Wednesday, May 30, 2007

Which ISP's Are Spying On You?

By Ryan Singel
05.30.07 2:00 AM
Wired

The few souls that attempt to read and understand website privacy policies know they are almost universally unintelligible and shot through with clever loopholes. But one of the most important policies to know is your internet service provider's -- the company that ferries all your traffic to and from the internet, from search queries to BitTorrent uploads, flirty IMs to porn.

Wired News, with help from some readers, attempted to get real answers from the largest United States-based ISPs about what information they gather on their customers' use of the internet, and how long they retain records like IP addresses, e-mail and real-time browsing activity. Most importantly, we asked what they require from law-enforcement agencies before coughing up the data, and whether they sell your data to marketers.

Only four of the eight largest ISPs responded to the 10-question survey, despite being contacted repeatedly over the course of two months. Some ISPs wouldn't talk to us, but gave answers to customers responding to a call for reader help on Wired's Threat Level blog.

Marc Rotenberg, the executive director of the Electronic Privacy Information Center, says ISPs should be more circumspect about keeping user data. Maintaining detailed data for long periods of time makes any internet company a huge target for law enforcement fishing expeditions.

"From a user perspective, the best practice would be for ISPs to delete data as soon as possible," Rotenberg said. "(The government) will treat ISPs as one-stop shops for subpoenas unless there is a solid policy on data destruction," Rotenberg said.

The Results:

AOL, AT&T, Cox and Qwest all responded to the survey, with a mix of timeliness and transparency.

But only Cox answered the question, "How long do you retain records of the IP addresses assigned to customers."

These records can be used to trace an internet posting, website visit or an e-mail back to an ISP's customers. The records are useful to police tracking down child-porn providers, and music-industry groups use them to sue file sharers. Companies have also used the records to track down anonymous posters who write unflattering comments in stock-trading boards.

Cox's answer: six months. AOL says "limited period of time," while AT&T says it varies across its internet-access offerings but that the time limits are all "within industry standards."

Comcast, EarthLink, Verizon and Time Warner didn't respond.

Some of the most sensitive information sent across an ISP's network are the URLs of the websites that people visit. This so-called clickstream data includes every URL a customer visits, including URLs from search engines, which generally include the search term.

AOL, AT&T and Cox all say they don't store these URLs at all, while Qwest dodged the question. Comcast, EarthLink, Verizon and Time Warner didn't respond.

When asked if they allow marketers to see anonymized or partially-anonymized clickstream data, AOL, AT&T and Cox said they did not, while Qwest gave a muddled answer and declined to answer a follow-up question. Comcast, EarthLink, Verizon and Time Warner didn't respond.

This question was prompted by hints at a web-data conference last March that ISPs were peddling their customer's anonymized clickstream data to web marketers. Anonymization of data such as URLs and search histories is not, however, a perfect science.

This became clear last summer when AOL employees attempted to provide the search-research community with a large body of queries that researchers could mine to improve search algorithms.

AOL researchers replaced IP addresses with different unique numbers, but news organizations quickly were able to find individuals based on the content of their queries.

Wired News also asked the companies if they have been in contact or discussions with the government about how long they should be keeping data.

The Justice Department, along with some members of Congress, are pushing for European Union-style data-retention rules that would require ISPs to store customer information for months or years -- a measure law enforcement says is necessary to prosecute computer crimes, such as trading in child pornography.

ISPs were nearly universally reluctant to talk about any conversations or meetings they have had with federal officials. AOL had no comment, Qwest dodged the question, AT&T wouldn't say, but noted it would broach the issue with the government as part of an industry-wide discussion. For its part, Cox says it has not been contacted.

As for whether they oppose data retention: Qwest said that the market should decide how long data is kept, while Cox was "studying the issue"; AOL is working with the industry and Congress, and AT&T is "ready to work with all parties."

Internet surveillance recently got easier, as the deadline passed last week for ISPs to equip their networks to federal specifications for real-time surveillance of a target's e-mails, VOIP calls and internet usage -- as well as data like IP address assignment and web URLs.

While law enforcement currently prefers to ask for stored internet records rather than get real-time surveillance, that balance may shift once the nation's networks are wired to government surveillance standards.

No comments: