Slashdot Mirror


Inside Comcast's Surveillance Policies

Monk writes "The Federation of American Scientists has obtained a recently disclosed Comcast Handbook for Law Enforcement which details its policies for divulging its customers' personal information. (Here's the handbook itself in PDF form.) All of Comcast's policies seem to follow the letter of the law, and seem to weigh customer privacy with law enforcement's requests. This is in apparent contrast to AT&T and a number of other telecommunication companies, which have been only too happy to give over subscriber records. According to the handbook, Comcast keeps logs for up to 180 days on IP address allocation, and they do not keep all of your e-mails forever (45 days at most). VoIP phone records are stored for 2 years, and cable records can only be retrieved upon a court order. The document even details how much it costs law enforcement to get access to personal data (data for child exploitation cases is free of charge)."

33 of 134 comments

  1. Secure your email by MacDork · · Score: 3, Informative

    I'll trot this pony out one more time:

    (Mac OS X 10.3+) http://www.joar.com/certificates/
    (Windows) http://www.marknoble.com/tutorial/smime/smime.aspx

    1. Re:Secure your email by ArcherB · · Score: 2, Interesting

      I'll trot this pony out one more time:

      (Mac OS X 10.3+) http://www.joar.com/certificates/
      (Windows) http://www.marknoble.com/tutorial/smime/smime.aspx


      While I appreciate the idea and all, why? It's really not worth the time to encrypt my email. Do you think that if the feds are monitoring your line, they are just going to say, "Damn! He's encrypted. Let's move on to the next." I'm going to guess not. If anything, seeing that your email is encrypted might be enough to pique their interest to make you MORE watched, not less. This also takes precious manpower away from the people who are trying to stop the next terror attack in the US. Regardless of your political opinions, I don't see how anyone could think that impeding these guys is a good thing.

      Me on the other hand, I don't care. There is nothing incriminating in my email beyond sending stupid YouTube links to a buddy or bitching to the wife about who chooses what's for dinner. I'm really not interesting enough for the Feds to care about. Please take no offense when I say that I doubt anyone else here is either.

      --
      There is no "I disagree" mod for a reason. Flamebait, Troll, and Overrated are not substitutes.
    2. Re:Secure your email by waa · · Score: 2, Insightful

      -----BEGIN PGP SIGNED MESSAGE-----
      Hash: SHA1

      Nothing incriminating in your email? Not worried about 'them' monitoring your emails? Think again.

      "Those who would give up Essential Liberty to purchase a little Temporary Safety, deserve neither Liberty nor Safety"
      Ben Franklin

      And BTW, encrypting email only takes a few minutes to set up and no (perceptible) time when signing/encrypting a message.

      - --
      Bill Arlofski

      -----BEGIN PGP SIGNATURE-----
      Version: GnuPG v1.4.7 (GNU/Linux)
      Comment: 'email gpgpublickey@revpol.com for my public key'

      iD8DBQFHFDdxcBKMMWOpTtwRAm7SAJ9sk5L6zOiACP91e8T2OJwMAl1xrQCbBxOS
      z/z40E7hPJkxLSBUE1WuMDg=
      =VH+Y
      -----END PGP SIGNATURE-----

      --
      Windows is not the answer.
      Windows is the question.
      The answer is "NO."
    3. Re:Secure your email by spud603 · · Score: 5, Insightful

      There's a strong argument to be made to encrypt specifically because you have nothing to hide.
      This is similar to the idea that you should not let the cops search your home without a warrant even though you don't have anything illegal inside. The more it becomes assumed that only the "bad guys" that are asserting their rights and/or privacy, the more likely such assertions will be thought of as indicative of bad behavior in and of themselves. If the feds assume I'm a criminal simply because I encrypt my email, then they are not doing their job effectively.

    4. Re:Secure your email by Kadin2048 · · Score: 3, Interesting

      I have the capability of using both S/MIME and GPG for email (using Apple Mail, it's a matter of installing gpg, getting the Sente Software gpg addon for Mail, and getting a S/MIME certificate to activate the built-in S/MIME support), but overall I think S/MIME is probably better positioned to succeed in the marketplace. It's more idiotproof.

      As much as I really despise the centralized philosophy behind S/MIME and x.509, there's something to be said for avoiding the 'web of trust' models that lie underneath GPG as it's currently used, because most users just don't want to have to deal with it.

      Getting people to use encryption is always a tough sell, because most people, to be perfectly frank, lead lives that are so completely boring that nobody would ever want to read their mail, and they know it. Therefore, they're not going to expend much effort getting it working. Either it works all automagically, or they don't use it at all.

      I've yet to see a GPG implementation that comes as close to being foolproof as some S/MIME implementations (like Apple's), once you get the certificates set up. Once you've received a signed message from someone, you have their public key. Once you have that, the encryption button is magically enabled, and you can send encrypted stuff to them. Even Sente's Mail frontend to GPG isn't that easy to use.

      --
      "Ladies and gentlemen, my killbot features Lotus Notes and a machine gun. It is the finest available."
    5. Re:Secure your email by Ucklak · · Score: 4, Insightful

      Do I have anything incriminating in my email?
      No

      Do I care if they snoop in my email?
      Yes

      Will I encrypt my email because they're snooping?
      No - in the case of confidential messages, they have always been dealt with cryptically.

      Can I do anything about them snooping in my email - regardless if it's encrypted or not?
      Absolutely not

      Can we do anything about them snooping in my email?
      We can try

      I am such a low priority for them that as long as it doesn't disturb my day to day routine, I really don't worry about it. I don't even notice if they are even sniffing my packets.

      It's like being robbed in your home when you're out. It doesn't matter if you have an alarm system or not, if someone wants property of yours, they will get it.
      You can double lock your doors, put bars on the windows, pay for a monitoring service, or whatever, it will not stop a determined person from getting whatever they want to get.

      That hassle of behavior is not worth it to me. Supporting a group or honest politician to stop the snooping is worth the hassle.

      I'm not going to go downtown and walk across the street out of my way just to avoid the town crier (you know, every town has one, a crazy coot parked in the center of town that says the end of the world is coming). I will confront him if he confronts me.

      --
      if you steal from one source, that is plagiarism, if you steal from many, well, that's just research.
    6. Re:Secure your email by ArcherB · · Score: 4, Funny

      There's a strong argument to be made to encrypt specifically because you have nothing to hide.
      This is similar to the idea that you should not let the cops search your home without a warrant even though you don't have anything illegal inside. The more it becomes assumed that only the "bad guys" that are asserting their rights and/or privacy, the more likely such assertions will be thought of as indicative of bad behavior in and of themselves. If the feds assume I'm a criminal simply because I encrypt my email, then they are not doing their job effectively.


      Sure, but that is because having the police enter my house is intrusive. They track mud in, can drop anything anywhere and say that they found it there. That can't be done with email. Also, a warrant specifies exactly what they are looking for. Finally, items found in a house search are enough for prosecution. A quote from an email is not. Besides, these guys are not looking for prosecution, they are looking to identify and bust terrorism cells. They are looking to stop the next terrorist attack. They are looking to intercept supplies such as bomb making materials and replace them with something inert. Yes, an email will be evidence, but when it comes to terrorism, they require an open and shut case with multiple arrests. They don't want to pop you for looking for weed.

      If the feds assume I'm a criminal simply because I encrypt my email, then they are not doing their job effectively.

      I never said that. I said they would take a close look, wasting their time and doing MORE of what you didn't want them to do in the first place. If they can't get your email, they may listen to your phone calls. They may start tailing you. They may start investigating the people you email. Why? Because you thought it would be super cool spy stuff to encrypt your email to keep the evil G-Men out.

      Besides, even the SS didn't really need to eavesdrop. If they wanted information, they'd kick down your door, torture your little girl until YOU cracked, and put you on a train somewhere with a bunch of people with stars sewn into their clothing.

      --
      There is no "I disagree" mod for a reason. Flamebait, Troll, and Overrated are not substitutes.
    7. Re:Secure your email by Technician · · Score: 4, Insightful

      There is nothing incriminating in my email beyond sending stupid YouTube links to a buddy or bitching to the wife about who chooses whats for dinner.

      My stock trades are not incriminating either, but they are not sent plaintext. They are also not sent on my ISP mail servers. Sometimes data security is simply data security to prevent mis-use in the wrong hands. There is nothing incriminating, but my credit card order details are not to be made public.

      There is a reason to encrypt some sensitive data. ID theft of credit card information is just one of the many reasons.

      --
      The truth shall set you free!
    8. Re:Secure your email by slashqwerty · · Score: 2, Interesting
      I trot out this old quote from the postal museum in Washington, D.C.

      At the beginning of the new America, nearly all the news came by mail. When the Constitution was signed, it was rushed by post riders to every town that had a printing press. And that's how the newspapers were able to bring the resounding news of how we were to govern ourselves. The newspapers knew of it first by mail.

      In England, for centuries, the mail was frequently scrutinized by agents of the Crown or of the Parliament. It could be worth your life to write a letter that might be seen as having the seeds of treason. This did not happen here. From the beginning, by and large, the U.S. mails have been free of eyes other than our own and those of the sender.

      To the framers of the Constitution, the mail made the engine of democracy run--along with the newspapers. And newspapers then printed a good deal of correspondence. Rufus Putnam, a key military figure in the Revolutionary War, said, "The knowledge diffused among the people by newspapers, by correspondence between friends" was crucial to the future of the nation. "Nothing can be more fatal to a republican government than ignorance among its citizens."

      As a journalist, I have sometimes been asked where my leads for stories come from. Much of the time, they come from opening the mail. Readers from all over the country send personal stories, newspaper clippings, local court decisions, and student newspaper editorials arguing for the First Amendment rights of students. There is no other way I would have known about these stories except through the mail. It is through letters that I often receive highly confidential stories about unfairness in the justice system from people who would not trust any other form of communication.

      The framers of the Constitution knew how vital the mail would be when Article I was written to protect privacy of communication through the mail.

      Nat Hentoff is a columnist for the Washington Post and the Village Voice, and the author of Free Speech for Me, but Not for Thee. How the Left and Right Relentlessly Censor Each Other.

    9. Re:Secure your email by greg_barton · · Score: 3, Informative

      They track mud in, can drop anything anywhere and say that they found it there. That can't be done with email.

      You're kidding, right?
    10. Re:Secure your email by ArcherB · · Score: 2, Insightful
      And this part is the key:
      It could be worth your life to write a letter that might be seen as having the seeds of treason.

      George Bush is not going to have you executed if you look like you may be "seeding the seeds of treason". Hell, if that were the case, all he'd have to do is show up at an anti-war rally and shoot the people carrying the signs calling for revolution! Why bother paying Comcast? The King of England read mail to keep himself in power. The feds read mail to prevent a terrorist from killing hundreds, thousands or possibly millions of people while crippling the world's economies. One was a group of freedom fighters trying to gain independence and human rights from a dictator. The other is a government trying to save the lives of its population from those who want an oppressive religion based world government. To compare the two really isn't valid.

      Also, I could not find that quote you mentioned, although it seems more of an argument for freedom of the press than anything else. A search for the first paragraph only links back to an earlier slashdot post of yours. Although I'll go ahead and take what you say at face value, and it does seem to be something that Hentoff would say, but it seems odd that it's not posted anywhere on the web.

      I searched for the author and found this about Nat Hentoff from his Wiki page:

      "In February 2003, Hentoff signed a letter circulated by Social Democrats, USA advocating the removal of Saddam Hussein from power in Iraq on human rights grounds, citing reports detailing Hussein's disregard for fundamental liberties. In March and April of that year Hussein was deposed by a US-led invasion, launching the ongoing Iraq war. In summer 2003, Hentoff wrote a column for the Washington Times in which he supported Tony Blair's humanitarian justifications for the war. He also criticized the Democratic Party for casting doubt on President Bush's pre-war assertions about Iraq's alleged weapons of mass destruction in an election year."

      So I guess you are pro-life and support our presence in Iraq too?
      --
      There is no "I disagree" mod for a reason. Flamebait, Troll, and Overrated are not substitutes.
    11. Re:Secure your email by Jah-Wren+Ryel · · Score: 3, Insightful

      "Besides, these guys are not looking for prosecution, they are looking to identify and bust terrorism cells. They are looking to stop the next terrorist attack. They are looking to intercept supplies such as bomb making materials and replace them with something inert. Yes, an email will be evidence, but when it comes to terrorism, they require an open and shut case with multiple arrests. They don't want to pop you for looking for weed."

      Could you be any more naive?

      Just how many terrorist attacks have we had in the US? Why are you still knee-jerking on a crime that kills less people world-wide (including Israel) than drown in bath-tubs?

      As for "they require an open and shut case with multiple arrests" WTF are you talking about? Do you know how many people in Guantanamo are part of "open and shut cases?" NONE. Do you know how many were even "picked up on the battlefield?" Hardly more than 5%.

      How about the thousands arrested in NYC during the republican convention who were then just conveniently released without charges?

      Recent history is chock-a-block full of cases where OUR government abused civil rights - when they couldn't find something legit to bust someone for, they stretched to find anything to pin on them - like popping you for looking for weed.

      "I never said that. I said they would take a close look, wasting their time and doing MORE of what you didn't want them to do in the first place. If they can't get your email, they may listen to your phone calls. They may start tailing you. They may start investigating the people you email. Why? Because you thought it would be super cool spy stuff to encrypt your email to keep the evil G-Men out."

      Yeah, and if enough people do it then this goddamn fear-mongering will have to end because there won't be enough people in the world to take it to the next level for every one of them.

      "Besides, even the SS didn't really need to eavesdrop. If they wanted information, they'd kick down your door, torture your little girl until YOU cracked, and put you on a train somewhere with a bunch of people with stars sewn into their clothing."

      You make that statement as if it is some kind of justification to bow down to the man because he'll do whatever he wants anyway. You have got to be trolling, either that or you are some kind of Martin Niemöller wannabe.
      --
      When information is power, privacy is freedom.
    12. Re:Secure your email by shmlco · · Score: 3, Insightful

      "Getting people to use encryption is always a tough sell, because most people, to be perfectly frank, lead lives that are so completely boring that nobody would ever want to read their mail, and they know it."

      Or the flip side of the equation. Many are already placing anything and everything about themselves on MySpace and Facebook. With so much information already public and available, what's to hide?

      --
      Any sect, cult, or religion will legislate its creed into law if it acquires the political power to do so.
    13. Re:Secure your email by shawb · · Score: 3, Informative

      And I forgot to post a link to this article

      --
      I'll never make that mistake again, reading the experts' opinions. - Feynman
    14. Re:Secure your email by Kadin2048 · · Score: 3, Interesting

      "Can I do anything about them snooping in my email - regardless if it's encrypted or not?"

      This is where I think you are wrong. There is strong evidence to suggest that modern, widely-available encryption techniques provide a substantial barrier to snooping, and make the process of snooping far more difficult than it would otherwise be. It's certainly possible that someone has the capability of decrypting 2048-bit ElGamal or other modern PK encryption; if they do, it's a closely guarded secret, unavailable to the vast majority of would-be snoopers. (I.e., if the NSA does have some unimaginably powerful quantum computer in its basement, which I frankly don't think they do, they're only going to use it on very high-value targets; anything more risks revealing their capability. It's not a tool you could use for the most oppressive kinds of mass surveillance.)

      Therefore the aggregate effect of large numbers of people using encryption would be to render large-scale electronic surveillance systems useless, since they are only practical for plaintext traffic. (In fact, you don't really even need to be using state-of-the-art crypto; if everyone were using even keys that took a few days to break on a supercomputer, it would prevent most types of high-speed/real-time analysis and force authorities to take much more fine-grained, targeted approaches.)

      Your argument against taking an individual step to prohibit mass surveillance is the same argument that many people make against voting: your action, taken singularly, has virtually no effect. It is only as part of a group that it is significant. But just as many people deciding to vote the same way can change a government, a large number of people deciding to make the snoopers' jobs (even slightly more) difficult would quickly outpace their resources available for the task.

      I don't think the solution is either-or, personally. As concerned citizens, we need to vote. As people with technological knowledge and capabilities, we have a responsibility to not make it easy for those in power to abuse it, through our passivity.
      --
      "Ladies and gentlemen, my killbot features Lotus Notes and a machine gun. It is the finest available."
    15. Re:Secure your email by vertinox · · Score: 2, Interesting

      It's like being robbed in your home when you're out. It doesn't matter if you have an alarm system or not, if someone wants property of yours, they will get it.
      You can double lock your doors, put bars on the windows, pay for a monitoring service, or whatever, it will not stop a determined person from getting whatever they want to get.


      But in this instance it is like having someone in your house at all times who is allowed to go through your stuff at any given time for any particular reason. They aren't supposed to steal anything or do anything illegal to your home, but the thought of having them there and having that ability is what annoys me.

      As they say... Locks are there to keep honest people honest. When you don't have any at all or have someone on the inside who you can implicitly trust is when things get hairy.

      --
      "I am the king of the Romans, and am superior to rules of grammar!"
      -Sigismund, Holy Roman Emperor (1368-1437)
  2. How much it costs? by aeschenkarnos · · Score: 4, Interesting

    That's odd. I'd have thought it cost "do it or be fined/arrested".

    1. Re:How much it costs? by Burdell · · Score: 2, Informative

      IIRC, when a subpoena is issued for information from a third party, that party can charge a fee to cover the costs of gathering the requested information.

    2. Re:How much it costs? by the+unbeliever · · Score: 2, Informative

      Most law enforcement budgets have a clause for "emergency funding for investigative purposes"

      Comcast's charges don't seem unreasonable either, considering the amount of data they'll have to sift through to provide the information.

  3. The law doesn't protect you by MacDork · · Score: 2, Insightful

    The law doesn't protect you. You protect you. Encrypt.

    1. Re:The law doesn't protect you by Hijacked+Public · · Score: 3, Insightful

      Also buy a rifle.

      --
      "Sacrifice for the good of The State" - The State
    2. Re:The law doesn't protect you by megaditto · · Score: 2, Insightful

      And when they ask you for your key and you won't give them, they throw you in jail and keep you there. Already happened to a few people.

      --
      Obama likes poor people so much, he wants to make more of them.
    3. Re:The law doesn't protect you by arthurpaliden · · Score: 2, Insightful

      Funny, rifles do not seem to be protecting the Iraqi people....

    4. Re:The law doesn't protect you by buswolley · · Score: 2, Funny

      Then you offer to exchange keys.

      --

      A Good Troll is better than a Bad Human.

    5. Re:The law doesn't protect you by Eskarel · · Score: 3, Interesting
      Well it really depends on a couple of things, presuming that your encryption method of choice has no weak points (i.e. backdoors or algorithm faults) and P!=NP and the government doesn't have a quantum computer and factoring is indeed hard, then breaking your encryption basically involves a brute force approach. Since for most reasonable encryption methods these assumptions are valid (at least at the moment), we'll presume that brute force is the only way to crack it.

      They did a distributed computing project a few years back to break a 64 bit encryption method and it took them a little over 5 years. Most encryption keys these days are 128 bits or higher and every bit you add doubles the number of possibilities they'd have to check, so for 128 bit using the same level of resources brute force would take 92,233,720,368,547,758,080 years(assuming that the five years case was an average case). Computers are a lot faster than they were, but not that much faster.

      To sum up, if encryption works at all, no one is going to get in without knowing your password, and the shows are bollocks. That said some encryption algorithms do contain backdoors for the US government, and some algorithms are badly written (WEP for instance), P may equal NP and the US government will probably have a quantum computer as soon as they're available so YMMV.

  4. Misleading article by Anonymous Coward · · Score: 5, Interesting

    Complying with requests from "Law Enforcement" is quite a bit different from complying with requests to assist a US government agency with an anti-terror program. Local law enforcement is far removed from the latter.

    Is this an attempt to improve Comcast's poor reputation among /.'ers? They still haven't changed their undocumented policies related to bandwidth limitations on "unlimited bandwidth" accounts.

  5. Comcast high speed by gadzook33 · · Score: 5, Funny

    Internet, Voice, TV. All on one subpoena.

  6. Quick and Dirty Summary by value_added · · Score: 4, Informative

    Interesting read, especially considering the "Comcast Confidential" footer at the bottom of every page. That said, it's informative only insofar as it states there are laws to be considered, and makes clear the folks at Comcast insist on following them. Nothing in that document is very different than a typical publicly available TOS. Here's an excerpt:

    Generally, the following information, when available to Comcast, can be
    supplied in response to the types of requests listed below. Each request
    is evaluated and reviewed on a case by case basis in light of any
    special procedural or legal requirements and applicable laws. The
    following examples are for illustration only.
     
    - Grand Jury, Trial, or Statutorily Authorized Administrative Subpoena
    - Judicial Summons
    - Court Order
    - Search Warrant
    - Preservation Request/ Backup Preservation Request
    - Pen Register / Trap and Trace Device
    - Foreign Intelligence Surveillance Act of 1978
    - National Security Letter
    - Child Abuse
    - Emergency Disclosure

    As for the email policies referred to in the summary, Comcast does not store emails any longer than the subscriber chooses to keep them.

    Comcast's Webmail service permits customers to change their email
    deletion policies, but the current default settings are described below.
     
    - Inbox: Read Mail, no automatic deletion policy; Unread Mail, 45 day retention period
    - Trash: Read Mail, 1 day retention period; Unread Mail, 1 day retention period
    - Sent Mail: Read Mail, 30 day retention period; Unread Mail, 30 day retention period
    - Screened Mail: Read Mail, 3 day retention period; Unread Mail, 3 day retention period
    - Personal Folders: Read/Unread, no deletion policy
    - Popped Mail: Deleted immediately from web mail servers

    Put another way, Comcast doesn't store your emails. You do.

    1. Re:Quick and Dirty Summary by Technician · · Score: 2, Informative

      Doesn't matter, Vonage and all VOIP Providers must be CALEA Compliant or huge fines are given.

      correction Vonage and all US VOIP Providers must

      There, fixed it. From your link..
      "The Communications Assistance for Law Enforcement Act (CALEA) is a United States wiretapping law passed in 1994 "

      Vonage is US based. Where is Ekiga which ships with Ubuntu based?
      http://ekiga.org/index.php?rub=3&pos=0&faqpage=x149.html
      "1.1.4. What is it compatible with?
      Ekiga is compatible with any software, device or router supporting SIP or H.323. It includes SwissVoice, CISCO, SNOM, ... IP Phones, but also software like Windows Messenger, Netmeeting, SJPhone, Eyebeam, X-Lite, ... or also the Asterisk popular IPBX, as well as any other commercial or Open Source IPBX."

      How many of these supported services are directly under CALEA?

      Vonage may be CALEA Compliant. Not everyone is under US rule. Not all VOIP service is commercially provided.

      --
      The truth shall set you free!
  7. Yay for Viral PR by vprasad · · Score: 2, Interesting

    Yay for viral PR provided by Comcast... nice handbook... how much different is it from the "real" handbook?

  8. Cox by DanielBoz · · Score: 2, Informative
  9. Clarification please... by shaitand · · Score: 2, Insightful

    'and cable records can only be retrieved upon a court order'

    Are they saying that Comcast will hand over identity and ip records WITHOUT a court order? The only 'balanced' policy would be to turn over nothing to law enforcement without a court order and even then to oppose the order if possible.

  10. Comcast's words are compared to others' actions by dpbsmith · · Score: 2, Interesting

    "All of Comcast's policies seem to follow the letter of the law, and seem to weigh customer privacy with law enforcement's requests. This is in apparent contrast to AT&T and a number of other telecommunication companies, which have been only too happy to give over subscriber records."

    Apples and oranges. "Monk" is comparing Comcast's words to AT&T's actions.

    It's nice to know that Comcast is able to write a policy manual that follows the law, but surely a written policy telling employees to break the law would trigger a minor scandal.

    Anyone who's ever been in a large organization is familiar with lip-service CYA written policies.

    How seriously does Comcast take this policy? Do they give training sessions to the people who need to implement it? Do they back up or undercut the people who go "by the book?"