nanog mailing list archives

Re: ISP CALEA compliance


From: "Steven M. Bellovin" <smb () cs columbia edu>
Date: Fri, 11 May 2007 17:05:20 -0400


On Fri, 11 May 2007 12:47:56 -0700 (GMT-07:00)
Todd Glassey <tglassey () earthlink net> wrote:

Gee Steven, that's what everyone thought prior to a Federal Judge
ordering Microsoft to produce seven years of Email...


We're getting off-topic here, but I'll respond.

First -- the context of the conversation is wiretap law, including the
stored communications and customer records provisions.  This covers
what communications providers do for their customers, not internal
emails.

Second:

        (a) The judge's order was for a civil lawsuit, under
        discovery procedures;

        (b) The order was for records that they apparently had.
        If Microsoft had had and enforced a policy, prior to that
        lawsuit, of not retaining internal email older than 30
        days, they'd have been in the clear.  Microsoft got in
        trouble because the judge believed they were not complying
        with his order to turn over data he believed they had,
        either deliberately or by not exerting sufficient effort;

        (c) you may have business reasons to retain certain records
        for longer, including the requirements of external auditors.
        For example, if you do usage-sensitive billing, you may
        need to retain certain records for a while so that your
        accounting firm can verify that your financial records
        accurately reflect actual customer behavior.

        (d) What doesn't exist can't be subpoenaed; what does exist,
        in general, can be, subject to other specialized exceptions
        (i.e., attorney work product)

Third -- that isn't what I'm talking about.  Please see, among others,

        http://news.com.com/Gonzales+pressures+ISPs+on+data+retention/2100-1028_3-6077654.html
        http://www.theregister.co.uk/2006/09/20/gonzales_calls_for_data_retention/
        http://news.com.com/2100-1028_3-6156948.html

Note especially that last one, since it's only 3 months old and provides
for jail time for "employees of any Internet provider who fail to store
that information", and not just fines for the company.

I've tried hard to keep this discussion factual, with copious
references. But I think I've run out of things to say that are even
vaguely on-topic, so I'll shut up.


                --Steve Bellovin, http://www.cs.columbia.edu/~smb

