[LACNIC/Seguridad] Fwd: Re: question regarding US requirements for journaling public email (possible legislation?)

Fernando Gont fernando en gont.com.ar
Fri Jan 6 04:29:03 BRST 2012


This may be of interest to you. It is part of a thread taking place on the
NANOG mailing list right now....


-------- Original Message --------
Subject: Re: question regarding US requirements for journaling public
email (possible legislation?)
Date: Thu, 5 Jan 2012 15:10:45 -0500
From: Steven Bellovin <smb en cs.columbia.edu>
To: Fred Baker <fred en cisco.com>
CC: nanog en nanog.org <nanog en nanog.org>

On Jan 5, 2012, at 2:16 PM, Fred Baker wrote:

> On Jan 5, 2012, at 10:42 AM, William Herrin wrote:
>> On Thu, Jan 5, 2012 at 10:56 AM, Eric J Esslinger <eesslinger en fpu-tn.com> wrote:
>>> His response was there is legislation being pushed in both
>>> House and Senate that would require journalling for 2 or 5
>>> years, all mail passing through all of your mail servers.
>> Hi Eric,
>> The only relatively recent thing I'm aware of in the Congress is the
>> Protecting Children From Internet Pornographers Act of 2011.
> Since you bring it up, I sent this to Eric a few moments ago. Like you, IANAL, and this is not legal advice.
>> From: Fred Baker <fred en cisco.com>
>> Date: January 5, 2012 10:46:30 AM PST
>> To: Eric J Esslinger <eesslinger en fpu-tn.com>
>> Subject: Re: question regarding US requirements for journaling public email (possible legislation?)
>> I don't know of anything on email journaling, but you might look into section 4 of the "Protecting Children From Internet Pornographers Act of 2011", which asks you to log IP addresses allocated to subscribers. My guess is that the concern is correct, but the details have morphed into urban legend.
>> http://www.govtrack.us/congress/billtext.xpd?bill=h112-1981
>> http://www.techdirt.com/articles/20110707/04402514995/congress-tries-to-hide-massive-data-retention-law-pretending-its-anti-child-porn-law.shtml
>> I'm not sure I see this as shrilly as the techdirt article does, but it is in fact enabling legislation for a part of Article 20 of the COE Cybercrime Convention http://conventions.coe.int/Treaty/en/Treaties/html/185.htm. US is a signatory. Article 21 is Lawful Intercept as specified in OCCSSS, FISA, CALEA, and PATRIOT. Article 20 essentially looks for retention of mail/web/etc logs, and in the Danish interpretation, maintaining Netflow records for every subscriber in Denmark along with a mapping between IP address and subscriber identity in a form that can be data mined with an appropriate warrant.
> I can't say (I don't know) whether the Danish Police have in fact implemented what they proposed in 2003. What they were looking for at the time was that the netflow records would be kept for something on the order of 6-18 months. 
> From a US perspective, you might peruse
>    http://en.wikipedia.org/wiki/Telecommunications_data_retention#United_States
> The Wikipedia article goes on to comment on the forensic value of data retention. I think it is fair to say that the use of telephone numbers in TV shows like CSI ("gee, he called X a lot, maybe we should too") is the comic book version of the use but not far from the mark. A law enforcement official once described it to me as "mapping criminal networks"; if Alice and Bob are known criminals that talk with each other, and both also talk regularly with Carol, Carol may simply be a mutual friend, but she might also be something else. Further, if Alice and Bob are known criminals in one organization, Dick and Jane are known criminals in another, and a change in communication patterns is observed - Alice and Bob don't talk with Dick or Jane for a long period, and then they start talking - it may signal a shift that law enforcement is interested in.
Yah, but that's all "non-content records"; it's a far cry from having to
retain the body of every email, which is what he asked about.  As far as
I know -- and I'm on enough tech policy lists that I probably would know
-- nothing like that is being proposed.  That said, for a few industries
-- finance comes to mind -- companies are required to do things like
that by the SEC, but not ISPs per se.  See
for some details.

		--Steve Bellovin, https://www.cs.columbia.edu/~smb
