About Italian Anti-Terrorism Law

[mbmichele]

As you Know (http://www.google.it/search?hl=it&rlz=1B3GGGL_itUS228IT229&q=anti+terrorism+law+pisanu+wifi&btnG=Cerca&meta=)
 in Italy there a big problem of legality of hot-spot.

How it is possible to have the logs of single user to give tho te police if will be required?

I think a gzipped file hourly sented to a big mail account (like gmail).

Thank Michele
  sorry for my english

[WorldSpot]

Worldspot is an access control service granting or not the right to connect to your internet.
It can also help identifying the identity of your users by asking them to register and validate their email.

I think the software you are looking for is a connection spying system, which is NOT the purpose of a hotspot. Note that with such software, you won't be able to connect to your VPN anymore, which makes your hotspot less useful.

I dont think that italian ISPs log all the sites that you are visiting, so I don't understand why you would need to do so. Asking the identity of your users (and storing it...) before they connect should be sufficient.
I will be thinking implementing a mobile phone based identification system in the future.

[mbmichele]

Thanks for reply.

I've found a postal police agent to ask this so if I found detaled information I will inform the forum (obviosly useful for italian user).


Michele

[mmpiece]

Hi admin, would it be possible to use squid between the hotspot and the internet? on the HotSpot you FW packet to a squid server that proxy and log calls to all internet pages. Worldspot functionalities (radius , UAM...) would be compromised in this case?
thanks very much for your reply!

[WorldSpot]

It should be possible to do this indeed, but not tested.
Chillispot would remain at the frontend, and behind, on the same or another PC you can have a squid proxy in transparent mode.
This is of course not possible on a router.

[samael]

Hi all,

sadly, mbmichele is right.
Italian laws (Normativa antiterrorismo del 16 agosto 2005, Circolare del Ministero dell'interno n. 5572005) impose every Internet access public operator to:

1. ask every customer for a valid Identification Document to be registered and binded to a unique username;
2. log *every* connection at TCP/UDP level from the local IP assigned to every username (username, local IP, local port, remote IP, remote port, and protocol are to be logged);
3. store the logs for *at least* five years.

In practice, if the Police asks for the logs, they have to know who (identified by valid ID card) is gone where on the Internet (as logs state).
Recent interpretations and modifications to the law have made possible to authentify via credit card, but the name and the card number have to be logged and binded to your username, just as an ID card.

BUT, at the same time, due to the Privacy laws (Dlgs. 196/2003) Internet access provider are NOT allowed to register the content of web pages, emails, chats and so forth.

That's really stupid, indeed, but if you want to be legal, you have to implement that in your system. That's the reason why I (and others in Italy) can't rely on your services until you support these requirements.

PS: I really don't see where VPNs are implied in the discussion, nor why a VPN should not work with such a configuration.

Cheers.

--
Samuele

[WorldSpot]

2. log *every* connection at TCP/UDP level from the local IP assigned to every username (username, local IP, local port, remote IP, remote port, and protocol are to be logged);
3. store the logs for *at least* five years.

Do italian broadband providers do this?
Do you imagine the quantity of data this is?
Simply create a virus that will scan ports everywhere on the internet, and this will make italian ISPs crazy.
Why do you need to know the LAN local IP? How can this be useful?
How can you identify the protocol under SSL?
Why wouldn't terrorists use their own protocols?

Believe me, this is not realistic.
In france, there are these kinds of laws. But in mac donalds, you can connect simply by clicking "connect". Then you can access any VPN or proxy server in the world and make whatever you want.
Maybe you should check that these laws are followed.

In practice, if the Police asks for the logs, they have to know who (identified by valid ID card) is gone where on the Internet (as logs state).
Recent interpretations and modifications to the law have made possible to authentify via credit card, but the name and the card number have to be logged and binded to your username, just as an ID card.

If the police ask, simply give the paypal transaction number which is available. They will then ask paypal for the credit card number.
I agree that identifying your clients is useful and enough. This is why SMS identification feature is planned.

PS: I really don't see where VPNs are implied in the discussion, nor why a VPN should not work with such a configuration.

Because if you want to identify all connections and protocols, you have to block all encrypted and unknown protocols.
A malicious users simply have to use an encrypted https proxy anywhere in the world to keep its privacy.
Why making so many useless efforts when it is so easy to bypass these rules?
Even if you are forced to use a proxy server, the malicious user can easily setup a vpn through the proxy through https.

It isn't possible to control internet access without blocking any encrypted communication, which is NOT realistic.
Even if not encrypted, simply create a custom protocol over http, and you can do whatever you want.
To get VPNs or proxies, create a virus or simply buy a list of them to pirates for cheap.

It is SO easy to go through all these checks.

[samael]

2. log *every* connection at TCP/UDP level from the local IP assigned to every username (username, local IP, local port, remote IP, remote port, and protocol are to be logged);
3. store the logs for *at least* five years.

Do italian broadband providers do this?

Yes, they do.

Do you imagine the quantity of data this is?

Yes, because I have to deal with it, as I'm a system administrator running various public networks in several places.

Simply create a virus that will scan ports everywhere on the internet, and this will make italian ISPs crazy.
Why do you need to know the LAN local IP? How can this be useful?
How can you identify the protocol under SSL?
Why wouldn't terrorists use their own protocols?

Believe me, this is not realistic.
In france, there are these kinds of laws. But in mac donalds, you can connect simply by clicking "connect". Then you can access any VPN or proxy server in the world and make whatever you want.
Maybe you should check that these laws are followed.

In practice, if the Police asks for the logs, they have to know who (identified by valid ID card) is gone where on the Internet (as logs state).
Recent interpretations and modifications to the law have made possible to authentify via credit card, but the name and the card number have to be logged and binded to your username, just as an ID card.

If the police ask, simply give the paypal transaction number which is available. They will then ask paypal for the credit card number.
I agree that identifying your clients is useful and enough. This is why SMS identification feature is planned.

PS: I really don't see where VPNs are implied in the discussion, nor why a VPN should not work with such a configuration.

Because if you want to identify all connections and protocols, you have to block all encrypted and unknown protocols.
A malicious users simply have to use an encrypted https proxy anywhere in the world to keep its privacy.
Why making so many useless efforts when it is so easy to bypass these rules?
Even if you are forced to use a proxy server, the malicious user can easily setup a vpn through the proxy through https.

It isn't possible to control internet access without blocking any encrypted communication, which is NOT realistic.
Even if not encrypted, simply create a custom protocol over http, and you can do whatever you want.
To get VPNs or proxies, create a virus or simply buy a list of them to pirates for cheap.

It is SO easy to go through all these checks.

Laws and technical feasibility are different things.
Laws in Italy are very badly written and impose crazy limits, but ISPs have to adequate.

On the technical side, I repeat, you don't have to log nor sniff any kind of content. That's why there is no need to block any connection, and costumers are no affected in any of their activities. You simply have to log and store all the connection source and destination addresses and ports at TCP/UDP level.

I asked various times the Police if the PayPal transaction number is valid for recognition purposes (which, technically speaking, indeed is), but they said that it is not explicitly provided for any law so they won't take the responsability to give you the permission to operate an Internet Point in such a manner, even if, in case of investigation, they do can use PayPal transaction numbers.

That's why many people here running public Internet access services do not observe laws at all, or if they have a lot of costumers, they spend a lot of money to implement complex systems.

Ciao.

--
Samuele

[WorldSpot]

Ok

Logging the ip addresses, ports and protocol should be possible only at the router level in parallel with chillispot access control.
This is a firmware feature. I don't know any out of the box solution.
You may look at tcpspy, ippl or snort exist for openwrt.
I strongly suggest a big harddrive for storing all these logs.