[49107] in North American Network Operators' Group
Re: packet inspection and privacy
daemon@ATHENA.MIT.EDU (Steven M. Bellovin)
Mon Jun 24 21:14:32 2002
From: "Steven M. Bellovin" <smb@research.att.com>
To: Mark Kent <mark@noc.mainstreet.net>
Cc: nanog@merit.edu
Date: Mon, 24 Jun 2002 13:46:16 -0400
In message <200206241631.g5OGVw2q037988@noc.mainstreet.net>, Mark Kent writes:
>
>I recently claimed that, in the USA, there is a law that prohibits an
>ISP from inspecting packets in a telecommunications network for
>anything other than traffic statistics or debugging.
>
>Was I correct?

No. Or at least you weren't; the Patriot Act may have changed it.
(I assume you're talking about U.S. law.)

There was a quirk in the wording of the law -- what you say is correct
for *telephone* companies, but not ISPs.

>
>I'd also like to get opinions on privacy policies for network
>operators. It has been suggested that we should adopt a policy that
>says that we'll notify customers if:
>1) we inspect traffic,
>2) we're aware that an upstream is inspecting traffic,
>3) we're required to inspect traffic (by anyone).
>
>Point 3) is just about the same as 1), but it does imply
>a slightly different motivation behind the inspection.

Point 3 is explicitly prohibited by U.S. wiretap law, if it's a legal,
court-approved wiretap under either the regular wiretap statute or the
Foreign Intelligence Surveillance Act.

Btw -- see the slides from Mark Eckenwiler's tutorial on wiretapping at
a recent NANOG (October 2000, as I recall, and definitely in D.C.)

--Steve Bellovin, http://www.research.att.com/~smb (me)
http://www.wilyhacker.com ("Firewalls" book)