ISPs and online privacy

Baraqiyal · April 29, 2000, 8:46am

On a recent Law & Order, a couple of detectives walked into the offices of an ISP and requested a rundown of the online activities of a suspect. In a couple of minutes (seconds actually) the cops were presented with a list of all the web sites this guy had ever visited. My question is: how realistic is this? Do ISPs routinely keep a log of every web page visited by every customer? If so, for what reason? Isn’t this a waste of precious disk space? Is it possible that if in some unforeseen time in the future I were to get embroiled in litigation, every marginally legal web site I’ve visited could be used as leverage against me? If an overzealous prosecutor decides to arrest everyone who has ever downloaded an illegal MP3, would there be anything to prevent him from doing so?

(I’m on some pretty serious prescription pain medication so that might be making me unusually paranoid)

Whack-a-Mole · April 29, 2000, 2:09pm

It is possible for police to come in to an ISP and watch, real-time, where an individual is going but I do not think ISP’s keep records of your internet travels.

What possible reason would motivate an ISP to do this? Keep those records on the chance that police might show-up someday and need those records to bust someone?

An ISP is a business. It doesn’t make financial sense for them to keep records like that. Why waste server space on something like this? In addition, keeping those records around would encourage police to knock on your door anytime they had a suspect who used your service. Good corporate citizen or not I doubt many businesses would want police showing up constantly and disrupting your office every time the police caught a J-walker.

There is one other reason an ISP would want to forgo keeping records like that. It opens them up to liability. Say a pedophile tagged a kid through the ISP’s service and ultimately kidnapped and murdered that child. The parents (and a zealous attorney) might sue the ISP claiming that if they bothered to look at their records they could have spotted this pedophile before he did any damage.

An ISP in New York, trying to be a good corporate citizen, decided to block certain material from travelling through its servers. Some guy who took a bath in the stock market slandered (or is it lible on the internet?) the trading firm. The trading firm successfully sued the ISP for allowing that stuff through their systems. Since they assumed responsibility for what was happeing via their system they were to some extent responsible for letting that guy write his slanderous remarks (that and the fact that the ISP was much more valuable to sue than the guy who had just lost all his money).

If you never assume any responsibility for what happens on your system (and keeping records would be one way to assume some responsibility by default) then you are much better protected from someone who might try and sue your ISP.

Of course…I could be wrong :).

Nurlman · April 29, 2000, 2:29pm

I think it’s fairly commone for ISPs to maintain logs of when a particular user logged on and off, and what particular connection was assigned to that user for that session. And any person who hosts a website will usually keep a log of times and IP addresses of people who visit the site. (See that “IP: Logged” notation on these messages? The SDMB does it, too.)

This way, if someone spams a message board, the person hosting the board can look up the IP address of the person responsible, and pass it along to that ISP. The ISP can then check their logs and see which user was assigned that connection at the time. That’s how they can nail spammers or, in the case of the Yahoo Finance Board, the guy who posted the slanderous article.

But beyond those few pieces of information, I agree with Baraqiyal that ISPs probably don’t retain anything else. I suppose an investigator or lawyer looking for information could subpoena the logs of the website and ISP to find you, if that was important enough, but it seems unlikely to occur unless the crime at issue was directly related to use of the website.

Spiny_Norman · April 29, 2000, 2:37pm

Short version: It’s bullshit.

Longer version: As you say, there’s no real reason to track customer activity apart from login/logout times for the extremely essential task of billing.

Keeping track of website access for all customers would mean logging every DNS request/reply on all lines, it’s simply not realistic if you have a fair number of users logged in. In most set-ups, the customer name is only used for access control, after log-in traffic is identified only by IP address. And normally, a user is assigned a more-or-less random IP address every time he logs in.

In the real world, a log is normally kept of A-number (the phone number used for access) and assigned IP-address. The phone numbers can be useful information if a customer claims his account has been abused (if the same username/password is used in 10 different cities within an hour, something might be up…) and the IP addresses are useful when customers need to be reminded not to hack or spam other customers. Not that most ISPs have the ressources to track activity like that - but the targets will complain and the ISP will then warn or even ban the offender.

Now, if an ISP was ordered (by a court, on par with phone tapping, at least in the countries where I’ve worked. A police officer walking into the office isn’t enough) to track a given customer - I suppose a rather close profile could be made, including DNS requests, downloads etc. (This has actually started me wondering how exactly it could be done - an interesting challenge! I’d say something could be rigged up in two-three hours…)

As for the other questions: I’m European and don’t know the details of American law. In most jurisdictions over here, evidence acquired by phonetapping, opening letters etc. is not admissible in court unless the case in question is serious enough to land the accused in jail for several years, and even though Sony has a powerful lobby, MP3 possesion (sp?) is not yet a felony. YMMV.

On a side note, the ISPs would fight this. They (okay, we) have no interest in giving the customers the impression that someone is looking over their shoulder. We have no wish to spend badly needed bandwidth & disk space on this. And besides, the Net is OUR playground, and nobody is going to order us around.

Norman

handy · April 29, 2000, 3:05pm

ISP’s Do keep track of certain things believe me. If you are clever, youve got your email displaying all headers. Each one displays who sent it & it has a lot of ISP info in it that an ISP can use to track who really wrote it.

Spiny_Norman · April 29, 2000, 4:19pm

Sure, e-mail is a very different matter from web-access - it’s usually stored on the ISP’s mailserver(s), at least for a while.

Norman

handy · April 29, 2000, 11:49pm

Well you know Spiny, they also keep track of how much newsgroup stuff you download. So they can price based on how much you download. The only way to know that is to watch where & what you’re downloading
My ISP doesn’t let just anyone into that room.

Topic		Replies	Views
Your ISP and you . . . Factual Questions	10	1000	August 23, 2000
How long do ISP's retain information about surfing histories? Factual Questions	5	8026	May 12, 2003
IP address Factual Questions	10	1126	April 1, 2001
European dopers and email and online privacy. Miscellaneous and Personal Stuff I Must Share	4	815	June 9, 2002
Internet access tracking Factual Questions	2	620	April 25, 2001

ISPs and online privacy

Related topics