Stories
Slash Boxes
Comments
Search

News for nerds, stuff that matters

Slashdot Log In

Log In

Create Account  |  Retrieve Password

Which ISPs Are Spying On You?

Posted by kdawson on Mon Jun 11, 2007 06:24 PM
from the what-do-they-keep-and-how-long-do-they-keep-it dept.
Privacy
firesquirt sends us an article from Wired about a survey they conducted to determine major ISPs' data retention and other privacy practices. Over a period of two months, four national ISPs would not give Wired the time of day; and another four answered some of their questions in a fashion not altogether reassuring.
+ -
story
This discussion has been archived. No new comments can be posted.
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.

Which ISPs Are Spying On You? 50 Comments More /

 Full
 Abbreviated
 Hidden
More
Loading... please wait.

  • All of them (Score:2, Informative)

    by Anonymous Coward
    All of them (in the US) are spying on you, thanks to government data-retention requirements. Y'know, in case a turrist or pedophile happens to use the intarwebs.

    • Re:All of them, DUH - NO. Some do the right thing (Score:5, Interesting)

      by enselsharon (968932) on Monday June 11 2007, @09:07PM (#19473299)
      Although not an ISP per se, my offsite backup provider publishes a warrant canary:

      http://www.rsync.net/resources/notices/canary.txt [rsync.net]

      In addition to a stated policy of "No data or meta-data concerning the behavior of our customers or filesystem contents will ever be divulged to any law enforcement agency without order served directly by a US court having jurisdiction. All such orders will be reported to our entire customer base."

      You should read their philosophy page [rsync.net].

      • Re:All of them, DUH - NO. Some do the right thing (Score:4, Informative)

        by RDaneel2 (533639) on Monday June 11 2007, @09:41PM (#19473521) Homepage
        "... All such orders will be reported to our entire customer base."

        Ummm... dream on about this part (at least), as "Patriot Act"-backed demands (with or without a warrant) can forbid the disclosure of said demand.

        And while an especially conscientious service provider might insist on dotting i's and crossing t's, it is doubtful any of their personnel (or bosses) will be willing to be jailed as a "terrorist". :(

          • That is what the canary is for (!)

            Read this again:

            rsync.net warrant canary [rsync.net]

            If they are served with a secret warrant, they simply stop updating the warrant canary...

            Which, since everyone knows what it means, effectively functions as a way of disclosing that they've been served with a warrant demanding nondisclosure. I hope they're not relying on whatever lawyer told them that this was a good idea to bail them out after the fact, or they may be in for a rather rude surprise.

            • Sort of. But it's an interesting idea. The law *does* prevent them from stating that they've been raided, in certain situations anyway.

              But does the same law have the power to force them to continue publishing signed lies ? That's what they'd be doing if they continued to claim that they have never been raided after they where indeed raided.

              I don't know enough US-law to know the answer, but atleast it's not obvious that it wouldn't work.

      • TOS aside, you still can't trust your ISP. They may be gagged, or commandeered by the law (or illegally for that matter). Think Echelon, Carnivore, etc. Trustno1 is not just a password, my friend!

    • Over a period of two months, four national ISPs would not give Wired the time of day

      So? BFD. I wouldn't give Wired the time of day, either. Wired had promise in the last century, but is nothing more than a hybrid of Ars Technica and People Magazine.

      In spite of what the people at Wired think of themselves, they're not the New York Times, or any other news organization with a 100+ year track record of journalism (recent gaffes notwithstanding). They're just a garish tech fanboi rag, and not even a goo

  • in EU this is mandated by the government... (Score:4, Informative)

    by Anonymous Coward on Monday June 11 2007, @06:37PM (#19472227)
    Actually, in the European Union, such spying practices are _mandatory_.

  • Noisy clickstream (Score:5, Insightful)

    by mstrcat (517519) * on Monday June 11 2007, @06:42PM (#19472265)
    Here's an idea: Develop a web browser extention that does a random web crawl. I don't mind letting my ISP sell marketeers, give to the government, keep on file, ect a clickstream that is 99% chaff and 1% my actuall surfing. Yes, I realize that if someone puts in enough effort and analysis, they could probably sift out the false signal, but it's that very effort that makes it cost prohibitive to do it across a broad scale. And of course there is always the defense: I didn't visit that web site, my computer constantly does a random walk of the internet. And to help keep the ISPs in line, it ups the volume of records they have to keep by 500 fold.
            As for the other things such as IM's, emails, torrents, ect I can encrypt those should I feel the need. Yes, I could start using TOR, but it's slow and watching a web crawler do a random walk can be entertainment all by itself.

    • Re:Noisy clickstream (Score:5, Funny)

      by mh1997 (1065630) on Monday June 11 2007, @07:20PM (#19472563)

      Here's an idea: Develop a web browser extention that does a random web crawl
      It would be my luck that my browser would hit every child porn site on the web.

    • Re:Noisy clickstream (Score:5, Informative)

      by Anonymous Coward on Monday June 11 2007, @07:20PM (#19472567)
      Already done (see here [nyu.edu])

      Also see Bruce Schneier's opinion on the matter [schneier.com].

      In short, it isn't a good idea.

      • Re: (Score:2, Informative)

        by chrono13 (879557)
        TrackMeNot isn't designed to hide your searches from your ISP. It is designed to muddy the profiling Yahoo, MSN and Google are performing. Recent versions of it seem to perform that job fantastically and address most of Bruce's concerns (word list, timing, etc). So while it would hinder, to a degree, it is the fact that it really does not erase or otherwise really hide my legitimate searches from my ISP or work proxy, that I do not use it. But most of Bruce's concerns are no longer valid.

    • but it's that very effort that makes it cost prohibitive to do it across a broad scale

      That's a good idea. Poisoning the data well.

      I'm wondering if a secure proxy would defeat your ISP's snooping? For some reason I was thinking it's possible to snoop https traffic. Difficult, but possible. It would certainly be a pain the rear and an ISP would need a good reason to go to all the trouble. Especially with so many, many people who wouldn't bother. All the search engine would have is the proxy IP, all

      • Re: (Score:2)

        by 1u3hr (530656)
        And to help keep the ISPs in line, it ups the volume of records they have to keep by 500 fold.
        Install filter before logs are made. Problem solved.

        Filtering a log pretty much makes it useless as evidence. Though the Feds can just disappear you regardless of legal procedure these days.

  • ISP's fearful of RIAA/MPAA? (Score:5, Insightful)

    by planckscale (579258) on Monday June 11 2007, @06:43PM (#19472277) Journal
    So ultimately the ISP's are afraid they'll be fined or shut down due to the negligence of the users and/or refusing to submit evidence? I just don't understand how a user's nefarious actions could be blamed on the ISP...

    I would think all they need to do is show they warned their users they are 1. being watched 2. downloading illegal data. Actually providing the authorities with a history of the data is not their job and should only be the acquired by the authorities with their own equipment and only under a court order.

    At the least the ISP's should give their users the ability to opt-out of their "data retention" programs.

    • Re: (Score:3, Interesting)

      by element-o.p. (939033)
      There's a little more to it than that.

      Most ISPs assign dynamic IP addresses to the majority of their customers. Where I used to work, we used RADIUS to provide dynamic IP addressing to our customers, and we would keep logs that would let us determine which customer had any given IP address on any given day and time. This data was used to help troubleshoot customer login problems, resolve billing disputes with customers, suspend and/or warn customers who had violated our terms and conditions of use, and

      • Re:ISP's fearful of RIAA/MPAA? (Score:4, Insightful)

        by number11 (129686) on Monday June 11 2007, @09:57PM (#19473593)
        However, we absolutely, positively refused to provide subscriber information without a court order of some kind, however. I would like to think that most ISPs operate to the same standards we did

        I would like to think that no ISP would ever spy on me or keep records of my activities. I would like to think that no ISP would provide data without a court order. Unfortunately, what I would like to think bears little relation to what actually is. And my understanding is that the (US) government no longer requires a court order to demand such things.

  • Rogers Slogan is "Don't be not evil." (Score:4, Informative)

    by CheeseburgerBrown (553703) on Monday June 11 2007, @06:46PM (#19472311) Homepage Journal
    My Canadian ISP, Rogers, is not on the list but if I were to hazard a guess I'd reckon they'd sell my tracks six ways from Sunday as soon as sneeze.

    These are, after all, the goons who think just about any kind of encrypted traffic coming out of your box is a terrorist threat to the movie industry -- even if it's just a VPN connection.

    Does anyone know what Rogers retention policies actually are?

  • Sure... We spy..... (Score:3, Funny)

    by bagboy (630125) <neoNO@SPAMarctic.net> on Monday June 11 2007, @07:06PM (#19472479)
    because as a Sr. Network Eng for an ISP with thousands of users I have oh so much time to devote to tracking down every website you visit. Please, even if packet sniffing and tcpdumps are used, most ISPs can't afford manpower for intensive tracking... Maybe the big ones, but medium to small...
  • Its time to encrypt EVERYTHING. ( at least until the government bans it )

    Sure they know where you went, but not what you viewed or 'said' while there.

    • Think about that... (Score:5, Insightful)

      by Ungrounded Lightning (62228) on Monday June 11 2007, @07:43PM (#19472771) Journal
      Its time to encrypt EVERYTHING. ( at least until the government bans it )
      Sure they know where you went, but not what you viewed or 'said' while there.

      Back when I was operating a mailing list on a controversial topic on my home machine, I had a couple rules:
        - No postings soliciting or admitting to breaking laws.
        - No encrypted traffic (not just on the list: All traffic (except passwords) to-from the machine was in the clear).

      The thinking was like this:

        - Police, other government investigative agencies, and various unofficial snoops have a long track record of ignoring laws against various kinds of eavesdropping. So you have to assume that the line might be tapped.

        - If the police became interested they could always get a warrant and tap the line. (Or illegally tap the line without a warrant to see what's going on, then (if it looked interesting) get a warrant to tap it legally.)

        - If the data was encrypted they could STILL get it - by getting a warrant and seizing the computer (and everything else of interest in the house).

        - If the data was UNencrypted they would want to keep a low profile to avoid scaring off any "bad guys", would eventually see that there was nothing to go after, and thus would probably switch to hunting real bad guys elsewhere and go away WITHOUT breaking in and trashing stuff.

      "Encrypt everything" seems like a nice solution. But if only a few are doing it, just the fact that their traffic is encrypted makes them targets. It's easy to trump up enough stuff to get a warrant and go after the machine.

      Once a LOT of people are all swapping lots of encrypted traffic (as the default way of "sealing" the "envelope" on the datagrams) the fact of encryption will stop making the users targets. (The police can still get a warrant and grab the machines. But with so many potential machines to grab they'll have to find some other way to pick the ones to hit - like by bothering to dig up real "probable cause" from other evidence, like they're supposed to.)

      Fortunately we don't need to construct a "shelling point" for this: The internet is gradually moving toward pervasive encryption, as the legitimate need to encrypt for personal and corporate security becomes broadly understood. Once that becomes the norm our electronic "papers" will be about as secure as our physical ones. We're starting to get there. But IMHO we're not there yet.

      Unfortunately we WON'T be fully safe using encryption until the typical machine configurations are such that, if the machines are seized, it will be impossible to recover incriminating data from them - even with passwords browbeaten out of their owners. Until that time it will still be useful to bypass encryption by raiding one of the machines at the endpoints.

      = = = =

      Re the list and "no encrypted traffic": When one of the regulate-the-internet laws was about to make it too much hassle to continue, we closed down the list (after finding volunteers to run its successor and - since the participants hadn't agreed to have their info forwarded - announcing the successor on the original list and giving people time to sign up.

      Now I regularly use SSH to telecommute or to access the primary house machine from the vacation house. But that's still low-profile: It's clear from the IP addresses that the SSH connections are going to the company, coming from it, or coming from a single external dialup machine via a particular service provider.

    • sAKafdfDds6SFALGI5as4fdf564saDDdaASDSsdaf (Score:5, Insightful)

      by digitalderbs (718388) on Monday June 11 2007, @07:55PM (#19472873)
      fdD87d

      64F5F6sAS4Dd46KJfUYd0NsafH54UJ6Y35U135KdYUsU1Jf35W Q544ASdf455saSA1dfF3AS5D5WQsEa5dr413L50fSAdDsA3QW5 DsfDfdALJd99AD09asdfK9J00aUIOsdfOU9I0dIaOU46IOsCVd Xf61S DF325eLJw5LKljLk3kjl18dfaw3F3DSADFsdfYDOewrs313aSS dfADuy5SA135D1H155yipHoiSDAjnkml51151LHHkmfSASd217

      JD3hFdJf8o

      SD45uio5K2o

    • Re: (Score:2, Insightful)

      by Eli Gottlieb (917758)
      It would certainly help if many websites (including Slashdot) didn't refuse logins or postings from users running Tor.

  • IRC logs (Score:3, Interesting)

    by Tribbin (565963) on Monday June 11 2007, @07:24PM (#19472595) Homepage
    Slightly offtopic, but ...

    I seldom spend time on IRC.

    Two weeks ago I was on #debian.

    I asked the people if the conversations get logged.

    Nobody present could tell me.

    Is there a place when you can look up such things?

  • AOL (Score:5, Funny)

    by Shadow Wrought (586631) * <shadow.wrought@g ... m minus math_god> on Monday June 11 2007, @07:26PM (#19472611) Homepage Journal
    Even though I never had an account with them, for the longest time they always seemed to know where I lived because they kept sending me CDs. Spooky.
  • Aren't there VPN ISPs that terminate in neutral countries that can circumvent spying?

    • Re: (Score:3, Informative)

      by cswiger (63672)
      Um, the point of a VPN is to set up a secure tunnel to get to your destination network with the traffic encrypted en route, so it doesn't matter whether your ISP is snooping on your traffic or not. Now, if you wanted to host your destination server or network somewhere like Canada or someplace with less intrusive government monitoring, that might well be a good thought.

      The problem is that the US via CALEA is requiring things like Cisco routers used to terminate many VPN connections be wiretap-friendly, so

      • Re: (Score:2)

        by Joe U (443617)
        Actually, I was describing a VPN system where you terminated in some country that doesn't have rules like CALEA.

        So, I would tunnel to a friendly country like Sealand (example) and send all my packets out from there.
  • ... consider what your reaction to this is going to be.

    Suggested Search terms:
    "Well damn, if I look at crack sites, am I going to be busted for attempted piracy" when I was really looking for a download 30 trial of autodesk Inventor 2008. Its also interesting that directly after the last law related passed, all crack sites are asking for some small amount of payment --- so as to verify identity....

    I'm absolutely certain that search terms can be made to communicate to the spys well enough to cause a "MAD - S

  • Time of Day (Score:2, Funny)

    by Anonymous Coward
    four national ISPs would not give Wired the time of day
    What, they blocked port 123?

  • 010000100110100101101110011000010111001001111001 (Score:4, Funny)

    by Barkmullz (594479) on Tuesday June 12 2007, @03:35AM (#19475269)
    01000011011011110110110101101101011101010110111001 10100101100011011000010111010001100101001000000110 10010110111000100000011000100110100101101110011000 01011100100111100100101110001000000101010001101000 01100101011110010010000001110111011010010110110001 10110000100000011000100110010100100000011101010110 11100110000101100010011011000110010100100000011101 00011011110010000001100100011010010111001101110100 01101001011011100110011101110101011010010111001101 10100000100000011110010110111101110101011100100010 00000110110101100101011100110111001101100001011001 11011001010010000001100110011100100110111101101101 00100000011000010110110001101100001000000111010001 10100001100101001000000110111101110100011010000110 01010111001000100000001100010010011101110011001000 00011000010110111001100100001000000011000000100111 01110011001011100010000000100000010000110110110001 10010101110110011001010111001000101100001000000111 01010110100000111111
    • Even easier if you live in the US...it's your own government.

      • Re:That's easy (Score:5, Insightful)

        by SeaFox (739806) on Monday June 11 2007, @06:57PM (#19472421)

        Even easier if you live in the US...it's your own government.

        Somewhere, there are lobbyists laughing at this comment.
        • Oh yeah, let's ignore the Average American Citizen's role in bringing this all about.

          -Stare at the TV 4 hours a day

          -Stop participating in your Government.

          -Allow Civics/government programs to be gutted.

          -Turn away from reason to embrace The Lord.

          It's _soo_ easy to whip off comments like yours. But it's more patriotic to be labled a Democratic (as in democracy) nut job.

    • Re: (Score:3, Insightful)

      by ObsessiveMathsFreak (773371)
      ....the US, Great Britain, Australia, Ireland, etc, etc...

      The net is being reined in by those who don't like it. There's little anyone who cares can do to stop it.
    • You have a twisted world perspective anonymous boy.

All trademarks and copyrights on this page are owned by their respective owners. Comments are owned by the Poster. The Rest © 1997-2010 Geeknet, Inc.