Posted on 06/19/2002 8:38:51 AM PDT by Dominic Harr
Internet service providers may be forced into wholesale spying on their customers as part of the White House's strategy for securing cyberspace.
By Kevin Poulsen,
Jun 18 2002 3:46PMAn early draft of the White House's National Strategy to Secure Cyberspace envisions the same kind of mandatory customer data collection and retention by U.S. Internet service providers as was recently enacted in Europe, according to sources who have reviewed portions of the plan.
In recent weeks, the administration has begun doling out bits and pieces of a draft of the strategy to technology industry members and advocacy groups. A federal data retention law is suggested briefly in a section drafted in part by the U.S. Justice Department.
The comprehensive strategy is being assembled by the President's Critical Infrastructure Protection Board, headed by cyber security czar Richard Clarke, and is intended as a collaborative road map for further action by government agencies, private industry, and Congress.
While not binding, proposals that find their way into the final version of the National Strategy would likely have added weight in Congress, and could lead to legislation.
A controversial directive passed by the European Parliament last month allows the 15 European Union member countries to force ISPs to collect and keep detailed logs of each customer's traffic, so that law enforcement agencies could access it later.
Data to be gathered under the European plan includes the headers (from, to, cc and subject lines) of every e-mail each customer sends or receives, and every user's complete Web browsing history. The period of time that the data will have to be retained is up to each member country; specific legislative proposals range from 12 months to seven years, according to Cedric Laurant, a policy analyst at the Electronic Privacy Information Center (EPIC), which opposed the directive.
"Somebody could see their past for the last seven years be completely open," says Laurant, speaking of the European directive. "It violates freedom of speech and the basic principal of the presumption of innocence."
The draft of the U.S. plan does not specify how much data ISPs would be forced to collect, or how long they would have to store it. The White House did not return phone calls on the strategy, which is scheduled for release in September.
I'm trying not to get too upset here, but this is really rankling my fur.
Is the net as we know it in danger?
Ping.
We can encrypt the content of our e-mail with PGP, just in case the feds want to log that too.
We can use anonymiser proxies and encrypt all of our web traffic with SSL.
SSH and SCP, of course, we should be using this NOW just for general security considerations.
Are there any NNTP services out there which use encryption?
Isaiah 44
8 Fear ye not, neither be afraid: have not I told thee from that time, and have declared it? ye are even my witnesses. Is there a God beside me? yea, there is no God; I know not any.
9 They that make a graven image are all of them vanity; and their delectable things shall not profit; and they are their own witnesses; they see not, nor know; that they may be ashamed.
10 Who hath formed a god, or molten a graven image that is profitable for nothing?
Yikes, I don't believe I know of any. And that is *certainly* one of the last places on earth it is now possible to speak out.
It's going to be awfully easy for the next Nixon or Hoover to go out and identify the dissenters, it seems.
I do not like this.
Forgive me, but I have no faith in 'writing my congressman'.
I believe it takes money to get their ear.
For files on your hard disk, this really isn't a big deal, for mail it's a pain. But you could use Hushmail instead of your normal email account.
For painless disk encryption, I recommend DriveCrypt as it is from overseas and unlikely to have any NSA hooks in it.
For NNTP posting and browsing, I recommend either finding one that allows SSL encryption (usually NOT your ISP, you'll probably have to pay a monthly fee) or use a SSL-enabled HTTP anonymizer proxy to access a web-based front-end to newsgroups.
Since NNTP is high volume, encryption is a difficult prospect and you're going to have to make some compromises.
And those posters that show up and proudly exclaim that they don't care about Uncle Sam snooping around since they have nothing to hide:
Please include your full name, address, evening phone number and social security number with your post. Or shut up. You've got nothing to hide, right?
When you combine this with the fact that the FBI/police/etc. can damn near access your e-mail, traffic, phones, etc. without search warrants, yes, the net as we know it is in danger.
We all accept that nobody is anonymous anymore (unless you know what your doing). Certain agencies track as much computer traffic, e-mail, etc. as possible already.
Even here, if in the future some liberal is in the WH, and somebody decides they don't like some of the people posting on FR, they can easily raid the servers, probably without a search warrant the way things are going, get the IPs or look at financial donations, and then goto the ISPs and look at who had that IP at a certain time a message was posted.
I think the next couple of years are going to decide the shape of the internet. We weathered this company and that company filing all of these patent claims, or trying to keep us from running certain programs (such as the file-sharing programs) or doing certain things with our computers. I don't know about the government monitoring everything and delving into our personal lives.
Please include your full name, address, evening phone number and social security number with your post. Or shut up. You've got nothing to hide, right?
They also need to include their DL # if they have one, any and all credit cards, work address, the amount of taxes they last paid, how much they owe, their date of birth, as well as any and all relevant information about their immediate family. Also, any and all guns they have access to need to be listed for "security" reasons.
Heh. With their name, address and SSN, I can get the rest. :)
Once upon a time, one of my in-laws was a private investigator. I paid attention.
By profession, I'm a security geek. Generally, I just build firewall, intrusion detection systems and such, but security also includes data security.
I see a profitable future for me, helping clients encrypt hard drives, network connections and tape systems.
Like most government regulations, those that can pay enough to secure their data don't have to worry. Average citizens are screwed.
I already have a non-ISP usenet service but I haven't yet found one that uses encryption.
I'm heavily into NFS here, so file encryption on my network isn't much of a concern... yet.
I'd rather the feds devote their attention to the asians and french and germans who keep trying to crack my FTP server.. :-P
Yes it is, it will be controlled if we let it happen. The controllers can't help themselves, they must not let anything that's free and wonderful exist because it's a threat to their tight-assed little world. Fiber optics weren't part of the controllers (controllers in government, the media and in business) game plan.
They're enemies of freedom and they have plenty of enablers. They would take your freedom in a second if it benefited their agenda, whatever that agenda may be.
Right now some stinky-assed bureaucrat can use your tax dollars to rifle through the hard drive in your home. Meanwhile the sheep go "ho-hum".
All of my NFS traffic is behind two firewalls, but yeah, I still worry about it.
I recently got a wireless card and AP and set up an IPSEC tunnel between the laptop and a box behind the base station. I've been thinking about converting the entire network to 802.11a and running IPSEC for the entire thing.
If it gets really ugly, I'lll just set up CFS drives for /var/log. I'd have to be present and enter the key each time those machines boot, but I run FreeBSD and Linux and have everything UPSed, so that wouldn't be very often.
I already keep all of my downloaded mail on a CFS drive, just in case someone sends me mail that isn't encrypted.
But then, I've always been paranoid. :)
I'm a firm believer in iptables MAC filtering for the wireless stuff. It's kept a few war-drivers out of my net last year. Nowadays there are more than a few unsecured APs in my development which are much easier pickings, so I don't log any hits at all anymore.
But I still change those keys about every two months.
Now I can use Twofish encryption and since both ends of the IPSEC tunnel also have firewalls installed, even if my AP is unsecured, it doesn't matter. All they have access to is the AP, and I turn SNMP off on all public devices.
A war-driver will know that my device exists, but since the firewalls only allow IPSEC traffic, that won't do them much good.
Like most government regulations, those that can pay enough to secure their data don't have to worry. Average citizens are screwed.
True, but then what's to prevent the government five years from now (or sooner, the way Ashcroft and others are acting) declaring that encryption/firewalls that the government can't get through are illegal, because they could be used to assist in terrorist acts?
At some point, some bits of data you and your customers generate is going to find it's way on the net, whether it's a post on FR, e-mail, a posting to a newsgroup, or whatever. The government is going to try and do it's best (while spending your tax dollars) to break your encryption/codes.
Kinda sad isn't it? Our own government doesn't even trust us.
No kidding. I think the internet is the most important tool we have right now in keeping our freedom, next to the Constitution. People underestimate the power of it. You and I and others on FR, as an example, are discussing all sorts of freedoms, liberties, etc. and we are spread out all around the country/world. Ten years ago, you and I would not be talking and people wouldn't be able to keep each other informed of what's happening wherever and be able to get this assistance and that assistance.
Ten years ago we could have communicated through newsletters locally, but we wouldn't be able to get so many people organized over the entire country, and the government controlled the means of contact (through the USPS).
Right now, this means of communication has little regulation (and I pray it stays that way) and the government still doesn't have a good grasp of how to control it. I'm sure the major ISPs/content providers would prefer the government to stay out of their hair as well as the data retention would cost them lots of money, as well as the fact none of them wants the government controlling what they do, that is, make money.
Even in China and Cuba and North Korea (and now South Africa) the governments are trying to control the internet coming into their country, but they are still unable to.
Disclaimer: Opinions posted on Free Republic are those of the individual posters and do not necessarily represent the opinion of Free Republic or its management. All materials posted herein are protected by copyright law and the exemption for fair use of copyrighted works.