[Dshield] ISPs - How much monitoring is enough?

Johannes B. Ullrich jullrich at sans.org
Sat Jan 17 17:22:35 GMT 2004

> This could get out of hand real quick. You want your ISP watching your
> traffic? Everything you send in email, ftp, http- all clear text.

This is exactly the issue. "Monitoring Traffic" (sniffing) is a lot more
complex legally than port scanning. Usually, ISPs can use IDS's, but
they are not allowed to just run 'tcpdump -s 1480 -w /tmp/everything'
as a matter of doing business. As an ISP, you have to be careful with
privacy laws, in addition to standard wiretapping rules.

I am not a lawyer of course... but as far as I know, the basic rules for
an ISP are:

- they can only sniff traffic if it is directly related to security.
  I am not sure what the limits are, but for example an IDS with tuned
  signatures falls into the permitted category
- Once a file is stored on their servers, they cannot read it. Even
  if for some reason they find a file indicating possible illegal
  activity, they are not permitted to just hand it over to law

This is US law. Europe is much more difficult. In Germany, for example,
ISPs can only store information that is necessary for billing. If you
have an 'unlimited' account, they are not allowed to log at what time
you log in, and what IP addresses they assign to you. This makes
abuse reports rather useless in some cases.

There are 'security exemptions', but it is not well defined how far they
go, and courts have not decided in unison in Germany. T-Online in one
part of Germany was permitted by its regulatory authority to log users'
IPs to aid in abuse handling. But others have gotten different answers.

