Comcast Deflects User's Questions - Updated

Reader PB took up the 27B reader challenge and asked Comcast a detailed set of questions about their data retention policies. A customer service representative replied with an answer that linked to Comcast's subscriber agreement and privacy policy, which turn out to be very revealing documents indeed -- though they hardly answer the questions asked.

The privacy policy starts off with the fine sentiment that: "Comcast is committed to maintaining your privacy and believes that, as a subscriber to its high-speed Internet service, you are entitled to know Comcast's information practices." The policy then goes on to state "We will not read your outgoing or incoming e-mail, video mail, private chat, or instant messages, but we (or our third party providers) do store e-mail messages and video mail messages on computer systems for a period of time."

"A period of time" is not defined. Woe to the convicted criminal who hears those words coming from the bench. As for the TrustE logo, be aware it doesn't mean anything, other than a certification that Comcast has a privacy policy.

The rest of the privacy policy is largely dedicated to the use of web beacons and cookies set by Comcast's homepage that then track your usage across the web for the 'benefit' of not serving you redundant ads. The policy does not address whether Comcast keeps anonymized server logs, how long IP addresses are retained, or whether the company has been in discussions with the government about data retention.

The subscriber agreement is fascinating, at least once you get past all the clauses that sign away your legal rights and assigns all power in your dealings with Comcast to Comcast.

For instance, Comcast's lawyers seem to be trying to find a way to be held harmless for any video you upload, but end up claiming an unlimited copyright interest in any information you send upstream, including your emails:

Comcast does not claim any ownership of any material that you publish, transmit or distribute using [High Speed Internet]. By using HSI to publish, transmit or distribute material or content, you (i) warrant that the material or content complies with the provisions of this Agreement, (ii) consent to and authorize Comcast, its agents, suppliers, and affiliates to reproduce, publish, distribute, and display the content worldwide and (iii) warrant that you have the right to provide this authorization. You acknowledge that material posted or transmitted using HSI may be copied, republished or distributed by third parties, and you agree to indemnify, defend and hold harmless Comcast, its agents, suppliers, and affiliates for any harm resulting from these actions.

Comcast admits it can monitor your internet usage, but doesn't tell you what if anything they do with that information. Addendum 3(c)

The company then also admits that its systems are thoroughly insecure and that due to the design of its networks, other people can spy on your internet usage or get access to any home network you set up.

High Speed Internet may function in some ways as a Local Area Network (LAN) with each Customer constituting a node on the network. As such, users outside of the Premises may be able to access the Customer Equipment and other equipment connected in some way to the Customer Equipment. In addition, some available software includes capabilities that will permit other users to gain access to the Customer Equipment and other equipment connected in some way to the Customer Equipment, and to the software, files and data stored on such equipment. Unless you are subject to a HSI service plan that expressly provides otherwise, we recommend that you connect only a single computer to HSI.

Kevin also notes that this security hole isn't new, and that back when he wrote for Security Focus, he tried to find out about cable modem's vulnerability to hacking and whether encryption was used to protect users:

Outside security experts have generally dismissed any eavesdropping threat on modern cable systems based on a belief that cable companies are encrypting customer traffic, a capability built into all DOCSIS-certified modems since 1999. But while encryption would indeed thwart any eavesdropping attempt, in the most commonly-deployed version of the DOCSIS standard, version 1.0, the encryption option is just that -- an option, and one that's turned off by default. "The security has to be there" in the modem, says Oscar Marcia, chief security architect at for CableLabs, the industry group responsible for DOCSIS. "But the [service provider] can decide when to turn it on."[...]

SecurityFocus asked four U.S. cable modem service providers if they protected their customers with the encryption option. Comcast, Adelphia, and CableVision's Optimum Online declined comment; a spokesman for Time Warner's Road Runner service didn't return repeated phone calls on the question. Comcast's terms of service, however, acknowledges a risk of eavesdropping by "other subscribers," and Optimum Online's bluntly admits the company doesn't utilize encryption: "All Subscriber's ethernet traffic ... will be reflected by the cable Modem in an unencrypted form onto the cable network and be subject to eavesdropping."

Infowarrior and tech/security author Richard Forno writes in with a bit of perspective:

[H]ow does this differ from what GeoCities, Microsoft, and who knows who else tried to do about claiming ownership of any user-created content crossing or being stored in its environment? If memory serves, didn't a court find such policies at GeoCities unenforceable a few years ago? This raises questions about privacy, sure --- but what about regulatory concerns such as HIPPA or SOX? Comcast is claiming ownership over information that's federally-protected!