Which ISPs Hand Private Surfing Info Over To Secretive Private Group Who Monitors It For The Feds?

from the feeling-safe? dept

So this is just bizarre. I saw a Wired report about a talk by a guy named Chet Uber, who claimed he helped connect Adrian Lamo to the feds in order to turn in Bradley Manning (the Army intelligence analyst accused of leaking content to Wikileaks), but Uber's little talk raised a number of other issues unrelated to Manning/Lamo. Specifically, towards the end of this Forbes piece about Uber and his organization, Project Vigilant, comes a little shocker about how the firm spies on internet traffic for the US government:
According to Uber, one of Project Vigilant's manifold methods for gathering intelligence includes collecting information from a dozen regional U.S. Internet service providers (ISPs). Uber declined to name those ISPs, but said that because the companies included a provision allowing them to share users' Internet activities with third parties in their end user license agreements (EULAs), Vigilant was able to legally gather data from those Internet carriers and use it to craft reports for federal agencies. A Vigilant press release says that the organization tracks more than 250 million IP addresses a day and can "develop portfolios on any name, screen name or IP address."

"We don't do anything illegal," says Uber. "If an ISP has a EULA to let us monitor traffic, we can work with them. If they don't, we can't."

And whether that massive data gathering violates privacy? The organization says it never looks at personally identifying information, though just how it defines that information isn't clear, nor is how it scrubs its data mining for sensitive details.
Uh... what? Given the uproar and then Congressional smackdown to ISPs that tried to monitor such information for advertising purposes, that doesn't seem right at all. Sneaking a clause into an EULA saying that it's handing all your info over to a private party who will monitor it for the feds (maybe) and whoever else they want doesn't really seem aboveboard or legal despite the claims. It's also highly unlikely that it "never looks at personally identifying information." Nearly everyone who's ever claimed that has been proven wrong later.

The whole thing seems really sketchy, and as Glenn Greenwald notes, it appears to be an attempt to skirt the law:
There are serious obstacles that impede the Government's ability to create these electronic dossiers themselves. It requires both huge resources and expertise. Various statutes enacted in the mid-1970s -- such as the Privacy Act of 1974 -- impose transparency requirements and other forms of accountability on programs whereby the Government collects data on citizens. And the fact that much of the data about you ends up in the hands of private corporations can create further obstacles, because the tools which the Government has to compel private companies to turn over this information are limited (the fact that the FBI is sometimes unable to obtain your "transactional" Internet data without a court order -- i.e., whom you email, who emails you, what Google searches you enter, and what websites you visit -- is what has caused the Obama administration to demand that Congress amend the Patriot Act to vest them with the power to obtain all of that with no judicial supervision).

But the emergence of a private market that sells this data to the Government (or, in the case of Project Vigilance, is funded in order to hand it over voluntarily) has eliminated those obstacles. As a result, the Government is able to circumvent the legal and logistical restrictions on maintaining vast dossiers on citizens, and is doing exactly that. While advertisers really only care about your online profile (IP address) in order to assess what you do and who you are, the Government wants your online activities linked to your actual name and other identifying information.
So, since Uber and Project Vigilant won't say who these 12 ISPs are, can anyone help us out? What are the 12 ISPs out there who, via sneaky language in their EULAs, are simply handing over your private data to some company to sell to the US government?

Filed Under: government, isps, monitoring
Companies: project vigilant

Reader Comments

  1. Dane Jasper, 3 Aug 2010 @ 4:59pm

    Re: Re: Re: Not sonic.net

    Hi there. Sonic.net CEO Dane Jasper here.

    A few years ago we revisited our old privacy policy to clarify just these sort of questions. That was a time when slimy operations like NebuAd were coming along to try to do ad swapping, and it was the beginning of concerns about sale of things like clickstream data.

    I had a hand in the writing of the policy, and it was written with the concerns of the day in mind. It goes beyond simply stating what we will or won't do, and gives some information on our philosophy - "strongly opposed" and "does not actively monitor" are examples of this. The goal was to provide as much reassurance as we could that we won't engage in these types of behaviors, because we abhor them.

    As there does seem to remain some confusion here, I'll try to state it as clearly as possible.

    With the narrow exception of a lawful obligation (subpoena or warrant), we will not harvest, sell, snoop or share any data about your use of the Internet via our services.

    I'll also state that we are very careful about any subpoenas and warrants that we do get, and we reject roughly 50% of them as they are improperly executed. Also, in any case where we are allowed to do so, we always inform our customer prior to handing over any information. (Some ongoing criminal investigations incorporate a gag order which we must legally obey. This must be granted by a judge based upon justification provided by investigators in a criminal case.)

    We structured this notice procedure so that customers who might be subject to a "John Doe" civil lawsuit would have an opportunity to retain counsel and object to any data hand-over BEFORE it happens. Most service providers don't bother with this, as they have no obligation to do so.

    Finally, note that we don't log any actual Internet activity, so even under subpoena or warrant, we don't know what you have done, so we cannot reveal it. Our logging is limited to IP allocation and authentication data, the minimum required to support our services.

    I hope this clarifies our official position and my opinion on some of the items under discussion here.

    Dane Jasper
    CEO and Co-Founder
