They delete user logs after 2 weeks


Service: Sonic.net
Status: APPROVED
Changes: 4
Source: link
Author: import script (4) Bot


These logs are retained on a temporary basis in order to insure high-quality service, and no logs are kept indefinitely.
Sonic.net will not keep User logs longer than two weeks.


Comments:
On 2018-01-16 15:27:06 UTC, Deleted wrote:

imported from nuaSVr9YlaA

On 2018-01-16 15:28:54 UTC, Deleted wrote:

https://groups.google.com/forum/#!msg/tosdr/nuaSVr9YlaA/qtDi41mJ00AJ
http://www.forbes.com/sites/andygreenberg/2012/06/22/ceo-of-internet-provider-sonic-net-we-delete-user-logs-after-two-weeks-your-internet-provider-should-too/2/

Since the Forbes website is really awful to read, you can find a text
copy here:

CEO Of Internet Provider Sonic.net: We Delete User Logs After Two Weeks.
Your Internet Provider Should, Too.

Sonic.net chief executive Dane Jasper

Dane Jasper’s tiny Internet service provider Sonic.net briefly took the
national spotlight last October, when it contested a Department of
Justice order that it secretly hand over the data of privacy activist
and WikiLeaks associate Jacob Appelbaum. But Jasper’s conversion into a
privacy true believer began earlier, with a less-discussed subpoena: one
regarding a pornographic film with an unprintable title.

Eighteen months ago, Sonic.net began to see a string of legal requests
for its users’ data, mostly for copyright infringement cases involving
x-rated films with embarrassing names: When given the option to settle
or have their name attached to a smutty video in a legal case, Jasper
saw users paying up–even when they seemed to be innocent.

So he took an unprecedented step to protect the privacy of his 40,000 or
so Northern California customers: He cut the time that his ISP stores
logs of users’ Internet activity to just two weeks–a tiny period
compared to the 18-36 months ISPs like Verizon, AT&T, Qwest, Cox,
Comcast and Time Warner hold onto users’ private information.

I sat down with Jasper in his Santa Rosa office to talk about his stance
as a privacy pragmatist, the landmark WikiLeaks case he’s been involved
in, and why major ISPs refuse to follow his move to cut data retention
times. Here’s an edited transcript of our conversation.

Andy Greenberg: It seems like you’ve made a point of trying to become
the most privacy-preserving Internet service provider (ISP) in operation
in the United States.

Dane Jasper: We have.

AG: Can you tell me what are the concrete ways you’ve done that?

DJ: So, we’ve stood up for our customers, at our expense, when we had an
option not to. We’ve demonstrated a willingness to put our money where
our mouth is, and spend resources where we felt it was warranted to
legally defend our customers. And the other major thing that we’ve done
is to make a commitment to limit our logging interval.

AG: What’s your limit?

DJ: We limit it to two weeks.

AG: Is that the shortest that you know of?

DJ: No, some VPN providers commit to no logs. But it’s the shortest
retention period of any facilities-based Internet access provider that I
know of, yes. Comcast or AT&T or Verizon typically keep their logs for
18 to 36 months.

AG: And why did you make that decision?

DJ: So, what we saw was a shift towards customers being made part of a
business model that involved–I don’t know if extortion is the right
word–but embarrassment for gain.
An individual would download a movie, using bittorrent, and infringe
copyright. And that might be our customer, like Bob Smith who owns a
Sonic.net account, or it might be their spouse, or it might be their
child. Or it might be one of his three roommates in a loft in San
Francisco, who Bob is not responsible for, and who rent out their loft
on AirBnB and have couch surfers and buddies from college and so on and
open Wifi.

When lawyers asked us for these users’ information, some of our
customers I spoke with said “Oh yeah, crap, they caught me,” and were
willing to admit they engaged in piracy and pay a settlement. But in
other cases, it turned out the roommate did it, or no one would admit to
doing it. But they would pay the settlement anyway. Because no one wants
to be named in the public record in a case from So-And-So Productions
vs. 1,600 names including Bob Smith for downloading a film called “Don’t
Tell My Wife I B—F—— The Babysitter.”

AG: Is that a real title?

DJ: Yes. I’ve read about cases where a lawyer was doing this for the
movie “The Expendables,” and 5% of people settled. So then he switched
to representing someone with an embarrassing porn title, and like 30% of
people paid.

It seemed like half the time, the customer wasn’t the right one, but
they rolled over because it would be very embarrassing. And I think
that’s an abuse of process. I was unwilling to become part of that
business model. In many cases the lawyers never pursued the case, and it
was all bluster. But under that threat, you pay.

AG: So when did you decide to limit data retention?

DJ: Well, we saw a big uptake in this problem early last year. The
“Don’t Tell My Wife” one was the first, and we laughed about it. But
then we saw more and more coming in. So I looked at this, and it was a
cynical, awful business.

I met with my system team, and I said, why are we keeping these logs?
The primary reasons were law enforcement and spam, so we looked at our
law enforcement subpoenas, and the spam processing. In the case of spam,
someone is infected and becomes part of a botnet, somebody kicks off a
spam job and the customer dumps 20,000 emails in a day. We get
complaints, and they’re all about the last day. My systems team also
only needed logs for a day.

So then I looked at law enforcement subpoenas and tried to balance an
ability to help law enforcement when it’s morally right to do so with an
inability to help anybody beyond a certain window. In the civil
copyright cases, we’d get a subpoena from them anywhere from 30-90 days
later, sometimes longer after the alleged act of piracy has occurred.

We were concerned about cases where there’s a kidnapping, a threat to
human life, and the FBI is trying to find the kidnapper who sent a
demand email yesterday or a week ago. We felt like two weeks was a good
window that would allow us to address some things–both our own needs in
the long term and the law enforcement’s dire needs in the mid-term–while
omitting any ability to assist in what we felt was like an extortion
racket. And so that was another concrete step we took last year, to
reduce our logging interval to two weeks.

AG: What was it before?

DJ: Some things we kept for 30 days, other things for years. We didn’t
have a defined procedure.

AG: Earlier, you mentioned fighting legal battles on behalf of your
users. Can you say specifically what battles and which customers?

DJ: I probably can’t. I can tell you that the case you’ve probably read
about regarding Jacob Appelbaum is under seal, and I can’t comment on
that case. And obviously Appelbaum spoke with the Wall Street Journal
reporter and reported that we informed him that we managed to get it
unsealed enough to inform him. So, however the entire case is still
under seal, so we can’t speak to the specific sides informing him.

We’ve committed to and published a policy of notification of customers
when their data is subpoenaed. The typical subpoena that we will get
will say “This is an ongoing investigation, and to protect the integrity
of the investigation, we request that you please not inform your
customer about the details of this subpoena while complying with it, now
or ever.” Sometimes they’ll say “and if you are or do tell your
customer, tell us that you have.”

I’m ok with that second part, but I’m not ok with the first. If
something belongs under a seal, they should make that case to the judge.
I shouldn’t be in the role of deciding whether or not someone should be
informed about a law enforcement request for their information. So we
instead say, “Here’s our policy document, we notify our customers, if
that’s a problem for your investigation, you should make that case to a
judge and put it under seal.”

AG: In Appelbaum’s case, did you actually have the seal raised or did
you violate the seal?

DJ: We were unable to get the case unsealed, we were able to unseal it
to a degree that we were allowed to inform our customer about compliance
with the subpoena.

AG: Are there cases where you’ve fought not just to tell your customer
about the subpoena but actually quash it, as Twitter is attempting to do
in the case of Occupy Wall Street protestor Malcolm Harris?

DJ: I have to answer carefully. I can’t say anything specific about the
Appelbaum case, so I can’t comment on whether we did or didn’t fight the
release of his data. The only thing that we are able to say to him is
that we were forced to hand over his data.

AG: Did the Appelbaum case help convince you to limit your data
retention?

DJ: I would answer that in a general way. All of the subpoenas that we
receive from the various branches of law enforcement and all of the
civil cases that we’ve processed over the last few years have all
contributed to my outlook on privacy, and so I don’t want to say that
there’s a cause and effect between those things. I will say that
everything that we have received has been contributory towards our
position around privacy.

AG: If your ISP is able to operate with only two weeks of logging, why
can’t others like Comcast, AT&T, Verizon and Time Warner?

DJ: They should. I think ISPs need to minimize their logging to a degree
that it works within their business, notify customers about subpoenas
and, where subpoenas warrant resistance after review, they should resist
them.

AG: Why don’t they?

DJ: I could only speculate. Costs. The cost is legal friction and
lawyers.

AG: I’m sure it’s expensive to fight these legal battles over subpoenas.
But what about logging for just two weeks? That’s not expensive.

DJ: I would speculate it would be an unpopular move that might result in
more friction with law enforcement. Law enforcement has been lobbying to
pass laws that would require service providers to keep 18-36 months of
logs. It’s in their interests.

AG: Do ISPs keep the logs that long voluntarily to avoid being
legislated to do so?

DJ: Or just to be cooperative. They’re running a business. Picking a
fight with law enforcement isn’t part of their business model.

As a small provider, we can make an independent decision like this and
it doesn’t matter in the overall ecosystem. But if a very large carrier
made that decision, it would be much discussed. And potentially
legislated.

AG: Have you faced friction with law enforcement as a result of your
logging policy?

DJ: No. We’ve heard some expressions of surprise. But if they’re not
asking us for data, they’re asking web hosts, websites, or email service
providers.

I think we had one customer that wrote to us and said “Don’t protect the
terrorists. Log everything you can. I don’t care about my privacy,
because I’m not a terrorist.” But I think that that’s too simple a way of
looking at it.

AG: Do you think your privacy policy could be a business advantage? Do
you market yourselves that way?

DJ: If you look at the marketing material, you won’t see us pitching
this as a feature, and that’s intentional. I’m trying to protect my
customers. The overall public. Not the self-selected subset who buys a
service because they especially care about their privacy, or are an
activist, or help some greater concern. I don’t think I can provide them
adequate protection. Two weeks of logs is two weeks of logs. If they are
a Chinese dissident living in the US they should be using Tor or
something.

On the other hand, if I say to the public “Hey, this is a great place
because we keep less logs,” I don’t want to attract people who want to
break the law, and then find that we don’t have the data and they don’t
get caught.

So I don’t think it’s appropriate to market on that basis. I think it’s
appropriate to do it, but not to market it.

AG: Services like VPNs and proxies clearly build competitive advantage
out of privacy, don’t they?

DJ: Are they really? I think it’s a cynical perversion. They are using
privacy as an excuse to create a product that if you were really to get
their true feelings about it, sells more because of piracy. They create
a mechanism to enable piracy through total anonymity and they end up
selling a lot of connections or VPN tunnels, or whatever their “privacy
product” is. And I think that’s fraught with risk as well. It’s through
that sort of exploitation of copyright holders that you’re going to get
legislation around log retention.

AG: You’ve talked a lot about the effects of the lack of competition
among ISPs in the U.S. Do you think that monopolistic environment is one
reason that none of them has a privacy policy like yours?

DJ: If we had a true open access and a vibrant competitive environment,
it would fix lots of problems. The whole network neutrality issue, that
whole fight is not an issue if you had 30 service providers to choose
from, because if one was goofing with your voice over IP, everybody
would leave.

Similarly, if there were 30 service providers to choose from in every
market, I think everyone would take better care of consumers’ privacy,
too.

In the US, we made a shift in 2002 and decided that we were going to
pick winners in each industry, and we’re going to have the incumbent
cable company compete with the incumbent phone company, and maybe the
power company will get into the business, and then there’ll be some
wireless, and maybe satellite. But realistically, wireless is expensive
and slow. Satellite is latent. Broadband over powerlines never really
worked. So you end up with two to choose from, and if you only have two,
one looks at the other, and they go, that guy is this fast, let’s be that
fast. That guy is $25, let’s be $20.

AG: That guy logs 18 to 36 months. Why shouldn’t we?

DJ: Right. Why do we want to pick a fight with law enforcement, or lobby
Congress, argue to pass laws about logging? So in a duopoly environment
you get a number of effects that aren’t beneficial to consumers.

In an environment where you’ve got 30 providers to choose from, do
privacy policies naturally improve? They might.

This article is available online at:
http://www.forbes.com/sites/andygreenberg/2012/06/22/ceo-of-internet-provider-sonic-net-we-delete-user-logs-after-two-weeks-your-internet-provider-should-too/
--
Hugo Roy

On 2019-06-14 04:03:08 UTC, jessew (2993) Curator wrote:

approved: without comment

On 2020-12-11 15:16:13 UTC, System (21311) Bot wrote:

Found quote, changed: quoteStart quoteEnd




We track editorial changes to analyses and updates to a point's status and display the previous versions here as part of an effort to promote transparency regarding our curation process.

Version 1: 2023-07-11 06:33:26 UTC by Deleted Bot

Previous Title: No changes recorded

Updated Title: No changes recorded

Previous Analysis: No changes recorded

Updated Analysis: No changes recorded

Previous Status: No changes recorded

Updated Status: No changes recorded

Version 2: 2019-06-14 04:03:08 UTC by jessew (2993) Bot

Previous Title: No changes recorded

Updated Title: No changes recorded

Previous Analysis: No changes recorded

Updated Analysis: No changes recorded

Previous Status: PENDING

Updated Status: APPROVED

Version 3: 2018-08-30 13:22:36 UTC by import script (4) Bot

Previous Title: No changes recorded

Updated Title: No changes recorded

Previous Analysis: No changes recorded

Updated Analysis: No changes recorded

Previous Status: APPROVED

Updated Status: PENDING

Version 4: 2023-07-11 06:33:26 UTC by chris (7) Bot

Previous Title: No changes recorded

Updated Title: No changes recorded

Previous Analysis: No changes recorded

Updated Analysis: No changes recorded

Previous Status: No changes recorded

Updated Status: No changes recorded