Slashdot Mirror
Which ISPs Are Spying On You?
firesquirt sends us an article from Wired about a survey they conducted to determine major ISPs' data retention and other privacy practices. Over a period of two months, four national ISPs would not give Wired the time of day; and another four answered some of their questions in a fashion not altogether reassuring.
All of them (in the world) have the potential to spy on you. But in the US, thanks to government privacy lobbyists, we get the privilidge of full disclosure and an open forum to debate what privacy we'd like to see from a government.
~/.sig: No such file or directory
Actually, in the European Union, such spying practices are _mandatory_.
Here's an idea: Develop a web browser extention that does a random web crawl. I don't mind letting my ISP sell marketeers, give to the government, keep on file, ect a clickstream that is 99% chaff and 1% my actuall surfing. Yes, I realize that if someone puts in enough effort and analysis, they could probably sift out the false signal, but it's that very effort that makes it cost prohibitive to do it across a broad scale. And of course there is always the defense: I didn't visit that web site, my computer constantly does a random walk of the internet. And to help keep the ISPs in line, it ups the volume of records they have to keep by 500 fold.
As for the other things such as IM's, emails, torrents, ect I can encrypt those should I feel the need. Yes, I could start using TOR, but it's slow and watching a web crawler do a random walk can be entertainment all by itself.
I would think all they need to do is show they warned their users they are 1. being watched 2. downloading illegal data. Actually providing the authorities with a history of the data is not their job and should only be the acquired by the authorities with their own equipment and only under a court order.
At the least the ISP's should give their users the ability to opt-out of their "data retention" programs.
Namaste
Somewhere, there are lobbyists laughing at this comment.
As far as you know.
"A great democracy must be progressive or it will soon cease to be a great democracy." --Theodore Roosevelt
Even though I never had an account with them, for the longest time they always seemed to know where I lived because they kept sending me CDs. Spooky.
If brevity is the soul of wit, then how does one explain Twitter?
All of the United States' ISPs are MANDATED to have the ability to spy on you, at a moment's notice, and send the full stream they request off to FBI or whoever's data warehouse. and they (the ISP) must comply and must not tell you if they are doing so, courtesy of CALEA. Penalties start at $10,000 per day. Obligatory bow of the head: I, for one, welcome our new overlords.
Crazy Al's House of Intertubes - where we make up in volume what we lose per bit...
Its time to encrypt EVERYTHING. ( at least until the government bans it )
Sure they know where you went, but not what you viewed or 'said' while there.
Back when I was operating a mailing list on a controversial topic on my home machine, I had a couple rules:
- No postings soliciting or admitting to breaking laws.
- No encrypted traffic (not just on the list: All traffic (except passwords) to-from the machine was in the clear).
The thinking was like this:
- Police, other government investigative agencies, and various unofficial snoops have a long track record of ignoring laws against various kinds of eavesdropping. So you have to assume that the line might be tapped.
- If the police became interested they could always get a warrant and tap the line. (Or illegally tap the line without a warrant to see what's going on, then (if it looked interesting) get a warrant to tap it legally.)
- If the data was encrypted they could STILL get it - by getting a warrant and seizing the computer (and everything else of interest in the house).
- If the data was UNencrypted they would want to keep a low profile to avoid scaring off any "bad guys", would eventually see that there was nothing to go after, and thus would probably switch to hunting real bad guys elsewhere and go away WITHOUT breaking in and trashing stuff.
"Encrypt everything" seems like a nice solution. But if only a few are doing it, just the fact that their traffic is encrypted makes them targets. It's easy to trump up enough stuff to get a warrant and go after the machine.
Once a LOT of people are all swapping lots of encrypted traffic (as the default way of "sealing" the "envelope" on the datagrams) the fact of encryption will stop making the users targets. (The police can still get a warrant and grab the machines. But with so many potential machines to grab they'll have to find some other way to pick the ones to hit - like by bothering to dig up real "probable cause" from other evidence, like they're supposed to.)
Fortunately we don't need to construct a "shelling point" for this: The internet is gradually moving toward pervasive encryption, as the legitimate need to encrypt for personal and corporate security becomes broadly understood. Once that becomes the norm our electronic "papers" will be about as secure as our physical ones. We're starting to get there. But IMHO we're not there yet.
Unfortunately we WON'T be fully safe using encryption until the typical machine configurations are such that, if the machines are seized, it will be impossible to recover incriminating data from them - even with passwords browbeaten out of their owners. Until that time it will still be useful to bypass encryption by raiding one of the machines at the endpoints.
= = = =
Re the list and "no encrypted traffic": When one of the regulate-the-internet laws was about to make it too much hassle to continue, we closed down the list (after finding volunteers to run its successor and - since the participants hadn't agreed to have their info forwarded - announcing the successor on the original list and giving people time to sign up.
Now I regularly use SSH to telecommute or to access the primary house machine from the vacation house. But that's still low-profile: It's clear from the IP addresses that the SSH connections are going to the company, coming from it, or coming from a single external dialup machine via a particular service provider.
Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
fdD87d
W Q544ASdf455saSA1dfF3AS5D5WQsEa5dr413L50fSAdDsA3QW5 DsfDfdALJd99AD09asdfK9J00aUIOsdfOU9I0dIaOU46IOsCVd Xf61S
DF325eLJw5LKljLk3kjl18dfaw3F3DSADFsdfYDOewrs313aSS dfADuy5SA135D1H155yipHoiSDAjnkml51151LHHkmfSASd217
64F5F6sAS4Dd46KJfUYd0NsafH54UJ6Y35U135KdYUsU1Jf35
JD3hFdJf8o
SD45uio5K2o
http://www.rsync.net/resources/notices/canary.txt
In addition to a stated policy of "No data or meta-data concerning the behavior of our customers or filesystem contents will ever be divulged to any law enforcement agency without order served directly by a US court having jurisdiction. All such orders will be reported to our entire customer base."
You should read their philosophy page.
"... All such orders will be reported to our entire customer base."
:(
Ummm... dream on about this part (at least), as "Patriot Act"-backed demands (with or without a warrant) can forbid the disclosure of said demand.
And while an especially conscientious service provider might insist on dotting i's and crossing t's, it is doubtful any of their personnel (or bosses) will be willing to be jailed as a "terrorist".
Sort of. But it's an interesting idea. The law *does* prevent them from stating that they've been raided, in certain situations anyway.
But does the same law have the power to force them to continue publishing signed lies ? That's what they'd be doing if they continued to claim that they have never been raided after they where indeed raided.
I don't know enough US-law to know the answer, but atleast it's not obvious that it wouldn't work.