[news=http://www.slyck.com/newspics/spy2.jpg]As governments all over the world step up the pressure for internet surveillance, we lift the lid on the shady world of ISP enforcment and uncover the international pressures that will be forcing them to work with police and mysterious other bodies.
The regulation of ISPs in the UK was originally a matter for a voluntary Code of Practice, established back in 2003 presumably as a mechanism to allow the Echelon eavesdropping project time to catch up with intensifying internet usage.
It included a requirement for ISPs to maintain comprehensive records of customer activities for 12 months, with the stark warning that if ISPs refused to comply, then the law would be changed and they would be forced to. Hardly voluntary, one might say. The rationale of the time was to help law enforcers stay ahead of the game when tracing pedophiles and their ilk.
That was back in 2003, and the EU now plans to compel all ISPs throughout Europe to keep records of internet activity for 12 months, with telephone records being retained for "at least" 6 months. Their rationale as we approach 2006? To actively pursue terrorist activity and aid “other law enforcement agencies”. Either pedophiles have ceased to exist or they felt it suited their political agenda to milk the threat of terrorism.
An unidentified UK ISP Blueyonder employee let slip to one of our readers that they routinely receive lists of IP addresses that are to be monitored for various “law enforcement” purposes, and that the resultant data was processed and provided to those requesting it. According to the information received, the Business Software Alliance and the BPI are amongst many requesting such information, although requests for any data identifying their clients go unanswered. Obviously if this is the case, it is likely to alter dramatically with the introduction of planned new legislation. They will simply have to comply.
Slyck decided to ask John Moorwood Senior Public Relations Manager of Telewest - who are the owners of the hugely popular Blueyonder ISP. John refused to enter any discussion on their use of spidering techniques of the kind reported to us, neither confirming nor denying our report, simply saying that “It is safe to assume that we do (so) as part of our overview of the network, to analyze trends and usage, but I'm not prepared to discuss and risk compromising our formal law enforcement policies"
This is of course a perfectly valid point, and so we asked him what exactly constituted a law enforcement agency. For example, did he agree that the BPI qualified as such, to which he responded " If it's a criminal issue, such as commercial piracy, then the police would initiate the formal request for identifying or personal data but we still require a court order"
We then asked if they had been called upon to collate or provide data regarding accesses by users to specific web sites or IP addresses? John explained “We may be asked by a third party, using a court order, to verify the identity of a user, based on the third party's information and evidence” , going on to add “That evidence may have been obtained by the third party using 'honeypots' or news group posting headers, etc. We ourselves do not specifically collate data on users' behavior, although we do inadvertently collect some information due to day-to-day running of operational systems such as web caches.”.
We went on to ask if they had collated data on the basis of specific internet activity (e.g. file transfers, ftp P2P, etc). John replied </I>“We are constantly evaluating all forms of capacity planning systems, including some that could identify specific application traffic types, but we have never implemented such a system”</I>
Accepting the need for capacity planning, we were curious why they are evaluating new systems giving their merger with NTL and talk of takeover bids? Surely this was time for rationalisation, and not expansion? Sensing that perhaps John was not giving us the full picture, we tried to press him on his peculiar choice of words such as “We ourselves do not specifically collate data on users' behavior”. He refused to be drawn, saying "I can't say either way, that's a matter of internal security policy and I'm neither agreeing nor denying”
When asked how his organization handled requests for further information (e.g. identification) regarding any specific user and how such information was used, John replied “Like any responsible ISP, we have our own abuse department to handle notifications of abusive behavior from our network. In the vast majority of cases these are found to originate as a consequence of 'zombied PCs', rather than any malicious intent by a user.
In the case of third party requests for identification, such as from the police and other government bodies, who have the power to require us to disclose this type of information under certain circumstances, we will comply with any legal obligations…. Occasionally we also receive requests to identify users from third parties who wish to pursue civil claims (e.g. in relation to copyright infringement). In these cases, it is also necessary for the party to obtain a court order requiring”.
We are obviously extremely grateful to John Moorwood of Telewest/Blueyonder for his help, as far as he felt able to go. Unfortunately this doesn’t shed much light on the changes that are being planned under new EU data retention legislation, neither did it tell us who these "other government bodies" were, although it suggests an underlying capability and willingness to comply with these requirements. Remember, ISP cooperation has only been a voluntary issue up until the present time, and this is set to change dramatically.
Quite clearly the ISPs know which side their bread is buttered, and in recognition of the fact that people generally want greater bandwidth for downloading purposes (60% of all internet traffic is for filesharing, according to Cachelogic and Big Champagne) they are perfectly happy for their customers to continue to use their services and watch their revenue grow. After all, unused bandwidth is absolutely no use to an ISP, it is simply dead money.
BT (generally known as British Telecom), the UK communications giant, were characteristically taciturn about all this when approached. Ian Read of their Press Office refusing to comment openly on what he described as “an enforcement debate” and in contrast with the extremely helpful staff at Blueyonder, emails and messages to BT's Jon Carter were left unanswered at the time of writing.
Other sources within BT have suggested that they are already well prepared for mandatory requirements of the sort being planned by the EU, explaining that they use similar if not identical technology to other ISPs and already consider themselves well placed to comply with requests such as those from “the police and other government bodies” to paraphrase Blueyonder’s John Moorwood.
When asked how that would be possible given current data protection legislation, our informant chillingly told us that such arrangements were already in place. He said that a “unique identifier” would be assigned to all those listed, and only the ISP itself would know exactly who that referred to. Any subpoena issued against them, forcing them to identify the individual concerned, would refer to the user only by that unique number until the court ordered that their identity was revealed.
The fact that this has been given such detailed thought must be of concern to all UK filesharers, for example, just who are these “other government bodies” that people keep referring to? If they do not themselves collate data on users' behavior, then who does? It seems quite likely that both this practice and this means of circumventing data protection laws are on the verge of widespread adoption, both in the UK and almost certainly everywhere before much longer.
With 60% of internet traffic being used for filesharing, it would be wise to anticipate proportionate enforcement effort. At no time since the birth of the Internet has our freedom been under a greater threat than it is today.