Wednesday, 22 February 2012

How Expensive is it to Track Internet Usage?

One of the aspects of the Bill C-30 story that puzzles me as a network technician is the concept that it will cost ISPs gobs of money to install the equipment necessary to log customer traffic once a warrant has been issued. Today it was reported that the cost will be "$80 million dollars".


What is this $80 million for? Is this to buy equipment at the ISP or is this to cover costs incurred by the federal government to set up some sort of bureaucracy to support the bill? I hate costs without details of what those costs are to be.

What most people don't realize is that the capability to log and monitor traffic is baked into most network equipment already. Almost any network equipment sold to businesses has mirror or SPAN port capability built in. Port mirroring allows a network admin to dump all traffic through a port or a device out a secondary port for, wait for it, logging and analysis. This spy port capability has been around for at least a decade. Given that ISPs are networking companies that buy mid- to top-tier equipment, every ISP already has the capability to monitor all Internet traffic routed through them.

That isn't the total story of course. All that data has to be stored somewhere, and if you are logging gigabytes of network traffic per hour, you need a lot of disk to store it on. Let's take a quick peek at the monitoring provisions in Bill C-30.

Obligations Concerning Interceptions

Obligation to have capabilities

6. (1) For the purpose of enabling authorized persons to exercise their authority to intercept communications, every telecommunications service provider must have the capability to do the following:
(a) provide intercepted communications to authorized persons; and
(b) provide authorized persons with the prescribed information that is in the possession or control of the service provider respecting the location of equipment used in the transmission of communications.

Operational requirements for transmission apparatus

7. The operational requirements in respect of any transmission apparatus are that the telecommunications service provider operating the apparatus have the capability to do the following:
(a) enable the interception of communications generated by or transmitted through the apparatus to or from any temporary or permanent user of the service provider’s telecommunications services;
(b) isolate the communication that is authorized to be intercepted from other information, including
(i) isolating the communications of the person whose communications are authorized to be intercepted from those of other persons, and
(ii) isolating the telecommunications data of the person whose communications are authorized to be intercepted from the rest of the person’s communications;

What does this mean? To me this requires a very simple setup on the part of the ISP. Turn on the mirroring or SPAN port capability on a device that all of a customer's traffic would be routed through, and filter the resultant data stream to only include the data of the subscriber (or subscribers) the warrant applies to. For a small ISP, the monitoring can be done with the built-in capabilities of the network equipment they already own and the filtering can be done with free open source software.

But what about the storage costs? Well, an ISP must "provide intercepted communications to authorized persons". If a law enforcement agency approached an ISP with a warrant, a liberal interpretation of Bill C-30 would allow the ISP to respond "give us the storage and we'll provide you with intercepted communications." This isn't all that unreasonable as the data has to be collected (i.e. copied) by the law enforcement agency from the ISP. Writing the data directly to provided storage eliminates the step of having to copy the data from the ISP's storage system to the law enforcement agency's storage system. No matter what, the police, CSIS, the Competition Bureau(!!) will need their own storage to analyze the data. Writing directly to their storage avoids any errors introduced trying to copy large volumes of data between systems.
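The filtering step described above, isolating one subscriber's traffic from everyone else's as section 7(b)(i) requires, can be sketched in Python. This is an added example, not code from the original post: it assumes the mirror port's output was saved as a classic little-endian pcap with Ethernet framing and that the subscriber is identified by a single IPv4 address; the function names and sample addresses are made up for illustration.

```python
import ipaddress
import struct

PCAP_HDR = struct.Struct("<IHHiIII")  # classic pcap global header, little-endian
REC_HDR = struct.Struct("<IIII")      # ts_sec, ts_usec, incl_len, orig_len

def records(data):
    """Yield (raw_record, frame) for each complete record in a pcap byte string."""
    magic, *_mid, linktype = PCAP_HDR.unpack_from(data, 0)
    if magic != 0xA1B2C3D4 or linktype != 1:
        raise ValueError("expected a little-endian pcap with Ethernet link type")
    off = PCAP_HDR.size
    while off + REC_HDR.size <= len(data):
        end = off + REC_HDR.size + REC_HDR.unpack_from(data, off)[2]
        if end <= len(data):  # a truncated final record is dropped, not emitted
            yield data[off:end], data[off + REC_HDR.size:end]
        off = end

def ipv4_endpoints(frame):
    """Return packed (src, dst) IPv4 addresses, or None if the frame is not IPv4."""
    ethertype, l3 = frame[12:14], 14
    if ethertype == b"\x81\x00":  # skip one 802.1Q VLAN tag
        ethertype, l3 = frame[16:18], 18
    if ethertype != b"\x08\x00" or len(frame) < l3 + 20:
        return None
    return frame[l3 + 12:l3 + 16], frame[l3 + 16:l3 + 20]

def filter_pcap(data, subscriber):
    """Keep only frames to or from `subscriber`; all other traffic is left out."""
    target = ipaddress.IPv4Address(subscriber).packed
    kept = [raw for raw, frame in records(data)
            if (ends := ipv4_endpoints(frame)) and target in ends]
    return data[:PCAP_HDR.size] + b"".join(kept)

def build_pcap(flows):
    """Constructed sample input: wrap (src, dst, payload) tuples as pcap records."""
    out = PCAP_HDR.pack(0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, (src, dst, payload) in enumerate(flows):
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, 6, 0,
                         ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
        frame = b"\x02" * 12 + b"\x08\x00" + ip + payload
        out += REC_HDR.pack(i, 0, len(frame), len(frame)) + frame
    return out

# Constructed capture (not real traffic): two customers, documentation addresses.
SAMPLE = build_pcap([("198.51.100.7", "203.0.113.10", b"to subscriber"),
                     ("198.51.100.8", "192.0.2.55", b"other customer"),
                     ("203.0.113.10", "198.51.100.7", b"from subscriber")])
```

Calling `filter_pcap(SAMPLE, "203.0.113.10")` returns a valid pcap holding only the two frames that involve that address, so the second customer's traffic never reaches the output file.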

So for a small ISP, the net cost of compliance with Bill C-30 is close to zero. Larger ISPs with more complex networks may need more powerful filtering software or equipment. But they likely already have most of this equipment (how do you think they know you went over your data cap doing BitTorrent downloads?) so again, the net cost is not that great for them.

The biggest cost of network data logging isn't the collecting of data. It is in the storage, analysis and the reporting of that data. That cost will be borne by the agency requesting the data once they start to go through it and collect evidence. It won't be borne by the ISP.
