In message <200206241631.g5OGVw2q037988@noc.mainstreet.net>, Mark Kent writes:
I recently claimed that, in the USA, there is a law that prohibits an ISP from inspecting packets in a telecommunications network for anything other than traffic statistics or debugging.
Was I correct?
No. Or at least you weren't; the Patriot Act may have changed it. (I assume you're talking about U.S. law.) There was a quirk in the wording of the law -- what you say is correct for *telephone* companies, but not ISPs.
I'ld also like to get opinions on privacy policies for network operators. It has been suggested that we should adopt a policy that says that we'll notify customers if: 1) we inspect traffic, 2) we're aware that an upstream is inspecting traffic 3) we're required to inspect traffic (by anyone).
Point 3) is just about the same as 1), but it does imply a slightly different motivation behind the inspection.
Point 3 is explicitly prohibited by U.S. wiretap law, if it's a legal, court-approved wiretap under either the regular wiretap statute or the Foreign Intelligence Surveillance Act. Btw -- see the slides from Mark Eckenwiler's tutorial on wiretapping at a recent NANOG (October 2000, as I recall, and definitely in D.C.) --Steve Bellovin, http://www.research.att.com/~smb (me) http://www.wilyhacker.com ("Firewalls" book)