Slashdot Mirror


DOJ Wants ISPs to Log User Traffic UPDATED

Anonymous Coward writes "Kevin Poulsen writes in an article in SecurityFocus that in an early draft of the White House's "National Strategy to Secure Cyberspace", the DOJ proposes that the US enact European-style 'data retention' laws, which force ISPs to log and retain all of your email headers, as well as your Web browsing history." Nothing worse for the DOJ than to be upstaged by Europe in oppressive lawmaking, they must feel like they're losing their edge. Update: 06/19 23:04 GMT by M : The SecurityFocus article has been updated with this note, saying that the U.S. denies having any plans for data-retention laws. Guess we'll have to wait until the plan is released to see.

19 of 335 comments

  1. I guess... by Anonymous Coward · · Score: 4, Funny

    I'll have to meet real girls instead of browsing pr0n.

  2. First post? by Paradoxish · · Score: 4, Insightful

    Maybe, I dunno. But anyway... this sucks. Doesn't anyone at the DOJ realize that keeping a history of web browsing is about the equivalent of having someone follow you around with a pen and some paper and record the address of every place you visit during the day? I don't understand how keeping track of information like this can possibly help with security or ANYTHING for that matter.

    --
    If you need to interpret my post, then you don't get it.
    1. Re:First post? by gorf · · Score: 4, Insightful

      Which is also the equivalent of putting cameras in public places...

      (Emphasis mine) My web browser is certainly not in a public place.

  3. Mail headers. by Lemmy Caution · · Score: 3, Interesting

    Article seems slashdotted, so I haven't read it yet... but what does this mean for those of us who run our own mail servers? Do we now have retention and reporting requirements on our systems at home?

    1. Re:Mail headers. by jmd! · · Score: 3, Insightful

      Your ISP wouldn't do it on their mail server, they would have to sniff all outbound port 25 traffic and record that way. Scary stuff, since even PGP doesn't help much. They'd still know everyone I mail. Time to start putting the Subject: in the body of the message, people!

  4. Will they fund it? by cardshark2001 · · Score: 4, Insightful

    Logging such a huge volume of data requires massive hard-drive space, extra CPU power, extra manpower. All of those things cost money.

    Considering how little money ISP's tend to make, I don't see this as at all fair, unless the government will pony up the cash.

    --
    WWJD? JWRTFA!
    1. Re:Will they fund it? by delta407 · · Score: 4, Interesting

      Besides which, what defines an ISP? I do work for a school that shares an Internet line with a nearby company; the router is in the school, and the company can use the school's cache server and mail relay. Does the school have to log everything? They certainly can't pay for it.

      Then again, if the government would provide cash for some upgrades, I'm sure they wouldn't mind.

  5. They changed their mind! by I Want GNU! · · Score: 5, Informative

    I visited the site, and this is what it says here. I'm posting it in case the site gets slashdotted. [And I'm not a karma whore since I already have 50.]

    U.S. Denies Data Retention Plans

    The Justice Department refutes claims that Internet service providers could be forced to spy on their customers as part of the U.S. strategy for securing cyberspace.
    By Kevin Poulsen, Jun 19 2002 12:24PM
    An early draft of the White House's National Strategy to Secure Cyberspace envisions the same kind of mandatory customer data collection and retention by U.S. Internet service providers as was recently enacted in Europe, according to sources who have reviewed portions of the plan.

    But a Justice Department source said Wednesday that data retention is mentioned in the strategy only as an industry concern -- ISPs and telecom companies oppose the costly idea -- and does not reflect any plan by the department or the White House to push for a U.S. law.

    In recent weeks, the administration has begun doling out bits and pieces of a draft of the National Strategy to technology industry members and advocacy groups. On Tuesday, sources who had reviewed segments of the plan said a federal data retention law is suggested in a section written in part by the Justice Department.

    The comprehensive strategy is being assembled by the President's Critical Infrastructure Protection Board, headed by cyber security czar Richard Clarke, and is intended as a collaborative road map for further action by government agencies, private industry, and Congress.

    While not binding, proposals that find their way into the final version of the National Strategy would likely have added weight in Congress, and could lead to legislation.

    A controversial directive passed by the European Parliament last month allows the 15 European Union member countries to force ISPs to collect and keep detailed logs of each customer's traffic, so that law enforcement agencies could access it later.

    Data to be gathered under the European plan includes the headers (from, to, cc and subject lines) of every e-mail each customer sends or receives, and every user's complete Web browsing history. The period of time that the data will have to be retained is up to each member country; specific legislative proposals range from 12 months to seven years, according to Cedric Laurant, policy fellow at the Electronic Privacy Information Center (EPIC), which opposed the directive.

    "Somebody could see their past for the last seven years be completely open," says Laurant, speaking of the European directive. "It violates freedom of speech," as well as the legal principle that a defendant is presumed innocent until proven guilty.

    The White House did not return phone calls on the National Strategy, which is scheduled for release in September.

  6. They're the only ones NOT looking by Ars-Fartsica · · Score: 3, Insightful
    Any ISP employee, sysadmin or free email provider admin can already look at your data any time they please. And they do.

    At least the government will probably be required to disclose what they do.

    Your best bet is to not send any sensitive info over email, and don't store any unencrypted sensitive or private data in online storage systems.

    1. Re:They're the only ones NOT looking by digitalsushi · · Score: 4, Informative
      As a netadmin for a small-medium sized ISP, I'm going to have to disagree with that on two levels. First off, most of us small guys don't have all the bells and whistles, or disposable overhead to implement free tools to spy on our users. Quite a few of us pipe our customers "straight through". (That and you need to remember that the majority of us are no Vincent Cerfs.. we're smart people but we could sit here 24 hours a day and still not have enough time to learn it all- but that's another thread)

      Second, for the things that we *can* look at (easy stuff like say someone's POP mailbox, just a text file) there is (most people won't believe this) actually an honor system amongst admins. We won't edit a mailbox if it's broken until we have permission. Otherwise we might see something that isn't ours to see. Privacy is THE most important thing we can promise our customers, so everything else has to take the back seat, even if it means some uptime.

      Even given that, though, I do recommend that people encrypt their email, cause just cause I won't read your mail, doesn't mean the kid who has a 60 minute kernel exploit who just rooted me won't- (the rooting being another thread, let's not talk about perfection in admining here) (So sorry to reply like this, but I just took it a little personally. We're not all sleazy. Most of us aren't.)

      --
      slashdot: where everyone yells sarcastic metaphors to themselves to understand the issue
  7. hmmm.. by crimoid · · Score: 3, Interesting

    This is only slightly different than forcing telcos to retain phone records, with one exception.

    Many URL's can be used to guess WHAT data you've been looking at without actually looking at the website. For example, if someone saw the URL: http://www.nakedkids.com they would assume that it was child porn and whoever looked at it should be red-flagged and investigated. Quite possibly however this site could have NOTHING to do with porn and could simply have a questionable DNS name.

    Perhaps if ISPs were only allowed to track IP addresses....

  8. EU countries will probably NOT ratify it after all by sickasfuck · · Score: 3, Interesting
    At least UK, it seems:

    Home Secretary David Blunkett has admitted he blundered over plans dubbed a "snooper's charter" to give a raft of public bodies in the UK access to private e-mail and mobile phone records.

    The proposals are to be put on hold indefinitely in the face of huge opposition, which the home secretary conceded his department totally failed to predict. (...)

    See http://news.bbc.co.uk/hi/english/uk_politics/newsid_2051000/2051117.stm for more info.
  9. we need a standard "envelope" for email by jimmcq · · Score: 4, Insightful

    You always hear the analogy that email is just sending a postcard... well, it's about time that we start to make email "envelopes" (aka encryption) standard for ALL email.

    I think Joe Sixpack would be more inclined to use encryption if he thought it was just an envelope to put mail into... he doesn't need to know about technojargon like PGP, GPG, SSL, S/MIME, X.509 certificates, just tell him it's an "email envelope" instead of the old postcard he's used to.

    The only thing that really needs to be public is the To address. Everything else could be encrypted (enclosed in the envelope) except for maybe a couple fields like the From Address and maybe the Subject Line (but even those could be "inside").

    What needs to happen before email encryption becomes a "standard" thing that everyone uses all the time?

  10. What's the fuss? by meta-monkey · · Score: 3, Insightful

    Many other posters have already commented that the update to the story says the Gub'ment denies attempts to do this. I'm surprised this story wasn't taken with a grain of salt in the first place...you know this wouldn't stand up to any kind of court scrutiny.

    Really, the idea that the government can arbitrarily spy on anybody, but only look at later if they have a reason, violates your 4th Amendment rights against unreasonable searches (OT: sometimes I feel bad for the 3rd Amendment...it just gets completely ignored. Nobody ever takes to the streets demanding their 3rd Amendment rights be protected. Oh well). The federal government has no power to inventory your entire home, or keep a list of every person with whom you correspond by mail, and as such, they have no similar power to log your email headers or http requests. I don't see this one happening any time soon.

    --
    We don't have a state-run media we have a media-run state.
  11. Love/Hate the idea by gerardrj · · Score: 5, Insightful

    Outright I hate the idea, this is just pre-emptive search/seizure. The gov would only propose this because it's in the digital domain where it's A: feasible, B: deemed by J. Public to be a non-issue. They could NEVER get such a thing into action with physical mailings.

    But then I thought.... If every ISP had to monitor port 25, isolate all to and from IPs and email addresses (forged or not), and fill up all those hard drives, tapes and whatnot...
    Can you imagine how fast SPAM would drop off as the ISPs attempted to control the now real costs of hosting spammers?

    --
    Article X: The powers not delegated... by the Constitution...are reserved...to the people
  12. Re:As long as data goes in the clear ... by Tazzy531 · · Score: 4, Informative
    How bout these: Also if you think this and the USA/PATRIOT Act is unfair, sign the petition to get it repealed
    --


    _______________________________
    "I'm not Conceited...I'm just a realist..."
  13. Misinformation by SamMichaels · · Score: 3, Insightful

    The problem is the general populace and law makers don't understand what they're saying/hearing. An analogy would help to put things into perspective.

    Logging email headers can be compared to the phone company keeping records of your incoming/outgoing phone calls.

    Do they do it now? Yes...and most ISPs keep generic logs as it is.

    Does the phone company retain ALL the info? No...but they CAN get the info and keep it if you're suspected of doing Bad Things...or they can tap the line. Can an ISP track the same amount of info? Sure...but they don't do it right now unless you're doing Bad Things.

    Keeping track of where you go on the web can be compared to driving.

    Does your state's dept of transportation keep track of what road you drive, and what time you did it? No.

    Does your ISP track what sites you go to and when you go to them? No...unless you have a proxy, in which case they might keep a generic log.

    Can the dept of transportation put cameras at all intersections and track your license plate number? Yes...but think of the hideous cost and hideous amount of data. Same goes for an ISP to track where you go.

    It's all about perspective...

  14. Of course they don't have any *plans* by billstewart · · Score: 3, Insightful
    They do this sort of thing all the time, and sometimes they get away with it. *Plans* implies that they've gotten sufficiently wide internal buy-in to implement something, or at least to announce it. Simply leaking wish-list desires like this and seeing how the public reacts to it gives them deniability, and lets them pretend it was just an idea, and hey, maybe it'll take off and they'll get to push the envelope a little farther past what common sense and the Constitution actually authorize them to do. In addition, by putting a wide spectrum of proposals out there, from the reasonable to the totally totalitarian wacko, lets them not only know where the edge is, but lets them take any position they want and say "see, we've been talking about this for a long time, and we're just updating this long-discussed plan to reflect current circumstances". Remember Clipper? They got their teeth kicked in on that one. Remember CALEA? That passed, though the telcos resisted for a long time because the FBI wanted billions of dollars of infrastructure implemented in ways that disrupted the potential evolution of the telecom infrastructure and market without actually having to pay for any of it, but it's vague and fuzzy enough that they've been able to use it to gradually implement some things, even if they're way beyond the Congressional approval level, much less the Constitutional one. Don't expect the ratchet to go back in the other direction without it getting pushed really hard - and this also means support your local so we can stop these things before they start.

    --

    Bill Stewart
    New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
  15. Can We Put this in perspective for the courts? by guttentag · · Score: 4, Interesting
    Let's compare:
    • DOJ wants local garbage men nationwide to store all residential and commercial trash in marked bins for 10 years so the FBI can research an individual's lifestyle
    • DOJ wants power companies to keep detailed records of household power usage so the FBI can determine what time of day is best to break in and plant listening devices
    • DOJ wants all White House officials to publish full transcripts of their meetings so the public knows just how much of Bush's energy policy was written by Enron
    • DOJ wants all ISPs to log and retain all of your email headers and browsing history so the FBI can go through your trash without feeling nauseous.
    Which of the above seems reasonable to you, your Honor?