Which ISPs Are Spying On You? 160

Posted by kdawson
from the what-do-they-keep-and-how-long-do-they-keep-it dept.
firesquirt sends us an article from Wired about a survey they conducted to determine major ISPs' data retention and other privacy practices. Over a period of two months, four national ISPs would not give Wired the time of day; and another four answered some of their questions in a fashion not altogether reassuring.
This discussion has been archived. No new comments can be posted.

  • All of them (Score:2, Informative)

    by Anonymous Coward
    All of them (in the US) are spying on you, thanks to government data-retention requirements. Y'know, in case a turrist or pedophile happens to use the intarwebs.
    • Re:All of them (Score:5, Insightful)

      by froggero1 (848930) on Monday June 11, 2007 @07:34PM (#19472193)
      All of them (in the world) have the potential to spy on you. But in the US, thanks to government privacy lobbyists, we get the privilege of full disclosure and an open forum to debate what privacy we'd like to see from a government.
    • by morie (227571)
      It mostly depends on how willing they are to hand over information. In the end, they will have to, but they may put up some resistance.

      I use XS4ALL in the Netherlands. They tend to go to court rather than give up user privacy. Only if they lose, they will give it out.
    • It's similar in the UK, I think. Most ISPs hook into the national broadband infrastructure provided by BT (unless they're using LLU). BT represent this internal infrastructure as a cloud, with no explanation of what's happening between BT and the ISPs.
    • by Creepy (93888)
      I don't know how true that is, but it's completely unenforceable.

      Anyone that uses the open part of my wireless freenet is not logged, and even if I did log, I could only keep about 50k of logfiles (the free space available on my router). If my ISP was spying on me, they may get all sorts of stuff coming through my router that is not being downloaded by me, and unless they find it on my machine (which they won't, since it's routed to a separate subnet), there's not much they can do about it.
      • by walt-sjc (145127)
        Yeah, that's great until they seize all your computer equipment because they have logs showing that your IP downloaded child porn. The local DA will make much noise about the bust and your life as you know it is over. It doesn't matter that they won't actually find anything on your systems... It doesn't matter that it wasn't YOU that downloaded child porn. When it comes to child porn, you are guilty in the court of public opinion no matter what the evidence shows.
    • by enselsharon (968932) on Monday June 11, 2007 @10:07PM (#19473299)
      Although not an ISP per se, my offsite backup provider publishes a warrant canary:

      http://www.rsync.net/resources/notices/canary.txt [rsync.net]

      In addition to a stated policy of "No data or meta-data concerning the behavior of our customers or filesystem contents will ever be divulged to any law enforcement agency without order served directly by a US court having jurisdiction. All such orders will be reported to our entire customer base."

      You should read their philosophy page [rsync.net].

      • by RDaneel2 (533639) on Monday June 11, 2007 @10:41PM (#19473521) Homepage
        "... All such orders will be reported to our entire customer base."

        Ummm... dream on about this part (at least), as "Patriot Act"-backed demands (with or without a warrant) can forbid the disclosure of said demand.

        And while an especially conscientious service provider might insist on dotting i's and crossing t's, it is doubtful any of their personnel (or bosses) will be willing to be jailed as a "terrorist". :(
      • TOS aside, you still can't trust your ISP. They may be gagged, or commandeered by the law (or illegally for that matter). Think Echelon, Carnivore, etc. Trustno1 is not just a password, my friend!
    • Over a period of two months, four national ISPs would not give Wired the time of day

      So? BFD. I wouldn't give Wired the time of day, either. Wired had promise in the last century, but is nothing more than a hybrid of Ars Technica and People Magazine.

      In spite of what the people at Wired think of themselves, they're not the New York Times, or any other news organization with a 100+ year track record of journalism (recent gaffes notwithstanding). They're just a garish tech fanboi rag, and not even a goo

      • by Dogtanian (588974)

        I wouldn't give Wired the time of day, either. Wired had promise in the last century, but is nothing more than a hybrid of Ars Technica and People Magazine. In spite of what the people at Wired think of themselves, they're not the New York Times [..] They're just a garish tech fanboi rag, and not even a good one of those.

        Wired is rubbish. I could post why here, but I'd just be repeating myself since I've already done this [slashdot.org] on more than one occasion.

  • by Anonymous Coward on Monday June 11, 2007 @07:37PM (#19472227)
    Actually, in the European Union, such spying practices are _mandatory_.
    • Call me confused, but I have a question that may or may not have a true answer. When does a 'watch dogging' (the process of ensuring a society's laws are followed) become spying?

      Is the Internet considered private or public? Minus the VPN's or ssh'ing which would be considered private. If it's public then what is the difference between ISP's providing data to whichever agency and your local Park Ranger providing information to the local police about you when you visit a park?

      I'm all for privacy, but I'd thin
      • by Mikkeles (698461)
        'When does a 'watch dogging' (the process of ensuring a society's laws are followed) become spying?'

        When it involves those who are not disobeying laws or is otherwise arbitrary in whom it targets.

    • by UpnAtom (551727)
      Blame Blair and Bush. The Neo-cons lobbied strongly for EU data retention even tho the US would never have it:

      http://www.policylaundering.org/issues/comm/ [policylaundering.org]

      In Britain, your ISP could be forced to have mass surveillance equipment fitted that sends any and all data to the Govt. Your ISP would be prosecuted for telling anyone.
      They can also jail you for not telling them your encryption passphrases (or if you can't remember them).

      http://www.magnacartaplus.org/bills/rip/index.htm [magnacartaplus.org]

      Just one of the many terrifying la
  • Noisy clickstream (Score:5, Insightful)

    by mstrcat (517519) * on Monday June 11, 2007 @07:42PM (#19472265)
    Here's an idea: Develop a web browser extension that does a random web crawl. I don't mind letting my ISP sell marketeers, give to the government, keep on file, etc. a clickstream that is 99% chaff and 1% my actual surfing. Yes, I realize that if someone puts in enough effort and analysis, they could probably sift out the false signal, but it's that very effort that makes it cost prohibitive to do it across a broad scale. And of course there is always the defense: I didn't visit that web site, my computer constantly does a random walk of the internet. And to help keep the ISPs in line, it ups the volume of records they have to keep by 500 fold.
    As for the other things such as IM's, emails, torrents, etc. I can encrypt those should I feel the need. Yes, I could start using TOR, but it's slow and watching a web crawler do a random walk can be entertainment all by itself.
    • by mh1997 (1065630) on Monday June 11, 2007 @08:20PM (#19472563)

      Here's an idea: Develop a web browser extension that does a random web crawl
      It would be my luck that my browser would hit every child porn site on the web.
    • Re:Noisy clickstream (Score:5, Informative)

      by Anonymous Coward on Monday June 11, 2007 @08:20PM (#19472567)
      Already done (see here [nyu.edu])

      Also see Bruce Schneier's opinion on the matter [schneier.com].

      In short, it isn't a good idea.
      • Re: (Score:2, Informative)

        by chrono13 (879557)
        TrackMeNot isn't designed to hide your searches from your ISP. It is designed to muddy the profiling Yahoo, MSN and Google are performing. Recent versions of it seem to perform that job fantastically and address most of Bruce's concerns (word list, timing, etc). So while it would hinder, to a degree, it is the fact that it really does not erase or otherwise really hide my legitimate searches from my ISP or work proxy, that I do not use it. But most of Bruce's concerns are no longer valid.
      • by 4D6963 (933028)

        While I agree that using such a dictionary as TrackMeNot uses is dumb, if you rather used the leaked AOL searches instead, it would be much more efficient. Well, I still think the whole thing is pointless and tinfoil-hat-esque anyways.

    • Re: (Score:1, Redundant)

      by westlake (615356)
      Here's an idea: Develop a web browser extension that does a random web crawl...

      The random noise generated by the geek with the Big Idea is not going to change anything. Except that he just might see his shared connection to the net throttled down to the speed of a 300 baud modem.

    • Yes, I realize that if someone puts in enough effort and analysis, they could probably sift out the false signal, but it's that very effort that makes it cost prohibitive to do it across a broad scale.

      Except that you only have to do it once, since the same algorithm would be used on each person's web browser.

      And of course there is always the defense: I didn't visit that web site, my computer constantly does a random walk of the internet.

      I thought the point was to keep them from casually snooping on your leg

      • by 1u3hr (530656)
        And to help keep the ISPs in line, it ups the volume of records they have to keep by 500 fold.
        Install filter before logs are made. Problem solved.

        Filtering a log pretty much makes it useless as evidence. Though the Feds can just disappear you regardless of legal procedure these days.

    • but it's that very effort that makes it cost prohibitive to do it across a broad scale

      That's a good idea. Poisoning the data well.

      I'm wondering if a secure proxy would defeat your ISP's snooping? For some reason I was thinking it's possible to snoop https traffic. Difficult, but possible. It would certainly be a pain in the rear and an ISP would need a good reason to go to all the trouble. Especially with so many, many people who wouldn't bother. All the search engine would have is the proxy IP, all

  • by planckscale (579258) on Monday June 11, 2007 @07:43PM (#19472277) Journal
    So ultimately the ISP's are afraid they'll be fined or shut down due to the negligence of the users and/or refusing to submit evidence? I just don't understand how a user's nefarious actions could be blamed on the ISP...

    I would think all they need to do is show they warned their users they are 1. being watched 2. downloading illegal data. Actually providing the authorities with a history of the data is not their job and should only be acquired by the authorities with their own equipment and only under a court order.

    At the least the ISP's should give their users the ability to opt-out of their "data retention" programs.

    • by sgt_doom (655561)
      But...does it really matter? With the government (i.e., the Busheviks) having dropped SilentRunner apps at each IXP location in North America, what does it really matter what those ISPs do.....
    • Re: (Score:3, Interesting)

      by element-o.p. (939033)
      There's a little more to it than that.

      Most ISPs assign dynamic IP addresses to the majority of their customers. Where I used to work, we used RADIUS to provide dynamic IP addressing to our customers, and we would keep logs that would let us determine which customer had any given IP address on any given day and time. This data was used to help troubleshoot customer login problems, resolve billing disputes with customers, suspend and/or warn customers who had violated our terms and conditions of use, and
      • by number11 (129686) on Monday June 11, 2007 @10:57PM (#19473593)
        However, we absolutely, positively refused to provide subscriber information without a court order of some kind, however. I would like to think that most ISPs operate to the same standards we did

        I would like to think that no ISP would ever spy on me or keep records of my activities. I would like to think that no ISP would provide data without a court order. Unfortunately, what I would like to think bears little relation to what actually is. And my understanding is that the (US) government no longer requires a court order to demand such things.
        • I believe that's being challenged right now. Wasn't there a guy recently arrested for refusing to turn over information requested in a National Security Letter and for contacting a lawyer to have the NSL challenged? I'm too lazy to look it up right now, but I believe I read that here on /. The bottom line is, until SCOTUS rules on the legality of NSLs, their validity is in question. So, for now, my response to an NSL would be: http://www.gecko-ak.org/SpecialPurposeSigFile.txt [gecko-ak.org] :)

          In any case, your poin
    • Actually providing the authorities with a history of the data is not their job and should only be acquired by the authorities with their own equipment and only under a court order.

      Actually, that is the new trend in law enforcement -forcing businesses to enforce the laws so the police don't have to. This frees up the police for more important things, like going after the businesses for not adequately enforcing the laws.

      Brick and mortar businesses are required to make sure that their customers don't smoke or drink in the wrong places, that they aren't buying for someone who is underage, that they are not selling drugs, or even whether their driver's license is expired. If you own

  • by CheeseburgerBrown (553703) on Monday June 11, 2007 @07:46PM (#19472311) Homepage Journal
    My Canadian ISP, Rogers, is not on the list but if I were to hazard a guess I'd reckon they'd sell my tracks six ways from Sunday as soon as sneeze.

    These are, after all, the goons who think just about any kind of encrypted traffic coming out of your box is a terrorist threat to the movie industry -- even if it's just a VPN connection.

    Does anyone know what Rogers' retention policies actually are?

    • by froggero1 (848930)
      "Rogers does not use or disclose personal information for purposes other than those for which it was collected, except with the consent of the individual or as required by law. Rogers retains personal information only as long as necessary for the fulfillment of those purposes."

      http://www.shoprogers.com/privacy1.asp [shoprogers.com]
      • Re: (Score:1, Funny)

        by Anonymous Coward
        In other words, they'll shop you, and you'll be truly rogered.
    • Last I checked, both Rogers and Shaw were refusing to turn over account information to the CRIAA. Has this changed?
      • by Sigma 7 (266129)

        Last I checked, both Rogers and Shaw were refusing to turn over account information to the CRIAA. Has this changed?

        IANAL, but there is a Canadian law in effect that causes liability if they disclose information to third parties - especially on a large scale. I'm not sure if the law has any teeth, but private individuals can use it as leverage against large companies.

        There's already enough trouble with frivolous lawsuits (e.g. Warning: do not place ladder on frozen cow patties). Violating an actual law will be worse against companies, since they will need to win on a technicality (which won't always work.)

  • by bagboy (630125) <.ten.citcra. .ta. .oen.> on Monday June 11, 2007 @08:06PM (#19472479)
    because as a Sr. Network Eng for an ISP with thousands of users I have oh so much time to devote to tracking down every website you visit. Please, even if packet sniffing and tcpdumps are used, most ISPs can't afford manpower for intensive tracking... Maybe the big ones, but medium to small...
  • It's time to encrypt EVERYTHING. ( at least until the government bans it )

    Sure they know where you went, but not what you viewed or 'said' while there.
    • by Ungrounded Lightning (62228) on Monday June 11, 2007 @08:43PM (#19472771) Journal
      It's time to encrypt EVERYTHING. ( at least until the government bans it )
      Sure they know where you went, but not what you viewed or 'said' while there.


      Back when I was operating a mailing list on a controversial topic on my home machine, I had a couple rules:
        - No postings soliciting or admitting to breaking laws.
        - No encrypted traffic (not just on the list: All traffic (except passwords) to-from the machine was in the clear).

      The thinking was like this:

        - Police, other government investigative agencies, and various unofficial snoops have a long track record of ignoring laws against various kinds of eavesdropping. So you have to assume that the line might be tapped.

        - If the police became interested they could always get a warrant and tap the line. (Or illegally tap the line without a warrant to see what's going on, then (if it looked interesting) get a warrant to tap it legally.)

        - If the data was encrypted they could STILL get it - by getting a warrant and seizing the computer (and everything else of interest in the house).

        - If the data was UNencrypted they would want to keep a low profile to avoid scaring off any "bad guys", would eventually see that there was nothing to go after, and thus would probably switch to hunting real bad guys elsewhere and go away WITHOUT breaking in and trashing stuff.

      "Encrypt everything" seems like a nice solution. But if only a few are doing it, just the fact that their traffic is encrypted makes them targets. It's easy to trump up enough stuff to get a warrant and go after the machine.

      Once a LOT of people are all swapping lots of encrypted traffic (as the default way of "sealing" the "envelope" on the datagrams) the fact of encryption will stop making the users targets. (The police can still get a warrant and grab the machines. But with so many potential machines to grab they'll have to find some other way to pick the ones to hit - like by bothering to dig up real "probable cause" from other evidence, like they're supposed to.)

      Fortunately we don't need to construct a "shelling point" for this: The internet is gradually moving toward pervasive encryption, as the legitimate need to encrypt for personal and corporate security becomes broadly understood. Once that becomes the norm our electronic "papers" will be about as secure as our physical ones. We're starting to get there. But IMHO we're not there yet.

      Unfortunately we WON'T be fully safe using encryption until the typical machine configurations are such that, if the machines are seized, it will be impossible to recover incriminating data from them - even with passwords browbeaten out of their owners. Until that time it will still be useful to bypass encryption by raiding one of the machines at the endpoints.

      = = = =

      Re the list and "no encrypted traffic": When one of the regulate-the-internet laws was about to make it too much hassle to continue, we closed down the list (after finding volunteers to run its successor and - since the participants hadn't agreed to have their info forwarded - announcing the successor on the original list and giving people time to sign up).

      Now I regularly use SSH to telecommute or to access the primary house machine from the vacation house. But that's still low-profile: It's clear from the IP addresses that the SSH connections are going to the company, coming from it, or coming from a single external dialup machine via a particular service provider.
      • by Lumpy (12016)
        Unfortunately we WON'T be fully safe using encryption until the typical machine configurations are such that, if the machines are seized, it will be impossible to recover incriminating data from them - even with passwords browbeaten out of their owners.

        step 1 run all your internet apps from a thumbdrive with portable versions.
        step 2 use a good encryption system on that thumbdrive that gives you deniability.
        step 3 keep the PC you use clean and separate from your regular PC (laptop preferred and hideable.)
        ste
        • step 1 run all your internet apps from a thumbdrive with portable versions.
          step 2 use a good encryption system on that thumbdrive that gives you deniability.


          Step 2B. Don't let your thumb drive go through the washer and drier. (Just happened to me yesterday.) B-( (Fortunately not with a thumb drive containing the only copy of something important.)
    • by digitalderbs (718388) on Monday June 11, 2007 @08:55PM (#19472873)
      fdD87d

      64F5F6sAS4Dd46KJfUYd0NsafH54UJ6Y35U135KdYUsU1Jf35W Q544ASdf455saSA1dfF3AS5D5WQsEa5dr413L50fSAdDsA3QW5 DsfDfdALJd99AD09asdfK9J00aUIOsdfOU9I0dIaOU46IOsCVd Xf61S DF325eLJw5LKljLk3kjl18dfaw3F3DSADFsdfYDOewrs313aSS dfADuy5SA135D1H155yipHoiSDAjnkml51151LHHkmfSASd217

      JD3hFdJf8o

      SD45uio5K2o
    • Re: (Score:2, Insightful)

      by Eli Gottlieb (917758)
      It would certainly help if many websites (including Slashdot) didn't refuse logins or postings from users running Tor.
  • by Novotny (718987)
    If by spying, you mean conducting your communications via the interweb and invariably having copies of said communications either in deliberately or not deliberately maintained logs... It's a bit like asking someone to tell your mate down the street 'it rains on Tuesdays' and then complaining when the intermediate seems to know your secret weather-forecasting tip.
  • IRC logs (Score:3, Interesting)

    by Tribbin (565963) on Monday June 11, 2007 @08:24PM (#19472595) Homepage
    Slightly offtopic, but ...

    I seldom spend time on IRC.

    Two weeks ago I was on #debian.

    I asked the people if the conversations get logged.

    Nobody present could tell me.

    Is there a place where you can look up such things?
  • AOL (Score:5, Funny)

    by Shadow Wrought (586631) * <[shadow.wrought] [at] [gmail.com]> on Monday June 11, 2007 @08:26PM (#19472611) Homepage Journal
    Even though I never had an account with them, for the longest time they always seemed to know where I lived because they kept sending me CDs. Spooky.
  • Aren't there VPN ISPs that terminate in neutral countries that can circumvent spying?
    • Re: (Score:3, Informative)

      by cswiger (63672)
      Um, the point of a VPN is to set up a secure tunnel to get to your destination network with the traffic encrypted en route, so it doesn't matter whether your ISP is snooping on your traffic or not. Now, if you wanted to host your destination server or network somewhere like Canada or someplace with less intrusive government monitoring, that might well be a good thought.

      The problem is that the US via CALEA is requiring things like Cisco routers used to terminate many VPN connections be wiretap-friendly, so
      • by Joe U (443617)
        Actually, I was describing a VPN system where you terminated in some country that doesn't have rules like CALEA.

        So, I would tunnel to a friendly country like Sealand (example) and send all my packets out from there.
      • Re: (Score:1, Informative)

        by Anonymous Coward
        1) The router would be in the safe country anyway, therefore wouldn't be subject to physical wiretaps at the endpoint.

        2) Don't waste your money on a Cisco router. It is MUCH easier and cheaper to just rent a Linux machine in a "safe country" and install OpenVPN [openvpn.net] on it.

        3) Most of your traffic is going to be routed back through the US or EU anyway, where most of the world's servers (and backbones) are located.

        4) Your "safe" routing node is still identifiable, even if your ISP refuses to give up your name/addre
  • At http://www.net.tv/ [www.net.tv] you watch the ISP.
  • by Anonymous Coward
    A whole lot more TOR servers to sprout up. When everyone switches to encrypted traffic on all the normal ports, your connections might be logged and the data transferred between you and the onion network copied, but how long would it take to sift through the internet's traffic if it were all encrypted?
  • ... consider what your reaction to this is going to be.

    Suggested Search terms:
    "Well damn, if I look at crack sites, am I going to be busted for attempted piracy" when I was really looking for a download 30 trial of autodesk Inventor 2008. It's also interesting that directly after the last law related passed, all crack sites are asking for some small amount of payment --- so as to verify identity....

    I'm absolutely certain that search terms can be made to communicate to the spies well enough to cause a "MAD - S
    • Email, even passwords, are in cleartext. It'd be like being asked to pass a one word note in red with the ink faded through and not be able to read it.
  • In Soviet Russia, Internet browse YOU.
  • Unfortunately, this doesn't cover my ISP, Optimum Online. :-(
    • The Decepticons will be pleased.

  • Time of Day (Score:2, Funny)

    by Anonymous Coward
    four national ISPs would not give Wired the time of day
    What, they blocked port 123?
  • We all saw this coming.
    I prefer to do something about it.

    http://www.mysecureisp.com/ [mysecureisp.com]

    http://www.blackboxsearch.com/ [blackboxsearch.com]
  • by Barkmullz (594479) on Tuesday June 12, 2007 @04:35AM (#19475269)
    01000011011011110110110101101101011101010110111001 10100101100011011000010111010001100101001000000110 10010110111000100000011000100110100101101110011000 01011100100111100100101110001000000101010001101000 01100101011110010010000001110111011010010110110001 10110000100000011000100110010100100000011101010110 11100110000101100010011011000110010100100000011101 00011011110010000001100100011010010111001101110100 01101001011011100110011101110101011010010111001101 10100000100000011110010110111101110101011100100010 00000110110101100101011100110111001101100001011001 11011001010010000001100110011100100110111101101101 00100000011000010110110001101100001000000111010001 10100001100101001000000110111101110100011010000110 01010111001000100000001100010010011101110011001000 00011000010110111001100100001000000011000000100111 01110011001011100010000000100000010000110110110001 10010101110110011001010111001000101100001000000111 01010110100000111111
  • At least I can't. The article in question has a giant AT&T ad that pops up and covers almost the entire article, and it doesn't go away when you click it. At least in IE6. Don't post this shit if it's unreadable due to advertising.

  • Use encryption. PGP, IPSec, IPv6 for that matter. Please, for (insert random name here)'s sake, just use the technology your PC already provides. Sure, it won't stop the FBI knocking down your door, but encrypting every connection you can is better than doing everything in the clear.

    Encrypt your E-mails, use secure storage options, etc. There is a lot of security available out there, it's just that people are too lazy to use it.
    • When it comes to spying, there are several types:
      1) What gov't/law enforcement does (whether legally or nsa-style). This is done to enforce the law or for political control.
      2) What HP's Patti Dunn or other private entities do to further a specific interest. Marginally legal at best.
      3) What ChoicePoint, Axciom, etc. do. Amassing databases of identity and transactional information and selling datamining services usually for business purposes (and now also for gov't purposes). Still legal but mostly under-
  • Here in Canada the largest ISP is Bell Sympatico (alias: bell nexxia).
    They are pure evil when it comes to privacy. Less than a year ago they amended their terms of service to give themselves the right to monitor (content included) anything and everything you do on the internet at their whim and share the information with any government agency that asks for it. (no stipulations that the agency must be Canadian or be making a legal request for information).

    That was presumably an attempt to protect themselv
  • So what about Speakeasy?
