States v. Habrick (PDF), the Court dealt with a situation where the government obtained a faulty subpoena for account information about a suspected purveyor of child porn. The subpoena, which all parties agreed was invalid, called for the ISP Mindspring to deliver to the government records relating to a particular online user, his Internet Protocol address, and the name, address and billing information he gave at the time of establishing the account. They also obtained his name, work and fax telephone numbers.

Now remember, because the subpoena was faulty, there was, in effect, no lawful court order in place for these records. It was as if the FBI burst into the offices of Mindspring and merely took what subscriber information they wanted - well, at least in the eyes of the law.

So the question was, when Mindspring turned over the subscriber information to the cops without an effective warrant or subpoena, did Hambrick have any cause to complain?

The answer the court gave was, well, no. You see, the Habrick court said, the Constitution protects only "legitimate" expectations of privacy. When you turn your personal information over to a third party (like the ISP) you give up your privacy rights. Similarly, when you send an email, participate in a chat, or give any information to anyone, you run the risk that the information, now in the hands of some third party, will be turned over to the cops.

So, according to the Hambrick court, you have a diminished expectation of privacy in these records. Indeed, it was this rationale that was relied upon by the Bush administration's NSA in concluding that the records of your telephone calls - who you called and when - were not your records, but rather the records of the phone company, and that you therefore had no expectation of privacy in those records. So, the government could demand, or the ISP could voluntarily produce such records - subpoena or not.

All of this is dangerous enough. But recent actions of the United States Attorney General and the director of the Federal Bureau of Investigation last week raise an even larger threat to privacy and security.

In the interests of prosecuting child abuse cases, the AG and the FBI Director have asked that the ISP's retain all of their records just in case someday, somehow, for some reason, the government may want them in some future case.

Logs are a grab bag full of goodies

In April 2006, Attorney General Gonzales, before the National Centre for Missing and Exploited Children noted that:

"...we have to make sure law enforcement has all the tools and information it needs to wage this battle [against child predators.] The investigation and prosecution of child predators depends critically on the availability of evidence that is often in the hands of Internet Service Providers. This evidence will be available for us to use only if the providers retain the records for a reasonable amount of time. Unfortunately, the failure of some Internet Service Providers to keep records has hampered our ability to conduct investigations in this area.

As a result, I have asked the appropriate experts at the department to examine this issue and provide me with proposed recommendations. And I will reach out personally to the CEOs of the leading service providers, and to other industry leaders, to solicit their input and assistance. Record retention by Internet Service Providers consistent with the legitimate privacy rights of Americans is an issue that must be addressed."

Apparently, this was the real purpose of the meetings with ISPs last week. The Attorney General wanted discuss why they should change their document retention policies to retain records they do not need for business purposes, solely to assist the Untied States Government. So what are the legitimate privacy rights of Americans? Or Europeans? Or Asians, Africans, South Americans, Australians, Pacific Islanders, or Antarticans?

Beginner's guide to SSL certificates

More from The Register

next story
Bladerunner sequel might actually be good. Harrison Ford is in it
Go ahead, you're all clear, kid... Sorry, wrong film
Musicians sue UK.gov over 'zero pay' copyright fix
Everyone else in Europe compensates us - why can't you?
I'll be back (and forward): Hollywood's time travel tribulations
Quick, call the Time Cops to sort out this paradox!
Euro Parliament VOTES to BREAK UP GOOGLE. Er, OK then
It CANNA do it, captain.They DON'T have the POWER!
Megaupload overlord Kim Dotcom: The US HAS RADICALISED ME!
Now my lawyers have bailed 'cos I'm 'OFFICIALLY' BROKE
Forget Hillary, HP's ex CARLY FIORINA 'wants to be next US Prez'
Former CEO has political ambitions again, according to Washington DC sources
prev story

Whitepapers

Designing and building an open ITOA architecture
Learn about a new IT data taxonomy defined by the four data sources of IT visibility: wire, machine, agent, and synthetic data sets.
Getting started with customer-focused identity management
Learn why identity is a fundamental requirement to digital growth, and how without it there is no way to identify and engage customers in a meaningful way.
5 critical considerations for enterprise cloud backup
Key considerations when evaluating cloud backup solutions to ensure adequate protection security and availability of enterprise data.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
Driving business with continuous operational intelligence
Introducing an innovative approach offered by ExtraHop for producing continuous operational intelligence.