Inside Comcast's Surveillance Policies

Monk writes "The Federation of American Scientists has obtained a recently disclosed Comcast Handbook for Law Enforcement which details its policies for divulging its customers' personal information. (Here's the handbook itself in PDF form.) All of Comcast's policies seem to follow the letter of the law, and seem to weigh customer privacy with law enforcement's requests. This is in apparent contrast to AT&T and a number of other telecommunication companies, which have been only too happy to give over subscriber records. According to the handbook, Comcast keeps logs for up to 180 days on IP address allocation, and they do not keep all of your e-mails forever (45 days at most). VoIP phone records are stored for 2 years, and cable records can only be retrieved upon a court order. The document even details how much it costs law enforcement to get access to personal data (data for child exploitation cases is free of charge)."

How much it costs?

[aeschenkarnos]

That's odd. I'd have thought it cost "do it or be fined/arrested".

Misleading article

Complying with requests from "Law Enforcement" is quite a bit different from complying with requests to assist a US government agency with an anti-terror program. Local law enforcement is far removed from the latter.

Is this an attempt to improve Comcat's poor reputation among /.'ers? They still haven't changed thier undocumented policies related to bandwidth limitations on "unlimited bandwidth" accounts.

Re:Secure your email

[Kadin2048]

I have the capability of using both S/MIME and GPG for email (using Apple Mail, it's a matter of installing gpg, getting the Sente Software gpg addon for Mail, and getting a S/MIME certificate to activate the built-in S/MIME support), but overall I think S/MIME is probably better positioned to succeed in the marketplace. It's more idiotproof.

As much as I really despise the centralized philosophy behind S/MIME and x.509, there's something to be said for avoiding the 'web of trust' models that lie underneath GPG as its currently used, because most users just don't want to have to deal with it.

Getting people to use encryption is always a tough sell, because most people, to be perfectly frank, lead lives that are so completely boring that nobody would ever want to read their mail, and they know it. Therefore, they're not going to expend much effort getting it working. Either it works all automagically, or they don't use it at all.

I've yet to see a GPG implementation that comes as close to being foolproof as some S/MIME implementations (like Apple's), once you get the certificates set up. Once you've received a signed message from someone, you have their public key. Once you have that, the encryption button is magically enabled, and you can send encrypted stuff to them. Even Sente's Mail frontend to GPG isn't that easy to use.

Re:The law doesn't protect you

[Eskarel]

Well it really depends on a couple of things, presuming that your encryption method of choice has no weak points(ie backdoors or algorithm faults) and P!=NP and the government doesn't have a quantum computer and factoring is indeed hard, then breaking your encryption basically involves a brute force approach. Since for most reasonable encyrption methods these assumptions are valid(at least at the moment), we'll presume that brute force is the only way to crack it.

They did a distributed computing project a few years back to break a 64 bit encryption method and it took them a little over 5 years. Most encryption keys these days are 128 bits or higher and every bit you add doubles the number of possibilities they'd have to check, so for 128 bit using the same level of resources brute force would take 92,233,720,368,547,758,080 years(assuming that the five years case was an average case). Computers are a lot faster than they were, but not that much faster.

To sum up, if encryption works at all, no one is going to get in without knowing your password, and the shows are bollocks. That said some encryption algorithms do contain backdoors for the US government, and some algorithms are badly written(WEP for instance), P may equal NP and the US government will probably have a quantum computer as soon as they're available so YMMV.

Re:Secure your email

[Kadin2048]

Can I do anything about them snooping in my email - regardless if it's encrypted or not? This is where I think you are wrong. There is strong evidence to suggest that modern, widely-available encryption techniques provide a substantial barrier to snooping, and make the process of snooping far more difficult than it would otherwise be. It's certainly possible that someone has the capability of decrypting 2048-bit ElGamal or other modern PK encryption, if they do it's a closely guarded secret, unavailable to the vast majority of would-be snoopers. (I.e., if the NSA does have some unimaginably powerful quantum computer in its basement, which I frankly don't think they do, they're only going to use it on very high-value targets; anything more risks revealing their capability. It's not a tool you could use for the most oppressive kinds of mass surveillance.)

Therefore the aggregate effect of large numbers of people using encryption would be to render large-scale electronic surveillance systems useless, since they are only practical for plaintext traffic. (In fact, you don't really even need to be using state-of-the-art crypto; if everyone were using even keys that took a few days to break on a supercomputer, it would prevent most types of high-speed/real-time analysis and force authorities to take much more fine-grained, targeted approaches.

Your argument against taking an individual step to prohibit mass surveillance is the same argument that many people make against voting: your action, taken singularly, has virtually no effect. It is only as part of a group that it is significant. But just as many people deciding to vote the same way can change a government, a large number of people deciding to make the snoopers' jobs (even slightly more) difficult would quickly outpace their resources available for the task.

I don't think the solution is either-or, personally. As concerned citizens, we need to vote. As people with technological knowledge and capabilities, we have a responsibility to not make it easy for those in power to abuse it, through our passivity.