At 09:31 6/24/02 -0700, you wrote:
I recently claimed that, in the USA, there is a law that prohibits an ISP from inspecting packets in a telecommunications network for anything other than traffic statistics or debugging.
Was I correct?
I would imagine privacy laws prohibit disclosure of this type of information in some places like Europe, but privacy protection is nil in the US. How else could all this spy-ware be legal to jam down people's throats?
I'ld also like to get opinions on privacy policies for network operators.
We operate much like the FCC rules on radio eavesdropping. If we hear/see something, we do not tell anyone else about it, nor ever use it for financial gain. (One of my major gripes about spyware)
It has been suggested that we should adopt a policy that says that we'll notify customers if: 1) we inspect traffic,
If youre a good network operator, you will always have occasions to do this for performance and security issues that only you can determine the validity of. No need to scare the customer. The customer deserves their privacy to the extent you can facilitate it. By taking their money, they should expect their email and web viewing habits will remain private. You might include a line in your TOS that you might inspect traffic for operational purposes, but anything seen will remain confidential and never used for financial gain. (I'm not a lawyer, so I highly suggest you consult one on this aspect).
2) we're aware that an upstream is inspecting traffic
Thats a touchy subject, while we expect our feeds will always be doing similar maintenance/security testing, blowing them in and causing customer angst might get you sued or disconnected.
3) we're required to inspect traffic (by anyone).
Since the police-state/anti-privacy measures rammed down our throats post 9.11 they might haul you off to the gulag for doing this. Or worse, declare you an "enemy of the state", strip your citizenship and lock you away forever.
Point 3) is just about the same as 1), but it does imply a slightly different motivation behind the inspection.
I know informing a suspect of a phone tap, in the telecom business will get you hard time. SO again, check with your law people...a lot's changed since 9.11 and the police state is doing things that havent been ruled legal or illegal by the USSC. So beware and get competent legal council before implementing anything. These are offered only as opinions...
At 02:29 PM 6/24/2002, you wrote:
Point 3) is just about the same as 1), but it does imply a slightly different motivation behind the inspection.
I know informing a suspect of a phone tap, in the telecom business will get you hard time. SO again, check with your law people...a lot's changed since 9.11 and the police state is doing things that havent been ruled legal or illegal by the USSC. So beware and get competent legal council before implementing anything.
I do know that when I've gotten supoenas for information (logs, etc), I was instructed by language in the document not to disclose its existance. I always suspected this included informing the customer! It makes sense when you think about it - if you know your data's being inspected, you're not going to send that message about whatever illegal activity you're involved in. So authorities investigating something, even pre-9/11, don't want the subject of that investigation to know they're being looked at. I think that beyond including in your TOS that you may from time to time inspect data, etc, for system/network security and/or performance reasons, you can't inform customers every time you start looking at things. IANAL, though, so do seek competent legal counsel on the issue before implementing anything.
So authorities investigating something, even pre-9/11, don't want the subject of that investigation to know they're being looked at.
This is one of the more useful documents: http://www.usdoj.gov/criminal/cybercrime/searching.html It's what the government lawyers think the law says. It's often useful to point out to the locals that this document exists and that they need to follow it. Mark Radabaugh Amplex (419) 833-3635
participants (3)
-
blitz -
Dave Stewart -
Mark Radabaugh