nanog mailing list archives

Re: packet inspection and privacy


From: "Steven M. Bellovin" <smb () research att com>
Date: Mon, 24 Jun 2002 13:46:16 -0400


In message <200206241631.g5OGVw2q037988 () noc mainstreet net>, Mark Kent writes:

> I recently claimed that, in the USA, there is a law that prohibits an
> ISP from inspecting packets in a telecommunications network for
> anything other than traffic statistics or debugging.
>
> Was I correct?

No.  Or at least you weren't; the Patriot Act may have changed it.
(I assume you're talking about U.S. law.)

There was a quirk in the wording of the law -- what you say is correct 
for *telephone* companies, but not ISPs.


> I'd also like to get opinions on privacy policies for network
> operators.  It has been suggested that we should adopt a policy that
> says that we'll notify customers if:
> 1) we inspect traffic,
> 2) we're aware that an upstream is inspecting traffic,
> 3) we're required to inspect traffic (by anyone).
>
> Point 3) is just about the same as 1), but it does imply
> a slightly different motivation behind the inspection.

Point 3 is explicitly prohibited by U.S. wiretap law, if it's a legal, 
court-approved wiretap under either the regular wiretap statute or the 
Foreign Intelligence Surveillance Act.

Btw -- see the slides from Mark Eckenwiler's tutorial on wiretapping at 
a recent NANOG (October 2000, as I recall, and definitely in D.C.)


                --Steve Bellovin, http://www.research.att.com/~smb (me)
                http://www.wilyhacker.com ("Firewalls" book)


