Vulnerability Development mailing list archives

RE: Comcast man-in-the-middle attack - ethics


From: "Ross Lotharius" <ross () recoveredstuff com>
Date: Wed, 13 Feb 2002 15:04:03 -0500

Comcast to stop storing Web users' data

http://news.com.com/2100-1023-836727.html

-----Original Message-----
From: J Edgar Hoover [mailto:zorch () totally righteous net]
Sent: Wednesday, February 13, 2002 10:29 AM
To: vuln-dev () securityfocus com
Subject: RE: Comcast man-in-the-middle attack - ethics



http://www.washingtonpost.com/wp-dyn/articles/A2083-2002Feb12.html

http://ap.tbo.com/ap/breaking/MGAH15EEMXC.html

Comcast Tracks Web Browsing of Its 1 Million Internet Subscribers
By Ted Bridis Associated Press Writer
Published: Feb 12, 2002

WASHINGTON (AP) - Comcast Corp., the nation's third-largest cable company, has begun tracking the Web browsing activities of its 1 million high-speed Internet subscribers without notifying them.

Comcast said Tuesday the tracking of each Web page a subscriber visits was part of a technology overhaul designed to save money and improve the speed of cable Internet service to its customers and was not intended to infringe on privacy.

But technology experts cautioned that the data could be subpoenaed by law enforcement agencies or lawyers in civil cases, and they questioned whether Comcast's move reflects a more cavalier attitude toward online privacy in the aftermath of the Sept. 11 terrorist attacks.

"Once you're sitting on it, you're really inviting all kinds of requests," said David Sobel of the Washington-based Electronic Privacy Information Center. "If they can't identify a need to be collecting it, they should take the necessary steps to eliminate it."

The company that sold Comcast the technology acknowledged the cable company is collecting too much information.

"It's not needed," said Steve Russell, a vice president for Inktomi Corp. Russell said Inktomi's software also records other information from Comcast subscribers, such as passwords for Web sites and credit-card numbers under limited circumstances.

Russell discounted privacy concerns, saying engineers are using the information to improve Comcast performance.

Two of the nation's largest Internet providers, America Online and EarthLink, said they do not track the Web browsing of their combined 35 million subscribers.

"We definitely would have no interest in doing that at all," said EarthLink's chief privacy officer, Les Seagraves. "We don't want to have customer records about where they've visited."

AOL uses performance-enhancing technology, similar to that introduced by Comcast, on its network. But AOL spokesman Nicholas Graham said, "We do not track the personal Web activity of our members for privacy reasons."

Comcast spokesman Tim Fitzpatrick said Web browsing was already being recorded for its subscribers in Detroit and in parts of Delaware and Virginia, and would be extended across the nation by the end of this week.

He acknowledged customers weren't notified.

Fitzpatrick said Comcast, using the Inktomi software, is recording the numeric Internet address uniquely assigned to each subscriber, along with the Internet address of each requested Web page. Comcast stores the information for days before it's deleted, but it won't say for exactly how long.

Comcast's tracking is part of an overhaul using behind-the-scenes "proxy" computers, which funnel Web surfing through powerful, centralized computers. Customers previously could volunteer to use these proxy computers, but they are automatically activated now. The proxy computers track the most popular Web sites to determine which ones should be copied to its central computers.

Industry experts said there was no need to match Web surfing back to specific subscribers.

"I'm furious," said George Imburgia, an Internet security expert in Dover, Del., and a Comcast customer. "They're monitoring and logging everybody's activities." Imburgia compared it to the surveillance software the FBI uses: "It's an evil, Carnivore-type thing."

Outfitted with high-tech eavesdropping tools and a court order, the FBI can secretly record what a person does online - but only after agents identify the target and install monitoring equipment.

Police and the FBI are increasingly turning to computer evidence in criminal and terrorist investigations. Just last month, the FBI warned that al-Qaida members had sought information about dangerous insecticides from Internet sites. Since Sept. 11 some Internet providers have been served with warrants for subscriber information under a powerful 1978 anti-terrorism law.

AP-ES-02-12-02 1856EST




