Retain or restrain access logs?

If the system ain't broke, don't fix it

Comment A recent proposal by the US Department of Justice that would mandate Internet Service Providers to retain certain records represents a dangerous trend of turning private companies into proxies for law enforcement or intelligence agencies against the interests of their clients or customers.

When you use the internet, a certain record of your activities is invariably created and - at least for a short time - retained by your Internet Service Provider (ISP).

For example, when you establish an account with your ISP - whether it is AOL, Comcast, Verizon, Time-Warner, or any of thousands of ISPs - you generally provide the ISP with your name, address, telephone number, and if it is a paid service, some form of payment - credit card, bank account, etc. The ISP will typically retain this account information, and will also keep records that associate this account information with any accounts that you create.

Thus, while you think you are so clever creating the online persona "cyber-stud", the ISP knows that you are really a 29-year-old permanent undergraduate engineering student living at home in your mother's basement.

This "real world" account information - associating a cyber persona with a real identity - is a gold mine for marketers, law enforcement agencies and the intelligence community, as they want to know who their customers or the users of online services really are. This information can be used for good or for evil. If there is an online pedophile or terrorist, one certainly wants the police to be able to learn, in close-to-real-time when necessary, who these people are, and physically where they are as well. One would think that the police would need a subpoena or court order for this information, right? Well, not exactly.

Subpoenaing ISP logs

About five years ago, at a US Federal court in Virginia in a case called United States v. Hambrick (PDF), the Court dealt with a situation where the government obtained a faulty subpoena for account information about a suspected purveyor of child porn. The subpoena, which all parties agreed was invalid, called for the ISP Mindspring to deliver to the government records relating to a particular online user, his Internet Protocol address, and the name, address and billing information he gave at the time of establishing the account. They also obtained his name, work and fax telephone numbers.

Now remember, because the subpoena was faulty, there was, in effect, no lawful court order in place for these records. It was as if the FBI burst into the offices of Mindspring and merely took what subscriber information they wanted - well, at least in the eyes of the law.

So the question was, when Mindspring turned over the subscriber information to the cops without an effective warrant or subpoena, did Hambrick have any cause to complain?

The answer the court gave was, well, no. You see, the Hambrick court said, the Constitution protects only "legitimate" expectations of privacy. When you turn your personal information over to a third party (like the ISP) you give up your privacy rights. Similarly, when you send an email, participate in a chat, or give any information to anyone, you run the risk that the information, now in the hands of some third party, will be turned over to the cops.

So, according to the Hambrick court, you have a diminished expectation of privacy in these records. Indeed, it was this rationale that was relied upon by the Bush administration's NSA in concluding that the records of your telephone calls - who you called and when - were not your records, but rather the records of the phone company, and that you therefore had no expectation of privacy in those records. So, the government could demand, or the ISP could voluntarily produce such records - subpoena or not.

All of this is dangerous enough. But recent actions of the United States Attorney General and the director of the Federal Bureau of Investigation last week raise an even larger threat to privacy and security.

In the interests of prosecuting child abuse cases, the AG and the FBI Director have asked that the ISPs retain all of their records just in case someday, somehow, for some reason, the government may want them in some future case.

Logs are a grab bag full of goodies

In April 2006, Attorney General Gonzales, before the National Centre for Missing and Exploited Children noted that:

"...we have to make sure law enforcement has all the tools and information it needs to wage this battle [against child predators.] The investigation and prosecution of child predators depends critically on the availability of evidence that is often in the hands of Internet Service Providers. This evidence will be available for us to use only if the providers retain the records for a reasonable amount of time. Unfortunately, the failure of some Internet Service Providers to keep records has hampered our ability to conduct investigations in this area.

As a result, I have asked the appropriate experts at the department to examine this issue and provide me with proposed recommendations. And I will reach out personally to the CEOs of the leading service providers, and to other industry leaders, to solicit their input and assistance. Record retention by Internet Service Providers consistent with the legitimate privacy rights of Americans is an issue that must be addressed."

Apparently, this was the real purpose of the meetings with ISPs last week. The Attorney General wanted to discuss why they should change their document retention policies to retain records they do not need for business purposes, solely to assist the United States Government. So what are the legitimate privacy rights of Americans? Or Europeans? Or Asians, Africans, South Americans, Australians, Pacific Islanders, or Antarcticans?
