Which ISPs Hand Private Surfing Info Over To Secretive Private Group Who Monitors It For The Feds?
from the feeling-safe? dept
So this is just bizarre. I saw a Wired report about a talk by a guy named Chet Uber, who claimed he helped connect Adrian Lamo to the feds in order to turn in Bradley Manning (the Army intelligence analyst accused of leaking content to Wikileaks), but Uber's little talk raised a number of other issues unrelated to Manning/Lamo. Specifically, towards the end of this Forbes piece about Uber and his organization, Project Vigilant comes a little shocker about how the firm spies on internet traffic for the US government:According to Uber, one of Project Vigilant's manifold methods for gathering intelligence includes collecting information from a dozen regional U.S. Internet service providers (ISPs). Uber declined to name those ISPs, but said that because the companies included a provision allowing them to share users' Internet activities with third parties in their end user license agreements (EULAs), Vigilant was able to legally gather data from those Internet carriers and use it to craft reports for federal agencies. A Vigilant press release says that the organization tracks more than 250 million IP addresses a day and can "develop portfolios on any name, screen name or IP address."Uh... what? Given the uproar and then Congressional smackdown to ISPs that tried to monitor such information for advertising purposes, that doesn't seem right at all. Sneaking a clause into an EULA saying that it's handing all your info over to a private party who will monitor it for the feds (maybe) and whoever else they want doesn't really seem aboveboard or legal despite the claims. It's also highly unlikely that it "never looks at personally identifying information." Nearly everyone who's ever claimed that has been proven wrong later.
"We don't do anything illegal," says Uber. "If an ISP has a EULA to let us monitor traffic, we can work with them. If they don't, we can't."
And whether that massive data gathering violates privacy? The organization says it never looks at personally identifying information, though just how it defines that information isn't clear, nor is how it scrubs its data mining for sensitive details.
The whole thing seems really sketchy, and as Glenn Greenwald notes, it appears to be an attempt to skirt the law:
There are serious obstacles that impede the Government's ability to create these electronic dossiers themselves. It requires both huge resources and expertise. Various statutes enacted in the mid-1970s -- such as the Privacy Act of 1974 -- impose transparency requirements and other forms of accountability on programs whereby the Government collects data on citizens. And the fact that much of the data about you ends up in the hands of private corporations can create further obstacles, because the tools which the Government has to compel private companies to turn over this information is limited (the fact that the FBI is sometimes unable to obtain your "transactional" Internet data without a court order -- i.e., whom you email, who emails you, what Google searches you enter, and what websites you visit --is what has caused the Obama administration to demand that Congress amend the Patriot Act to vest them with the power to obtain all of that with no judicial supervision).So, since Uber and Project Vigilant won't say who these 12 ISPs are, can anyone help us out? What are the 12 ISPs out there who, via sneaky language in their EULAs are simply handing over your private data to some company to sell to the US government?
But the emergence of a private market that sells this data to the Government (or, in the case of Project Vigilance, is funded in order to hand it over voluntarily) has eliminated those obstacles. As a result, the Government is able to circumvent the legal and logistical restrictions on maintaining vast dossiers on citizens, and is doing exactly that. While advertisers really only care about your online profile (IP address) in order to assess what you do and who you are, the Government wants your online activities linked to your actual name and other identifying information.
Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.
Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.
While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.
–The Techdirt Team
Filed Under: government, isps, monitoring
Companies: project vigilant
Reader Comments
Subscribe: RSS
View by: Time | Thread
Rightio
[ link to this | view in thread ]
He he he
[ link to this | view in thread ]
Names Aren't Personally Identifying Information?
Yeah, right.
[ link to this | view in thread ]
Re: He he he
Your tax dollars at work.
[ link to this | view in thread ]
Not sonic.net
"Sonic.net does not actively monitor customer use of the Internet, customer email or other customer communications in the course of its regular operations. Sonic.net is also strongly opposed to the use of third-party information-harvesting strategies and technologies such as unlawful wiretapping."
Sonic has been a great ISP, highly recommended, esp. given their relatively low price.
My old ISP, Speakeasy, is slightly more ambiguous (from http://www.speakeasy.net/tos/msa.php#2)
"Speakeasy will not sell, rent, or lease Customer's personally identifiable information to others. Except as may be required by subpoena, search warrant, or other legal process or in the case of imminent physical harm to a customer or others, Speakeasy will only share the personal data the Customer provided with business partners who are acting on Speakeasy's behalf to complete the activities Customer requested. In that event, Speakeasy's business partners will be governed by Speakeasy's privacy policy with respect to the use of this data. Should a company not governed by Speakeasy's privacy policy require Customer's personal information, Customer's permission will be initially obtained, unless seeking Customer's permission is inconsistent with legal guidelines or legal requirements. The use of any shared data will be governed by the company's respective privacy policy. "
[ link to this | view in thread ]
Re: Not sonic.net
http://www.rsync.net/philosophy.html
The "Warrant Canary" is an interesting way of dealing with 'secret' wiretaps.
http://www.rsync.net/resources/notices/canary.txt
[ link to this | view in thread ]
You're new to fascism, aren't you?
Anyway, ever heard of Google?
[ link to this | view in thread ]
Re: Not sonic.net
Sonic.net does not actively monitor customer use of the Internet, customer email or other customer communications in the course of its regular operations.
Notice it only says that Sonic.net doesn't do these things, not that it prevents other groups from doing so.
"Sonic.net is also strongly opposed to the use of third-party information-harvesting strategies and technologies such as unlawful wiretapping."
And this statement doesn't actually say that Sonic.net doesn't allow third-party information harvesting, just that they're opposed to it. I can just hear it now, "Well, we are opposed to it, but we can't afford not to sell your personal information. Duh! What did you think we meant?"
[ link to this | view in thread ]
all this seems really fishy to me
project vigilent https://www.projectvigilant.us/securedrupal/ and bbhc global https://www.bbhc-global.com/securedrupal/ are stupid drupal sites that look like they took five minutes to set up badly, going against any legitimacy associated with some of the big names being thrown around as associates of the organization/s.
as well as lots of conflicting information being bandied about. details of the lamo case, length of existence (as well as other information) about project vigilant. I mean, maybe they have done a good job of being secretive, but going public at defcon you would assume the organization would have something ready to present to the public given the way internet backlash over privacy works. ... just saying
[ link to this | view in thread ]
As Frank Zappa said
SCRUTINIZER...it is my responsibility to enforce
all the laws that haven't been passed yet. It is
also my responsibility to alert each and every one
of you to the potential consequences of various
ordinary everyday activities you might be
performing which could eventually lead to *The
Death Penalty* (or affect your parents' credit
rating). Our criminal institutions are full of
little creeps like you who do wrong things...and
many of them were driven to these crimes by a
horrible force called MUSIC!
Our studies have shown that this horrible force is
so dangerous to society at large that laws are
being drawn up at this very moment to stop it
forever! Cruel and inhuman punishments are being
carefully described in tiny paragraphs so they
won't conflict with the Constitution (which,
itself, is being modified in order to accommodate
THE FUTURE). . . . .
[ link to this | view in thread ]
all this seems really fishy to me
project vigilent https://www.projectvigilant.us/securedrupal/ and bbhc global https://www.bbhc-global.com/securedrupal/ are stupid drupal sites that look like they took five minutes to set up badly, going against any legitimacy associated with some of the big names being thrown around as associates of the organization/s.
as well as lots of conflicting information being bandied about. details of the lamo case, length of existence (as well as other information) about project vigilant. I mean, maybe they have done a good job of being secretive, but going public at defcon you would assume the organization would have something ready to present to the public given the way internet backlash over privacy works. ... just saying
[ link to this | view in thread ]
Comcast's EULA allows it...
Section 3b:
Monitoring of Postings and Transmissions.
Comcast shall have no obligation to monitor postings or transmissions made in connection with HSI. However, you acknowledge and agree that Comcast and its agents have the right to monitor, from time to time, any such postings and transmissions, including without limitation e-mail, newsgroups, chat, IP audio and video, and Web space content. Comcast may also use and disclose them in accordance with the Comcast High-Speed Internet Acceptable Use Policy and other applicable policies, and as otherwise required by law or government request. We reserve the right to refuse to upload, post, publish, transmit or store any information or materials, in whole or in part, that, in our sole discretion, is unacceptable, undesirable or in violation of this Agreement.
[ link to this | view in thread ]
Re: all this seems really fishy to me
[ link to this | view in thread ]
Re: You're new to fascism, aren't you?
[ link to this | view in thread ]
http://www.verizon.net/policies/popups/tos_popup.asp
[ link to this | view in thread ]
Re: all this seems really fishy to me
[ link to this | view in thread ]
Re:
Verizon reserves the right to provide account and user information, including email, to third parties as required or permitted by law
[ link to this | view in thread ]
Re: Comcast's EULA allows it...
"Some features of certain Software are provided by third parties, and those third parties may collect or transmit personally identifiable and non-personally identifiable information about you in the course of providing these features. These third parties are not authorized to use your personally identifiable information except for the purpose of providing their services to you through Software. Your use of Software is subject to the terms of the Comcast Customer Privacy Notice, the Comcast Acceptable Use Policy and other applicable terms and policies."
[ link to this | view in thread ]
Re: Re: Not sonic.net
And this statement doesn't actually say that Sonic.net doesn't allow third-party information harvesting, just that they're opposed to it.
And even that they limit to the case of "unlawful wiretapping". They're apparently fine with other types of "third-party information-harvesting". In other words, as long as it's legal, they're good to go with it.
[ link to this | view in thread ]
FBI’s request for no warrant Internet surveillance can’t be viewed separately: if pending bills in Congress pass, the FBI can then use its warrant-less Internet surveillance to arrest and indefinitely detain Americans on mere suspicion not evidence, based on their Internet Activity. Private information the FBI derives from warrant-less searches of emails and Internet Activity—could potentially be used by U.S. Government to blackmail, target anyone though government harassment, prosecution or civil asset forfeiture because he or she disagreed with government.
Will lawful Internet Activity, be used by Government to detain/arrest Americans without probable cause? On March 4, 2010, Sen. McCain introduced The “Enemy Belligerent Interrogation, Detention, and Prosecution Act of 2010.” McCain’s bill would eliminate several Constitutional protections allowing Government to arbitrarily pick up Americans on mere suspicion—with no probable cause. Under McCain’s bill, your political opinions and statements made on web postings and in emails against U.S. Government and others could be used by authorities to deem you a “hostile” “Enemy Belligerent” to cause your arrest and indefinite detention. U.S. activists and individuals under McCain’s bill would be extremely vulnerable to detention or prosecution, if (charged with suspicion) of “intentionally providing support to hostilities or an Act of Terrorism”, for example American activists can’t control what other activists might do illegally—they network by email domestically and overseas. The Government under McCain’s bill would need only allege an individual kept in military detention, is an Unprivileged Enemy Belligerent suspected of; having engaged in hostilities against the United States; its coalition partners; or Civilians or (has) purposefully and materially supported hostilities against the United States; its coalition partners or U.S. civilians. Detained Americans can be denied legal counsel.
Alarmingly the Obama Government recently employed a vendor to search Internet social networking sites to collect information about Americans that could potentially be used by this government to injure Americans, for example, if you apply for a federal job, your name might be crossed referenced by the Obama Government with comments you made at Websites against Obama; or if you make application at a bank for a loan the Government has control since the financial crisis, could your Internet comment(s) prevent you getting that loan? Obama’s monitoring of the Internet sites can too easily be used by Government to intimidate, coerce and extort Corporations and Citizens from speaking out.
See McCain’s 12-page Senate bill S.3081 The “Enemy Belligerent Interrogation, Detention, and Prosecution Act of 2010 at: assets.theatlantic.com/static/mt/assets/politics/ARM10090.pdf
Obama gave a speech in May 2010 that asked Congress to pass legislation to give the President power, to detain any person in the U.S. that government deems a “combatant” or likely to engage in a violent act in the future. President Obama wants the power to incarcerate U.S. Citizens not on evidence, but for what they might do. Obama wants the power to override the U.S. Constitution, to detain indefinitely any American based on conjecture her or she might do something violent in the future. If Obama’s proposal to detain Americans without probable cause is approved, and FBI is granted warrant-less searches of the Internet, it is foreseeable Government could use anyone’s Internet activity including emails to claim an individual or lawful organization might do something violent in the future to order their indefinite detainment. See: Obama Sound-Video asking for power to detain people without probable cause at:
http://www.brasschecktv.com/page/630.html
What the recent Washington Post Report, (Secret America) did not mention: in the U.S., government-private contractors and their operatives work so close with U.S. law enforcement, exchanging information to arrest Americans and or share in the forfeiture of their assets, they appear to have merged with police. Similarly in 1933 Hitler merged his private police the Gestapo with German national security. Before the Gestapo was consolidated with the German Government, the Gestapo arrested Citizens and confiscated private property with no legal authority. However U.S. Government has already granted that power to private U.S. contractors. In 1939 all German Police agencies including the Gestapo were put under the control of the "Reich Main Security Office” the equivalent of U.S. Homeland Security.
Can History repeat itself? Should there be a radical change of U.S. Government, history shows law enforcement is generally not replaced; that police will work for—e.g. a fascist U.S. Government; communist or other despot government—against the interests of Citizens. Note: The German police first worked for a democracy before Hitler; then worked for the Nazi Fascists; then joined the Soviet Union’s East German Police (Stasi) believed to be the world most oppressive police force until the German Wall came down. Consequently it should be expected U.S. Government security contractors and private mercenary corporations would work for a despot U.S. Government.
If FBI warrant-less Internet Spying is approved, it is problematic the FBI will share its spying with law enforcement, government contractors and private individuals that have security clearances to facilitate the arrest and forfeiture of Americans’ property—-to keep part of the bounty. Police too easily can take an innocent person’s hastily written email, Internet fax, phone call or web activity out of context to allege a crime or violation was committed to cause an arrest or confiscation of someone’s property. There are over 200 U.S. laws and violations mentioned in the Civil Asset Forfeiture Reform Act of 2000 and the Patriot Act that can subject property to civil asset forfeiture. Under federal civil asset forfeiture laws, a person or business need not be charged with a crime for government to forfeit their property.
Rep. Henry Hyde’s bill HR 1658 passed, the “Civil Asset Forfeiture Reform Act of 2000” and effectively eliminated the “statue of limitations” for Government Civil Asset Forfeiture. The statute now runs five years from when police allege they “learned” that an asset became subject to forfeiture. With such a weak statute of limitations and the low standard of civil proof needed for government to forfeit property “A preponderance of Evidence”, it is problematic law enforcement and private government contractors will want access to FBI, NSA and other government Internet surveillance, including wiretaps perhaps illegal to arrest Americans and to seize their homes, assets and businesses under Title 18USC and other laws.
Of obvious concern, what happens to fair justice in America if police and government contractors become dependent on “Asset Forfeiture” to pay their salaries and operating costs?
[ link to this | view in thread ]
Re: all this seems really fishy to me
[ link to this | view in thread ]
Re: Re: Re: Not sonic.net
A few years ago we revisited our old privacy policy to clarify just these sort of questions. That was a time when slimy operations like NebuAd were coming along to try to do ad swapping, and it was the beginning of concerns about sale of things like clickstream data.
I had a hand in the writing of the policy, and it was written with the concerns of the day in mind. It goes beyond simply stating what we will or won't do, and gives some information on our philosophy - "strongly opposed" and "does not actively monitor" are examples of this. The goal was to provide as much reassurance as we could that we won't engage in these types of behaviors, because we abhor them.
As there does seem to remain some confusion here, I'll try to state it as clearly as possible.
With the narrow exception of a lawful obligation (subpoena or warrant), we will not harvest, sell, snoop or share any data about your use of the Internet via our services.
I'll also state that we are very careful about any subpoenas and warrants that we do get, and we reject roughly 50% of them as they are improperly executed. Also, in any case where we are allowed to do so, we always inform our customer prior to handing over any information. (Some ongoing criminal investigations incorporate a gag order which we must legally obey. This must be granted by a judge based upon justification provided by investigators in a criminal case.)
We structured this notice procedure so that customers who might be subject to a "John Doe" civil lawsuit would have an opportunity to retain counsel and object to any data hand-over BEFORE it happens. Most service providers don't bother with this, as they have no obligation to do so.
Finally, note that we don't log any actual Internet activity, so even under subpoena or warrant, we don't know what you have done, so we cannot reveal it. Our logging is limited to IP allocation and authentication data, the minimum required to support our services.
I hope this clarifies our official position and my opinion on some of the items under discussion here.
--
Dane Jasper
CEO and Co-Founder
Sonic.net
[ link to this | view in thread ]
Re: Re: Re: Re: Not sonic.net
You would probably do yourself a favor by revising your written privacy policy to align with your official policy as stated here.
[ link to this | view in thread ]
[ link to this | view in thread ]
Re: Names Aren't Personally Identifying Information?
[ link to this | view in thread ]
Rogers
"We have the right, but not the obligation, to monitor or investigate any content that is transmitted using the Services (other than voice Services) or the Equipment. We may also access or preserve content or information to comply with legal process in Canada or foreign jurisdictions, operate the Services, ensure compliance with the Service Agreement or any Policies, or protect ourselves, our customers or the public. We may move, remove or refuse to post any content, information or materials, in whole or in part, that we decide are unacceptable, undesirable or in violation of the Service Agreement."
[ link to this | view in thread ]
Re: Re: Names Aren't Personally Identifying Information?
Or sloppy lying.
[ link to this | view in thread ]
Re: Not sonic.net
The more that ISP's brag about not monitoring your traffic are the ones I'd be most skeptical of. Elaboration is fabrication anyone.
[ link to this | view in thread ]
Not surprised
Finally, my hat's off to Sonic.net for their policies, at least as stated. Too bad other ISP's aren't as clear and ethical in the treatment of their customers.
[ link to this | view in thread ]
Re: Re: Not sonic.net
[ link to this | view in thread ]
Somebody is missing...
I thought this was his thing? ;)
[ link to this | view in thread ]
Re: @ Ross Wolf: a most excellent post.
[ link to this | view in thread ]
Re: Re: Re: Re: Not sonic.net
[ link to this | view in thread ]
[ link to this | view in thread ]
Sounds like another one of those.....
[ link to this | view in thread ]
Re: You're new to fascism, aren't you?
[ link to this | view in thread ]
Information gathering
[ link to this | view in thread ]
Re: Rogers
[ link to this | view in thread ]