[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: TOR and ISP



>      On the contrary, in the United States, all ISPs are *required* by
>  statute to record all URL requests that can be detected passing from their
>  customers through their equipment.

False. ISP's in the US don't have to record any information of any
kind about their user or their data whatsoever. None, period. Nor are
they required to give it to anyone except under legal process
[subpoena, court order].

US ISP's routinely lobby against recording anything because the time,
capital and
recurring cost to them to do so is precisely that, pure cost, no profit.

Any information they record is usually related to generating metrics
so that they can make more money.

However, lately, all that has been flipping on it's back, now many are
recording as a feel good or pressure measure, 'Hey, I'm a spiffy
"patriotic" company, I helped law enforcement bust a terrorist 9yo kid
today. Yay :) Please count me in as a good guy and don't put me on
your watch list ok.'

Any data they do happen to have on hand is of course subject to process.

> norms... against the ISPs reminding users that ISPs have this ability. :-)

True. There is also the CALEA system, the result of which is that
pretty much every phone switch in the US is remotely tappable.
Internet gear is the next obviously logical step for that joint,
partly required, partly offered, effort.

>  I doubt that they provide this information
>  to private individuals, and doing so may well be prohibited by ECPA

True. Including other acts... wiretap, fcra, blah and etc. Such acts
in some cases require those that have data about you to disclose it
back to you on request. Or to others at your explicit direction. But
that's usually only in the finance and medical sectors.

>  but they
>  can be required to submit their logs of this information to statute
>  enforcement agencies.

Only if such 'requirement' means court order. They can give it to whoever they
want, provided they don't care about the possible legal repurcussions
of doing so. ie: AT&T etc obviously have a 69 position with the gov't
going back to the days of Western Union, so they don't care.

>      The key here is that the ISPs not only cannot detect encrypted URLs,

The ISP only knows that the user is using Tor.

And as always, it is best to assume your adversary knows far more than
you think... and to plan your strategies accordingly.
***********************************************************************
To unsubscribe, send an e-mail to majordomo@xxxxxxxxxxxxxx with
unsubscribe or-talk    in the body. http://archives.seul.org/or/talk/