On Tue, May 10, 2011 at 3:38 PM, Michael Holstein <michael.holstein@csuohio.edu> wrote:
http://www.wired.com/images_blogs/threatlevel/2011/05/expendibleipaddresses....
The dates in the timestamps are back in February. We deleted those logs "..in the regular course of business.." a LONG TIME AGO.
If you didn't do that, you really ought to ask yourself why.
Regards,
Michael Holstein
Information Security Administrator
Cleveland State University
In the EU you have Directive 2006/24/EC: http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=OJ:L:2006:105:0054:006...

Article 6 - Periods of retention
Member States shall ensure that the categories of data specified in Article 5 are retained for periods of not less than six months and not more than two years from the date of the communication.

Article 5 - Categories of data to be retained
1. Member States shall ensure that the following categories of data are retained under this Directive:
(a) data necessary to trace and identify the source of a communication:
(...)
the name and address of the subscriber or registered user to whom an Internet Protocol (IP) address, user ID or telephone number was allocated at the time of the communication;

Each member state creates its own law, according to the directive. In Portugal, you have to retain the data for one year.

Best Regards,
Luís Marta.
On May 10, 2011, at 11:49 AM, Michael Holstein wrote:
In the EU you have Directive 2006/24/EC:
But I'm not, and neither are most of the ISPs in the linked document.
Regards,
Michael Holstein
Information Security Administrator
Cleveland State University
In the US, I believe that CALEA requires you to have those records for 7 years.

Owen
On May 10, 2011, at 3:02:33 PM, Owen DeLong wrote:
On May 10, 2011, at 11:49 AM, Michael Holstein wrote:
In the EU you have Directive 2006/24/EC:
But I'm not, and neither are most of the ISPs in the linked document.
Regards,
Michael Holstein
Information Security Administrator
Cleveland State University
In the US, I believe that CALEA requires you to have those records for 7 years.
Source, please -- I've never heard of this, nor can I find anything like it at askcalea.com. All I've found is that you have to keep records of *interceptions*. I've also seen numerous news stories about how the FBI wants that to be added to the law, thus implying that it isn't there now. See, for example, http://news.cnet.com/8301-13578_3-10448060-38.html --Steve Bellovin, https://www.cs.columbia.edu/~smb
From: Owen DeLong <owen@delong.com> Date: Tue, 10 May 2011 12:02:33 -0700
On May 10, 2011, at 11:49 AM, Michael Holstein wrote:
In the EU you have Directive 2006/24/EC:
But I'm not, and neither are most of the ISPs in the linked document.
Regards,
Michael Holstein
Information Security Administrator
Cleveland State University
In the US, I believe that CALEA requires you to have those records for 7 years.
Owen,

Afraid not. As of this time there are no data retention requirements in CALEA. There is a proposal to add data retention to CALEA this year, but I can't even find anything indicating the legislation has been introduced. According to an article in the NY Times last fall, the FBI will be asking for several new tools in CALEA that include data retention requirements, requiring P2P software to allow intercept and requiring that providers doing encryption (e.g. Blackberry) provide the ability for the government to decrypt the data. I don't know that legislation has actually been introduced, though.

--
R. Kevin Oberman, Network Engineer
Energy Sciences Network (ESnet)
Ernest O. Lawrence Berkeley National Laboratory (Berkeley Lab)
E-mail: oberman@es.net Phone: +1 510 486-8634
Key fingerprint: 059B 2DDF 031C 9BA3 14A4 EADA 927D EBB3 987B 3751
On Tue, 10 May 2011, Owen DeLong wrote:
In the US, I believe that CALEA requires you to have those records for 7 years.
Some universities have taken the position that they do not meet the criteria for being "communications service providers" under CALEA, and therefore are not subject to the intercept and data retention requirements. Whether or not that has been tested in court yet, I don't know.

jms
In the US, I believe that CALEA requires you to have those records for 7 years.
No, it doesn't (records *of the requests* are required, but no obligation to create subscriber records exists).

Even if it did .. academic institutions are exempt (to CALEA) as private networks.*

There are various legislative attempts afoot to create one here in the US .. but none have passed.

Regards,
Michael Holstein
Information Security Administrator
Cleveland State University

(*): US Court of Appeals, District of Columbia, 50-1504.
Date: Tue, 10 May 2011 15:51:32 -0400 From: Michael Holstein <michael.holstein@csuohio.edu>
In the US, I believe that CALEA requires you to have those records for 7 years.
No, it doesn't (records *of the requests* are required, but no obligation to create subscriber records exists).
Even if it did .. academic institutions are exempt (to CALEA) as private networks.*
There are various legislative attempts afoot to create one here in the US .. but none have passed.
There is a great deal of uncertainty about the issue of academic institutions being exempt. I know that the opinion of the University of California's Counsel was that the wording in the last CALEA update a few years ago removed that exemption and a representative of the FBI, speaking on CALEA requirements, was explicit in saying that they were not exempt. (Of course, that would be the FBI's position.) In any case, get your own legal opinion about this. Don't rely on NANOG for legal advice.

--
R. Kevin Oberman, Network Engineer
Energy Sciences Network (ESnet)
Ernest O. Lawrence Berkeley National Laboratory (Berkeley Lab)
E-mail: oberman@es.net Phone: +1 510 486-8634
Key fingerprint: 059B 2DDF 031C 9BA3 14A4 EADA 927D EBB3 987B 3751
On May 10, 2011, at 3:51:32 PM, Michael Holstein wrote:
In the US, I believe that CALEA requires you to have those records for 7 years.
No, it doesn't (records *of the requests* are required, but no obligation to create subscriber records exists).
Even if it did .. academic institutions are exempt (to CALEA) as private networks.*
There are various legislative attempts afoot to create one here in the US .. but none have passed.
Regards,
Michael Holstein
Information Security Administrator
Cleveland State University
(*): US Court of Appeals, District of Columbia, 50-1504.
If I've found the right case, it was 05-1404, and published as 451 F.3d 226 (2006); see http://law.justia.com/cases/federal/appellate-courts/F3/451/226/627290/ I have no idea if it's still good law.
--Steve Bellovin, https://www.cs.columbia.edu/~smb
On Tue, May 10, 2011 at 4:31 PM, Steven Bellovin <smb@cs.columbia.edu> wrote:
If I've found the right case, it was 05-1404, and published as 451 F.3d 226 (2006); see http://law.justia.com/cases/federal/appellate-courts/F3/451/226/627290/ I have no idea if it's still good law.
According to EDUCAUSE the appellate decision was complex: http://www.educause.edu/Policy+Analysis+%26+Advocacy/PressReleases/CALEACour... This status page indicates that 'most' campus networks would be exempt: http://www.educause.edu/Resources/Browse/CALEA/30781 Definitely a case of 'talk to your lawyers' to be sure. Bill Bogstad bogstad@pobox.com
Hello, On Tue, May 10, 2011 at 4:02 PM, Owen DeLong <owen@delong.com> wrote:
In the US, I believe that CALEA requires you to have those records for 7 years.
FWIW, in Argentina there is a requirement to hold all records for a full ten years. A sweet bite for the storage folks here... regards, cl.
Luis Marta wrote on 2011-05-10:
In the EU you have Directive 2006/24/EC: http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=OJ:L:2006:105:0054:0063:EN:PDF
Article 6 - Periods of retention Member States shall ensure that the categories of data specified in Article 5 are retained for periods of not less than six months and not more than two years from the date of the communication.
Article 5 - Categories of data to be retained 1. Member States shall ensure that the following categories of data are retained under this Directive: (a) data necessary to trace and identify the source of a communication: (...) the name and address of the subscriber or registered user to whom an Internet Protocol (IP) address, user ID or telephone number was allocated at the time of the communication;
The real problem is in the stupid wording. The IP Address is not allocated to a "subscriber" or "registered user". It is handed out for use on an authorized circuit. That circuit is being paid for by someone. There is no nexus between a "circuit number" and a "subscriber" or "user" (or there should not be -- and there only is if YOU CHOOSE TO CREATE SUCH). If network operators behaved rationally, the proper response to any request to divulge information related to an IP address would be limited to the Account Number which was paying for the circuit on which the IP Address was allocated WITH NO IDENTIFICATION OF ANY INDIVIDUAL WHATSOEVER. The entire problem is being created by Network Operators who are making up answers that they cannot prove are true, and causing grief to their customers. Eventually some customer will decide to challenge the Network Operator to prove their allegations of misfeasance. The result will be that the Network Operators will lose, and lose big time. After all, it is the Network Operators who are the accusers -- not the media mafia.
Each member state creates its own law, according to the directive. In Portugal, you have to retain the data for one year.
Best Regards, Luís Marta.
---
Keith Medcalf
()  ascii ribbon campaign against html e-mail
/\  www.asciiribbon.org
In article <5f713bd4b694ac42a8bb61aa6001a82f@mail.dessus.com>, Keith Medcalf <kmedcalf@dessus.com> writes
Article 5 - Categories of data to be retained 1. Member States shall ensure that the following categories of data are retained under this Directive: (a) data necessary to trace and identify the source of a communication: (...) the name and address of the subscriber or registered user to whom an Internet Protocol (IP) address, user ID or telephone number was allocated at the time of the communication;
The real problem is in the stupid wording. The IP Address is not allocated to a "subscriber" or "registered user". It is handed out for use on an authorized circuit. That circuit is being paid for by someone. There is no nexus between a "circuit number" and a "subscriber" or "user" (or there should not be -- and there only is if YOU CHOOSE TO CREATE SUCH).
While there's an argument that the circuit number doesn't identify the user, it most certainly identifies the Subscriber, who is the person who has the legal contract for supply of the circuit.
If network operators behaved rationally, the proper response to any request to divulge information related to an IP address would be limited to the Account Number which was paying for the circuit on which the IP Address was allocated WITH NO IDENTIFICATION OF ANY INDIVIDUAL WHATSOEVER.
So you'd give out the bank/credit card number, but not the name? The legislation above asks for the name and address, and in many jurisdictions revealing the credit card number or bank account number would be regarded as *more* intrusive, not less. -- Roland Perry