On Wed, 2008-08-06 at 12:14 +1200, Don Gould wrote:
> I've been following this discussion with some interest.
> I'm sure the issue of ethics has been raised on this topic but I hadn't seen any mention in this thread and am unclear where users stand.
> Are users advised that their data is being captured for analysis?
> What is the law regarding this sort of data capture?
> Are regulators/auditors involved in ensuring appropriate security of captured data?
> I'm not after a flame war on this issue, if it's already been discussed with respect to earlier projects I'd be interested in a link to the previous discussions.
While I can't comment on the approach actually being taken, since I have no idea (and IANAL), I'd have thought such concerns could easily be dealt with by just capturing aggregate statistics. In other words, "Between 2008-08-01 00:00:00 and 23:59:59, ISP X's DSL customers terminated X inbound TCP connections on port X, totalling X bytes."

Of course the customer's data had to be processed by network hardware and/or servers in order to collect the above stats, but they're being processed by network hardware anyway in order to switch and route the traffic. As long as the output of the system doesn't include any identifying data, which the above example does not, I would have thought that there'd be no problem.

I'd be interested to hear from someone more involved in this type of analysis on the legal issues involved...

-jasper