Spying on the Spies
CYBERSPACE — When Wired News set out to shed light on the secret lives of internet service providers, it might have suspected it could ask straightforward questions and receive straightforward answers. It would have been wrong.
Over the course of two months, the venerable new-age news site discovered that while American ISPs have access to vast amounts of data about the ways their users behave online, they’re not eager to expose their own behaviors. In trying to determine how much ISPs are spying on the public, Wired News found itself relying on covert operatives of its own.
It all started with a desire to know what information ISPs gather about their users, how long they retain the information and how they interact with law enforcement agencies and other data miners. Wired News sent a 10-question survey to the eight largest American ISPs; only four responded: AOL, AT&T, Cox, and Qwest. Comcast, EarthLink, Verizon, and Time Warner didn’t respond directly to Wired News, but they answered some of the survey’s questions when Wired News readers who were also their customers asked.
Most of the answers weren’t exactly illuminating, but that’s not unexpected of the same folks who are notorious for developing Terms of Service and FAQs that would have perplexed even Solomon. For example, Cox was the only company to provide a direct answer to the question “How long do you retain records of the IP addresses assigned to customers?” Cox’s answer: six months. AOL said it retains the information for “a limited period of time,” and AT&T said its data-retention policies are “within industry standards.” Nobody else even touched the question, which was important because IP addresses identify unique nodes on the network. They are the first thing about which law enforcement and copyright owners seek information when they’re investigating child-porn distribution or illegal file-sharing.
Some of the ISPs were a bit more forthcoming about whether they store “clickstream” data — a record of the URLs users visit. In the case of search-engine visits (and sometimes searches performed on other websites), the clickstream usually includes the search terms involved. AOL, AT&T and Cox said they didn’t store clickstream data at all. Qwest’s answer was abstruse, and Comcast, EarthLink, Verizon, and Time Warner didn’t respond.
Not surprisingly, the same pattern appeared for a question about whether the ISPs allow marketers to obtain clickstream data: AOL, AT&T, and Cox said they don’t provide anonymized or partially anonymized clickstream data; Qwest dodged the question and then declined to respond to a follow-up question; and Comcast, EarthLink, Verizon, and Time Warner didn’t respond. This is particularly troubling if the latter four’s silence indicates admission by omission. Last year, AOL attempted to help the search-research community refine its techniques by providing a large body of queries in which random numbers were substituted for the related IP addresses. The experiment turned out badly when news organizations were quickly able to identify individual users based on the content of their queries.
Particularly disturbing in light of recent moves to diminish Fourth Amendment protections against unlawful search and seizure were the ISPs’ responses (or lack of response) to questions about interaction with law-enforcement agencies. Under current U.S. regulations, all ISPs are required to equip their networks with surveillance measures that allow real-time tracking of email, voice-over-internet-protocol telephony and other internet usage. According to Congress and the Justice Department, such measures make finding and prosecuting cyber-criminals easier, but they also represent the potential for unprecedented invasion of law-abiding citizens’ privacy. Nevertheless, Congress and the DOJ want to institute rules that would require ISPs to archive all surveillance data for anywhere from six months to several years.
The ISPs provided a mixed bag of responses to questions about surveillance and data retention: AOL had no comment, Qwest again dodged the question, AT&T declined to answer and Cox said it has not been involved in any discussions with the government about surveillance or data retention.
According to Electronic Privacy Information Center Executive Director Marc Rotenberg, consumers need to add their voices to the discussion about the types of data ISPs collect, how they store it and how it is used.
“From a user perspective, the best practice would be for ISPs to delete data as soon as possible,” Rotenberg told Wired News. “[The government] will treat ISPs as one-stop shops for subpoenas unless there is a solid policy on data destruction.”