from the feeling-safe? dept
So this is just bizarre. I saw a Wired report about a talk by a guy named Chet Uber, who claimed he helped connect Adrian Lamo to the feds
in order to turn in
Bradley Manning (the Army intelligence analyst accused of leaking content to Wikileaks), but Uber's little talk raised a number of other issues unrelated to Manning/Lamo. Specifically, towards the end of this Forbes piece about Uber and his organization, Project Vigilant
comes a little shocker about how the firm spies on internet traffic for the US government
According to Uber, one of Project Vigilant's manifold methods for gathering intelligence includes collecting information from a dozen regional U.S. Internet service providers (ISPs). Uber declined to name those ISPs, but said that because the companies included a provision allowing them to share users' Internet activities with third parties in their end user license agreements (EULAs), Vigilant was able to legally gather data from those Internet carriers and use it to craft reports for federal agencies. A Vigilant press release says that the organization tracks more than 250 million IP addresses a day and can "develop portfolios on any name, screen name or IP address."
"We don't do anything illegal," says Uber. "If an ISP has a EULA to let us monitor traffic, we can work with them. If they don't, we can't."
And whether that massive data gathering violates privacy? The organization says it never looks at personally identifying information, though just how it defines that information isn't clear, nor is how it scrubs its data mining for sensitive details.
Uh... what? Given the uproar and then Congressional smackdown
to ISPs that tried to monitor such information for advertising purposes, that doesn't seem right at all. Sneaking a clause into an EULA saying that it's handing all your info over to a private party who will monitor it for the feds (maybe) and whoever else they want doesn't really seem aboveboard or
legal despite the claims. It's also highly unlikely that it "never looks at personally identifying information." Nearly everyone who's ever claimed that has been proven wrong later.
The whole thing seems really sketchy, and as Glenn Greenwald notes, it appears to be an attempt to skirt the law
There are serious obstacles that impede the Government's ability to create these electronic dossiers themselves. It requires both huge resources and expertise. Various statutes enacted in the mid-1970s -- such as the Privacy Act of 1974 -- impose transparency requirements and other forms of accountability on programs whereby the Government collects data on citizens. And the fact that much of the data about you ends up in the hands of private corporations can create further obstacles, because the tools which the Government has to compel private companies to turn over this information is limited (the fact that the FBI is sometimes unable to obtain your "transactional" Internet data without a court order -- i.e., whom you email, who emails you, what Google searches you enter, and what websites you visit --is what has caused the Obama administration to demand that Congress amend the Patriot Act to vest them with the power to obtain all of that with no judicial supervision).
But the emergence of a private market that sells this data to the Government (or, in the case of Project Vigilance, is funded in order to hand it over voluntarily) has eliminated those obstacles. As a result, the Government is able to circumvent the legal and logistical restrictions on maintaining vast dossiers on citizens, and is doing exactly that. While advertisers really only care about your online profile (IP address) in order to assess what you do and who you are, the Government wants your online activities linked to your actual name and other identifying information.
So, since Uber and Project Vigilant won't say who these 12 ISPs are, can anyone help us out? What are the 12 ISPs out there who, via sneaky language in their EULAs are simply handing over your private data to some company to sell to the US government?