Re: policies for securing privacy systemwide against random wiretap/nettap
> Given recent passage of the Patriot Act here in US, I'm re-evaluating
> privacy policies at the ISP I run.
> I'm curious what mechanisms and policies we might keep/implement
> to preserve the privacy and integrity of our clients. Some are obvious:
> * gnupg/pgp email
> * quick and regular deletion of logs after our system security checks
> What about protecting client data? Suppose someone with a name like
> "Saddam" signs up for a mailing list; what can be done to protect everyone
> else on that mailing list? (I did not make up that example.) Are
> there ways of handling data like that mailing list that would keep it
> private? What about customer databases?
> This may not be the place for this; can someone suggest other resources?
This is a very important issue, particularly in light of the draconian
bill just passed and, even though not Debian specific, should be of
great interest to many ISPs.
Be aware that simply encrypting mail and erasing old logs will not
shield your customers very well and may inadvertently create a worse
situation. Whatever policies you implement, be sure to thoroughly think
through the possible outcomes and be sure to have a well thought out and
rational reason for them.
Deleting server logs to "protect my customers' privacy" could easily
be transformed by today's "witch hunt" mentality into deleting server
logs to "intentionally erase evidence that could be used against the
terrorists using my system." A policy to quickly erase server logs to
enhance system security and maintain adequate disk space may be
perceived to be more rational and "patriotic."
For PGP, the government could easily recover the PGP keys from either
your servers or the customers' machines - perhaps even without your or
the customer's knowledge, since the government is allowed to ask for
"secret" search warrants.
Hmmm.. I wonder if the FBI would be violating the DMCA if they
circumvented the encryption of your email, which after all is a
"published" work and therefore copyrighted. :-)
Deleting the log files, and even writing all zeros to the disk,
doesn't make the files irretrievable. This policy may actually make
things *worse* for your customers because law enforcement may assume,
because of your actions, that you are attempting to hide something. The
"innocent until proven guilty" thing is just lip service.
Law enforcement may even more deeply invade your customers' privacy by
doing a more thorough search than they would have done otherwise. They
may seize the computer to do forensic work to recover the logs, which
means your customers lose all their data and service, or they may
shut you down completely to prevent you from destroying more "evidence."
Perhaps writing logs to /dev/shm would be a way to go, if you are
really intent on total erasure of the logs, but that has security
<Paranoia Mode: off>
Having said all the above, I'd hope that all ISPs have a policy to
discontinue service to anyone using their system for "wrong" purposes
and that includes terrorism and SPAM!
ELB Internet Services, Inc.
Web Design, Computer Consulting, Internet Hosting
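One way to turn the reply's point about a documented, disk-space-and-security-review rotation schedule into something concrete is a logrotate rule with the rationale written into the file. This is an added example, not from the poster or the thread; the log paths, the 14-day window, the syslog pidfile and the shred option are assumptions.

```conf
# /etc/logrotate.d/mail-isp   (added example; paths and values are assumptions)
#
# Retention rationale, recorded here so the policy can be explained:
#   - logs are kept long enough for routine security review and abuse handling
#   - rotated copies are removed on a fixed schedule to bound disk use
#   - the schedule is the same for every customer and every day, and is not
#     changed in response to individual requests or events
/var/log/mail.log /var/log/mail.err {
    # rotate once a day, keep two weeks of history
    daily
    rotate 14
    # also remove any rotated file older than 14 days, whatever its count
    maxage 14
    # gzip older logs to save space, but leave yesterday's uncompressed for review
    compress
    delaycompress
    # do not fail on a missing or empty log
    missingok
    notifempty
    # new log readable only by root and the adm group
    create 0640 root adm
    # name rotated files by date, e.g. mail.log-20011101
    dateext
    # overwrite before unlinking; as the reply notes, this does not make the
    # data irretrievable on every medium, it only raises the cost of recovery
    shred
    shredcycles 3
    sharedscripts
    postrotate
        # ask syslogd to reopen its files; pidfile location is an assumption
        test -f /var/run/syslogd.pid && kill -HUP "$(cat /var/run/syslogd.pid)" || true
    endscript
}
```

Run `logrotate -d /etc/logrotate.d/mail-isp` to dry-run the rule and confirm the schedule before installing it.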