What do ISPs charge the law to spy on you?

Cryptome is hosting several ISPs' pricelists and guidelines for "lawful spying" activities on behalf of law enforcement. Included is Yahoo's price-guide (hilariously, Yahoo tried to send them a copyright takedown notice to make this go away).

One of the more remarkable elements of Yahoo's document is the sheer quantity of material that Yahoo retains for very, very long periods. From /.: "IP logs last for one year, but the original IPs used to create accounts have been kept since 1999. The contents of your Yahoo account are bought for $30 to $40 by law enforcement agencies."

Yahoo! will seek reimbursement based on the actual time expended by Yahoo!'s compliance staff in complying with the request. The average costs related to compliance matters are listed below for your convenience. These estimates are neither a ceiling nor a floor but represent the average costs of typical searches. Time spent may vary considerably based on the wording of the request and the information available about the user. These time estimates are also based on narrowly tailored requests that do not require extensive searches in multiple databases. These estimates are not price quotes, budgets, or guarantees and should not be used for budgeting purposes. Yahoo! reserves the right to adjust its estimates and reimbursement charges as necessary.

* Basic subscriber records: approx. $20 for the first ID, $10 per ID thereafter

* Basic Group Information (including information about moderators): approx. $20 for a group with a single moderator

* Contents of subscriber accounts, including email: approx. $30-$40 per user

* Contents of Groups: approx. $40 - $80 per group

Yahoo Lawful Spying Guide (via /.)



  1. hrrmm… After-hours emergencies: Yahoo! Security at 408-349-5400

    [ring… ring…]

    “Help! Help! This is an emergency! Our civil rights are going to shit!”

  2. @3: “Why wouldn’t they hang on to records?” Because the more the keep, and the longer they keep it, the greater the likelihood of harmful disclosure, either as the result of a court order or an accident or a crime.

    1. Harmful to whom? I don’t see how Yahoo can be harmed by this. And given that Yahoo still doesn’t give a hoot about you, especially if you did something that might be judged “harmful” I don’t see why it’s in their best interest not to keep this data. Especially considering that they get paid for finding it.

  3. Sheesh, they’re cheap. If you’re going to sell out like that in the first place, you should at least have the good grace to suck up ten times as much taxpayer money.

  4. In the UK, under the Regulation of Investigatory Powers Act, ISPs can charge the same kind of fees to cover costs for law enforcement requests. As reported by the BBC and others, those charges can be “as much as £65 a time” (http://news.bbc.co.uk/1/hi/uk/7840924.stm). Some ISPs do not charge UK police at all for these requests – AOL has a policy of not charging in the UK as they do not in the US (AFAIK, this may have changed).

    The Child Exploitation & Online Protection Centre is lobbying hard for them to be exempt from this provision of RIPA as they think it should be part of the cost of doing business for the ISPs, but it can be argued that attaching a price tag to each request helps moderate law enforcement’s insatiable desire for data on each and every one of us.

    Is HMG’s desire to have a central database of all internet communications managed by them just a desire to get the cost of unlimited access down to a more manageable level?

  5. I would think the government bodies concerned would just laugh in the ISP’s figurative faces and tell ’em to add it to their customers’ bills. I thought they had anyway.

  6. I’ve worked for a couple of large Telecoms companies, both didn’t keep detailed records for more than was necessary for billing purposes because of the sheer volumes involved.
    Sweden, France and the UK are going to choke on their data if their idiot governments persue their various 3 strikes policies. And their customers will choke on their freshly-inflated bills.

  7. Charging seems perfectly fine for me.

    The important thing is not what they charge but when and how they grant access.
    a) Anyone from “the law” at any time.
    b) With a court order, under some circumstances.

    I can understand Yahoo wanting to be reemberised for their time and these fee’s arnt much.
    Your paying for an engineer to spend half hour to an hour getting the relivent information from a database, formating it nicely, and sending it off.
    If the database is well secure, and the ISP’s are doing their job. This shouldnt be too easy (ie, not everyone on the staff should have access), and they should double check everything.

    Id be more worried if they didnt charge.

  8. They will sell the contents of your user account for $40.00 bucks to a leo but no amount of begging pleading or cash can get your own account contents back if you get locked out of your own email by someone.

  9. The trick is to post contradictory stuff in multiple places. This way, all they manage to accumulate is a meaningless pile of confusion, Making them waste time and money is the only protest you can make on the individual level – um . . . or, so I’ve heard. . . .

  10. More evidence that you need a good encryption program, even on your free email accounts. PGP anyone?

  11. I’ll bet one could argue for a class action suite for royalities to the person whose data was provided if it could be shown their copyrighted information sold to the police generated a profit for the ISP.

    It’s one thing to provide info under a court order for no profit, but if a company is profiting on your writing’s being sold to a client no matter what the reason you can demand a cut of the profit’s as copyright holder in your own writings.

    I’d love to see that lawsuit.
    Then either ISP’s would need to verify they don’t make a profit from selling your writings or you would have a right to royalty statements every time your stuff was sold to law enforcement for a profit.

  12. Good luck removing this, Yahoo. It’s fair use for the purpose of discussion and commentary. It is newsworthy and there is a compelling public interest in the dissemination of this item.

  13. is that a statistical fact or conjecture? Do odds and averages really work that way? If Yahoo (for example) keeps account records for one year, five years or forty years it would be interesting (statistically) to see if year one is any different than year forty. Court orders, accidents and crimes can’t really be put on a statistical graph, can they?

    Right, what could possibly go wrong?






  14. @stevennatural: Actually, court orders, accidents and crimes are good all examples of things which can be and are graphed statistically. For an individual they obey an (undetermined) random distribution with large variability (math geek for “it’s pretty unpredictable”).

    But for a large population – say, all Yahoo users – it’s easily possible to study the odds for the population as a whole with great accuracy. (I doubt this study has been done for Yahoo, because Yahoo probably haven’t and nobody else has the data, but it’s possible. It’s been done before for other institutions.)

    Odds of disclosure are strictly nondecreasing with time, so yes, in this case, odds and averages really do work that way.

  15. All three are unpredictable (except possibly a court order)


    Information NOT kept cannot be released. A null option’s chance is always zero. A zero sided die cannot roll a 1. There is a constant zero percent chance.

    If there is a constant low chance of kept information being released, then the passage of time, in fact, increases the odds of said release. Roll a 10,000 sided die repeatedly and eventually you wil roll a 1.

  16. “s that a statistical fact or conjecture? Do odds and averages really work that way? If Yahoo (for example) keeps account records for one year, five years or forty years it would be interesting (statistically) to see if year one is any different than year forty.”

    This is irrelevant. There is some chance of “harmful disclosure” in year one, some chance in year two, and so on. Call these event one, even two, event three, etc. The probability of disclosure in either year one or year two (P(e1 or e2)) is necessarily as large as or larger than disclosure in year one alone. The key insight is that you can’t get to year two without passing through year one first.

    So, odds of harmful disclosure are zero at time zero, and increase monotonically and asymptotically to one.

  17. Actually I believe the act of rolling a dice generates a unique random result each time. Rolling the dice repeatedly does not increase the odds of a certain number coming up. Each roll is a new unique random event. I do agree with you though that holding the data for increasing periods of time would increase the chance of it being somehow released.

  18. Rolling the dice repeatedly does not increase the odds of a certain number coming up.

    You are no more likely to roll a 1 on any individual roll but we’re talking about the cumulative probability of lots of rolls.

    You can think about it like this: For a 6-sided dice, the probability of rolling a 1 is 1/6. So, the probability of NOT rolling a 1 is 5/6 (0.83..).

    For two dice rolls, the probability of not rolling a 1 is (5/6 * 5/6) = 25/36 (0.694..), so the probability of rolling a 1 is 1 – (5/6 * 5/6) = (0.305..), already higher than a single roll.

    For 100 dice rolls, the probability of rolling a 1 is 1 – (5/6)^100 = 0.999999. In other words, extremely likely.

Comments are closed.