When I dial-up to the internet what information is given away about me
to my ISP and if so how long is it kept for? For example, do they
immediately know the location I am dialling from and what computer I
am using at that time. If they know this information then how how long
is this kept for etc?

Hello Ash1106,

The specifics will vary by ISP. If you need a firm answer for a
specific ISP, please use a clarification request to provide that
information. The remaining material is general and should apply to any
ISP.

Basically there is two kinds of information that MAY be provided to
your ISP by the telephone company, depending on their equipment. They
are:
 - Caller Identification
 - Automatic Number Identification (ANI)

The first is available from any phone but can be blocked at the
source, usually by setting up a permanent block or blocking on a per
call basis (e.g., *67). The second is normally available from all
phones because it is used for both emergency calls (911) and for toll
free numbers (800, 877, etc.). For example, if you dial the ISP
through a toll free number, the ISP has the opportunity to capture the
calling phone number right away, or get it on the billing information.
Also note that the FCC requires a company to gain authorization from
the user prior to disclosing ANI information to other organizations.
See
  http://www.cpsr.org/alert/cpsr.alert.3.06.html
(third section) for a short summary of the 1994 FCC ruling.

The values received can then be used to look up a variety of other
information. For example, in 911 services, the number is used to look
up the address (and possibly map coordinates) so the emergency worker
can direct the police and fire department to the right location. A
good summary of this kind of auxillary look up is at
  http://www.911dispatch.com/911_file/911explain.html
(scroll past the table of references)

There are methods to disable or disguise your calling location. For
several examples, see
  http://artofhacking.com/files/callerid/index1.htm
which has a number of "hacking" files relative to both caller id and
ANI. For example, there is an 800 number listed in one reference that
you can call and the device will speak the ANI value back to you.

Of course, if you call from a portable phone, they can get your number
but not your "location".

Once you make the connection to the ISP, what is disclosed depends on
the software you have set up. For example, my ISP requires me to
provide a user name and password to "sign on" and authenticate myself
as a registered user. The ISP can then use that information (and the
duration of the call) for billing purposes. Beyond that, I have set up
my system to respond to little or no queries from systems at the ISP.
This is set up in the basic firewall that is part of my system. For
example, I don't host a web site, so any queries to TCP port 80 are
completely ignored. In the same manner, I don't respond to SNMP
(Simple Network Management Protocol) messages that might disclose
information about my system.

If you have suitable port sniffing software (or hardware if using a
serial modem external to your computer), you could check for "extra
queries" or information you don't want to have disclosed.

About the "how long" part, there were a few good references including:
http://www.icsalabs.com/html/communities/ispsec/downloads/LETF_icsa_edit_notes.rtf
or in Google's cache at
http://216.239.53.104/search?q=cache:AY2k0qvCYHIJ:www.icsalabs.com/html/communities/ispsec/downloads/LETF_icsa_edit_notes.rtf+internet+service+provider+ani+security+retention&hl=en&ie=UTF-8
which describes a number of related concepts such as security,
retention of data (e.g, duration) and disclosure to outside groups
(e.g., police). The retention slide in particular mentions a pretty
broad range of retention periods (down to none in some cases).

I suggest you review the Terms of Service that your ISP has for
details of their specific policy on this matter. Don't hesitate to use
a clarification request if part of this answer is unclear or you need
more on a specific issue.

  --Maniac

---

Request for Answer Clarification by ash1106-ga on 09 Jan 2004 08:09 PST

Great answer, pretty much hit the nail right on the head, but when you
mention about ANI and "...if you call from a portable phone, they can
get your number but not your "location"..." does that mean that ANI
cannot be negated or circumvented in some way the same as caller ID?

Thanks very much.

---

Clarification of Answer by maniac-ga on 09 Jan 2004 13:57 PST

Hello Ash1106,

When I talk about ANI from a portable (e.g., cell) phone, it may get my number
  555-123-4567
but obviously cannot find out where I am in the world. Certainly I am
within range of some cellular tower, but my specific location (e.g.,
street address) won't be possible with a cell phone. At best, they may
be able to look up the street address of "the phone", but not where
you are right now using it.

In general, ANI is harder to prevent than Caller Id. The main reason
for this is the billing aspect related to 800 numbers and dispatching
for 911 services. For example, if you disable Caller Id (e.g., *67),
that does nothing to the ANI value sent out by your phone. Check out
the art of hacking site for more details on methods to do this using
an operator or calling card service.

  --Maniac