Re: ISPs' information on users

At 8:18 PM 9/24/96, Robert Hettinga wrote:
--- begin forwarded text
Brave Old World: Reflections on Europe in the Digital Age by Steven Carlson; 20 Sep 1996
** So Much Fuss About A Bottle Of Ketchup
Hungarian police recently sent a fax around to the local Internet service providers (ISPs) asking them to provide lists of their users in Esztergom, a small town outside of Budapest. It seems somebody had planted a bomb in a bottle of ketchup. Since everyone knows you can download bomb-making instructions from the Internet, the police figured they should investigate the local users. No, I'm not making this up.
So, Hungary has GAK -- Government Access to Ketchup.
Good to know the 57 Varieties are now considered munitions.
On a more serious note, perhaps legal experts here could comment on something I've been wondering about. Could ISPs in the U.S. be compelled to report on the browsing and net surfing habits of their customer base?
To make this clear, I don't mean in a specific criminal case, where the records are searchable under a warrant. I mean a blanket order that all ISPs compile and forward records.
Were I an ISP, I would probably say, "Hell no! They're my records and the Fourth Amendment says my records are to be secure unless a proper court order is issued. Besides, my fee for generating each kilobyte of records is $100,000, nonnegotiable."
(I think I've answered my own question, namely, ISPs would be under no obligation to report on customer activities, absent a proper warrant, and consistent with the ECPA.)
However, ISPs are _not_ accorded the same status as priests, lawyers, and others with such privacy privileges (and obligations). Would it be legal for an ISP to offer for sale such records? Or to voluntarily go to the cops?
(There's a certain new ISP with tight links to a quasi-religious group much in the news lately, and some have speculated that this ISP may be monitoring certain users....)
--Tim May
We got computers, we're tapping phone lines, I know that that ain't allowed.
---------:---------:---------:---------:---------:---------:---------:----
Timothy C. May | Crypto Anarchy: encryption, digital money,
tcmay@got.net 408-728-0152 | anonymous networks, digital pseudonyms, zero
W.A.S.T.E.: Corralitos, CA | knowledge, reputations, information markets,
Higher Power: 2^1,257,787-1 | black markets, collapse of governments.
"National borders aren't even speed bumps on the information superhighway."

On a more serious note, perhaps legal experts here could comment on something I've been wondering about. Could ISPs in the U.S. be compelled to report on the browsing and net surfing habits of their customer base?
To make this clear, I don't mean in a specific criminal case, where the records are searchable under a warrant. I mean a blanket order that all ISPs compile and forward records.
Let's get some of the cypherpunk legal types to comment on the following idea which is probably completely wrong:
It is probably illegal for the ISP to keep such records in the first place!
When I open a link to a remote WEB page or use FTP to retrieve a remote file, the software on my computer first forms a network connection between a program on my local computer and a remote "server" program at the remote site. The ISP provides hardware and software "in the middle" that allows this connection to take place. After this connection is established, the connection itself is used to negotiate the precise data I want (i.e. the filename in the case of FTP or the non-site portion of the URL in the case of the WEB).
In order for the ISP to keep records of my browsing, it would have to snoop on this connection. But the connection is an electronic communication within the meaning of the Electronic Communications Privacy Act (ECPA). Thus it is not legal for the ISP to keep such information. Thus the ISP can not report on the browsing habits and net surfing habits of its user base by complying with the law and never keeping the records in the first place.
Perhaps the above does not apply to the site name of the connections.
OK, cypherpunk legal types, tell me if I got the above wrong?
--
Paul Elliott Telephone: 1-713-781-4543
Paul.Elliott@hrnowl.lonestar.org Address: 3987 South Gessner #224 Houston Texas 77063

On Tue, 24 Sep 1996, Timothy C. May wrote:
At 8:18 PM 9/24/96, Robert Hettinga wrote:
--- begin forwarded text
** So Much Fuss About A Bottle Of Ketchup
Hungarian police recently sent a fax around to the local Internet service providers (ISPs) asking them to provide lists of their users in Esztergom, a small town outside of Budapest. It seems somebody had planted a bomb in a bottle of ketchup. Since everyone knows you can download bomb-making instructions from the Internet, the police figured they should investigate the local users. No, I'm not making this up.
So, Hungary has GAK -- Government Access to Ketchup.
Good to know the 57 Varieties are now considered munitions.
On a more serious note, perhaps legal experts here could comment on something I've been wondering about. Could ISPs in the U.S. be compelled to report on the browsing and net surfing habits of their customer base?
To make this clear, I don't mean in a specific criminal case, where the records are searchable under a warrant. I mean a blanket order that all ISPs compile and forward records.
Were I an ISP, I would probably say, "Hell no! They're my records and the Fourth Amendment says my records are to be secure unless a proper court order is issued. Besides, my fee for generating each kilobyte of records is $100,000, nonnegotiable."
(I think I've answered my own question, namely, ISPs would be under no obligation to report on customer activities, absent a proper warrant, and consistent with the ECPA.)
However, ISPs are _not_ accorded the same status as priests, lawyers, and others with such privacy privileges (and obligations). Would it be legal for an ISP to offer for sale such records? Or to voluntarily go to the cops?
Worse for the ISP (and better for its customers), such interception would violate ECPA, as the 18 U.S.C. Section 2511(2)(a)(i) exception for interceptions by electronic communications services would not apply to protect the ISP. One could hardly (successfully) argue that selling out its customers was a "necessary incident" to the rendition of the ISP's services. Indeed, the exception also states "that a provider ... shall not utilize service observing or random monitoring except for mechanical or service quality control checks." I know. They could use the exception to give away a little bit, but not the whole enchilada.
EBD
(There's a certain new ISP with tight links to a quasi-religious group much in the news lately, and some have speculated that this ISP may be monitoring certain users....)
--Tim May
We got computers, we're tapping phone lines, I know that that ain't allowed.
---------:---------:---------:---------:---------:---------:---------:----
Timothy C. May | Crypto Anarchy: encryption, digital money,
tcmay@got.net 408-728-0152 | anonymous networks, digital pseudonyms, zero
W.A.S.T.E.: Corralitos, CA | knowledge, reputations, information markets,
Higher Power: 2^1,257,787-1 | black markets, collapse of governments.
"National borders aren't even speed bumps on the information superhighway."

On Tue, 24 Sep 1996, Timothy C. May wrote:
(There's a certain new ISP with tight links to a quasi-religious group much in the news lately, and some have speculated that this ISP may be monitoring certain users....)
--Tim May
Which ISP and religious group is this?
Phil Fraering
pgf@acadian.net
318/261-9649
The above is the opinion of neither my internet service provider nor my employer.

tcmay@got.net (Timothy C. May) sez:
Could ISPs in the U.S. be compelled to report on the browsing and net surfing habits of their customer base?
Such as when the police/feds/Big Brother's Helpers come in, seize every piece of computer equipment on the site for "investigation", put it in a warehouse for 2 years so they can read everything and save whatever appeals to them in their private databases? As Steve Jackson Games found out, it can be slow and expensive to get the "evidence" back and the satisfaction of watching a judge ream BBH is no guarantee that such shenanigans will cease. I hope the ISP used strong encryption on all their disks and tapes. Sadly, I have no idea how to make sure an ISP I use does that properly or how to get an exhaustive list of what kind of records they keep.
tcmay@got.net (Timothy C. May) sez:
To make this clear, I don't mean in a specific criminal case, where the records are searchable under a warrant. I mean a blanket order that all ISPs compile and forward records.
How many pieces of thread does it take to make a blanket?
Stephen
participants (5)
- Brian Davis
- Paul Elliott
- Phil Fraering
- Stephen Humble
- tcmay@got.net