Feeds

Retain or restrain access logs?

If the system ain't broke, don't fix it

High performance access to file storage

Comment A recent proposal by the US Department of Justice that would mandate Internet Service Providers to retain certain records represents a dangerous trend of turning private companies into proxies for law enforcement or intelligence agencies against the interests of their clients or customers.

When you use the internet, a certain record of your activities is invariably created and - at least for a short time - retained by your Internet Service Provider (ISP).

For example, when you establish an account with your ISP - whether it is AOL, Comcast, Verizon, Time-Warner, or any of thousands of ISPs you generally provide the ISP with your name, address, telephone number, and if it is a paid service, some form of payment - credit card, bank account, etc. The ISP will typically retain this account information, and will also keep records that associate this account information with any accounts that you create.

Thus, while you think you are so clever creating the online persona "cyber-stud" the ISP knows that you are really a 29-year-oold permanent undergraduate engineering student living at home in your mother's basement.

This "real world" account information - associating a cyber persona with a real identity - is a gold mine for marketers, law enforcement agencies and the intelligence community, as they want to know who their customers or the users of online services really are. This information can be used for good or for evil. If there is an online pedophile or terrorist, one certainly wants the police to have the ability to, in close-to-real-time when necessary, be able to learn who these people are, and physically where they are as well. One would think that the police would need a subpoena or court order for this information, right? Well, not exactly.

Subpoenaing ISP logs

About five years ago, at a US Federal court in Virginia in a case called United States v. Habrick (PDF), the Court dealt with a situation where the government obtained a faulty subpoena for account information about a suspected purveyor of child porn. The subpoena, which all parties agreed was invalid, called for the ISP Mindspring to deliver to the government records relating to a particular online user, his Internet Protocol address, and the name, address and billing information he gave at the time of establishing the account. They also obtained his name, work and fax telephone numbers.

Now remember, because the subpoena was faulty, there was, in effect, no lawful court order in place for these records. It was as if the FBI burst into the offices of Mindspring and merely took what subscriber information they wanted - well, at least in the eyes of the law.

So the question was, when Mindspring turned over the subscriber information to the cops without an effective warrant or subpoena, did Hambrick have any cause to complain?

The answer the court gave was, well, no. You see, the Habrick court said, the Constitution protects only "legitimate" expectations of privacy. When you turn your personal information over to a third party (like the ISP) you give up your privacy rights. Similarly, when you send an email, participate in a chat, or give any information to anyone, you run the risk that the information, now in the hands of some third party, will be turned over to the cops.

So, according to the Hambrick court, you have a diminished expectation of privacy in these records. Indeed, it was this rationale that was relied upon by the Bush administration's NSA in concluding that the records of your telephone calls - who you called and when - were not your records, but rather the records of the phone company, and that you therefore had no expectation of privacy in those records. So, the government could demand, or the ISP could voluntarily produce such records - subpoena or not.

All of this is dangerous enough. But recent actions of the United States Attorney General and the director of the Federal Bureau of Investigation last week raise an even larger threat to privacy and security.

In the interests of prosecuting child abuse cases, the AG and the FBI Director have asked that the ISP's retain all of their records just in case someday, somehow, for some reason, the government may want them in some future case.

Logs are a grab bag full of goodies

In April 2006, Attorney General Gonzales, before the National Centre for Missing and Exploited Children noted that:

"...we have to make sure law enforcement has all the tools and information it needs to wage this battle [against child predators.] The investigation and prosecution of child predators depends critically on the availability of evidence that is often in the hands of Internet Service Providers. This evidence will be available for us to use only if the providers retain the records for a reasonable amount of time. Unfortunately, the failure of some Internet Service Providers to keep records has hampered our ability to conduct investigations in this area.

As a result, I have asked the appropriate experts at the department to examine this issue and provide me with proposed recommendations. And I will reach out personally to the CEOs of the leading service providers, and to other industry leaders, to solicit their input and assistance. Record retention by Internet Service Providers consistent with the legitimate privacy rights of Americans is an issue that must be addressed."

Apparently, this was the real purpose of the meetings with ISPs last week. The Attorney General wanted discuss why they should change their document retention policies to retain records they do not need for business purposes, solely to assist the Untied States Government. So what are the legitimate privacy rights of Americans? Or Europeans? Or Asians, Africans, South Americans, Australians, Pacific Islanders, or Antarticans?

SANS - Survey on application security programs

More from The Register

next story
Dropbox defends fantastically badly timed Condoleezza Rice appointment
'Nothing is going to change with Dr. Rice's appointment,' file sharer promises
Audio fans, prepare yourself for the Second Coming ... of Blu-ray
High Fidelity Pure Audio – is this what your ears have been waiting for?
Record labels sue Pandora over vintage song royalties
Companies want payout on recordings made before 1972
Zucker punched: Google gobbles Facebook-wooed Titan Aerospace
Up, up and away in my beautiful balloon flying broadband-bot
Ex–Apple CEO John Sculley: Ousting Steve Jobs 'was a mistake'
Twenty-nine years later, post-Pepsi exec has flat-forehead moment
Apple DOMINATES the Valley, rakes in more profit than Google, HP, Intel, Cisco COMBINED
Cook & Co. also pay more taxes than those four worthies PLUS eBay and Oracle
Number crunching suggests Yahoo! US is worth less than nothing
China and Japan holdings worth more than entire company
prev story

Whitepapers

SANS - Survey on application security programs
In this whitepaper learn about the state of application security programs and practices of 488 surveyed respondents, and discover how mature and effective these programs are.
Combat fraud and increase customer satisfaction
Based on their experience using HP ArcSight Enterprise Security Manager for IT security operations, Finansbank moved to HP ArcSight ESM for fraud management.
The benefits of software based PBX
Why you should break free from your proprietary PBX and how to leverage your existing server hardware.
Top three mobile application threats
Learn about three of the top mobile application security threats facing businesses today and recommendations on how to mitigate the risk.
3 Big data security analytics techniques
Applying these Big Data security analytics techniques can help you make your business safer by detecting attacks early, before significant damage is done.