Ok, I know that most of you are not the uber-privacy geeks that I am. You may have missed this “story” on the Internet this week, and you may not care. However, as an obsessive privacy professional, I have been reading and reading, and I am frankly baffled.

At this point, I should also reiterate that everything in this post and this blog represents my personal opinions, and I am not speaking for my employer on this subject. This is important here as I am presently updating my company’s policies and procedures for doing the kinds of things I’m about to discuss. I won’t be discussing the details of what my company does here.

Monday, the Federation of American Scientists Government Secrecy project blog posted Comcast Cable company’s Handbook for Law Enforcement (pdf).

While the document isn’t a generally public document, it is clearly intended for distribution to federal, state, and local law enforcement officials.

It doesn’t contain any big secrets — it says, in some detail, that law enforcement agencies and officers have to very closely follow the law, and that Comcast will check to make sure they are doing so before it provides any information about its customers.

It also notes that Comcast doesn’t charge for investigation of child sexual exploitation, but that for other investigations, they reserve the right to seek cost reimbursement from the government. And it specifically says that Comcast charges $1000 to set up a “Court Ordered Pen Register/Trap and Trace compliant/FISA requiring deployment of an intercept device.”

For some reason that I do not understand, that last bit seems to be extremely exciting to some people on the Internet. Even ABC News, who should really know better. Only CNET shared my “where’s the news here?” view.

Allow me to translate it for those of you who don’t routinely deal with 4th Amendment law.

Court Order: Specific ruling from a judge that you have to do or provide whatever they are ordering you to do or provide. Any time a court ORDERS you to do something, you have to do it. You can challenge the order, and the court might let you wait to comply while the appeal is pending, but they might not. A court order is otherwise 100% mandatory. You can be arrested if you fail to comply.

Pen Register/Trap and Trace: “Trap and trace” and “pen register” are terms left over from the early days of telephone surveillance orders.

They are orders from the court that a communications provider give the law enforcement agency information about with whom and when the target of the investigation communicated. In the phone world, that’s your call records — you called XXX-XXX-XXXX on Y date and were connected for Z minutes. On the Internet, that’s your email header information, arguably except for the subject line.

FISA Orders: These are court orders from the secret federal Foreign Intelligence Surveillance Court. They might be the same, or they might include more complete information about what you’re doing — on the Internet, it could be the content of your emails, or even all traffic that goes over the Internet from your connection.

Plenty of people worry that the FISA court and the FBI have access to too much information about US citizens without much oversight. The court system hasn’t yet determined whether or not these laws are unconstitutional.

Incidentally, one of the quirks of the FISA law is that anyone who receives a FISA order is prohibited from discussing even that minimal fact, except as is necessary to implement the order. Even after the surveillance is completed. Comcast cannot say whether or not they have ever even received one of these. It is possible that they never have — concern about terrorism is not the only reason that courts issue surveillance orders.

Unless or until laws like FISA are found unconstitutional, everyone, including Comcast, is obligated to follow those laws.

Deployment of an Intercept Device: Some kinds of surveillance require putting new hardware on a computer network in order to intercept and capture the information flowing through it. Others, which might be more narrow in scope, do not. For example, in my experience, it is unlikely that a pen register/trap & trace order for someone’s email records would require the deployment of an intercept device. But different computer networks are set up and designed differently, so there may be some that do require the deployment of additional hardware.

The handbook that sparked this strange controversy is pretty clear — it says that the law enforcement officers have to get all of their legal ducks in a row, and that Comcast will check and only provide the information to which they are legally entitled.

ISN’T THAT A GOOD THING?

I think that protects Comcast customer privacy. I think that’s what we, as companies, are supposed to be doing. There might be details on which we differ, but on the whole…. From a consumer perspective, I haven’t always been happy with Comcast’s customer service. But I’m happy with these policies and procedures.

I am a huge privacy geek. I’ve been a privacy professional and advocate for more than a dozen years. I am sure that I am in the 5% of the population most concerned about privacy protection. And I don’t see what the fuss is here.

The other part that seems to be upsetting people in these stories is that Comcast charges $1000 to set these orders up, and $750 per month after the first month.

I doubt that even begins to recover their actual costs.

I don’t have direct knowledge of how Comcast does these things, but I manage surveillance orders for my company, and I’ve talked about them extensively with the people who do them for other cable companies and other traditional ISPs.

First, the person who gets these orders and figures out if they are legitimate and what information the company has about the target customer is a lawyer. Let’s say it takes them only an hour to do that work — and trust me, it probably takes longer. That’s between $200-500.

Then the lawyer needs to call some network operations engineers, and tell them to drop what they’re doing and install these orders. Depending on the complexity and the degree to which the company has things automated, that could be anywhere from another hour to a team spending a day or two. Call that $100-$10,000.

This charge only appears to apply when Comcast has special intercept equipment that needs to be deployed onto their network. In some cases, this could be to a location near where the target is connected to the Internet, not the corporate headquarters or main technical facilities. I have heard estimates for the equipment costs, not to mention shipping and installing and testing, as high as $20,000 per order.

From that, $1000 seems like an estimate on the far low end of the actual cost.

And remember — these companies are not in business to spy on people. They’re in business to sell phone or Internet service. People in jobs like mine are unprofitable — necessary, but cash sinkholes. And in many of these companies, there is a team of at least 2-3 people just handling the legal side of things. Telephone companies might have a dozen people in those roles.

Here’s my last WTF thought about this “story.” Much has been made about the Comcast manual being “leaked” and “confidential.” But some companies post this information on their websites. Here’s the link to that information for one of Comcast’s competitors, Cox Communications. They do more or less the same thing, and by the way, they charge more.

Did I mention that I’m not an investigative journalist? It wasn’t exactly hard to find that information. But it isn’t in any of the “news stories” or blogs that I found covering this “issue.”