Will ISPs Be Driven To Spy On Their Customers?

bs0d3 writes "In regards to the new 'voluntary' graduated response deal (where no one really knows how ISPs will track and accuse customers of copyright infringement), according to CNN, it may be the ISP directly spying on their customers. 'But now that they're free from individual blame, there's also the strong possibility that the ISPs will be doing the data monitoring directly. That's a much bigger deal. So instead of reaching out to the Internet to track down illegally flowing bits of their movies, the studios will sit back while ISP's "sniff" the packets of data coming to and from their customers' computers.' This could be a problem for people who use U.S.-based internet services. If the U.S. wants to be an internet savvy country, they still need the competition in the marketplace that's always been missing, and a digital bill of rights that isn't a sneaky anti-piracy measure."

short answer

[roman_mir]

yes

Re:short answer

[game+kid]

Though it seems like an exception to that headline law, it doesn't count because we already knew they already spy on us or allow direct use of their facilities to do so.

Just use SSL for everything

Computers are fast enough... there's barely any CPU overhead anymore.

Re:Just use SSL for everything

[The+Master+Control+P]

Do they also block access to all other DNS servers?

In any sane world this would be sarcasm, but you never know these days.

Re:Just use SSL for everything

[nurb432]

Perhaps, ( not a TW customer ) but that isn't really what the subject was about. Encryption would prevent spying on arbitrary data transmission.

Preventing access to 'unauthorized addresses', that is a different discussion.

Re:Just use SSL for everything

[amiller2571]

I have Time Warner and I used to use their DNS, but I had trouble with them not resolve some IP addresses. I switch to Google DNS and now I have had no trouble at all.

Re:Just use SSL for everything

[DarkOx]

I think most ISP have enough common sense not to try that. All it would take is for some 3rd party DNS provider to stuff a NAT statement into their iptables such that 80 -> 53. Doing DNS on TCP is not to much overhead for modern hardware.

At that point they'd have to start doing inspection to make sure all 80 traffic looks like http. That would even get somewhat more complicated if the SSL port were used. Its game over once people implement local stub DNS resolvers that actually call a web service somewhere over https to do queries.

Unless ISP are prepared to essentially deploy Websense or something like it with SSL intercept and block any protocol including VPNs etc, that is not http, https, possibly ftp, and does not appear to some other protocol implemented on top of those its impossible. I don't think consumers would stand for it.

*What do mean I can't connect to my companies VPN?
*WOW and all my old games wont work any more, I have to buy new ones that use webservices and have shit latency thru your proxy!
*No more VOIP

That dog won't hunt.

Re:Just use SSL for everything

[Jane+Q.+Public]

That's quite true. However, your traffic is STILL going through your ISP. There literally isn't any way around that.

Which is precisely why we must not allow ISPs to monitor.

Finally,

[SuricouRaven]

Freenet will get more users!

You mean they don't do it already?

[stanlyb]

Really? Anyone? Really believes that the ISP are protecting you? Your privacy? With claws and fangs?

Re:You mean they don't do it already?

[ATMAvatar]

I don't think anyone believed that many (if any) ISPs were fighting the good fight, as it were. The assumption was more that ISPs are typical businesses, which do not incur costs unless required to do so. Setting up infrastructure and staff to monitor subscriber traffic costs money and effort. Without some well-defined, monetary gain in doing so, ISPs simply won't bother.

So to answer your title - no, most ISPs probably haven't monitored traffic already, because it was a waste of time and resources to do so.

Re:You mean they don't do it already?

[Kjella]

Really? Anyone? Really believes that the ISP are protecting you? Your privacy? With claws and fangs?

No, I think they're covering their own asses by making sure they know absolutely nothing about anything I do or don't do. If they start flagging copyright infringements for one company I'm sure they'll get sued by a bunch of other companies for secondary infringement or criminal negligence or being co-conspirators as they let all the other infringements pass. And not just copyright infringement but everything else too, the user is sending SPAM and they let it pass? Sue the ISP. Internet fraud? Sue the ISP. Hacking? Sue the ISP. If anyone can show the ISP "knew" the customer was doing something illegal but continued the subscription to turn a profit, they could get in all sorts of legal shit. Either you're reading the bits or you're not, you can't both do that and claim ignorance at the same time.

Re:You mean they don't do it already?

[hot+soldering+iron]

Actually, at the last local industry expo I went to, the Sonicwall rep told me about their really new, really expensive, ISP grade router that came complete with deep packet inspection, white and black lists, and real-time data stream analysis. So I could push it to my clients to "stop those pirates downloading warez and movies".
Companies don't spend any more than they have to, true. But smart companies plan for shifts in the market, and having to spy on their users definitely is a market shift. Buy the equipment now, use the increased capabilities to make happy customers, and have the gear halfway amortized when the spying mandate comes down. Profit!

Re:You mean they don't do it already?

[stanlyb]

Except if they want to force you to not use your bandwidth, or your cap limit, or this or that site that are producing a lot of traffic, or with other words, the ISP business is the only one that does not give 100% of your speed, and does encourages you to NOT use your cap limit. In fact, it is even worst, when they promote for example 3MBs, with 30GB limit, what they mean is that the regular Joe would use only 1/10th of this speed and only 1/10th of this limit. As a result, if their cable has the maximum capacity of 3MBs, then they will sell this same speed to 10 customers (with the hope that it will work out....somehow).
And yes, in most cases it WORKS. But as the users become more and more computer savvy, and are demanding more video and audio, and more Netflix like services, the final result is that this approach DOES NOT WORK OUT anymore.
So, to answer your question, what a sane business entity as ISP could and would do in this case?
1.Monitor the traffic and do anything possible to throttle down the "bad" users.
2.Upgrade their network.
Please, don't answer me, we all know the answer...

Re:Free Market, Informed Customers

[Mycroft_VIII]

That only works when you have more than one to choose from. Where I am at you have the cable monopoly and AT&T who couldn't even keep dial-tone service working 3 days in a row let alone dsl (which caps out at 128 up 768 down!).

Mycroft

Why?

[Mathias616]

I can understand why the RIAA and MPAA would be interested in this happening, by why would an ISP want to do this? The act of monitoring the activity of their customers requires a lot of dedication to packet capturing and inspection which would cost a lot of money. From a business standpoint, embarking on this conquest to monitor every single customer is a bad idea because no revenue will be generated by doing this. The only reason I can think of for ISP's to do this is that they are being paid to do so by the RIAA and MPAA, that is the only way they would spend money on this program when it does not generate more revenue from their customers. So what is happening here is two big industries are paying members of another industry to violate the privacy of their customers for financial gain. I wonder where we will see this next if this succeeds. Perhaps the porn industry will pay ISP's to track their customers porn habits so that they can effectively market to those individuals. There is a wide variety of possibilities so long as they isn't illegal. You could argue that pirating is illegal and that is why this differs from other situations, but who the hell made the RIAA and MPAA into legal institutions? They aren't getting court orders to have ISP's snoop on customers, there is no court system here.

Short answer: No (the correct answer)

[gavron]

Fact:
First, there is no law requiring any action on the part of any ISP.
Disclosure: I participate in running an ISP, but not one of the ones involved in this.

Fact:
Some large national carriers have agreed to do some things. "Agreed" and "partnership" have no legal meaning. "An agreement is yet to be signed." is in the OP's link and that gives us an idea that in the future there MAY be an agreement. For now, should it happen, it's voluntary.

Fact:
No law of any jurisdiction in the United States currently requires any ISP to provide any content monitoring. The only requirements close to that are to allow Law Enforcement access should they have the right to it -- CALEA.

Opinion:
It would be counter to the AOL decision (Zeran v AOL) that an ISP is responsible for either monitoring content, taking action based on content, or being liable for content or failing to take action based on content. That's a fourth-circuit decision that makes it likely that any ISP that doesn't want to join the "partnership" with the MPAA/RIAA can easily not opt-in to their program. Note that I didn't say "opt-out" because that would beg the question of whether there's a requirement to join.

Looking forward, I can guess that our "friends" in the MPAA/RIAA will continue their program to CHANGE THE LAW through spending lots of money, lobbying, using the influence of former senator Dodd, etc. If they can get the law to require ISPs to do so, and thereby trump the 4th circuit's AOL decision, then there will be a concern.

However, as Sonic.net's CEO Dane Jasper said ISPs should keep as little logs as possible, preferably under two weeks. That would make it difficult unless they are doing real-time DPI, analysis, investigation, and sending out C&D letters for any of this to have meaning.

While the resources necessary for ISPs to provide access under CALEA are minimal ("Here's your Ethernet port, have a nice day, Feds") the requirement to do DPI for hundreds of gigabits-per-second of data is beyond onerous -- if even achievable. Consider -- it's not just that an ISP has to monitor their "upstream" pipes, but also customer-to-customer. The amount of bandwidth inside each ISP's core is immense.

Sorry to be long-winded, but having read the other responses, I see a lot of D&G and nay-saying. I agree that the landscape is pretty harsh, and the earth is getting scorched. I see hope because I see that we have defeated SOPA, PIPA, ACTA, (and yes I know the TPP is still alive) and we can likely continue to teach our congressional non-representatives that when the majority of the country doesn't want something ... it's likely not something they should support in our name.

Ehud

Re:Short answer: No (the correct answer)

[jftitan]

If I had any point, I would have given them all to you in some form or fashion. Thanks for your input, and you clearly have insight as to what this 'agreement' really means.

  I have heard random opinions about this situation, and most of them resemble your opinion as well. ISP will not be directly monitoring User's traffic, do so, violates a few other laws in palce. the AOL case, is a prime example WHY we will not have ISPs jumping onto the bandwagon to help MPAA/RIAA prosecute customers. From a business perspective, it would be detrimental for ISPs to be caught "snitching' on their users.

  The moment a ISP is labeled as a 'snitch', customers may change in droves to competition, thus killing a ISP in the process. I highly doubt this, because if Warner Brother wanted to go after its viewers and customers, then Time Warner would have been sending notices of impending doom to customers long ago. When ISP are forced to monitor customers' traffic, it will be FORCED. Non-compliance would result in fines, and penalties from the Government. Currently the government isn't the group of people trying to punish others right now.

Again this is about partnership. MPAA/RIAA being allowed direct investigation connection through the ISP. With this passing, it would only cheapen the process in which the RIAA/MPAA uses to catch users and send infringement letters.

The US is not a free market

[Darkness404]

That is all well, but the US is not a free market when it comes to ISPs because the government gave out massive amounts of moneys to large corporations to "modernize" the US which means that in many areas there are only 1 or 2 ISPs, both megacorporations and no other ISP can compete with them either by law or because they already had such a large competitive advantage by having all the infrastructure basically paid for by theft (taxes). We need to not make this mistake again and cut off all taxpayer support to ISPs and other private companies in order to allow the free market to work, otherwise you have a mess like we have today.

Re:The US is not a free market

[SuricouRaven]

Even absent government-granted monopoly, ISPs are a perfect example of a natural monopoly: Once one ISP has an area cabled up, it's no longer financially viable for another to move in. They'd have the huge up-front wireing cost only so they could compete with an incumbent.

Re:The US is not a free market

[amiller2571]

When it comes to cable internet, in my area we only have Time Warner. I hate them with all my hart, they charge out the ass for crappy speeds. I know some people who are play they same amount as I am and have 4 to 5 times the speed.

Re:The US is not a free market

[sqrt(2)]

Which is why the physical infrastructure should be nationalized and leased by the government to private businesses who must then compete with each other. This would lower the barriers to entry and open up competition. And laying all that fiber will create a lot of jobs too.

Re:The US is not a free market

[Jane+Q.+Public]

"Once one ISP has an area cabled up, it's no longer financially viable for another to move in."

That's why some smart communities have decided to let the city or county build the cable infrastructure, using tax dollars. Then they rent the infrastructure to data providers.

Not only do they save money, they are not subject to coercion by monopolies.

Re:The US is not a free market

[Jane+Q.+Public]

Agreed. But it is hard to explain how this works to people who are not familiar with the concept. They tend to think it is a "government takeover" of private enterprise and/or property.

There is a very high correlation (outside the U.S., which hasn't tried it so it's irrelevant) between regions that have required leasing of backbone bandwidth, and those that have not. Those that have mandated sharing deliver remarkably high bandwidth at astoundingly low prices, compared to those that do not.

So, although it seems counter-intuitive to many people, mandating the sharing of the infrastructure actually promotes free-market capitalism. And I'm all for it. We just need to kick some Congressional asses and get it done.

Re:USPS

[Darkness404]

The difference is the USPS is a government sponsored monopoly where legally you cannot compete with them. If they decide to increase the price of stamps to $15 a piece, they can do that and there's not much that anyone can do about it since it is illegal to deliver mail except by the USPS.

In fact, a guy named Lysander Spooner made a competitor to the US post office called the American Letter Mail Company, it did everything better than the USPS, faster delivery, cheaper rates, less waste, etc. but it was shut down because of the monopoly that the USPS has.

ISPs are not the same. While arguably many have monopoly status due to the fact that the government gave them massive amounts of money to "modernize" the US, there is nothing preventing me from starting a better, more privacy friendly ISP aside from the startup costs.

Re:USPS

[SuricouRaven]

Big startup costs. Unlike in Europe where our regulators can to some extent compel it, no existing ISP is going to let you use their cables - so you'd have to get roads dug up and cable laid. After which you are left competing with an incumbant, so you're already at a disadvantage: Switching ISPs is a hastle, and people already on the established provider will need a very compelling reason. You are free to start up your own ISP - but only a fool would invest in it.

Wheres the beef?

[WaffleMonster]

The CNN link is an opinion piece where the author dreams up a scenario of ISP content inspection not supported by any external evidence.

I can sit on my lazy ass all day and dream shit up too. This does not mean I should be expected to be taken seriously.

Where is the actual evidence this is being implemented or even seriously contemplated by any stakeholder?

In the interim I'm just going to sit back and wait for the lawsuits to start flying against ISPs for cutting off their paying customers without due process.

That's only one front

[no-body]

The other is the back-doors on every incoming hub http://www.cablemap.info/

Re:Free Market, Informed Customers

[cheekyjohnson]

I have plenty of choices. Let's see... Comcast, Comcast, and Comcast! Oh, and Comcast, too! Unfortunately, AT&T isn't in the area yet, but there are still plenty of choices!

would cost a lot of money

[nurb432]

That just gets passed along to the consumer.

CALEA DOES apply to ISPs and Internet Comm.

[gavron]

CALEA applies to Internet communication.

Pen/Trace - asking for email headers and IP headers but not content.
Full detail - asking for actual dump of bidirectional communication from a specific IP address or address-range.

See ISPs can be requested to forward all traffic...
or a company that helps ISPs comply...
or this has been a law since 2007...

To find these things check out this link.

Fact: I appreciate your copying my style. However, when doing so, please ensure that after the word "Fact:" comes a fact.

Ehud

Re:CALEA DOES apply to ISPs and Internet Comm.

[Jane+Q.+Public]

I appreciate that you appreciate my sarcasm.

However, my comment assumed the CONTEXT that you used in your own comment; your reply abandoned that context.

Fact:
No law of any jurisdiction in the United States currently requires any ISP to provide any content monitoring. The only requirements close to that are to allow Law Enforcement access should they have the right to it -- CALEA [askcalea.net].

According to the EFF (which has actually been involved in litigation of this matter, and is a source I trust far more than your liberal University professors or journalists), CALEA does NOT require monitoring of content, which was the matter under discussion. CALEA only requires recording of header data: times of activity, etc.

But the context here was CONTENT, which you seem to have forgotten in your reply.

CALEA does not apply to internet CONTENT, at all. It does not, in itself, allow Law Enforcement monitoring of the content of internet traffic. It DOES allow that for telephony.

From the EFF website: "CALEA requires communications carriers to be capable of providing both "call-identifying information" (CII) and call content to law enforcement. In the circuit-switched world of traditional telephony, the meaning of CII was clear: telephone numbers are CII, and the conversations are content. But in the packet-mode world of the Internet, communications are encapsulated (see 16 below â" link), and each protocol layer is associated with different "signaling information." Whether a component is "signaling information" or "content" depends on which layer is reading it. Thus CII on the Internet is not a clearly defined concept, although it is in traditional telephony
...
Law enforcement is now attempting to broaden CALEA by requiring communications service providers to design their networks to make it easy and fast for law enforcement to perform wiretaps, pen-register, and trap-and-trace surveillance on a large number of people."

In simple terms: it ain't done yet. And maybe it never will be.

Enough Please

[gavron]

This so off-topic as to be absurd.

Jane Q Public: You wrote "Fact: CALEA applies only to telephony; to date, it does not apply to the internet at all. "
Note: You didn't say "content" but later you clarified you meant it in context to imply content.

That's fine. Now go back and read my response where I pointed out that Federal agencies HAVE and DO request
[with court orders] pen/trace on email headers and IP packets.

I also appreciate that you labeled the three links I gave and a google search result (which has many more)
as "liberal University[sic] professors and journalists" but your ad-hominem attack only detracts from any claim you might have.

I know the EFF is wonderful, and I support them financially and use their 4th am. packing tape to seal my packages.
Unfortunately your lack of knowledge and insisitence that the EFF is the only source of knowledge despite "liberal
University[sic] professors and jounralists] is of no positive value in this discussion.

Finally, having personally been presented these court orders (and no, these were not National Security Letters;
these were plain old "Tap this, send us this" orders) by US three-letter agencies, I know it to be fact.

Stick to the facts, maam*.

E
* The real facts, not opinion, not ad-hominem attacks, not straw-man arguments, not anything.
My goal was to prevent disinformation -- THE EXACT THING YOU ARE NOW DOING. Stop it please and go time out.

Re:Deep Packet Inspection Is Illegal

[1s44c]

Yes, it's a different situation, but that does not change the law. Deep packet inspection is illegal. It doesn't matter WHY you are doing it, unless it's called for by a judicial warrant.

You misunderstand. It's illegal if You or I do it, it's not illegal if any part of the government does it.