On 7/29/14 1:00 PM, "Robert Drake" <rdrake@direcpath.com> wrote:
On 7/29/2014 12:42 PM, Chris Boyd wrote:
There's probably going to be some interesting legal fallout from that practice. As an ISP customer, I'd be furious to find out that my communications had been intercepted due to the bad behavior of another user.
--Chris
Usually, unless the judge is being super generous, they'll provide a timestamp and a destination IP. That should be pretty unique unless they're looking for fraud against a large website or something. In the unlikely event that two people hit the same IP at the same time (window), they would probably just throw that information out as unusable for their case.
If your CGN logs destination IP, then you are tracking every site your customer visits. Geoff posits that this is valuable information, but some of the likeliest buyers aren't interested. You'll want to find some buyers, because you'll need to defray the cost of your logging. Do some back-of-the-envelope math on the storage required per user per day if you log the 5-tuple.

The alternative is logging of address and source ports only, keeping logs equivalent to your DHCP logs now.

I've also heard law enforcement say they're not necessarily keen to ask, "Which of your customers accessed this web site at this time?" Sometimes it's awkward. They're much more likely to say, "Who was using this address (and source port) at this time?"

If they can't tell you the source port, you have two options:

1. Give them the names of all customers using that address at that time. How many--10? 50? 100?
2. Tell them their subpoena is too broad, and you cannot respond.

I suggest you consult with counsel to determine your response.

Lee
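Added example, not part of the original thread: a lookup over address-and-port-block allocation logs (no destination IPs), showing how a request with a source port resolves to one subscriber while a request without one returns everyone sharing the address. The log format, the subscriber IDs, the `skew_seconds` parameter and the sample lines are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta
from typing import NamedTuple

# Constructed sample log: one line per port-block allocation, not per flow.
# Assumed format: start end public_ip port_lo-port_hi subscriber_id
SAMPLE_LOG = """\
2014-07-29T12:00:00 2014-07-29T18:00:00 203.0.113.7 1024-2047 sub-0001
2014-07-29T12:05:00 2014-07-29T13:30:00 203.0.113.7 2048-3071 sub-0002
2014-07-29T13:45:00 2014-07-29T20:00:00 203.0.113.7 2048-3071 sub-0003
2014-07-29T11:00:00 2014-07-29T19:00:00 203.0.113.7 3072-4095 sub-0004
2014-07-29T12:00:00 2014-07-29T18:00:00 203.0.113.8 1024-2047 sub-0005
"""

class Allocation(NamedTuple):
    start: datetime
    end: datetime
    public_ip: str
    port_lo: int
    port_hi: int
    subscriber: str

def parse_log(text):
    """Parse allocation lines into Allocation records, skipping blank lines."""
    allocations = []
    for line in text.splitlines():
        if not line.strip():
            continue
        start, end, ip, ports, sub = line.split()
        lo, hi = (int(p) for p in ports.split("-"))
        allocations.append(Allocation(datetime.fromisoformat(start),
                                      datetime.fromisoformat(end), ip, lo, hi, sub))
    return allocations

def lookup(allocations, public_ip, when, port=None, skew_seconds=0):
    """Subscribers holding public_ip at `when`, narrowed to one port block
    if `port` is given. skew_seconds widens each allocation window to allow
    for clock error in the requester's timestamp."""
    skew = timedelta(seconds=skew_seconds)
    hits = set()
    for a in allocations:
        if a.public_ip != public_ip:
            continue
        if not (a.start - skew <= when < a.end + skew):
            continue
        if port is not None and not (a.port_lo <= port <= a.port_hi):
            continue
        hits.add(a.subscriber)
    return sorted(hits)
```

With the source port the answer is a single subscriber; without it the answer is every subscriber mapped to that address at that time, and an imprecise timestamp can make even a port-qualified request ambiguous when a block was reassigned.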