Project Vigilant: Outsourced Spooks Or A Bunch Of Crackpots?
Group pops up at Defcon with some very large claims

Those busily debating whether Facebook's CEO personally values your privacy generally don't realize that unless you go to some great lengths, privacy on the Internet really doesn't exist in the first place -- and hasn't for a long time. Your every conversation and Internet action is tracked by a vast ocean of surveillance apparatus, from Echelon to AT&T's direct data dumps to the NSA. For years ISPs have also sold your clickstream data and other information to third parties.

With that in mind, Forbes has an interesting article on a government contractor named Project Vigilant. Project Vigilant surfaced at the Defcon security conference Sunday, claiming it was recruiting for work that amounts to outsourced domestic surveillance and intelligence. The group either buys or directly monitors data from at least twelve ISPs (which ones is not clear; the ISPs are not named) and uses that data to produce intelligence reports for the government. According to the group, ISP EULAs make this all a-ok:

quote:
According to Uber, one of Project Vigilant's manifold methods for gathering intelligence includes collecting information from a dozen regional U.S. Internet service providers (ISPs). Uber declined to name those ISPs, but said that because the companies included a provision allowing them to share users' Internet activities with third parties in their end user license agreements (EULAs), Vigilant was able to legally gather data from those Internet carriers and use it to craft reports for federal agencies.

The group appears to be a very bizarre entity, wanting to be a serious security agency but coming off as a bunch of crackpots. On first read you brush them off as some kind of bad fiction, though several outlets are claiming the group is stocked with former Homeland Security officials (Kevin Manson), NSA officials (Ira Winkler), a former security boss at the NYSE (Suzanne Gorman) and an official formerly in charge of DOJ cybercrime (Mark Rasch). Of course, just because the group is staffed with some former government officials doesn't mean they aren't still simply a bunch of crackpots, and there appear to be some legitimate privacy questions here if what the group is claiming is true.

Also see: Wired, the San Francisco Examiner and Salon.

Update: Richard Bejtlich has an interesting blog post at Tao Security arguing that Project Vigilant is little more than a PR stunt by a collection of "wanna be" security consultants. Bejtlich still has this to say about the group's ISP data collection efforts:
quote:
...and whether that massive data gathering violates privacy? The organization says it never looks at personally identifying information, though just how it defines that information isn't clear, nor is how it scrubs its data mining for sensitive details. The group doesn't look at PII, yet it develops "portfolios on any name, screen name or IP address"? I think it's time for some grown-ups to check out these guys. I don't think their activities will make those ISPs' customers happy.

Most recommended from 22 comments



Logan 5
What a long strange trip it's been
Premium Member
join:2001-05-25
San Francisco, CA

Is this really surprising?

Ever since AT&T's infamous room '602' debacle in San Francisco, things like this should come as no surprise to the average end user...

I wonder what happened to the program that analyzed EULAs before agreeing to them (EULalyzer IIRC), and what it might find if run against the major ISPs in the US?