Inside Comcast's Surveillance Policies

Monk writes "The Federation of American Scientists has obtained a recently disclosed Comcast Handbook for Law Enforcement which details its policies for divulging its customers' personal information. (Here's the handbook itself in PDF form.) All of Comcast's policies seem to follow the letter of the law, and seem to weigh customer privacy with law enforcement's requests. This is in apparent contrast to AT&T and a number of other telecommunication companies, which have been only too happy to give over subscriber records. According to the handbook, Comcast keeps logs for up to 180 days on IP address allocation, and they do not keep all of your e-mails forever (45 days at most). VoIP phone records are stored for 2 years, and cable records can only be retrieved upon a court order. The document even details how much it costs law enforcement to get access to personal data (data for child exploitation cases is free of charge)."

Secure your email

[MacDork]

I'll trot this pony out one more time:

(Mac OS X 10.3+) http://www.joar.com/certificates/ [joar.com]
(Windows) http://www.marknoble.com/tutorial/smime/smime.aspx [marknoble.com]

Re:How much it costs?

[Burdell]

IIRC, when a subpoena is issued for information from a third party, that party can charge a fee to cover the costs of gathering the requested information.

Re:How much it costs?

[the unbeliever]

Most law enforcement budgets have a clause for "emergency funding for investigative purposes"

Comcast's charges don't seem unreasonable either, considering the amount of data they'll have to sift through to provide the information.

Quick and Dirty Summary

[value_added]

Interesting read, especially considering the "Comcast Confidential" footer at the bottom of every page. That said, it's informative only insofar as it states there's laws to be considered, and makes clear the folks at Comcast insist on following them. Nothing in that document is very different than a typical publically-available TOS. Here's an excerpt:

Generally, the following information, when available to Comcast, can be
supplied in response to the types of requests listed below. Each request
is evaluated and reviewed on a case by case basis in light of any
special procedural or legal requirements and applicable laws. The
following examples are for illustration only.
 
- Grand Jury, Trial, or Statutorily Authorized Administrative Subpoena
- Judicial Summons
- Court Order
- Search Warrant
- Preservation Request/ Backup Preservation Request
- Pen Register / Trap and Trace Device
- Foreign Intelligent Surveillance Act of 1978
- National Security Letter
- Child Abuse
- Emergency Disclosure

As for the email policies referred to in the summary, Comcast does not store emails any longer than the subscriber chooses keeps them.

Comcast's Webmail service permits customers to change their email
deletion policies, but the current default settings are described below.
 
- Inbox (Read Mail No automatic deletion policy)
                    (Unread Mail 45 day retention period)
- Trash (Read Mail 1 day retention period)
                    (Unread Mail 1 day retention period)
- Sent Mail (Read Mail 30 day retention period)
                    (Unread Mail 30 day retention period)
- Screened Mail (Read Mail 3 day retention period)
                    (Unread Mail 3 day retention period)
- Personal Folders (Read/Unread No deletion policy)
- Popped Mail (Deleted immediately from web mail servers)

Put another way, Comcast doesn't store your emails. You do.

Re:Secure your email

[greg_barton]

They track mud in, can drop anything anywhere and say that they found it there. That can't be done with email.

You're kidding, right?

Re:Quick and Dirty Summary

[Technician]

Doesnt matter, Vonage and all VOIP Providers must be CALEA Complient or huge fines are given.

correction Vontage and all US VOIP Providers must

There fixed it. From you link..
"The Communications Assistance for Law Enforcement Act (CALEA) is a United States wiretapping law passed in 1994 "

Vontage is US based. Where is Ekiga which ships with Ubuntu based?
http://ekiga.org/index.php?rub=3&pos=0&faqpage=x149.html [ekiga.org]
"1.1.4. What is it compatible with?
Ekiga is compatible with any software, device or router supporting SIP or H.323. It includes SwissVoice, CISCO, SNOM, ... IP Phones, but also software like Windows Messenger, Netmeeting, SJPhone, Eyebeam, X-Lite, ... or also the Asterisk popular IPBX, as well as any other commercial or Open Source IPBX."

How many of these supported services is directly under CALEA?

Vontage may be CALEA Complient. Not everyone is under US rule. Not all VOIP service is commercialy provided.

Re:The law doesn't protect you

[Anonymous Coward]

If it's the government you are worried about, I wouldn't be concerned with how long it would take them to brute force.

They'll just sneak into your house when aren't there and install a keylogger on your computer to get your passphrase. It's not like they haven't done it before [news.com]

With that kind of power, why even worry about brute force attacks?

Re:Secure your email

[shawb]

And I forgot to post a link to this article [nytimes.com]

Cox

[DanielBoz]

For any interested here is the equivalent info on Cox Communications: http://www.cox.com/policy/leainformation/default.asp [cox.com] http://www.cox.com/policy/leainformation/CoxLawfulInterceptWorksheet.pdf [cox.com]

Re:The law doesn't protect you

[Anonymous Coward]

Unless they can gain access to your PC and bypass the security, they wont have any idea that its not QWERTY. Any hardware keylogger or bug they insert will produce "garbage" since they have no way of knowing that will produce 'x' instead of 'q'.

You really don't know how hardware keyloggers work, and you do not understand how easy it is to crack a replacement cipher (which is what a random keyboard would essentially be equivalent of)

And by the way, it's easy to pick up the electric currents generated by your keypresses from a distance of about 100m. Google for tempest and you'll learn why your physical security needs to include tinfoil.

Verification

[Anonymous Coward]

I was told more-or-less the same thing when I interviewed at comcast earlier this year.
They also do not monitor outbound traffic at all unless for diagnostic purposes or because of a warrant. I was told, point blank, that they simply 'do not want to know' what is going on with their subscribers.

And to be frank, I can't say that I blame them. Collecting subscriber usage data is more of a liability than anything else these days.