> Legal limits on national security agencies

You're not talking about what they're talking about. They're talking about limiting corporate data collection. If companies don't build this into routers, then 99% of routers won't be collecting this data, and foreign spies won't have any data to steal.

They will classify the data as necessary for business purposes and collect it under a different name. They will be obligated to pass full take information if necessary, and it will be tapped at any point by employees who are given NSLs and asked/told to do things under penalty of law where applicable, and on threat of arrest or dismissal if not, or by federal agents themselves or their deputies or other approved third parties. Your modem may be intercepted in the mail and reflashed if necessary or over the wire, and that functionality is part of the operating standards of the modems. You could find a way to secure this on your own maybe, which is perhaps just another signal which flips a bit somewhere and may be logged. You can’t close Pandora’s box. It doesn’t matter if Comcast has the WiFi data to sell because they will have access to the information due to how the WiFi signals propagate. It’s diagnostic data. It’s the signals themselves. So all this is perhaps a misdirect, as any third party in range of the WiFi network can likely do the same thing passively, so it is a moot point. The data being gathered and sold should be legislated, but I don’t think that it will affect any of the actual concerns raised, because feds will still legally do whatever they are authorized to do, the justification and doctrine may not be public information. You probably won’t know, so you won’t object. Third parties who lack principles will gather the data regardless of legality. I don’t know how you could even legislate against passive monitoring unless you could demonstrate intent to harm or violate FCC regulations and applicable laws about harming people or computer systems like CFAA, which is a whole other issue.

> They will classify the data as necessary for business purposes and collect it under a different name.

Laws are powerful enough to stop that.

> wiretaps

I said 99%, not 100%.

> any third party in range of the WiFi network can likely do the same thing passively

But they won't do it in bulk without a lot of motivation (like profit).

When they are compelled to do it, they will not even know it is happening. Only the people doing it would know. That’s the reality of why it is done now. That there is a market for it should never have been allowed but the capability is necessary to troubleshoot the network. I guess it seems silly to say this is even a legal issue. They shouldn’t do a lot of things, but they are going to be legally compelled to do them, so the network structure’s form follows that function. If there is no market for that data, they will get the data by proxy by leasing access to the network or the customer or the metadata for security or other legal purposes via intermediaries or separate internal units. This is just how ISPs have to handle this kind of data request or other legal request. They have formal means to ask for what they need, and they will usually get enough data to find out anything they will need to find out that the CPE is emitting or doing.

I guess if you’re truly concerned you shouldn’t have WiFi at home or a mobile phone. Too bad 5G signals have similar capabilities, but at least the signals don’t propagate as well.

> When they are compelled to do it, they will not even know it is happening.

That ... might or might not be an issue, but it's not _this_ issue, ie the one we were originally talking about here.

A targeted order to wiretap (or otherwise spy on) a specific person or entity is entirely different from widespread data collection, retention, and sale for whatever corporate purpose. With widespread collection the data is then sitting there in a data lake waiting to be subpoenaed by law enforcement at their leisure for any arbitrary reason they happen to think up potentially years in the future.

> they are going to be legally compelled to do them, so the network structure’s form follows that function

You can't be compelled to hand over that which you do not have. Neither can you be compelled to modify your product in a particular manner absent market wide legislation; see FBI v Apple if you doubt that.

> A targeted order to wiretap (or otherwise spy on) a specific person or entity is entirely different from widespread data collection, retention, and sale for whatever corporate purpose. With widespread collection the data is then sitting there in a data lake waiting to be subpoenaed by law enforcement at their leisure for any arbitrary reason they happen to think up potentially years in the future.

I do see what you mean, but they are differences of degree, not kind. It could be considered a best practice to minimize PII etc, but even other groups don’t do any better. Signal still uses phone numbers.

> > they are going to be legally compelled to do them, so the network structure’s form follows that function

> You can't be compelled to hand over that which you do not have. Neither can you be compelled to modify your product in a particular manner absent market wide legislation; see FBI v Apple if you doubt that.

I agree. However, Apple is also confident enough in their legal team, reasoning, funding, and likely legal outcomes that they will flout NSLs in America, and yet they will cave to UK in that they disabled Apple’s Advanced Data Protection (in UK) which means that iCloud files aren’t really E2EE if the government can just say that you can’t do that anymore. Not your keys, not your files and the security and privacy of said effects thereof.