Will Your ISP Protect Your Privacy?

The Bay Area Rapid Transit District's August shutdown of wireless service to squelch a demonstration in San Francisco raised anew questions about the use of technology in the face of authority. In this fourth installment in a series of FAQs, we examine the responsibilities of Internet service providers to protect your privacy. Be sure to check out the first three installments: a guide to which social networks fight for your rights, a primer on your right to phone service during a protest and a discussion of your right to photograph the police.

Political activists using technology to stay organized should take care with what they share online. Earlier this week we learned that Google and Internet service provider Sonic.net were forced to hand over WikiLeaks volunteer Jacob Applebaum's GMail account data, including the names and addresses of people he corresponded with (though not the actual content of his correspondence.)

Both Sonic.net and Google fought the court order, suing for the right to inform Applebaum that his private data was being asked for. Will your ISP do the same? No ISP can withhold information if the agent requesting it has a legal warrant, but your ISP can still protect your privacy by minimizing how much identifying data is retained on their servers, and for how long.

That's why civil liberties groups in the European Union are railing against the Data Retention Directive, which requires all member states to retain private telecommunications data--including IP addresses and traffic logs--for up to two years and turn it over to police with a court order. A similar data retention law is being pushed through the U.S. Congress under the header H.R. 1981, rankling privacy advocates and jeopardizing your anonymity online.

To help you stay informed about what data your ISP retains, we did a little digging on the privacy policies and legal track records of big-name broadband providers. Unfortunately, electronic surveillance and telecommunication law is always evolving and thus the information in this FAQ is not intended as legal advice. If you feel your rights have been violated, we encourage you to seek counsel from a legal professional.

What records does my ISP retain, and for how long?

It's hard to know for sure, since Internet service providers are private organizations and thus exempt from disclosing their internal affairs. "We don't actually know how much user data most major ISPs retain or for how long they retain it, because ISPs are not legally required to disclose that information," said Chris Conley, a Technology and Civil Liberties Fellow with the ACLU of Northern California.

But we do know that every time you connect to the Internet, your Internet service provider assigns you a dynamic IP address and ties it to your activities online, logging at least the time and date of every website you visit. Technically these logs are anonymous since they're tied to your IP address rather than your name, but since your ISP records which IP address is assigned to which subscriber, it's child's play for an investigator to figure out where you've been and who you've been talking to if your ISP turns over those records.

That said, you probably don't need to worry about someone else cracking into your network and making mischief with an IP address linked to your account; while it's possible for spammers and child pornographers to co-opt your network and get your IP address blacklisted, it's not worth worrying about. For a deeper analysis of the potential dangers of IP spoofing, we recommend reading through the discussion that grew out of Bruce Schneier's Open Wi-Fi post a few years ago.

While we don't have much credible evidence on the data retention practices of broadband ISPs, we do know the cellular branches of telecoms like Verizon and AT&T retain your cellular IP data for up to a year. Virgin Mobile and Verizon Wireless go even farther, retaining records of the content of your text messages for days or even months afterward. The full details can be found in the 2010 law enforcement guide to data retention periods of major cellular service providers published by the U.S. Department of Justice after a Freedom of Information Act request by the ACLU of North Carolina.

Will my Internet service provider turn over their records if the government demands it?

Yes. While we enjoy Fourth Amendment protection against unreasonable search and seizure of our physical property by government agents, modern telecommunications law is very vague about what constitutes unreasonable searches and seizures when it comes to private data stored online.

For now, we relinquish the lion's share of our Fourth Amendment protection when we voluntarily sign up for service from a commercial provider like AT&T. Should you need to pursue legal action, know that U.S. courts have a history of siding with the government in privacy disputes over data stored with third parties. This precedent is colloquially known as the "third party doctrine," and it makes it much easier for law enforcement agencies to shake down your ISP since they only need to secure a subpoena or court order to access your digital records. In contrast, obtaining a search warrant after showing probable cause--which is hard to do--is required to search your home.

Legally speaking, it gets even easier for law enforcement officials to access your records the longer they are stored. According to Section 2703 of the Electronic Communications Privacy Act of 1986, investigators need a search warrant to access data stored for less than 6 months by an electronic communication service. Most unopened emails fall into this category.

Worse, opened mail and other messages which you have read are often classified as being in remote storage the moment you read them and thus do not enjoy the 180-day search warrant protection of an unread message. If the government is after data that has been stored longer than 6 months they can compel your ISP to hand over your data with just a subpoena or court order and a promise to provide prior notice, which can itself be delayed indefinitely in 90-day increments if notifying you might jeopardize an investigation.

Thankfully, Section 2702 of the ECPA bars your Internet service provider from voluntarily disclosing the contents of any message stored or delivered via their service. But your ISP is allowed to voluntarily disclose noncontent data such as your IP address and logs of which sites you've visited, and many do so.

Can law enforcement agencies shut down my Internet access without my knowledge?

Internet access is not recognized as a federal right in the United States, so there's nothing stopping your Internet service provider from cutting you off. If you read our primer on your right to phone service, you'll know that under the Federal Communications Act of 1934 the Federal Communications Commission regulates broadband Internet access as a Title I information service, and thus ISPs can shut down your Internet access for any reason with no immediate repercussions.

Internet access is still a privilege here in the States. Much like social networks, Internet service providers are private actors with few restrictions on how they manage and disclose our data. Digital liberty organizations like the Digital Due Process Coalition and the Electronic Frontier Foundation are working to change that, but until they do, think carefully about your online activities: You never know who might be watching.

Copyright © 2011 IDG Communications, Inc.

7 hot cybersecurity trends (and 2 going cold)