Hello,
I am looking for some guidance on full packet inspection at the ISP level.
Are there any regulations that prohibit or provide guidance on this?
Asking for legal advice on NANOG is probably a REALLY REALLY bad idea.
Talk to a lawyer in the area(s) you do business.
-jim
You should be discussing this with inside counsel. Not NANOG.
-Hammer-
"I was a normal American nerd"
-Jack Herer
Thanks guys, I am looking for stuff to bring to my legal team (which is one
guy, that can't spell IP) and VPs.
There has to be something out there or is this really a hands-off topic?
Might I suggest you consider replacing your legal team.
0. General Reference http://en.wikipedia.org/wiki/Deep_packet_inspection#DPI_at_network.2FInternet_service_providers e.g. Lawful Intercept
1. network neutrality -- lots of possible laws coming up, http://en.wikipedia.org/wiki/Network_neutrality#Law_in_the_United_States http://www.sans.org/reading_room/whitepapers/policyissues/net-neutrality-rest-peace_33809
2. intellectual property -- all the sopa/pipa/etc. specifically privacy invasion http://en.wikipedia.org/wiki/Stop_Online_Piracy_Act#Deep-packet_inspection_and_privacy
3. principle of implied responsibility -- if you change a data stream, it is implied you are responsible for it (i.e. administratively, editorially, etc.)
4. Check out the CISSP legal domain. Especially resources and references for it. Someone on your team should have this certification. http://www.amazon.com/CISSP-Boxed-Set-All---One/dp/0071768459/ref=sr_1_1?ie=UTF8&qid=1337865477&sr=8-1
5. The EFF might be able to help you. WRT Privacy espec.
6. SANS has tons of references. www.sans.org
7. Get with a lawyer who is network-aware. Good luck with that. Maybe try to find a lawyer with a CISSP cert?
--Patrick Darden
The problem is that it is strictly a jurisdictional question. I'm not trying to throw it back at you. But I can't advise you w/o knowing the specifics of your ISP which I don't want to know. Does that make sense? What country? State? Where's your customer base? Do you have multiple carriers? Do you service DOD? Outside of US? Do you service EU? SWIFT (Financial wires?) etc? Mainly consumer? Commercial? The list could go on.
If you are being prodded by legal on this question then my advice would be to tell them that they have to provide that direction.
If you are being prodded by technology my advice would be to direct them to legal.
You should be picking up a pattern here....
-Hammer-
One reasonably balanced and relatively recent overview for
your legal folks to get oriented:
<http://papers.ssrn.com/sol3/papers.cfm?abstract_id=1628024>
If that does not suffice, you have a more serious issue.
Best wishes,
/John
And if your legal can't figure it out that is exactly what "outside counsel" is for.
-Hammer-
> Thanks guys, I am looking for stuff to bring to my legal team (which is one
> guy, that can't spell IP) and VPs.
You probably want to fix that legal team. If you're an ISP and your legal eagle
doesn't understand networking, you're opening yourself up to a world of hurt.
> There has to be something out there or is this really a hands-off topic?
There's a whole mess of applicable laws. Patrick Darden just posted a good
intro as I was writing this.
Thank you all, this will get me started and @Hammer, I see the trend you're
talking about.
Cheers,
Very nice Patrick
-Hammer-
Inside counsel should engage with outside counsel in this case. Part of being a professional in many fields is knowing how to engage the right people (e.g.: doctors that refer you to an expert).
- jared
My professional advice (IANAL) is that your inside counsel needs to find
appropriate outside counsel well versed in this topic, and your VPs need to
pay them.
This is a Bet The Company topic.
Cheers,
-- jra
> Hello,
> I am looking for some guidance on full packet inspection at the ISP level.
> Are there any regulations that prohibit or provide guidance on this?
Unless you are absolutely huge, and maybe even then, you need to worry
more about how your customers will perceive this than how law enforcement
will perceive this. (I mean, you want to follow the law, sure, but
even if it's legal, if it cheeses the customers? well, you have a
problem.) More to the point, like most on this list, law
isn't my field.
In my experience? customers get really, really uncomfortable with you
doing, well, almost anything below the headers. I was talking about doing
an inward-facing snort IDS (to detect compromised hosts before I got complaints)
and got so far as a prototype where I shared the info I recorded about each
IP with the customer in question, but talking to customers? this idea
was extremely offensive, so the project was quashed.
Now, generally speaking, customers are much more okay with you going through
the IP headers. For instance, instead of using an IDS, I could, say, count
the number of outgoing connections destined for port 22 or 25, or the same
but count how many unique destinations they use (e.g. to avoid MX host
or ssh tunneling false positives... both of those use cases would have
a lot of connections on those ports, but to a small number of remote hosts.)
From what I've heard customers say, this would likely cause less offense
than using snort or the like to do full packet inspection. (it wouldn't
be completely inoffensive, but I think that if I wiped the logs often
and shared my data with the customer, it sounds like something that
customers would tolerate.) I haven't prototyped that system yet,
though, so eh, who knows.
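The header-only counting described in the message above, as an added example that is not part of the original thread or anyone's production code: it tallies new outbound connections to ports 22 and 25 per customer IP and flags on unique destinations rather than raw connection count. The record layout, window length, threshold and sample addresses are assumptions constructed for illustration.

```python
from collections import defaultdict

WATCHED_PORTS = {22, 25}   # the two ports named in the post
WINDOW_SECONDS = 300       # assumed: counters cover one short window, then are discarded
MIN_UNIQUE_DSTS = 25       # assumed threshold, tune per network

def summarize(records):
    """records: (unix_ts, src_ip, dst_ip, dst_port), one per new outbound
    connection, taken from IP/TCP headers only (no payload)."""
    stats = defaultdict(lambda: [0, set()])
    for ts, src, dst, dport in records:
        if dport not in WATCHED_PORTS:
            continue
        entry = stats[(ts // WINDOW_SECONDS, src, dport)]
        entry[0] += 1          # total connections in this window
        entry[1].add(dst)      # distinct remote hosts in this window
    return {key: (count, len(dsts)) for key, (count, dsts) in stats.items()}

def flag_fanout(records, min_unique=MIN_UNIQUE_DSTS):
    """Flag on unique destinations, so a busy mail relay or an ssh tunnel
    (many connections, few remote hosts) is not reported."""
    return sorted(
        (src, dport, count, unique)
        for (_, src, dport), (count, unique) in summarize(records).items()
        if unique >= min_unique
    )

def constructed_sample():
    """Constructed flow records using documentation address ranges."""
    recs = []
    # Customer mail server: 200 connections, but only 2 MX hosts.
    recs += [(1000 + i, "192.0.2.10", f"198.51.100.{1 + i % 2}", 25) for i in range(200)]
    # Customer with an ssh tunnel: 150 connections to a single host.
    recs += [(1000 + i, "192.0.2.20", "198.51.100.50", 22) for i in range(150)]
    # Likely compromised host: 40 connections to 40 different hosts on port 22.
    recs += [(1000 + i, "192.0.2.30", f"203.0.113.{i + 1}", 22) for i in range(40)]
    # Traffic on other ports is never counted.
    recs += [(1000 + i, "192.0.2.30", "198.51.100.80", 443) for i in range(30)]
    return recs

if __name__ == "__main__":
    for src, dport, count, unique in flag_fanout(constructed_sample()):
        print(f"{src} port {dport}: {count} connections to {unique} hosts")
```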
I've seen this come up on at least three different cop shows so I wouldn't
recommend it. It's also not cool. Packets wanna be free man..
Just my 2c
On a lighter note, did you know that your company can hold some of us
liable depending on what advice we give you and how far you run with it?
Just a thought... Overall, I wouldn't choose nanog over
google/wikipedia/GROKLAW unless it is something really specific
operationally. This isn't really one of those topics. Any lawyer worth
his luxury sedan should be able to do his own research. Most of the laws
were written by lawyers and judges that don't understand IP (Internet
Protocol or Intellectual Property) either so your legal team is in good
company.
[snip]
> I am looking for some guidance on full packet inspection at the ISP level.
Aside from any legal issue; there is a "respectable practices"
issue. Even if there is no regulation that prohibits something, that does
not mean it is OK. Your customers deserve to be made aware of any
full packet capture practices that may impact traffic to/from network
they own/manage, before packet capture occurs, especially when there
is data retention, or human examination/analysis based on contents of
large numbers of packets; otherwise there is a risk you will be in
trouble, for some definition of "in trouble" that depends on the
circumstances.
Because your packet interception can put your user at risk;
proprietary information can be disclosed. And most ISP customers
intend to purchase network connectivity service, not "record all my
traffic without telling me" service ..
Are you prepared to explicitly explain to your customers, both
existing, and new ones, before they are allowed to buy or continue
service from you -- under what circumstances you intercept full
packets, whose packets do you capture, what packets do you capture,
how many packets / how long will you capture their packets, what do
you do with their contents after you capture them, how long do you
keep data, what security controls do you have in place to prevent
unauthorized access to their packets and ensure timely destruction
of sensitive data?
If the answer is NO, that you have poor planning, or your privacy
practices are not solid enough to reveal to your customers with
confidence, then save the money on consulting lawyers, by choosing
NOT to implement interception and capture of full packets.
> [snip]
> > I am looking for some guidance on full packet inspection at the ISP level.
> Aside from any legal issue; there is a "respectable practices"
> issue. Even if there is no regulation that prohibits something, that does
> not mean it is OK. Your customers deserve to be made aware of any
> full packet capture practices that may impact traffic to/from network
> they own/manage, before packet capture occurs, especially when there
> is data retention, or human examination/analysis based on contents of
> large numbers of packets; otherwise there is a risk you will be in
> trouble, for some definition of "in trouble" that depends on the
> circumstances.
> Because your packet interception can put your user at risk;
> proprietary information can be disclosed. And most ISP customers
> intend to purchase network connectivity service, not "record all my
> traffic without telling me" service ..
If you need a call center to handle this just let me know... since
your call volume is going to spike through the roof.
Aside from all of the business and legal sticking points that others have mentioned, there are also the technical aspects of capturing, storing, transporting, analyzing, and managing those packets, and the appliances that do the heavy lifting. As your traffic grows, that problem scales 1:1 linearly, at best, and more likely n:1 linearly, or worse. The added overhead of the infrastructure needed to support this will also make it more difficult to be price-competitive with your peers.
Your sales/marketing/executive staff would have their work cut out for them in trying to explain to existing and prospective customers not only where the value-add is for them, but why that would be worth the significant recurring costs you'd have to charge to cover your overhead and/or maintain your profit margin.
jms