Free Republic
Browse · Search
News/Activism
Topics · Post Article

Skip to comments.

Cyber Security Plan Contemplates U.S. Data Retention Law (ISPs may have to spy on their customers.)
SecurityFocus ^ | Jun 18 2002 3:46PM | Kevin Poulsen

Posted on 06/19/2002 8:38:51 AM PDT by Dominic Harr

Cyber Security Plan Contemplates U.S. Data Retention Law

Internet service providers may be forced into wholesale spying on their customers as part of the White House's strategy for securing cyberspace.
By Kevin Poulsen,

Jun 18 2002 3:46PMAn early draft of the White House's National Strategy to Secure Cyberspace envisions the same kind of mandatory customer data collection and retention by U.S. Internet service providers as was recently enacted in Europe, according to sources who have reviewed portions of the plan.

In recent weeks, the administration has begun doling out bits and pieces of a draft of the strategy to technology industry members and advocacy groups. A federal data retention law is suggested briefly in a section drafted in part by the U.S. Justice Department.

The comprehensive strategy is being assembled by the President's Critical Infrastructure Protection Board, headed by cyber security czar Richard Clarke, and is intended as a collaborative road map for further action by government agencies, private industry, and Congress.

While not binding, proposals that find their way into the final version of the National Strategy would likely have added weight in Congress, and could lead to legislation.

A controversial directive passed by the European Parliament last month allows the 15 European Union member countries to force ISPs to collect and keep detailed logs of each customer's traffic, so that law enforcement agencies could access it later.

Data to be gathered under the European plan includes the headers (from, to, cc and subject lines) of every e-mail each customer sends or receives, and every user's complete Web browsing history. The period of time that the data will have to be retained is up to each member country; specific legislative proposals range from 12 months to seven years, according to Cedric Laurant, a policy analyst at the Electronic Privacy Information Center (EPIC), which opposed the directive.

"Somebody could see their past for the last seven years be completely open," says Laurant, speaking of the European directive. "It violates freedom of speech and the basic principal of the presumption of innocence."

The draft of the U.S. plan does not specify how much data ISPs would be forced to collect, or how long they would have to store it. The White House did not return phone calls on the strategy, which is scheduled for release in September.


TOPICS: Technical
KEYWORDS: techindex
Navigation: use the links below to view more comments.
first 1-2021-31 next last
A controversial directive passed by the European Parliament last month allows the 15 European Union member countries to force ISPs to collect and keep detailed logs of each customer's traffic, so that law enforcement agencies could access it later.

I'm trying not to get too upset here, but this is really rankling my fur.

Is the net as we know it in danger?

1 posted on 06/19/2002 8:38:51 AM PDT by Dominic Harr
[ Post Reply | Private Reply | View Replies]

To: *tech_index
If you can fill the unforgiving minute with sixty seconds worth of distance run,
Then yours is the Earth and everything that's in it, and -- what's more -- you'll be a man, my son.

Ping.

2 posted on 06/19/2002 8:40:20 AM PDT by Dominic Harr
[ Post Reply | Private Reply | To 1 | View Replies]

To: Dominic Harr
Very alarming.

We can encrypt the content of our e-mail with PGP, just in case the feds want to log that too.

We can use anonymiser proxies and encrypt all of our web traffic with SSL.

SSH and SCP, of course, we should be using this NOW just for general security considerations.

Are there any NNTP services out there which use encryption?

3 posted on 06/19/2002 9:32:30 AM PDT by TechJunkYard
[ Post Reply | Private Reply | To 1 | View Replies]

To: Dominic Harr
Omniscience is not meant for men seeking power!
What more graven image is there than an image of what is entering the minds of all those connected to this continuum?

Isaiah 44
8 Fear ye not, neither be afraid: have not I told thee from that time, and have declared it? ye are even my witnesses. Is there a God beside me? yea, there is no God; I know not any.
9 They that make a graven image are all of them vanity; and their delectable things shall not profit; and they are their own witnesses; they see not, nor know; that they may be ashamed.
10 Who hath formed a god, or molten a graven image that is profitable for nothing?

4 posted on 06/19/2002 10:54:11 AM PDT by PaxMacian
[ Post Reply | Private Reply | To 1 | View Replies]

To: TechJunkYard
Are there any NNTP services out there which use encryption?

Yikes, I don't believe I know of any. And that is *certainly* one of the last places on earth it is now possible to speak out.

It's going to be awfully easy for the next Nixon or Hoover to go out and identify the dissenters, it seems.

I do not like this.

5 posted on 06/19/2002 11:42:31 AM PDT by Dominic Harr
[ Post Reply | Private Reply | To 3 | View Replies]

To: Dominic Harr
Congress.org, 1 click and you can send an email to all 3 of your congresscritters.
6 posted on 06/19/2002 1:28:36 PM PDT by dheretic
[ Post Reply | Private Reply | To 1 | View Replies]

To: dheretic
1 click and you can send an email to all 3 of your congresscritters.

Forgive me, but I have no faith in 'writing my congressman'.

I believe it takes money to get their ear.

7 posted on 06/19/2002 1:37:56 PM PDT by Dominic Harr
[ Post Reply | Private Reply | To 6 | View Replies]

To: Dominic Harr
I am glad I closed my ISP biz last year.
8 posted on 06/19/2002 3:20:17 PM PDT by Mr_Magoo
[ Post Reply | Private Reply | To 1 | View Replies]

To: TechJunkYard
The current version of PGP is suspect. Even the original inventor of PGP left Network Associates and says that PGP can no longer be trusted. Either use a version before 6.0, use OpenPGP which is based on code prior to PGP 6.0 or use GnuPG. There is a Windows version of GnuPG, but it lacks a graphical interface.

For files on your hard disk, this really isn't a big deal, for mail it's a pain. But you could use Hushmail instead of your normal email account.

For painless disk encryption, I recommend DriveCrypt as it is from overseas and unlikely to have any NSA hooks in it.

For NNTP posting and browsing, I recommend either finding one that allows SSL encryption (usually NOT your ISP, you'll probably have to pay a monthly fee) or use a SSL-enabled HTTP anonymizer proxy to access a web-based front-end to newsgroups.

Since NNTP is high volume, encryption is a difficult prospect and you're going to have to make some compromises.

And those posters that show up and proudly exclaim that they don't care about Uncle Sam snooping around since they have nothing to hide:

Please include your full name, address, evening phone number and social security number with your post. Or shut up. You've got nothing to hide, right?

9 posted on 06/19/2002 3:52:55 PM PDT by Knitebane
[ Post Reply | Private Reply | To 3 | View Replies]

To: Dominic Harr
Is the net as we know it in danger?

When you combine this with the fact that the FBI/police/etc. can damn near access your e-mail, traffic, phones, etc. without search warrants, yes, the net as we know it is in danger.

We all accept that nobody is anonymous anymore (unless you know what your doing). Certain agencies track as much computer traffic, e-mail, etc. as possible already.

Even here, if in the future some liberal is in the WH, and somebody decides they don't like some of the people posting on FR, they can easily raid the servers, probably without a search warrant the way things are going, get the IPs or look at financial donations, and then goto the ISPs and look at who had that IP at a certain time a message was posted.

I think the next couple of years are going to decide the shape of the internet. We weathered this company and that company filing all of these patent claims, or trying to keep us from running certain programs (such as the file-sharing programs) or doing certain things with our computers. I don't know about the government monitoring everything and delving into our personal lives.

10 posted on 06/19/2002 4:31:31 PM PDT by texlok
[ Post Reply | Private Reply | To 1 | View Replies]

To: Knitebane
And those posters that show up and proudly exclaim that they don't care about Uncle Sam snooping around since they have nothing to hide:

Please include your full name, address, evening phone number and social security number with your post. Or shut up. You've got nothing to hide, right?

They also need to include their DL # if they have one, any and all credit cards, work address, the amount of taxes they last paid, how much they owe, their date of birth, as well as any and all relevant information about their immediate family. Also, any and all guns they have access to need to be listed for "security" reasons.

11 posted on 06/19/2002 4:34:03 PM PDT by texlok
[ Post Reply | Private Reply | To 9 | View Replies]

To: texlok
hey also need to include their DL # if they have one, any and all credit cards, work address, the amount of taxes they last paid, how much they owe, their date of birth, as well as any and all relevant information about their immediate family. Also, any and all guns they have access to need to be listed for "security" reasons.

Heh. With their name, address and SSN, I can get the rest. :)

Once upon a time, one of my in-laws was a private investigator. I paid attention.

12 posted on 06/19/2002 4:42:27 PM PDT by Knitebane
[ Post Reply | Private Reply | To 11 | View Replies]

To: texlok
I hate to say it, but this is good news for me.

By profession, I'm a security geek. Generally, I just build firewall, intrusion detection systems and such, but security also includes data security.

I see a profitable future for me, helping clients encrypt hard drives, network connections and tape systems.

Like most government regulations, those that can pay enough to secure their data don't have to worry. Average citizens are screwed.

13 posted on 06/19/2002 4:47:24 PM PDT by Knitebane
[ Post Reply | Private Reply | To 10 | View Replies]

To: Knitebane
I bought a domain and I operate my own mail servers here at the house, so that just leaves my outgoing mail to my friends at their ISPs exposed. I have no logging requirement.

I already have a non-ISP usenet service but I haven't yet found one that uses encryption.

I'm heavily into NFS here, so file encryption on my network isn't much of a concern... yet.

I'd rather the feds devote their attention to the asians and french and germans who keep trying to crack my FTP server.. :-P

14 posted on 06/19/2002 4:53:55 PM PDT by TechJunkYard
[ Post Reply | Private Reply | To 9 | View Replies]

To: Dominic Harr
Is the net as we know it in danger?

Yes it is, it will be controlled if we let it happen. The controllers can't help themselves, they must not let anything that's free and wonderful exist because it's a threat to their tight-assed little world. Fiber optics weren't part of the controllers (controllers in government, the media and in business) game plan.

They're enemies of freedom and they have plenty of enablers. They would take your freedom in a second if it benefited their agenda, whatever that agenda may be.

Right now some stinky-assed bureaucrat can use your tax dollars to rifle through the hard drive in your home. Meanwhile the sheep go "ho-hum".

15 posted on 06/19/2002 4:57:36 PM PDT by AAABEST
[ Post Reply | Private Reply | To 1 | View Replies]

To: TechJunkYard
I've got a couple of domains here too and my logging is limited to 24 hours on the mail servers (they roll over to /dev/null) and nearly infinite on the IDS and firewall.

All of my NFS traffic is behind two firewalls, but yeah, I still worry about it.

I recently got a wireless card and AP and set up an IPSEC tunnel between the laptop and a box behind the base station. I've been thinking about converting the entire network to 802.11a and running IPSEC for the entire thing.

If it gets really ugly, I'lll just set up CFS drives for /var/log. I'd have to be present and enter the key each time those machines boot, but I run FreeBSD and Linux and have everything UPSed, so that wouldn't be very often.

I already keep all of my downloaded mail on a CFS drive, just in case someone sends me mail that isn't encrypted.

But then, I've always been paranoid. :)

16 posted on 06/19/2002 5:02:43 PM PDT by Knitebane
[ Post Reply | Private Reply | To 14 | View Replies]

To: Knitebane
I recently got a wireless card and AP and set up an IPSEC tunnel between the laptop and a box behind the base station.

I'm a firm believer in iptables MAC filtering for the wireless stuff. It's kept a few war-drivers out of my net last year. Nowadays there are more than a few unsecured APs in my development which are much easier pickings, so I don't log any hits at all anymore.

But I still change those keys about every two months.

17 posted on 06/19/2002 6:24:28 PM PDT by TechJunkYard
[ Post Reply | Private Reply | To 16 | View Replies]

To: TechJunkYard
I considered using MAC filtering, but after I did some research on how easy WAP is to break, I decided to use IPSEC instead.

Now I can use Twofish encryption and since both ends of the IPSEC tunnel also have firewalls installed, even if my AP is unsecured, it doesn't matter. All they have access to is the AP, and I turn SNMP off on all public devices.

A war-driver will know that my device exists, but since the firewalls only allow IPSEC traffic, that won't do them much good.

18 posted on 06/19/2002 6:29:42 PM PDT by Knitebane
[ Post Reply | Private Reply | To 17 | View Replies]

To: Knitebane
I see a profitable future for me, helping clients encrypt hard drives, network connections and tape systems.

Like most government regulations, those that can pay enough to secure their data don't have to worry. Average citizens are screwed.

True, but then what's to prevent the government five years from now (or sooner, the way Ashcroft and others are acting) declaring that encryption/firewalls that the government can't get through are illegal, because they could be used to assist in terrorist acts?

At some point, some bits of data you and your customers generate is going to find it's way on the net, whether it's a post on FR, e-mail, a posting to a newsgroup, or whatever. The government is going to try and do it's best (while spending your tax dollars) to break your encryption/codes.

Kinda sad isn't it? Our own government doesn't even trust us.

19 posted on 06/19/2002 7:00:49 PM PDT by texlok
[ Post Reply | Private Reply | To 13 | View Replies]

To: AAABEST
Yes it is, it will be controlled if we let it happen. The controllers can't help themselves, they must not let anything that's free and wonderful exist because it's a threat to their tight-assed little world. Fiber optics weren't part of the controllers (controllers in government, the media and in business) game plan.

No kidding. I think the internet is the most important tool we have right now in keeping our freedom, next to the Constitution. People underestimate the power of it. You and I and others on FR, as an example, are discussing all sorts of freedoms, liberties, etc. and we are spread out all around the country/world. Ten years ago, you and I would not be talking and people wouldn't be able to keep each other informed of what's happening wherever and be able to get this assistance and that assistance.

Ten years ago we could have communicated through newsletters locally, but we wouldn't be able to get so many people organized over the entire country, and the government controlled the means of contact (through the USPS).

Right now, this means of communication has little regulation (and I pray it stays that way) and the government still doesn't have a good grasp of how to control it. I'm sure the major ISPs/content providers would prefer the government to stay out of their hair as well as the data retention would cost them lots of money, as well as the fact none of them wants the government controlling what they do, that is, make money.

Even in China and Cuba and North Korea (and now South Africa) the governments are trying to control the internet coming into their country, but they are still unable to.

20 posted on 06/19/2002 7:07:21 PM PDT by texlok
[ Post Reply | Private Reply | To 15 | View Replies]


Navigation: use the links below to view more comments.
first 1-2021-31 next last

Disclaimer: Opinions posted on Free Republic are those of the individual posters and do not necessarily represent the opinion of Free Republic or its management. All materials posted herein are protected by copyright law and the exemption for fair use of copyrighted works.

Free Republic
Browse · Search
News/Activism
Topics · Post Article

FreeRepublic, LLC, PO BOX 9771, FRESNO, CA 93794
FreeRepublic.com is powered by software copyright 2000-2008 John Robinson