Merit Network
Can't find what you're looking for? Search the Mail Archives.
  About Merit   Services   Network   Resources & Support   Network Research   News   Events   Home

Discussion Communities: Merit Network Email List Archives

North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

Re: packet inspection and privacy

  • From: Steven M. Bellovin
  • Date: Tue Jun 25 12:58:56 2002

In message <>, David Charlap writes:
>Steven M. Bellovin wrote:
>> Mark Kent writes:
>>> I recently claimed that, in the USA, there is a law that prohibits an
>>> ISP from inspecting packets in a telecommunications network for
>>> anything other than traffic statistics or debugging.
>>> Was I correct?
>> No.  Or at least you weren't; the Patriot Act may have changed it.
>> (I assume you're talking about U.S. law.)
>> There was a quirk in the wording of the law -- what you say is correct 
>> for *telephone* companies, but not ISPs.
>You're referring to "common carrier" status, I think.

No, I'm referring to the wiretap act.  And this is based on conversations
with various Federal prosecutors.

>This isn't exclusively restricted to phone companies, but that's the way 
>it is right now.  I think it may also apply to non-voice carriers that 
>sell circuits.  I'm pretty certain that it does not apply to ISPs.
>A common carrier is not allowed to monitor/filter traffic on customer 
>circuits.  They also can't be held responsible for the traffic on those 

I'm referring to 18 USC 2510 and 2511, which you can find at and 2511.html.  In 
particular, 18 USC 2511(2)(a)(i) says:

	It shall not be unlawful under this chapter for an operator
	of a switchboard, or an officer, employee, or agent of a
	provider of wire or electronic communication service, whose
	facilities are used in the transmission of a wire or
	electronic communication, to intercept, disclose, or use
	that communication in the normal course of his employment
	while engaged in any activity which is a necessary incident
	to the rendition of his service or to the protection of
	the rights or property of the provider of that service,
	except that a provider of wire communication service to
	the public shall not utilize service observing or random
	monitoring except for mechanical or service quality control

Note that the ban on random monitoring applies to a "provider of wire
service communication services".  2510(1) defines "wire communication"
as "aural transfer", i.e., voice.  ISPs provide "electronic communication"
services, as defined in 2510(12);

	''electronic communication'' means any transfer of signs,
	signals, writing, images, sounds, data, or intelligence of
	any nature transmitted in whole or in part by a wire, radio,
	electromagnetic, photoelectronic or photooptical system
	that affects interstate or foreign commerce, but does not
	include -

	(A) any wire or oral communication;

	(B) any communication made through a tone-only paging

	(C) any communication from a tracking device (as defined
	in section 3117 of this title); or

	(D) electronic funds transfer information stored by a
	financial institution in a communications system used for
	the electronic storage and transfer of funds;

I'll let a real lawyer tell me what category VoIP or EFT over the Internet
falls under...

Btw, I referred to Eckenwiler's presentation.  See for the full thing; see
especially slide 12, which discusses what system operators can do,
and the part that says "phone companies more restricted than ISPs".
Eckenwiler is an attorney at DoJ.  And yes, I was the one who suggested
that he speak at NANOG, precisely to clear up some of these points.

Oh yes -- since I have the statute in front of me, see 2511(2)(a)(ii)(B):

	No provider of wire or electronic communication service,
	officer, employee, or agent thereof, or landlord, custodian,
	or other specified person shall disclose the existence of
	any interception or surveillance or the device used to
	accomplish the interception or surveillance with respect
	to which the person has been furnished a court order or
	certification under this chapter, except as may otherwise
	be required by legal process and then only after prior
	notification to the Attorney General or to the principal
	prosecuting attorney of a State or any political subdivision
	of a State, as may be appropriate. Any such disclosure,
	shall render such person liable for the civil damages
	provided for in section 2520.

Discussion Communities

About Merit | Services | Network | Resources & Support | Network Research
News | Events | Contact | Site Map | Merit Network Home

Merit Network, Inc.