Re: DOJ proposes US data-retention law.
In message <3D11ED40.9040403@ariolimax.com>, "David G. Koontz" writes:
Trei, Peter wrote:
- start quote -
Cyber Security Plan Contemplates U.S. Data Retention Law http://online.securityfocus.com/news/486
Internet service providers may be forced into wholesale spying on their customers as part of the White House's strategy for securing cyberspace.
By Kevin Poulsen, Jun 18 2002 3:46PM
An early draft of the White House's National Strategy to Secure Cyberspace envisions the same kind of mandatory customer data collection and retention by U.S. Internet service providers as was recently enacted in Europe, according to sources who have reviewed portions of the plan.
...
If the U.S. wasn't in an undeclared 'war', this would be considered an unfunded mandate. Does anyone realize the cost involved? Think of all the spam that needs to be recorded for posterity. ISPs don't currently record the type of information that this is talking about. What customer data backup is being performed by ISPs is by and large done by disk mirroring and is not kept permanently.
This isn't clear. The proposals I've seen call for recording "transaction data" -- i.e., the SMTP "envelope" information, plus maybe the From: line. It does not call for retention of content. Apart from practicality, there are constitutional issues. Envelope data is "given" to the ISP in typical client/server email scenarios, while content is end-to-end, in that it's not processed by the ISP. A different type of warrant is therefore needed to retrieve the latter. The former falls under the "pen register" law (as amended by the Patriot Act), and requires a really cheap warrant. Email content is considered a full-fledged wiretap, and requires a hard-to-get court order, with lots of notice requirements, etc. Mandating that a third party record email in this situation, in the absence of a pre-existing warrant citing probable cause, would be very chancy. I don't think even the current Supreme Court would buy it.
--Steve Bellovin, http://www.research.att.com/~smb (me) http://www.wilyhacker.com ("Firewalls" book)
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@wasabisystems.com
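As an added illustration of the envelope/content distinction Bellovin draws above (example code written for this page, not from any poster and not any real ISP's logging system): a function that keeps only the SMTP transaction data from a client-side session transcript and never stores the message body. The session text, addresses, IP and timestamp are all constructed.

```python
import re

# Constructed sample: the client side of one SMTP transaction,
# as an ISP mail server sees it (server replies omitted).
SAMPLE_SESSION = """\
EHLO client.example.org
MAIL FROM:<alice@example.org>
RCPT TO:<bob@example.net>
RCPT TO:<carol@example.net>
DATA
From: Alice <alice@example.org>
To: bob@example.net
Subject: lunch

Meet at noon?
.
QUIT
"""

def envelope_record(session, client_ip, ts):
    """Keep only 'transaction data': envelope addresses, the From: header,
    the client IP and a caller-supplied timestamp string.
    Body text is counted (to show it was seen) but never stored."""
    rec = {"ts": ts, "client_ip": client_ip, "mail_from": None,
           "rcpt_to": [], "header_from": None, "body_bytes": 0}
    in_data = in_body = False
    for line in session.splitlines():
        if in_data:
            if line == ".":                      # end of DATA section
                in_data = in_body = False
            elif in_body:
                rec["body_bytes"] += len(line) + 2   # +2 for the CRLF
            elif line == "":                     # blank line ends headers
                in_body = True
            elif line.lower().startswith("from:"):
                rec["header_from"] = line[5:].strip()
            continue                             # To:, Subject:, etc. dropped
        if m := re.match(r"MAIL FROM:<([^>]*)>", line, re.I):
            rec["mail_from"] = m.group(1)
        elif m := re.match(r"RCPT TO:<([^>]*)>", line, re.I):
            rec["rcpt_to"].append(m.group(1))
        elif line.upper() == "DATA":
            in_data = True
    return rec

if __name__ == "__main__":
    # 192.0.2.10 is a documentation address; the date is made up.
    print(envelope_record(SAMPLE_SESSION, "192.0.2.10", "2002-06-21T00:00:00Z"))
```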
Data retention is being done now by programs and services which cache data to ease loading on servers and networks. No approval needed from anybody, indeed, the service is being offered as a cost saver and expeditor of net services to ISPs and anybody else who might be eager to get around restrictions on data retention, not because of privacy and civil liberties concerns but because the increase in loading and competition is driving the technology. What will prevent an ISP from sharing its cached data retention, -- performed to remain competitive in the market -- with officials who just might ask for a favor through the legal department, knowing nobody will know what's going on, and what the hell, that nobody cares so long as the cost of services is kept low? Why not give up privacy for a cheap deal? A skeptic might wonder why all the folderol about the EuroParl and DoJ proposals and implementations when the really good stuff is already accessible, no complicated procedures required to sample the stored produce. No evidence that anybody has taken a look, grabbed some data of the usual suspects. A sample of above-board data retention products via caching offerer, which brags all its products retain data in the interest of always marketable cost savings: http://www.soliddata.com/solutions/telecom_appbrief.html The URL sent by anonymous.
At 18:57 21/06/2002 -0700, John Young wrote:
Data retention is being done now by programs and services which cache data to ease loading on servers and networks. [...]
John, As a systems administrator @ an ISP, I can tell flat out that the software you describe has nothing to do with ISP services. The software provides caching services for telecom companies (ie. billing, WAP, voice mail alerts etc). I see nothing that mentions typical ISP services, like e-mail or web-browsing. It is software designed to impress the executive level with pie charts and promises of reduced hardware costs. No one likes spending $50k on a NAS or Fibre Channel / RAID 10 box. Next time John, I suggest you turn your sights on caching software like Squid. Know what? I'm not even afraid to provide the URL! http://www.squid-cache.org .. you may even discover it has US Intelligence Community(tm) links, dating back many years! Incredible, huh? ISPs like the one I work for use Squid to save on bandwidth costs by caching oft-visited websites. Unfortunately, we (like most if not all ISPs) cannot afford the massive disk arrays (or the space they would take up, even the electricity) that would be necessary to retain data *for one day*. Geez, I don't think the government is gonna like that. That doesn't even bring us to the technical abilities of all the different pieces of software that must be re-written (en masse) to satisfy government desires. For instance, let's try e-mail software.. There are numerous companies and individuals who offer their own versions of e-mail server software. Microsoft's Exchange and Ipswitch's IMail for the Windows crowd who like spending lots of money, or Qmail, Postfix, Exim and even Sendmail for the Unix crowd. There are dozens more, but you get the point. All that software will need to be rewritten. Then all the e-mail servers will need to be upgraded and tested. THEN more disk space added just to handle all the extraneous information like from whom and to whom, from where (say originating IP and from what server host and IP) etc etc etc ad nauseam. Whoops! Let's not forget tape backups! I'm buying 3M stock come Monday!
But what happens if we have a disk failure and the logs are lost? Hmm... Anyway, that is just for e-mail.. Imagine what HTTP, or FTP, or whatever can't-live-without service someone invents in the future? Data retention is unworkable even to the biggest of companies. Even the NSA cannot store that kind of data without a significant (and secret) budget. The only ones deriving any benefit from this are law enforcement and computer hardware & commercial software manufacturers. Maybe it's an economic stimulus package in disguise? -- Steve.
Steve, Not arguing, but the hardware cost curve for storage has a shorter halving time than the cost curve for CPU (Moore's Law) and the corresponding halving time for bandwidth is shorter still. If that relationship holds up over a period of years, today's tradeoffs between cache, re-computation, and anticipatory transmission would presumably change in the direction the economics dictates. And of course, if I really care that a particular piece of data is non-discoverable I either have to encrypt it, never transmit it, or go on one whopping search mission. Or so I think. Does the world look different from your vantage? --dan
At 17:37 22/06/2002 -0400, geer@world.std.com wrote:
Not arguing, but the hardware cost curve for storage has a shorter halving time than the cost curve for CPU (Moore's Law) and the corresponding halving time for bandwidth is shorter still.
You've got a point. Storage is becoming less and less expensive per gigabyte, especially for IDE drives. If you're using a RAID setup, IDE doesn't cut it, SCSI is the way to go (for now). SCSI is a lot cheaper than it used to be, but it's still over $1000 for a single 70gig drive in Canada. For maximum redundancy in one rack-mount server, RAID 10 is the way to go. That means for every 1 drive, there must be an exact duplicate. Costs can increase exponentially. That said, storage isn't the only expense when creating a large, fast and redundant file server (especially for caching). The fastest way to get data from a computer to the file server is via fibre channel. And fibre channel hardware isn't cheap. Last time I looked, a DIY RAID 10 system with 15 drives (1 hot-standby), case and fibre channel capability was ~ $30-35k. For each workstation that connects to it, there is a ~1k charge for the fibre channel client card. Don't even go near a fibre channel switch, they run $10-15k apiece, and don't handle more than 10-15 connections. Plus cabling. See, it adds up -- and that's just for one unit. To do the kind of data retention proposed in the EU, that is the kind of hardware that would be necessary. Plus a rack of tape backup drives running 24x7. Perhaps this sounds extreme, and it very well could be. My concern isn't so much based on what the law says must be retained; the penalties if the data isn't retained are what worry me. Could a system or network administrator be charged if the data is unavailable? What if there is a plausible reason (ie. hardware failed a year ago, fire)? What if the company cannot afford it? What charges are brought against the company? These questions are the reality for sysadmins in the EU.
If Canada implemented a data retention law, I would be extremely concerned about my personal liability as well as corporate -- Canada already can charge a network administrator who the police believe is negligent in blocking (and removing) copyrighted software from computers he/she is responsible for. It has happened. My understanding is that it has to do with an RCMP settlement over the PROMIS software scandal, but that's another topic. -- Steve
I appreciate what an honorable ISP admin will do to abide customer rights over intrusive snoopers and perhaps cooperative administrators above the pay grade of a sysadmin. Knowing that a decent sysadmin is on for about 1/3 of a weekday for 24x7 systems is a small comfort but leaves unanswered what can happen:
1. During that time when a hero is elsewhere.
2. Upstream of the ISP, the router of the ISP and the nodes serving routers, as well as at a variety of cache systems serving their various levels.
3. At major providers serving a slew of smaller ISPs. In this case I reported a while back of a sysadmin telling what my ISP, NTT/Verio, is doing at its major node in Dallas: allowing the FBI to freely scan everything that passes through the Verio system under an agreement reached with NTT when it bought Verio.
No matter what a local sysadmin does with data, it remains very possible that data is scanned, stored and fucked with in nasty ways coming and going such that no single sysadmin can catch it. End to end crypt certainly could help but there is still a fair amount of TA that can be done unless packets are truly disintegrated and/or camouflaged at the source before data leaves the originating box. Pumping through anonymizers, inserting within onions, subdermal piggybacking on innocuous wireless packets of the financial advisor door, multiple partial sends, stego-ing, data static and traffic salting, bouncing off the moon or windowpane, what else can you do when an eager beaver industry is racing to do whatever it takes to build markets among the data controllers breathing hot about threats to national security and handing out life-saving contracts to hard-up peddlers shocked out of their skivvies with digital downturn. No patriotic act is too sleazy these days that cannot be justified by terror of red ink and looming layoffs.
John Young wrote:
I appreciate what an honorable ISP admin will do to abide customer rights over intrusive snoopers and perhaps cooperative administrators above the pay grade of a sysadmin. Knowing that a decent sysadmin is on for about 1/3 of a weekday for 24x7 systems is a small comfort but leaves unanswered what can happen:
1. During that time when a hero is elsewhere.
2. Upstream of the ISP, the router of the ISP and the nodes serving routers, as well as at a variety of cache systems serving their various levels.
To expand on John Young's inquiry, I believe it would help elevate the level of the public discourse regarding potential future US data retention and interception laws if those inclined to comment on this issue were to take the time to research similar laws already passed in other countries in the course of the customary policy laundry process. Even a brief such investigation would teach the aspiring commentator that those responsible for the installation and maintenance of governmentally mandated snooping infrastructure at the ISP are largely required to hold active security clearances. To rephrase John's very valid question in a slightly more targeted fashion: how likely is it that cleared personnel working at the ISP will refuse an official request for law enforcement assistance?
--Lucky Green
At 06:38 PM 06/22/2002 -0400, Steve Fulton wrote:
At 17:37 22/06/2002 -0400, geer@world.std.com wrote:
Not arguing, but the hardware cost curve for storage has a shorter halving time than the cost curve for CPU (Moore's Law) and the corresponding halving time for bandwidth is shorter still.
You've got a point. Storage is becoming less and less expensive per gigabyte, especially for IDE drives. If you're using a RAID set up, IDE doesn't cut it, SCSI is the way to go (for now). SCSI is a lot cheaper than it used to be, but it's still over $1000 for a single 70gig drive in Canada. For maximum redundancy in one rack-mount server, RAID 10 is the way to go. That means for every 1 drive, there must be an an exact duplicate. Costs can increase exponentially.
[more examples of expensiveness deleted; fibre channel, etc.] You're not making appropriate technology choices, so your costs are off by a factor of 5-10. IDE is just fine, especially in RAID configurations, because if you're making a scalable system, you can use as many spindles as you need, and you don't need to run fully mirrored systems - RAID5 is fine. Almost any technology you get can run 5MB/sec, which is T3 speeds, so that RAID5 system can keep up with an OC3 with no problem. Disk drive prices here in the US are about $1/GB for IDE. The problem is that's about 200 seconds of T3 time, so your 5 100GB drives will last about a day before you take them offline for tape backup. The real constraints become how fast you can copy to tape, i.e. how many tape drives you need to buy, and what fraction of data you keep. If it's 1%, you can afford it - adding $5/day = $150/month per T3 is just noise. Keeping 10% of the bits - $50/day = $1500/month/T3 - is a non-trivial fraction of your cost, so you have to go for tape. Fibre channels are useful for cutting-edge databases on mainframes, and have the entertaining property that they can go 10-20km, so you've got more choices for offsite backup, but GigE is fine here. Make sure you also keep a couple of legacy media devices so you can give the government the records they want in FIPS-specified formats, such as Hollerith cards and 9-track tape.....
At 07:02 PM 06/22/2002 -0700, John Young wrote:
.... 3. At major providers serving a slew of smaller ISPs. In this case I reported a while back of a sysadmin telling what my ISP, NTT/Verio, is doing at its major node in Dallas: allowing the FBI to freely scan everything that passes through the Verio system under an agreement reached with NTT when it bought Verio.
That's especially tacky, considering that NTT bought Verio which had bought Best which had bought The Little Garden which was the businessified version of The Little Garden internet co-op which John Gilmore and Hugh Daniel helped found....
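To make Bill Stewart's back-of-envelope arithmetic above reusable, here is an added sizing model (written for this page; not from the thread and not any vendor's tool). Given a link rate, the fraction of bits kept, a disk price per GB, drive size, retention period and tape throughput, it returns the daily volume, disk cost, spindle count and tape drives needed. The demo uses his figures (T3 at 5 MB/s, $1/GB, 100 GB drives); the 5 MB/s tape rate and the 30-day month are assumptions.

```python
from math import ceil

SECONDS_PER_DAY = 86_400

def retention_plan(link_mb_per_s, fraction_kept, usd_per_gb,
                   drive_gb, retention_days, tape_mb_per_s):
    """Back-of-envelope sizing for mandated retention on one link.
    Returns daily volumes, disk cost, online spindles and tape drives."""
    raw_gb_day = link_mb_per_s * SECONDS_PER_DAY / 1000   # MB -> GB
    kept_gb_day = raw_gb_day * fraction_kept
    online_gb = kept_gb_day * retention_days              # held on disk
    # Tape has to drain each day's retained data within that same day,
    # streaming continuously (no duty-cycle or load-time allowance).
    tape_drives = ceil(kept_gb_day * 1000 / (tape_mb_per_s * SECONDS_PER_DAY))
    return {
        "raw_gb_per_day": raw_gb_day,
        "kept_gb_per_day": kept_gb_day,
        "seconds_of_link_per_gb": 1000 / link_mb_per_s,   # 200 s for a T3
        "usd_disk_per_day": kept_gb_day * usd_per_gb,
        "usd_disk_per_month": kept_gb_day * usd_per_gb * 30,  # assumed 30 days
        "drives_online": ceil(online_gb / drive_gb) if online_gb else 0,
        "tape_drives": tape_drives,
    }

def days_until_full(n_drives, drive_gb, link_mb_per_s):
    """How long n raw-capture drives last before they must go to tape."""
    return n_drives * drive_gb / (link_mb_per_s * SECONDS_PER_DAY / 1000)

if __name__ == "__main__":
    for frac in (0.01, 0.10, 1.0):
        p = retention_plan(5, frac, 1.0, 100, 1, 5)
        print(f"keep {frac:>4.0%}: {p['kept_gb_per_day']:6.1f} GB/day, "
              f"${p['usd_disk_per_month']:7.2f}/month, "
              f"{p['drives_online']} drive(s) online, "
              f"{p['tape_drives']} tape drive(s)")
    print(f"5 x 100 GB drives fill in {days_until_full(5, 100, 5):.2f} days")
```

The 1% and 10% rows land near the $150/month and $1500/month figures in the message; the full-capture row shows why five 100 GB drives last about a day.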
participants (6): Bill Stewart, geer@world.std.com, John Young, Lucky Green, Steve Fulton, Steven M. Bellovin