True necessity of Records? [was: CryptoSeal]
On Mon, Oct 21, 2013 at 10:49 PM, Jim Bell <jamesdbell8@yahoo.com> wrote:
My (Bell's) comments follow: A phone company which announces that it WILL NOT record phone metadata would get my business.
Of course many such policies are full of holes and drift anyway.
Why not x-out the last 3-4-7 digits...
There's no reason to hold CDRs more than the last fully paid billing cycle, and, yes, further limited by the type of calling plan you have. And if you believe 'exigency' is some last remaining reason to hold them, try calling in a gunfight to 911 and see how long it takes for them to come scrape up your already dead bits. Same for 'threats', unless you're prepared to hire people to keep watch. No more than a week would be necessary, 30 days if you're slow to make the call.
and that phone company was beholden to the government rather than any individual customer, now phone companies have a legitimate motivation to compete on the issue of metadata privacy.
Of course instead of fighting back and just dropping their records, which they could do tomorrow (to the extent there is no affirmative law that requires keeping), all we see are these big co's 'begging' the gov if they can publish subpoena statistics. Bunch of sheep and fishy practices. Also try to match up recent whitepapers listing retention/LEA periods of major telecoms with the decade or more worth of CDRs these co's/gov seem to have. Someone's lying, or has been feeding the secret bigdata pools all along, or both. What's the big payoff for keeping (against the cost of keeping)? Favorable regulations? Some order of magnitude more business or debugging insight beyond rollover to aggregating in RRDB? And instead, what negatives for not keeping in absence of such laws? Any independent audits yet of some of these VPNs, services, etc. that say they don't keep records that indeed do confirm the no-records practice as of the audit? [Substitute herein any type of record about you as appropriate.]
This one part,
Of course instead of fighting back and just dropping their records which they could do tomorrow (to the extent there is no affirmative law that requires keeping), all we see are these big co's 'begging' the gov if they can publish subpoena statistics. Bunch of sheep and fishy practices.
touches on what can and cannot be deleted as a matter of routine. It is not simple, and, if you are the General Counsel, then advising your firm to keep everything looks safer than doing any deletion even if deletion were to be done by way of some set of instructions that are airtight. The (2003) Zubulake v. UBS Warburg case is the precedential one. In one of the several rulings, there is this passage: Once a party reasonably anticipates litigation, it must suspend its routine document retention/destruction policy and put in place a "litigation hold" to ensure the preservation of relevant documents. That has created a focus on the "reasonable anticipation of litigation" phrase such that most large firms, to my admittedly incomplete knowledge, have concluded that as they will be sued over very nearly anything, hence they should keep very nearly everything lest the deletion of data, even if routine and commonsensical, be found by some Court to be willful spoliation of evidence that the firm should have expected would be crucial to some plaintiff's claim at some future date. Fast forward to 2013, and we have the multi-billion-dollar "e-Discovery" industry. In short, this is the United States -- the assignment of liability is what the government does and the plaintiff's bar has the government's ear. And balls. --dan
On Tue, Oct 22, 2013 at 10:21 PM, grarpamp <grarpamp@gmail.com> wrote:
... There's no reason to hold CDR's more than the last fully paid billing cycle, and, yes, further limited by the type of calling plan you have.
as an interesting aside, when i worked at a company providing directory assistance to cell phone providers, there were some individuals who would call DA just to be outbound dialed to the desired number. our call setup incurred a hairpin route for this outbound leg, connecting the dialed party side through our switches, to provide in-band services. this had the convenient effect of masking the origin of a caller through our network. needless to say, we were strongly encouraged to keep all CDR records for years, precisely because some many months later a request would come in asking for the calling party information associated with one of these outbound legs. this is not even considering the "data analytics" reasons why carriers keep these detail records indefinitely...
On Thu, Oct 24, 2013 at 1:53 PM, coderman <coderman@gmail.com> wrote:
this had the convenient effect of masking the origin of a caller through our network. needless to say, we were strongly encouraged to keep all CDR records for years, precisely because some many months later a request would come in asking for the calling party information associated with one of these outbound legs.
And per the topic... what was the positive/negative effect in cases where that data wasn't available for a request? Who did the encouragement? Why? And what stick did they wield? Were such requests even legal court orders?
this is not even considering the "data analytics" reasons why carriers keep these detail records indefinitely...
Putting some thought into how to aggregate and roll them up into what amounts to anonymous RRDB summary metrics, is that so hard and costly? No one likes deleting source data out of fear of not being able to produce some miracle report that will make them 10% more profit someday. But in the end, this is the technology biz; if you can't come up with that edge within a year or less of raw data, you're already too old and slow and don't need it anyways. You could just continue to keep rates higher and buy your entrenchment.
On 10/24/13 14:57 -0400, grarpamp wrote:
On Thu, Oct 24, 2013 at 1:53 PM, coderman <coderman@gmail.com> wrote:
this had the convenient effect of masking the origin of a caller through our network. needless to say, we were strongly encouraged to keep all CDR records for years, precisely because some many months later a request would come in asking for the calling party information associated with one of these outbound legs.
And per the topic... what was the positive/negative effect in cases where that data wasn't available for a request? Who did the encouragement? Why? And what stick did they wield? Were such requests even legal court orders?
For the small Telco I work for, there are a few scenarios where we "give up" information:
* Customer billing dispute, in which case we'll provide or confirm information that a customer already has printed on their bill, perhaps in more detail if available.
* Trap and trace. This is triggered by a customer entering a star code on their POTS phone, which stores the caller information (even if the caller attempted to block their information) of the last call only, on the switch for later retrieval. That information is only provided to local law enforcement, and they only ask for it when a customer files a police report (harassment).
* We have provided CDR information to a court when subpoenaed. This was not complete information, since we only store CDR records of calls which cross toll trunks (calls which leave our switch). Local on-switch calls are not billable, so we don't bother to store them. I assume this is standard policy for other small ILECs.
We have never negotiated what information we provide to local authorities, and have never been encouraged or ordered to keep X number of days of data. The same goes for the ISP (broadband) side of the house. We've been subpoenaed for information about who used what IP and when. We keep syslog data for up to two months, for our own troubleshooting use. -- Dan White
On Thu, Oct 24, 2013 at 3:29 PM, Dan White <dwhite@olp.net> wrote:
there are a few scenarios where we "give up" information:
* Customer billing dispute, in which case we'll provide or confirm information that a customer already has printed on their bill, perhaps in
That's common sense before a bill is paid, or at least within a few fully paid billing cycles. Even beyond then, a small personal customer account in good standing could be taken care of with a few keystrokes and a word about not keeping things to ensure privacy; call it positive accommodation. So that's not really in question here.
* Trap and trace. This is triggered by a customer entering a star code on their POTS phone, which stores the caller information
The customer asked for that by punching in VSC *57 after the last call. And the average inter-call timeframe is likely never more than a week before last call becomes 2nd last. So that's not in question either.
(even if the caller attempted to block their information)
(People wrongly think VSC *67 shields them from things other than the callee's view of their end of a plain old POTS/cell line. Toll free numbers, programmed PBX trunks, etc are often set up differently in this regard.)
we only store CDR records of calls which cross tolls trunks (calls which leave our switch). Local on-switch calls are not billable, so we don't bother to store them. I assume this is standard policy for other small ILECs.
This is an interesting policy. I'd not bet on it being a universal thing, especially with the big regionals and with their history of billing for everything.
The same goes for the ISP (broadband) side of the house. We've been subpoenaed for information about who used what IP and when.
The Tor relay operators field a lot of what seem to be informal inquiries, a few subpoenas, and fewer orders and search warrants. Once Tor is explained as having no records, they go away. In that example of a provider not keeping records, there's not really a negative consequence other than time going through the process of showing that there are none. That can be troubling in some cases, but it's not really meant or directed at the provider.
On Thu, Oct 24, 2013 at 11:57 AM, grarpamp <grarpamp@gmail.com> wrote:
... And per the topic... what was the positive/negative effect in cases where that data wasn't available for a request?
we always had the data; i can't speak to negative effects.
Who did the encouragement? Why? And what stick did they wield?
the retention period was requested by carriers using our service (contractual obligation) as well as our own internal legal counsel (7 years retention with full off-site backups in IronMountain, etc.) the stick was contracts/monies externally, and legal counsel internally. to be clear, this was not a direct LEO mandate.
coderman <coderman@gmail.com> writes:
we always had the data; i can't speak to negative effects.
[...]
to be clear, this was not a direct LEO mandate.
I got the same response from talking to techies at a large telco, they kept the records just in case they needed them (not for any specific LEO use, but just in case they needed the info at some point in the future), and because it was easier to keep them than to delete them. In other words, throwing a few more drives into a server farm was relatively straightforward compared to figuring out what to delete, when, under what conditions, and how (lots of different formats, data all over the place, etc). (This issue isn't unique to telcos, it seems to be near-universal, it's always easier to keep data lying around than to figure out what to delete). Peter.
At 08:14 PM 10/24/2013, Peter Gutmann wrote:
I got the same response from talking to techies at a large telco, they kept the records just in case they needed them (not for any specific LEO use, but just in case they needed the info at some point in the future), and because it was easier to keep them than to delete them.
Back when my wife and I were in college, the US had one main telco, the Bell System. There were always lawsuits against them about one thing and another, billing disputes, anti-trust accusations, telephone poles jumping in front of cars, state public utility commission squabbles of one sort or another, etc. She had a summer job one year translating a chunk of telco billing data from a homebrew database into a commercial DBMS format just in case they needed it. Seven years later it was no longer lawsuit bait, and the commercial DBMS format was no longer supportable on any current computers either :-) (Which was a bit of a surprise, since I think it was an IBM DBMS.)
At 11:14 PM 10/24/2013, Peter Gutmann wrote:
(This issue isn't unique to telcos, it seems to be near-universal, it's always easier to keep data lying around than to figure out what to delete).
I've seen that as well. The phenomenon would seem to be a hallmark of poor design. The system should keep track of what went where and automatically delete it unless prevented from doing so. That was certainly the case with the systems and data I have personal experience with, poor design leading to irresponsible retention of user financial (credit card) data in particular.
It is not an easy problem. It is hard to make reliable and maintainable systems without keeping the kinds of logs and records that law enforcement might later want. Even if it is your policy to delete records, it is easy for a court to order you to maintain any records that you are producing. The only safe posture is to architect systems so as to never keep those records. Unfortunately that makes all kinds of other tasks more difficult. Therefore the whole service is more expensive to run, and may be less reliable. For a dedicated privacy service like Anonymizer, that is a reasonable tradeoff, but it will be a hard sell to phone companies and such. This is not to say that it would not be a good thing for these companies to have a short data retention window vs. the long period they have now, but it would not provide that much additional protection. -- Lance Cottrell loki@obscura.com On Oct 25, 2013, at 4:25 AM, Ulex Europae <europus@gmail.com> wrote:
At 11:14 PM 10/24/2013, Peter Gutmann wrote:
(This issue isn't unique to telcos, it seems to be near-universal, it's always easier to keep data lying around than to figure out what to delete).
I've seen that as well.
The phenomenon would seem to be a hallmark of poor design. The system should keep track of what went where and automatically delete it unless prevented from doing so. That was certainly the case with the systems and data I have personal experience with, poor design leading to irresponsible retention of user financial (credit card) data in particular.
On 2013-10-26 02:56, Lance Cottrell wrote:
It is not an easy problem. It is hard to make reliable and maintainable systems without keeping the kinds of logs and records that law enforcement might later want. Even if it is your policy to delete records, it is easy for a court to order you to maintain any records that you are producing. The only safe posture is to architect systems so as to never keep those records. Unfortunately that makes all kinds of other tasks more difficult. Therefore the whole service is more expensive to run, and may be less reliable. For a dedicated privacy service like Anonymizer, that is a reasonable tradeoff, but it will be a hard sell to phone companies and such.
A mountain of records is a pain, and makes stuff harder to find. Therefore automatic log rotation, where records that are unlikely to be of use are automatically deleted within a reasonable time, is optimal. How many times have you gone looking for something, and there is a pile of crap? OK, you could keep the pile of crap properly organized, but it is a lot easier to just delete it than to properly organize it.
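The aggregate-then-purge pipeline that grarpamp (roll raw CDRs up into anonymous RRDB-style summary metrics), Ulex Europae (the system deletes automatically unless prevented from doing so) and James A. Donald (automatic rotation of records unlikely to be of use) describe, sketched below as an added example; it is not code from any participant in this thread or from any carrier. The CDR layout, the per-account "paid through" date, the litigation-hold set and the sample records are assumptions. The toll-trunk filter mirrors the small-telco practice Dan White reports (only calls that leave the switch are stored), and the hold is the one case where routine deletion is suspended, as in the Zubulake passage quoted earlier.

```python
"""Added example: roll raw CDRs up into anonymous hourly summaries, then drop
raw records once their billing cycle is paid, unless a litigation hold applies.
Record layout and policy inputs are assumptions, not any carrier's system."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class CDR:
    start: datetime     # call setup time
    caller: str         # originating number
    callee: str         # dialed number
    seconds: int        # billed duration
    toll_trunk: bool    # True if the call left the local switch (billable)
    account: str        # billing account charged for the call


def billable(cdrs):
    """Store only calls that crossed a toll trunk; on-switch calls are never
    billed, so there is nothing to retain for them."""
    return [c for c in cdrs if c.toll_trunk]


def rollup(cdrs):
    """Aggregate to (hour, toll_trunk) -> {'calls', 'seconds'}. No number or
    account survives, so the summary can be kept indefinitely (RRD style)."""
    summary = defaultdict(lambda: {"calls": 0, "seconds": 0})
    for c in cdrs:
        hour = c.start.replace(minute=0, second=0, microsecond=0)
        summary[(hour, c.toll_trunk)]["calls"] += 1
        summary[(hour, c.toll_trunk)]["seconds"] += c.seconds
    return dict(summary)


def purge(cdrs, paid_through, holds):
    """Split raw CDRs into (keep, drop).

    paid_through: account -> end of the last fully paid billing cycle.
    holds: accounts under a litigation hold; their records are never dropped.
    Calls with no settled cycle on record (unknown account, or a call made
    after the last paid cycle) are kept, since they may still be disputed."""
    keep, drop = [], []
    for c in cdrs:
        settled = paid_through.get(c.account)
        in_paid_cycle = settled is not None and c.start <= settled
        if c.account in holds or not in_paid_cycle:
            keep.append(c)
        else:
            drop.append(c)
    return keep, drop


# Constructed sample data, not real call records.
SAMPLE = [
    CDR(datetime(2013, 10, 1, 9, 15), "15550100", "15550199", 120, True, "A"),
    CDR(datetime(2013, 10, 1, 9, 40), "15550100", "15550101", 30, False, "A"),
    CDR(datetime(2013, 10, 10, 14, 5), "15550200", "15550299", 300, True, "B"),
    CDR(datetime(2013, 10, 22, 8, 0), "15550100", "15550199", 60, True, "A"),
]
PAID_THROUGH = {"A": datetime(2013, 10, 15), "B": datetime(2013, 10, 15)}
HOLDS = {"B"}  # account B is subject to a litigation hold (assumed)


def run_cycle(cdrs=SAMPLE, paid_through=PAID_THROUGH, holds=HOLDS):
    """One retention pass: summarize everything (anonymous, kept forever),
    then purge the stored raw records. Returns (summary, keep, drop)."""
    summary = rollup(cdrs)
    keep, drop = purge(billable(cdrs), paid_through, holds)
    return summary, keep, drop


if __name__ == "__main__":
    summary, keep, drop = run_cycle()
    for key, value in sorted(summary.items()):
        print(key, value)
    print("kept", len(keep), "dropped", len(drop))
```

With the sample above, account A's settled October 1 call is dropped, A's unbilled October 22 call and B's held October 10 call are kept, and the hourly summary still accounts for all four calls, including the on-switch one that was never stored as a raw record. Lifting the hold on B drops its settled record on the next pass; nothing else in the pipeline needs to change, which is the point of keeping the hold as data rather than as a process.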
On Thu, Oct 24, 2013 at 3:57 PM, coderman <coderman@gmail.com> wrote:
the stick was contracts/monies externally
Sure, there's that, especially if smallco wants to do business with bigco. Two entities on equal footing could certainly negotiate things.
and legal counsel internally.
Yeah, seems it's always about the legal counsel. Their job is to tell you about 'risks'. Your job is to make a decision, even if that decision is to tell them to shut up for once and go prepare for the risk that you're about to ignore. https://threatpost.com/simple-bug-exposed-verizon-wireless-users-sms-history And where are the lawyers telling you that you should probably *not* keep these records because you're incompetent and the risk is that someone will sue you individually or as a class when you screw it up? Probably off cashing the fees you paid them for the first conversation.
On 2013-10-25 04:57, grarpamp wrote:
And per the topic... what was the positive/negative effect in cases where that data wasn't available for a request?
Show me the man, and I will find you the crime.
Who did the encouragement?
Unidentified authority
Why?
Authority does not answer questions.
And what stick did they wield?
The state
Were such requests even legal court orders?
Whatever a government employee does is legal, whatever a private citizen does is illegal.
participants (9): Bill Stewart, coderman, Dan White, dan@geer.org, grarpamp, James A. Donald, Lance Cottrell, Peter Gutmann, Ulex Europae