- 18 USC 3121, the trap and trace & pen register statute, prohibits the collection of electronic or phone signaling info other than as a necessary part of providing, and billing for, service. The statute is VERY broad. Signaling info covers pretty much every electronic impulse that's not the "content" of an IP or voice packet (content gets more protection from the other laws below). You don't have to be a telephone company; ANY service provider is covered by it.
Here's why this statute is the 800 TON gorilla. DoJ knows this statute, loves it, and has a vested interest in having it cover clickstream info. DoJ got this statute explicitly amended to cover addressing information of electronic communications as well as traditional phone digits. For examples of such cases, see the several cellphone administrative subpoena cases EFF has opposed. (See Footnote 6 on p 8 (.pdf) for more details.)
Remember, this is the same DoJ that also uses this statute routinely to get extensive clickstream info without a formal probable cause warrant, because this statute is one of several that have lesser, administrative subpoena, provisions. (All those administrative subpoenas are bunk, and DoJ is in reeeeeeeal trouble, if this statute doesn't apply to clickstreams...)
- Telephone companies, or providers who use telephone services to provide service, are separately covered by 47 USC 222, the CPNI statute. This statute is very detailed about what can and can't be disclosed, to whom, and what must be anonymized. There are also FCC rules implementing this. This statute still covers some dialup, but thanks to recent FCC rulings that have classified FiOS, DSL, and Cable Internet as "not communication services," the applicability of this statute to those is unclear.
(Background: these FCC rulings were the ones that removed non-discrimination requirements, triggering the whole net neutrality debates. Perhaps when people realize that the FCC rulings probably removed privacy protections too, there'll be a similar reaction?)
- The Cable TV Privacy Act of 1984 prohibits Cable companies from selling or revealing this type of data. As much as Cable companies don't like it, and even try to write their privacy policies around it (see 3rd para of http://help.twcable.com/html/twc_privacy_notice.html), this law prevents them from selling this info, regardless of whether they are providing cable TV service or "other services" like Cable internet service.
- ECPA, the CFAA, and SCA. These 3 Acts combine to provide most of federal computer privacy and computer crime law. Depending on how/when/where/by whom the clickstreams are captured and recorded, ISPs could easily violate one or more of these statutes. For example, say CableCo has enabled packet header logging on its router that sits at the head of a local neighborhood loop. CableCo networkOps looks at that log to see which of the packets are Port 25-bound, in an effort to limit unauthorized network traffic... Probably ok under most of those laws. BUT if instead the Biz.Exploitation&Development division later copied the header log and sold it off to NastyMarketing LLC, that is possibly a violation of ECPA or SCA.
- States have similar laws, especially the CPNI statutes.