Some types of data is logged by your ISP, and I'm certain by the NSA as well:
- All DNS lookup requests.
- All IP address records, and associated MAC addresses.
- All header information on emails. Most of the time the actual body & attachments are only cached on a short term basis.
- Almost all of your traffic is also logged, for example pretty much all TCP header info.
- Use of things like Sandvine allow us to do DPI to perform additional logging of extra data when certain conditions are met. (For example, any traffic to/from a known child porn site will be fully logged & flagged)
- All of the above are also tied to your cable/dsl modem's MAC & account info.
The lesson to learn from this is that the tinfoil hat types [the truly paranoid people] are really only wrong in that they think we are watching them specifically.
We're not. We don't really watch anybody directly unless we get law enforcement interest, someone reports abuse, or you're doing something that's messing up our traffic or network. Those people who are singled out for observation for whatever reason, do indeed have ALL their traffic fully logged.
As for the legality, the suits sum it up for us techies as "The simple version is that it's our network, and we can log whatever we want to."
As for the NSA, they might not be able to do this within the US itself, but all traffic which leaves or enters the country is fair game for full monitoring 24/7.
No, we don't provide info directly to law enforcement. If they want it, they have to come get it with the proper paperwork. But there are some things we will report to them if it gets found during routine troubleshooting or if someone complains and we investigate.