Slyck.com
 
Slyck Chatbox - And More

ISPs Now Spying on Users

Discuss Slyck's latest news
Forum rules
PLEASE READ BEFORE POSTING: Slyck Forum Rules

ISPs Now Spying on Users

Postby Nick » Fri Nov 04, 2005 1:01 pm

As governments all over the world step up the pressure for internet surveillance, we lift the lid on the shady world of ISP enforcment and uncover the international pressures that will be forcing them to work with police and mysterious other bodies.

The regulation of ISPs in the UK was originally a matter for a voluntary <a href=http://news.zdnet.co.uk/internet/0,39020369,2124371,00.htm >Code of Practice</a>, established back in 2003 presumably as a mechanism to allow the <a href=http://duncan.gn.apc.org/echelon-dc.htm >Echelon</a> eavesdropping project time to catch up with intensifying internet usage.

It included a requirement for ISPs to maintain comprehensive records of customer activities for 12 months, with the stark warning that if ISPs refused to comply, then the law would be changed and they would be forced to. Hardly voluntary, one might say. The rationale of the time was to help law enforcers stay ahead of the game when tracing pedophiles and their ilk.

That was back in 2003, and the EU now plans to <a href=http://www.telegraph.co.uk/news/main.jhtml?xml=/news/2005/10/07/weu07.xml&sSheet=/news/2005/10/07/ixworld.html[/>compel</a> all ISPs throughout Europe to keep records of internet activity for 12 months, with telephone records being retained for "at least" 6 months. Their rationale as we approach 2006? To actively pursue terrorist activity and aid “other law enforcement agencies”. Either pedophiles have ceased to exist or they felt it suited their political agenda to milk the threat of terrorism.

An unidentified UK ISP Blueyonder employee let slip to one of our readers that they routinely receive lists of IP addresses that are to be monitored for various “law enforcement” purposes, and that the resultant data was processed and provided to those requesting it. According to the information received, the Business Software Alliance and the BPI are amongst many requesting such information, although requests for any data identifying their clients go unanswered. Obviously if this is the case, it is likely to alter dramatically with the introduction of planned new legislation. They will simply have to comply.

Slyck decided to ask John Moorwood Senior Public Relations Manager of Telewest - who are the owners of the hugely popular Blueyonder ISP. John refused to enter any discussion on their use of spidering techniques of the kind reported to us, neither confirming nor denying our report, simply saying that <i>“It is safe to assume that we do (so) as part of our overview of the network, to analyze trends and usage, but I'm not prepared to discuss and risk compromising our formal law enforcement policies"</i>

This is of course a perfectly valid point, and so we asked him what exactly constituted a law enforcement agency. For example, did he agree that the BPI qualified as such, to which he responded <i>" If it's a criminal issue, such as commercial piracy, then the police would initiate the formal request for identifying or personal data but we still require a court order"</i>

We then asked if they had been called upon to collate or provide data regarding accesses by users to specific web sites or IP addresses? John explained <i> “We may be asked by a third party, using a court order, to verify the identity of a user, based on the third party's information and evidence” </i>, going on to add <i> “That evidence may have been obtained by the third party using 'honeypots' or news group posting headers, etc. We ourselves do not specifically collate data on users' behavior, although we do inadvertently collect some information due to day-to-day running of operational systems such as web caches.”</i>.

We went on to ask if they had collated data on the basis of specific internet activity (e.g. file transfers, ftp P2P, etc). John replied </i>“We are constantly evaluating all forms of capacity planning systems, including some that could identify specific application traffic types, but we have never implemented such a system”</i>

Accepting the need for capacity planning, we were curious why they are evaluating new systems giving their merger with NTL and talk of <a href=http://www.timesonline.co.uk/article/0,,2095-1827491,00.html >takeover</a> bids? Surely this was time for rationalisation, and not expansion? Sensing that perhaps John was not giving us the full picture, we tried to press him on his peculiar choice of words such as “We <i>ourselves</i> do not <i>specifically</i> collate data on users' behavior”. He refused to be drawn, saying <i>"I can't say either way, that's a matter of internal security policy and I'm neither agreeing nor denying”</i>

When asked how his organization handled requests for further information (e.g. identification) regarding any specific user and how such information was used, John replied <i> “Like any responsible ISP, we have our own abuse department to handle notifications of abusive behavior from our network. In the vast majority of cases these are found to originate as a consequence of <a href=http://business.timesonline.co.uk/article/0,,9076-1606324,00.html>'zombied PCs'</a>, rather than any malicious intent by a user.

In the case of third party requests for identification, such as from the police and other government bodies, who have the power to require us to disclose this type of information under certain circumstances, we will comply with any legal obligations…. Occasionally we also receive requests to identify users from third parties who wish to pursue civil claims (e.g. in relation to copyright infringement). In these cases, it is also necessary for the party to obtain a court order requiring”. </i>

We are obviously extremely grateful to John Moorwood of Telewest/Blueyonder for his help, as far as he felt able to go. Unfortunately this doesn’t shed much light on the changes that are being planned under new EU data retention legislation, neither did it tell us who these "other government bodies" were, although it suggests an underlying capability and willingness to comply with these requirements. Remember, ISP cooperation has only been a voluntary issue up until the present time, and this is set to change dramatically.

Quite clearly the ISPs know which side their bread is buttered, and in recognition of the fact that people generally want greater bandwidth for downloading purposes (60% of all internet traffic is for filesharing, according to Cachelogic and Big Champagne) they are perfectly happy for their customers to continue to use their services and watch their revenue grow. After all, unused bandwidth is absolutely no use to an ISP, it is simply dead money.

BT (generally known as British Telecom), the UK communications giant, were characteristically taciturn about all this when approached. Ian Read of their Press Office refusing to comment openly on what he described as “an enforcement debate” and in contrast with the extremely helpful staff at Blueyonder, emails and messages to BT's Jon Carter were left unanswered at the time of writing.

Other sources within BT have suggested that they are already well prepared for mandatory requirements of the sort being planned by the EU, explaining that they use similar if not identical technology to other ISPs and already consider themselves well placed to comply with requests such as those from “the police and <i>other government bodies</i>” to paraphrase Blueyonder’s John Moorwood.

When asked how that would be possible given current data protection legislation, our informant chillingly told us that such arrangements were already in place. He said that a “unique identifier” would be assigned to all those listed, and only the ISP itself would know exactly who that referred to. Any subpoena issued against them, forcing them to identify the individual concerned, would refer to the user only by that unique number until the court ordered that their identity was revealed.

The fact that this has been given such detailed thought must be of concern to all UK filesharers, for example, just who are these “other government bodies” that people keep referring to? If they do not <i>themselves</i> collate data on users' behavior, then who does? It seems quite likely that both this practice and this means of circumventing data protection laws are on the verge of widespread adoption, both in the UK and almost certainly everywhere before much longer.

With 60% of internet traffic being used for filesharing, it would be wise to anticipate proportionate enforcement effort. At no time since the birth of the Internet has our freedom been under a greater threat than it is today.

<i>The writer acknowledges the invaluable cooperation of Telewest/Blueyonder and the assistance of Slyck member, Graphix, in contributing information for use in this article. </i>
Nick
 
Posts: 3840
Joined: Sun Jan 30, 2005 7:38 am

Postby LANjackal » Fri Nov 04, 2005 1:28 pm

Great article, Nick :). Thanks.
Follow me around the internet!
[Windows 7 Pro x64 (Primary OS)
User avatar
LANjackal
 
Posts: 5895
Joined: Thu Feb 26, 2004 1:58 pm
Location: Various networks. In the physical world I'm an adaptive AI that pretends to be human

Postby eAi » Fri Nov 04, 2005 1:41 pm

Good article!
eAi
 
Posts: 79
Joined: Mon Jan 03, 2005 11:44 am

Postby bluestate american » Fri Nov 04, 2005 1:48 pm

Can anyone speak to the current state of ISP monitoring in the US? I'm sure its not better, given the PATRIOT Act, etc.

I know they'll turn over users names if IP's are provided by *AA lackey's - but does it require a subpoena or other legal mechanism?

Does anyone know if US ISPs have the capacity or desire to monitor the majority of their users or if there is legislation (as in the EU) requiring them to retain everything for a period of time?
"If anybody needs me, I'll be in the clock tower"

- Wooldoor Sockbat
User avatar
bluestate american
 
Posts: 192
Joined: Thu Oct 06, 2005 7:58 pm
Location: 1st quadrant of the US

Postby locotus » Fri Nov 04, 2005 1:53 pm

And, any similarity to "The Matrix", is purely coincidential.
locotus
 
Posts: 125
Joined: Fri Apr 09, 2004 2:54 pm

Postby Nick » Fri Nov 04, 2005 1:54 pm

Thanks for the kind remarks ;-)

Shame BT couldn't get their act together, leaving us to rely on less official sources within their organisation. Jon Carter probably though golf more important :lol:

As far as I understand, the US government is pushing hard for the retention of data under the Patroit Act. There was a sucessful challenge, and it was going to appeal. However I can't find out the latest on this

http://www.wired.com/news/privacy/0,1848,67674,00.html
Nick
 
Posts: 3840
Joined: Sun Jan 30, 2005 7:38 am

Postby irish » Fri Nov 04, 2005 2:09 pm

Excellent article Nick and Graphix. I'll have a look around here in the Spanish press and online to see what this means for isp's here.
User avatar
irish
 
Posts: 1830
Joined: Tue Feb 15, 2005 5:03 pm
Location: Na hOileain Chanaracha

Postby GraphiX » Fri Nov 04, 2005 2:27 pm

thank you Nick for running this article
much appreciated... i gotta say you have not half
taken some time over this one :)

no worries guys we'll since it was a cable
tech/engineer who's told me all i need to know
i feel alot better about "downloading" now.

at the end of the day what else do they think
we want fast braudband for???? lol

downloading pretty lil pictures of flowers faster?
i think not.

as long as these company's keep increasing bandwith
then we are going to use that service to download.

it's as simple as that. AOL/BT/CABLE all advertise use our service to download movies, games and music faster than other competitors we'll im doing exactly what they are advertising :)
GraphiX
 
Posts: 922
Joined: Sun Jun 12, 2005 7:19 pm

Postby zbeast » Fri Nov 04, 2005 2:40 pm

I dont like it but today surveillance is everywhere.

Your credit card is a tracking device.
All any goverment agency has to do is make a simple
request and when and where your credit card is being used can be transmitted to them in real time.

Use a credit card at walmart. When you use that card
a photograph is taken of the presenter.

Your at the airport all video camaras are active and being recored 24-7 leave a package sitting around.
Software automaticly detects that something is there.
that was not there befor.

Mail a package at the post office a photograph is taken of you.

The one good thing about the internet is the volume of connection and the overwhelming amount of data.

Voip because of the lack of central server datapath
remains one of the hold outs in the I know what your doing space.
zbeast
 
Posts: 6783
Joined: Thu Apr 01, 2004 5:20 pm
Location: Behind that itch. yes, that one right there.

Postby Nick » Fri Nov 04, 2005 2:46 pm

Thanks Irish ;-)

@Graphix: (check your pms) Having seen the original rough draft, and comparing with what is now said, I think you probably appreciate just how much extra research sometimes has to go into these things. This article has drained me over the past 48 hours!

But thanks to your input, and thanks to John from Blueyonder we've been able to get what amounts to official confirmation about what goes on behind the scenes.

The worry is that it will soon change if the terrorism obsessed governments of the world get their way.

It's a crazy old world when, despite the horror and fear terrorism generates, it probably accounts for less than 1% of our problems. Yet seems to occupy governments about 90% of the time. I wonder if the loss of our collective rights and freedoms are too high a price to pay, and we just play into the hands of the terrorists by reacting in this way.

Just a personal thought, not aimed at anyone, and not intending to steer this thread.
Nick
 
Posts: 3840
Joined: Sun Jan 30, 2005 7:38 am

Postby jetiants-tk-user » Fri Nov 04, 2005 2:51 pm

if p2p applications use end-to-end encryption ,then the isp is excluded on spying users. Mute has no e2e. but ants has, e.g.. Others 2generation applications maybe as well like filetopia ???
jetiants-tk-user
 
Posts: 133
Joined: Thu Jan 13, 2005 12:38 pm

Postby Christopher » Fri Nov 04, 2005 3:14 pm

zbeast wrote:I dont like it but today surveillance is everywhere.

Your credit card is a tracking device.
All any goverment agency has to do is make a simple
request and when and where your credit card is being used can be transmitted to them in real time.

Use a credit card at walmart. When you use that card
a photograph is taken of the presenter.

Your at the airport all video camaras are active and being recored 24-7 leave a package sitting around.
Software automaticly detects that something is there.
that was not there befor.

Mail a package at the post office a photograph is taken of you.

The one good thing about the internet is the volume of connection and the overwhelming amount of data.

Voip because of the lack of central server datapath
remains one of the hold outs in the I know what your doing space.


You're kidding about the Walmart thing, aren't you? I have heard about this before on news networks other than Slyck, and have asked the people who run our local Walmart, who say it is not true. They do have cameras placed around the store to try and catch shoplifters, but they do not have them specifically trained on your face when you are checking out.

And that software that tracks if something was there that wasn't before at the airports is a load of junk. I have read so many articles in security magazines saying that it can be fooled in so many ways, that it isn't even funny. On another point, most of the bombings are done by people who have the bomb strapped to their bodies or in a suitcase, or are working as baggage handlers. All they have to do is put it onto the baggage pickup, and BOOOOOOM! Everyone around said baggage pickup is dead.

Also, governments CANNOT just request your credit card reciepts. They have to have a court order from a judge before they can get your credit card report. This is coming straight from my boss, who is a lawyer and has been for nearly 30 years, they have to have a court order from a judge. They can REQUEST that the credit card company turn over your records without a court order, but they would then be in trouble for violating your right to privacy.

In the United States, there is no camera taking pictures of you at a post office. That is just rampant rumermongering, the United States Postal Service has already stated in the paper that there are no cameras taking pictures of you when you mail letters, or drop off packages inside the post office.

In order to get telephone records in the United States, the government and police have to get a search warrant. It might be different in the UK and Europe, but here they have to get a court order. Of course, just like credit card companies, they can ASK for the records, but you can then sue the company for violation of privacy if they give them to the police or anyone else.
I am not as stupid or naive as people would like to believe I am.
Christopher
 
Posts: 829
Joined: Sun Mar 27, 2005 9:43 am

Postby fernandose » Fri Nov 04, 2005 4:06 pm

sorry to move away from discussion, but have to say a what a brillaint article by nick. good job!

got a shock when they mentioned about newsgroup headers :shock:
User avatar
fernandose
 
Posts: 416
Joined: Fri Dec 03, 2004 8:02 pm
Location: England - South East!

Postby IceCube » Fri Nov 04, 2005 4:20 pm

Hmmm, almost sounds like it was a good idea not to get into newsgroups, but I know LX will have a fit over me saying that :lol:

Only one possibility that security would be compromised on newsgroups, so they are still probably the safest and most reliable way to go today from what I can gather.
User avatar
IceCube
 
Posts: 17079
Joined: Tue Jun 14, 2005 5:31 pm
Location: Igloo Country?

Postby LxBeast » Fri Nov 04, 2005 4:33 pm

IceCube wrote:Hmmm, almost sounds like it was a good idea not to get into newsgroups, but I know LX will have a fit over me saying that :lol:


As long as downloading for personal use remains legal, I will keep bitchin'. :P

Anyway, another awesome article Nick! :D

According to the information received, the Business Software Alliance and the BPI are amongst many requesting such information


Lovely, nice to know they care about what I get up to. :)
LxBeast
 

Postby bitz » Fri Nov 04, 2005 5:14 pm

Looks like the uk will likely be one of the first areas with internet users migrating on mass to the i2p network. :shock:

Soon afterwards would be users in the us.

Of course it is completely up to the users, they have the choice to migrate or not.

Like kazaa, many people will stubbornly remain behind and put up with being logged and spied on.
bitz
 
Posts: 237
Joined: Sat Dec 18, 2004 6:40 pm

Postby napho » Fri Nov 04, 2005 5:44 pm

fernandose wrote:
got a shock when they mentioned about newsgroup headers :shock:




I sense an overwhelming guilt in you. Think of all the unsuspecting noobies that you've enticed into Usenet. Fernandose's Honeypot perhaps? It might not be a coincidence that all of a sudden you've bought a Jaguar XK, not to mention your 20 room house in the country just outside of London. :evil: :wink:
User avatar
napho
 
Posts: 497
Joined: Wed Jun 11, 2003 3:31 am
Location: The Great White North

Postby Anonymous » Fri Nov 04, 2005 5:50 pm

zbeast wrote:I dont like it but today surveillance is everywhere.

Your credit card is a tracking device.
All any goverment agency has to do is make a simple
request and when and where your credit card is being used can be transmitted to them in real time.


You forgot the most obvious tracking device.

Your cell phone.

They use them to assasinate people in Afghanistan and Iraq. Locate the phone and send a missile at it.
Anonymous
 

Postby Nick » Fri Nov 04, 2005 7:31 pm

The quotes in the article were mostly taken from answers to written questions, and you can be sure on the accuracy throughout, including the comments regarding newsgroups.

I travel quite a bit, so I'll have to think about the UK security specifc issues. My first thoughts are:

1. They know you're in the country or where you are from your passport
2. They know what you're earning in the UK from either tax or national insurance data (more reliable, as they collect 6.75% on gross)
3. They know what you owe from credit checks and where you spend (from credit checks and loyalty cards)
4. They know the value of where you live from national records (provided to land registry when you buy your property by your solicitor)
5. They know what car you drive (DVLA records in UK)
6. They know if you're taxed, insured and roadworthy
7. They sometimes take cam shots at atms
8. They always take cam shots at airports
9. They know where you are from credit card usage
10. They can check your emails and browsing habits through Echelon & ISP
11. They can eavesdrop on your calls through Echelon
12. They can access your mobile (cellphone) records and know where you are from cell access
13. They have your health records
14. They have your criminal file (everyone has one, even if it says nothing known it still has your date of birth and address)
15. They have your school/college/uni records
16. If you've been stopped for questioning under arrest in the past 2 years they have our DNA
17. If you've been caught speeding, they probably have a photo of you and your car
18. They know where you've been (passport/immigration)
19. They know who you live with (voting register)
20. They know who you've married or divorced and your kid's names (from registry of births, deaths and marriages)

Shit, how much more information could they possibly want or need?
Nick
 
Posts: 3840
Joined: Sun Jan 30, 2005 7:38 am

Postby Exothermicus » Fri Nov 04, 2005 9:16 pm

jetiants-tk-user wrote:if p2p applications use end-to-end encryption ,then the isp is excluded on spying users. Mute has no e2e. but ants has, e.g.. Others 2generation applications maybe as well like filetopia ???

Encryption will only prevent them from seeing what is being transfered, they will still have a history of IP addresses. Even if a proxy is used, if they have captured data from you and the target site, the encrypted packets can be matched to prove it was data originating at your Ip that ultamatly wound up at the end server.

The only way around this would be to have a proxy system where the connection into the proxy is separately encypted from the packets being sent to the end server. Even then your IP would not be safe if the end server is compromosed.

Exo
User avatar
Exothermicus
 
Posts: 587
Joined: Sun Jun 29, 2003 3:04 pm

Postby OddballLN » Fri Nov 04, 2005 9:22 pm

I am not surprised to hear that the UK has the ability to know everything about its citizens in seconds. All anyone has to do is to see the footage of the London Bombings in July to see that surveillance is everywhere and it is no secret. As far as the US, the Patriot act is just one step away from total martial law. Warrants and court orders are not needed if someone is suspected of terrorism. The US Patriot act virtually threw out the entire bill of rights in one piece of legislation, and has not been held up to constitutional scrutiny. I suspect that should it ever get challenged that it would fail constitutional muster. “It is easier to understand the death of one than the death of a million.” Surveillance is every where, but who is watching the watchers? As far as Wal-mart, they have tape of EVERYONE from the time they pull into the parking lot till the time they leave. But this is true with every major chain store since 1990. They do it in an attempt to reduce fraud and theft. Under that guise, you can follow any one anywhere. If you have one of the many cell phones on the market, you can be tracked as long as it is on, not just during the call. The ultimate goal of any government is to control its citizens. Your financial transactions, except for cash, can be tracked very easily but any one with access, like your bank, apartment owner, utilities, insurance company, law enforcement, and employers, all without a warrant. The more people are afraid of the Bin Laden boogie man, the more the governments will watch its citizens and take away rights. ISPs have had the ability for years to track what you are doing on the net all of the time. There are ways to track all the way down to keystrokes on any computer at any time. This is nothing new. The technique has been around since the 50’s in one form or another. Technology has just made things easier to track.
Just food for thought.
So Who REALLY Won the Cold War?
User avatar
OddballLN
 
Posts: 84
Joined: Fri May 13, 2005 7:32 pm
Location: Soviet States of Amerika (USA)

Postby vtwin0001 » Sat Nov 05, 2005 12:51 am

Sure, your ISP can see that you are transferring data... back and forth, but if its encrypted, that is as far as they go, they cannot unencrypt it and see what there is (becasue it illegal and impossible, due to the fact that to unencrypt a 128 bit or better encryprion key, will take years if not decades)

I'll go for the encryption option..... :D

...using newsgroups is even better, they wont see too much movement (for one peer to another), so I guess this wont damage ppl)

Just my thoughts....
Did you know that Pulp Fiction cost $8 million to make - $5 million going to actor's salaries?
vtwin0001
 
Posts: 389
Joined: Thu May 26, 2005 3:47 pm

Postby Dog » Sat Nov 05, 2005 12:52 am

Screw US laws and Bush. Sorry for being off subject with the Bush thing but anyways, great job Nick :wink:
    Home Build (Specs Below) -and- HP Pavilion dv7-1270us
    Windows 7 RTM x64 Ultimate BOTH Machines
    AMD Athlon 64 3200+ 2.2GHz Venice - ECS 755-A2 socket 754 mobo
    XFX PVT73AUDE3 7600GT XXX edition AGP - ASUS VH222H connected through DVI/laptop HDMI
    Seagate 250GB SATA 1.5Gbps drive - WD GreenPower 500GB 5400RPM drive pulled from My Book Essential
User avatar
Dog
 
Posts: 574
Joined: Mon Oct 03, 2005 2:21 pm
Location: Hollyhood

Postby Psisquared » Sat Nov 05, 2005 2:10 am

Where are the companies going to store all this data. The one-year traffic data for every man, woman, and child on the interne tand telephone is in the shitloadabyte range.
The quick brown fox jumps over a lazy dog.
User avatar
Psisquared
 
Posts: 320
Joined: Sat Jun 19, 2004 11:36 am
Location: Impossible to ascertain due to uncertainty principle

Postby MrFredPFL » Sat Nov 05, 2005 9:50 am

Psisquared wrote:Where are the companies going to store all this data. The one-year traffic data for every man, woman, and child on the interne tand telephone is in the shitloadabyte range.


amidst all the shouts of "The sky is falling" it's nice to see a calm, rational perspective ;)

i am not trying to downplay the potential issues here - but i prefer to not see them exaggerated either. i'm kinda surprised that this is the first time anyone has mentioned the herculean proportions of the task of cacheing a year's worth of traffic.
User avatar
MrFredPFL
 
Posts: 15320
Joined: Wed Aug 17, 2005 4:48 pm

Next

Return to Slyck News

Who is online

Users browsing this forum: No registered users and 3 guests

cron
© 2001-2008 Slyck.com