[Infowarrior] - Which ISPs Are Spying on You?

Wed May 30 14:30:49 UTC 2007

Which ISPs Are Spying on You?
Ryan Singel Email 05.30.07 | 2:00 AM
http://www.wired.com/politics/onlinerights/news/2007/05/isp_privacy

The few souls that attempt to read and understand website privacy policies
know they are almost universally unintelligible and shot through with clever
loopholes. But one of the most important policies to know is your internet
service provider's -- the company that ferries all your traffic to and from
the internet, from search queries to BitTorrent uploads, flirty IMs to porn.

Wired News, with help from some readers, attempted to get real answers from
the largest United States-based ISPs about what information they gather on
their customers' use of the internet, and how long they retain records like
IP addresses, e-mail and real-time browsing activity. Most importantly, we
asked what they require from law-enforcement agencies before coughing up the
data, and whether they sell your data to marketers.

Only four of the eight largest ISPs responded to the 10-question survey,
despite being contacted repeatedly over the course of two months. Some ISPs
wouldn't talk to us, but gave answers to customers responding to a call for
reader help on Wired's Threat Level blog.

Marc Rotenberg, the executive director of the Electronic Privacy Information
Center, says ISPs should be more circumspect about keeping user data.
Maintaining detailed data for long periods of time makes any internet
company a huge target for law enforcement fishing expeditions.

"From a user perspective, the best practice would be for ISPs to delete data
as soon as possible," Rotenberg said. "(The government) will treat ISPs as
one-stop shops for subpoenas unless there is a solid policy on data
destruction," Rotenberg said.

The results:

AOL, AT&T, Cox and Qwest all responded to the survey, with a mix of
timeliness and transparency.

But only Cox answered the question, "How long do you retain records of the
IP addresses assigned to customers."

These records can be used to trace an internet posting, website visit or an
e-mail back to an ISP's customers. The records are useful to police tracking
down child-porn providers, and music-industry groups use them to sue file
sharers. Companies have also used the records to track down anonymous
posters who write unflattering comments in stock-trading boards.

Cox's answer: six months. AOL says "limited period of time," while AT&T says
it varies across its internet-access offerings but that the time limits are
all "within industry standards."

Comcast, EarthLink, Verizon and Time Warner didn't respond.

Some of the most sensitive information sent across an ISP's network are the
URLs of the websites that people visit. This so-called clickstream data
includes every URL a customer visits, including URLs from search engines,
which generally include the search term.

AOL, AT&T and Cox all say they don't store these URLs at all, while Qwest
dodged the question. Comcast, EarthLink, Verizon and Time Warner didn't
respond.

When asked if they allow marketers to see anonymized or partially-anonymized
clickstream data, AOL, AT&T and Cox said they did not, while Qwest gave a
muddled answer and declined to answer a follow-up question. Comcast,
EarthLink, Verizon and Time Warner didn't respond.

This question was prompted by hints at a web-data conference last March that
ISPs were peddling their customer's anonymized clickstream data to web
marketers. Anonymization of data such as URLs and search histories is not,
however, a perfect science. This became clear last summer when AOL employees
attempted to provide the search-research community with a large body of
queries that researchers could mine to improve search algorithms. AOL
researchers replaced IP addresses with different unique numbers, but news
organizations quickly were able to find individuals based on the content of
their queries.

Wired News also asked the companies if they have been in contact or
discussions with the government about how long they should be keeping data.
The Justice Department, along with some members of Congress, are pushing for
European Union-style data-retention rules that would require ISPs to store
customer information for months or years -- a measure law enforcement says
is necessary to prosecute computer crimes, such as trading in child
pornography.

ISPs were nearly universally reluctant to talk about any conversations or
meetings they have had with federal officials. AOL had no comment, Qwest
dodged the question, AT&T wouldn't say, but noted it would broach the issue
with the government as part of an industry-wide discussion. For its part,
Cox says it has not been contacted.

As for whether they oppose data retention: Qwest said that the market should
decide how long data is kept, while Cox was "studying the issue"; AOL is
working with the industry and Congress, and AT&T is "ready to work with all
parties."

Internet surveillance recently got easier, as the deadline passed last week
for ISPs to equip their networks to federal specifications for real-time
surveillance of a target's e-mails, VOIP calls and internet usage -- as well
as data like IP address assignment and web URLs. While law enforcement
currently prefers to ask for stored internet records rather than get
real-time surveillance, that balance may shift once the nation's networks
are wired to government surveillance standards.