I just want to clarify a few things about our trace capture and analysis methods. More details about the traces we used for this analysis can be found at http://www.wand.net.nz/wits/localisp/b/3/ . Important things to note are that we snap all captured packets just after the transport header (TCP, UDP etc) as soon as we pull them off the wire. The IP addresses for this trace-set are not anonymized (unlike most other captures that WAND does) but we have no way of mapping IP addresses back to customers anyway. There are a number of checks and balances to ensure the privacy of any user data that we might end up examining. Primarily, we have a non-disclosure agreement with the ISP itself that includes not publicly sharing any information that is specific to either the ISP or its users. The agreement also defined what we could capture and what had to be anonymized - in this case, we were allowed to keep those four bytes of payload and unanonymized IP addresses. Obviously, summary statistics such as those on the web-page I linked to yesterday are OK. On top of all that, the university has ethics committees and a code of conduct to govern this kind of thing. The trace capture had to pass through an ethics committee at Waikato before we could even commence capturing traffic. We're also very careful to ensure that no-one here at the University gets access to the traces without signing an NDA. But ultimately, given that we've thrown away (almost) all the payload after the headers, users don't have too much to fear from me inspecting the packet headers anyway. It isn't as though I can read their email or steal their plain-text passwords. Hopefully that allays a few fears, Shane Alcock WAND Network Research Group University of Waikato Don Gould wrote:
Morning List,
I've been following this discussion with some interest.
I'm sure the issue of ethics has been raised on this topic but I hadn't seen any mention in this thread and am unclear where users stand.
Are users advised that their data is being captured for analysis?
What is the law regarding this sort of data capture?
Are regulators/auditors involved in ensuring appropriate security of captured data?
I'm not after a flame war on this issue, if it's already been discussed with respect to earlier projects I'd be interested in a link to the previous discussions.
Cheers Don
_______________________________________________ NZNOG mailing list NZNOG(a)list.waikato.ac.nz http://list.waikato.ac.nz/mailman/listinfo/nznog