Pascal Gloor wrote:
> Does any country in the world require such things?

To put a small operational comment here [this is NANOG isn't it?],
customers with Slammer worm -really- blow out internal NetFlow between
themselves and the nearest filter blocking them. We had a lot of
56k modem customers with Slammer so we hadn't noticed them in terms
of any throughput graphs, and their actual traffic gets blocked at
various points, but before it does it has a drastic effect on the
NetFlow server. So if anyone else is keeping complete NetFlows of
every router in your network and wondering why they've grown so much
over the past few weeks... find everything to UDP destination 1434
and get someone to contact the customer *sigh*

In Australia you aren't -required- to keep anything, but anything you do
happen to have/keep (eg. proxy logs, NetFlow, mail logs, RADIUS logs, etc)
you are required to hand over on a proper request. And if you do happen
to keep reasonable logs and co-operate with authorities where required
(very rare that it's actually required), then they're unlikely to do
something unkind such as take your ISP's servers as "potential evidence"
for six months, which of course they'd be perfectly entitled to do
(after months of careful analysis they may find some old logs that have
been written over 100 times by carefully removing each magnetic signal
to reveal traces of the one before, for example - so it's a justified
but far from ideal action).

I've never had an unreasonable or intrusive request from the authorities,
even as an example when a suspected murderer who had contacted his
alleged victim(s) via the internet had left his email on the server they
did not request his email as that was beyond the bounds of what they are
comfortable to request (fortunately - because we would have had to consult
the lawyers on the legality of releasing actual communications content;
the analogy of the envelope and the contents is an often used one, in
traditional mail the writing on the envelope is essentially public
knowledge but the contents of the envelope are subject to strict privacy
laws. NetFlow inspects packet headers - envelope. Proxy logs contain
only the size and address of requests - envelope. Similarly mail logs;
address, return address, size, etc - envelope details again. But mailbox
contents correspond to envelope contents, so they're a much harder

The authorities are usually quite understanding that logs are quite
large, and if they have a request they must get it to us quickly to
expect a useful response. And the response has been in 100% of cases
that we've identified a customer who happens to be a Net Cafe... so they
get to go and try their luck on getting a Net Cafe to identify a
customer from their proxy logs and customer records (yeah, sure).

Note that caller ID is very special here. Specifically, the caller ID
used to connect to an account must NOT be revealed to the account holder
(think: account holder checks usage, finds out who did it, and goes
over to go kill person responsible for large bill), and must ONLY be
revealed to responsible authorities with some very specific paperwork.
This is contrary to, for example, Singapore (where our parent company
operates), where each customer sees the caller ID details on their online

As to extremes of lawful interception - try Singapore and China.
Singapore Govt require the use of a proxy (if the proxies are all down,
the internet is down), so I'd assume they also require keeping of
the proxy logs. I don't know if it's still the case, but it used to
be that Singapore had a "banned list" for the proxies and China took
things to a further extreme by having an "ok sites list" rather than
a "banned list".
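As an added illustration of the NetFlow point made earlier in this post (this is not code from the original message): a small Python script over constructed flow records that flags sources fanning out to many distinct hosts on UDP destination 1434, and shows how those one-packet flows dominate the record count while contributing almost nothing to byte volume, which is why a low-bandwidth infected host can still swell a NetFlow collector. The record layout, field names and sample values are assumptions.

```python
from collections import defaultdict

# Constructed sample flow records (not real data), one per line:
# src_ip,dst_ip,proto,dst_port,packets,bytes
SAMPLE_FLOWS = """\
10.0.5.17,203.0.113.9,17,1434,1,404
10.0.5.17,198.51.100.44,17,1434,1,404
10.0.5.17,192.0.2.200,17,1434,1,404
10.0.5.17,203.0.113.77,17,1434,1,404
10.0.5.17,192.0.2.3,17,1434,1,404
10.0.5.17,198.51.100.1,17,1434,1,404
10.0.5.17,203.0.113.1,6,80,12,5400
10.0.5.18,203.0.113.9,6,80,40,38000
10.0.5.18,192.0.2.10,17,53,2,180
10.0.5.19,192.0.2.50,17,1434,1,404
"""

UDP = 17
SLAMMER_PORT = 1434  # UDP destination port named in the post

def parse_flows(text):
    """Parse the CSV-like records above into dicts with typed fields."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        src, dst, proto, dport, pkts, byts = line.split(",")
        flows.append({"src": src, "dst": dst, "proto": int(proto),
                      "dport": int(dport), "packets": int(pkts),
                      "bytes": int(byts)})
    return flows

def is_slammer_flow(f):
    return f["proto"] == UDP and f["dport"] == SLAMMER_PORT

def find_scanners(flows, min_distinct_dsts=5):
    """Per source, count UDP/1434 flows, distinct destinations and bytes;
    return sources that spray at least min_distinct_dsts different hosts.
    Result: {src: (flow_count, distinct_dsts, total_bytes)}."""
    per_src = defaultdict(lambda: {"flows": 0, "dsts": set(), "bytes": 0})
    for f in filter(is_slammer_flow, flows):
        s = per_src[f["src"]]
        s["flows"] += 1
        s["dsts"].add(f["dst"])
        s["bytes"] += f["bytes"]
    return {src: (s["flows"], len(s["dsts"]), s["bytes"])
            for src, s in per_src.items() if len(s["dsts"]) >= min_distinct_dsts}

def record_vs_byte_share(flows, suspects):
    """Fraction of all flow records, and of all bytes, that the flagged
    sources' UDP/1434 flows account for (records high, bytes low)."""
    hit = [f for f in flows if f["src"] in suspects and is_slammer_flow(f)]
    return len(hit) / len(flows), sum(f["bytes"] for f in hit) / sum(f["bytes"] for f in flows)
```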