You can calm down about internet service providers selling your browser history

by on March 28, 2017 at 10:33 pm in Current Affairs, Law, Uncategorized, Web/Tech

In light of these laws and institutions safeguarding user privacy, members of the House of Representatives need not fear that voting for the joint resolution to rescind the FCC’s privacy rule will mark the end of individual privacy on the Internet.

Here is the full piece by Ryan Radia, via Brent Skorup.  He also recommends this longer Georgia Tech paper of broader interest (pdf).

1 Ray Lopez March 28, 2017 at 10:52 pm

They can have my browser information, anyway most of the time I browse anonymously.

2 Dzhaughn March 28, 2017 at 11:51 pm

In fact, your ISP can see what you are doing with “anonymous browsing,” assuming you mean a “private window” or “incognito window.”

3 Troll me March 29, 2017 at 12:47 am

VPN or TOR?

Apparently last time around, the vote was quite close, that the mere fact of demonstrating an interest to browse or communicate privately, such as VPN or TOR, would itself and for no other reason, legitimize all available investigative tools for the FBI.

Which is basically a complete end run around the courts. Anyone who tries to have a private communication, well, then the courts don’t even need to get involved and it’s already pre-not-illegal.

So your journalist friend? Police could wiretap his heartbeat and toilet habits without a warrant, on the basis of private conversations with contacts. Well, 2 votes shy folks. Things are looking real good!

4 JWatts March 29, 2017 at 8:42 am

Agreed, you’d need to use an encrypted and anonymous service (such as TOR) to truly be anonymous. Also, you should only walk or use public transport and wear full body covering nondescript clothing, with a face mask and a large hat. Preferably with a metal underlay. Just to be on the safe side of course.

5 MOFO March 29, 2017 at 9:22 am

You don't need to use your ISP’s DNS system. You could further use encrypted DNS, if you so choose. I think that's a bit of a pain in the ass for consumers, but if you care about your privacy, you should care about what DNS you use, irrespective of the law.

6 Daniel Weber March 30, 2017 at 12:07 pm

It takes about 20 seconds with standard Unix tools to make your DNS requests go through an SSH tunnel and then set up your browser to use that SOCKS proxy.

The ISP selling my browsing information isn’t so much a concern as how someone intends to monetize that. I get how Google and Facebook would use that to advertise directly to me. What is the ISP, or the ISP’s customer, going to do?

7 Troll me March 29, 2017 at 2:00 pm

I wish that were just funny and not also too real.

8 Urso March 30, 2017 at 12:37 pm

The difference is that when people are on the sidewalk they know they’re in public and act accordingly. Being on your computer at home “feels” private even though it really isn’t. The real solution here is cultural — people need to understand that what they look at on the Internet (and when) is visible.

9 Tony P April 16, 2017 at 11:28 pm

Encrypted service like VPN is all we need to stay safe from these businessmen/politicians who are now planning to sell and expose everyone’s browsing history. Get Astrill, it will keep your privacy private!

10 Ray Lopez March 29, 2017 at 10:25 am

@Dzhaughn- you mean in theory or in practice? I once got into a debate at some Usenet forum on this topic, and I recall the consensus seemed to be something like this: if you use HTTPS on a site (or rather the site requires it), then it is theoretically possible that your ISP is the “man-in-the-middle” and can read the encrypted HTTPS data stream (they simply are stepping into your shoes, and pretending they are you, and get all the encrypted data, decrypt it, read it, and encrypt it again and pass it onto you), but in practice with so much traffic and so little time they are probably not bothering to (then again, the same has been said about unencrypted email: ‘there’s too much of it to read’, though with data mining I’m sure somebody can write a Perl script to catch ‘juicy’ stuff like sex, credit card numbers and the like). However, a minority school of thought said it’s easy for an ISP to read even HTTPS streams without much effort. I never did get a resolution on this issue. I agree HTTP (plaintext) is easy to read by your ISP, if they care to.

Bonus trivia: I use ExpressVPN, when I really want to be anonymous, which does not keep log files (so they say) of their customers browsing, and I trust them (you have to trust somebody). If they do keep log files then they’d lose my business. But I suppose it’s possible they are lying and are a CIA sponsored VPN service, reading and tracking every customer.

11 Milliez March 29, 2017 at 11:32 am

How can the ISP re-encrypt the data to pass it to you without the original site’s private key? That should at least generate a warning saying ‘your connection may be unsecured’.

Anyhoo, even with VPN/TOR etc, it’s still likely that you’re trackable via browser fingerprinting. See https://panopticlick.eff.org to test.

12 Troll me March 29, 2017 at 2:05 pm

I do not hear from them that they (EFF) are saturated in funds relative to their ability to deliver things which are beneficial to most, if not nearly all, people. Especially Americans, of course.

13 Daniel Weber March 30, 2017 at 12:09 pm

What Milliez said. I’m not saying the TLS is perfect or has never had problems. Especially with the key distribution scheme, hoo boy, that’s a mess.

But this is the exact situation that TLS is there to defend against. Your ISP cannot transparently monitor the contents of your HTTPS without something else having gone seriously wrong.

14 Right Wing House Music March 30, 2017 at 6:34 pm

The ISP doesn't need to re-encrypt anything. They only need to re-send the encrypted data that they intercepted. Meanwhile, they would use the information they intercepted from *you* to decrypt the information they intercepted from *the server you thought you were connecting to*.

There’s really no cryptological defense against a man-in-the-middle attack.

15 Troll me March 31, 2017 at 12:23 am

Right Wing House Music

There are other approaches where you use additional keys shared in some way that involves a different channel of communication.

If you check the setting on some fairly widely known alternatives for email servers, chat communications, etc., then it’s set up to very easily use such features. There are quite a lot of ways to overcome those as well, including numerous legal avenues for legitimate cases, but this is sufficient to enable some private communications on the part of journalists, for example.

16 Jon March 31, 2017 at 12:56 am

The man in the middle cannot decrypt any of the data without the session key. This session key can either be simultaneously generated from both the client and the server or generated by one and sent to the other, but encrypted so that only the other party’s private key could decrypt it. The man in the middle would have to somehow impersonate the two sides with each other—i.e. tell the server “I am the client” and tell the client “I am the server” so it would then decrypt traffic from the server and then re-encrypt it to match the client’s key and vice versa for traffic in the other direction.

However, to succeed in doing that it would have to defeat the mechanisms used on the internet to authenticate sites. It could do so if it controlled the “certificate authorities” which grant the sites electronic certificates that verify their legitimacy (or rather verify that the encryption is being set up to be read by the correct party).

17 Daniel Weber March 31, 2017 at 1:51 pm

The PKI system — which has problems, but this isn’t one of them — creates pre-shared secrets so that MITM cannot read things.

And certificate pinning has fixed most of the PKI system’s flaws. Without some kind of malware on your computer, your ISP has no chance of intercepting messages to Gmail from Chrome, even if that ISP is a nation-state that has compromised the PKI system.
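The exchange that Jon and Daniel Weber describe, as an added toy model that is not part of the thread: a passive observer of a Diffie-Hellman style key agreement learns only the public values, an active attacker that substitutes its own value can hold one key with each side, and a signature over the exchanged values under the server's certificate key (which the client checks against a pinned public key) makes that substitution detectable. The group, the RSA primes and the transcript format are constructed for illustration and are far too small for real use.

```python
"""Toy model of a TLS-style key agreement under a passive observer, an
unauthenticated active man-in-the-middle, and an authenticated exchange."""
import hashlib
import secrets

# Toy Diffie-Hellman group, constructed for illustration only (real TLS uses
# standard groups such as x25519 or ffdhe2048).
P = 2**127 - 1
G = 5

def dh_keypair():
    priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)

def session_key(priv, peer_pub):
    # Both sides derive the same key from g^(ab); an observer holding only
    # g^a and g^b has no private exponent and cannot.
    return hashlib.sha256(pow(peer_pub, priv, P).to_bytes(16, "big")).digest()

# Toy RSA key standing in for the server's certificate key (constructed; the
# client "pins" RSA_N / RSA_E as the only key it trusts for this server).
RSA_P, RSA_Q, RSA_E = 2**61 - 1, 2**89 - 1, 65537
RSA_N = RSA_P * RSA_Q
RSA_D = pow(RSA_E, -1, (RSA_P - 1) * (RSA_Q - 1))

def _digest(transcript):
    return int.from_bytes(hashlib.sha256(transcript).digest(), "big") % RSA_N

def sign(transcript):
    return pow(_digest(transcript), RSA_D, RSA_N)

def verify(transcript, sig):
    return pow(sig, RSA_E, RSA_N) == _digest(transcript)

def transcript(client_pub, server_pub):
    # The server signs both public values, binding its ephemeral key to the one
    # the client actually sent.
    return client_pub.to_bytes(16, "big") + server_pub.to_bytes(16, "big")

def handshake(active_mitm=False, check_signature=True):
    """Return the session key each party ends up holding (None where it has none)."""
    c_priv, c_pub = dh_keypair()
    s_priv, s_pub = dh_keypair()
    if not active_mitm:
        # A passive observer records c_pub, s_pub and the signature, nothing more.
        sig = sign(transcript(c_pub, s_pub))
        assert verify(transcript(c_pub, s_pub), sig)
        return {"client": session_key(c_priv, s_pub), "server": session_key(s_priv, c_pub),
                "mitm_client_side": None, "mitm_server_side": None}
    # Active attacker presents its own public value to both sides ("I am the
    # client" to the server, "I am the server" to the client).
    a_priv, a_pub = dh_keypair()
    server_key = session_key(s_priv, a_pub)          # server pairs with the attacker
    sig = sign(transcript(a_pub, s_pub))             # server signs what it actually saw
    # The client receives a_pub as the "server" value plus the forwarded signature,
    # which covers a different transcript and fails against the pinned key.
    if check_signature and not verify(transcript(c_pub, a_pub), sig):
        return {"client": None, "server": server_key,  # client aborts the connection
                "mitm_client_side": None, "mitm_server_side": session_key(a_priv, s_pub)}
    return {"client": session_key(c_priv, a_pub), "server": server_key,
            "mitm_client_side": session_key(a_priv, c_pub),
            "mitm_server_side": session_key(a_priv, s_pub)}
```

With `check_signature=False` the result matches the unauthenticated case Right Wing House Music has in mind; with the check in place the client never completes the connection.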

18 mulp March 29, 2017 at 5:13 pm

“They can have my browser information, anyway most of the time I browse anonymously.”

Ie, I’m perfectly fine with Congress serving the interests of US governments and the corporations instead of individuals because the representatives of We the People should simply concede that governments and global corporations will win globally, so it would be bad for Congress to try to be like Europeans and the EC who think they can put individual rights above corporate and government interests??

In other words, you are complacent and think Europeans are stupid to not be complacent?

19 Anonymous? March 28, 2017 at 11:51 pm

One hopes this is a citation that does not imply agreement. The reasons in the CEI piece are easily dismissed.

1. “Federal and state wiretapping laws” “In other words, if an ISP intercepts the contents of a subscriber’s Web traffic, or gives such data to an advertiser, that provider had better be sure it has the subscriber’s consent.”

All ISPs of course require subscriber consent to their privacy policies as a condition of service. The language of these policies, as described in #3, always permits the sale of the classification of individual subscribers into categories called segments, when it doesn’t allow more explicit sharing. A sufficient collection of these segments allows for easy de-anonymization.

2. “State attorneys general” “In many states, if an ISP has represented to consumers that it protects their privacy and safeguards their data, that ISP must act in accordance with such representations—or else it may see one or more state AGs in court”

No such lawsuits are ever brought. Many bigger fish to fry.

3. “Litigation (or arbitration) against providers that violate their privacy policies.” “For instance, Comcast’s Xfinity privacy notice says that while the company may collect and store personally identifiable information when users visit websites, transfer files, etc., the notice limits the purposes for which Comcast may use this information—and sets forth when it may divulge such data to third parties.”

A careful read of these policies makes clear that such limitations and restrictions are rhetorical and exist solely in the minds of the writers at CEI. See below.

“Verizon’s privacy policy restricts the company’s ability to share any information that individually identifies its customers to third parties outside the Verizon family of companies. Although this policy reserves the right to share certain information with third-party firms for advertising purposes, Verizon may do so only on an aggregate basis that does not individually identify any customers.”

This rule is interpreted as follows:

* accounts are assigned “advertising IDs”
* in the US, an “advertising ID” does “not individually identify” a consumer because on its own it doesn’t include a piece of data like a name or address
* aggregate means that individual advertising IDs are grouped into “segments” classifying web activity into behavioral groups
* there are no limits on how many groups an advertising ID can be assigned to
* the groups of IDs called segments are for sale
* there are no limits to how many segments an individual buyer can purchase and few limits on the uses to which a buyer can put those segments

As such, many distinct aggregates can be easily deaggregated.

“Other providers, such as AT&T and Charter, also have privacy policies that do not permit the selling of personal Internet usage data to third parties without a subscriber’s consent.”

Consent is provided through the consumption of services. This is explicit in ISP contracts.

“Although an ISP may amend its privacy policy, it must notify its customers when it does so and give them a chance to opt out of any material change—either by continuing service under the original terms, or by discontinuing service entirely”

IOW, if you want privacy on the internet- don’t use the internet.

Most areas of the country do not have household-level ISP competition. When multiple ISPs are present in a municipality, neighborhoods, blocks, and buildings are nevertheless often partitioned.

“A provider may also face liability under the common law, which has developed four torts protecting individual privacy, one of which affords injured persons a cause of action against the public disclosure of embarrassing private facts”

Good lord. Please see the practice of “doxing”. Or the history of legal failure well documented in the “ex-girlfriend photos” literature.

4. “The FCC itself.” “But so long as ISPs remain under Title II regulation, the FCC will have authority over their privacy practices, with or without the privacy rule in place.”

This point is self-refuted in the same paragraph with:

“To be clear, CEI opposed the FCC’s 2010 and 2015 rules, and we believe that Internet providers should not be regulated as common carriers.”

The FCC board is now positioned to agree.

5. “Technologies that circumvent surveillance.”

Refuted by reference to the EFF’s piece on metadata:

https://www.eff.org/deeplinks/2013/06/why-metadata-matters

6. “The marketplace.” “As of December 2013, over half of the U.S. population had access to at least three broadband providers offering 3 Mbps downstream—and as of December 2014, two in five U.S. households had access to at least two providers offering 25 Mbps downstream.”

Again, these numbers are calculated at the level of municipality, and do not consider the more granular partitioning performed by individual ISPs.

“Given recent advances in mobile broadband, along with continually improving “standard tier” speeds offered by cable and DSL providers, these figures almost certainly underestimate the level of competition in the broadband marketplace.”

Mobile data limits mean that in most cases, mobile ISPs are not in competition to wired ISPs.

“Even if most consumers don’t read the fine print, all it takes is one person to notice a problematic change—and tip off a vigilant journalist or tech blogger—to spark a media firestorm.”

Prominent tech bloggers are themselves the best evidence that such “firestorms” have little to no sustained impact. Why otherwise would Verizon consistently win “worst ISP” awards?

20 Charles Guo March 29, 2017 at 2:41 am

The Georgia Tech paper doesn’t seem to be much better, either. From the third page:

– By 2014, 46 percent of mobile data traffic was offloaded to WiFi networks, and that figure will grow to 60 percent by 2020. Any one ISP today is therefore the conduit for only a fraction of a typical user’s online activity.

This is a non sequitur; without knowing the proportion of traffic that flows through a typical user’s home WiFi network, it is impossible to tell whether the amount of data that an ISP has access to has increased or decreased.

– Encryption such as HTTPS blocks ISPs from having the ability to see users’ content and detailed URLs. There clearly can be no “comprehensive” ISP visibility into user activity when ISPs are blocked from a growing majority of user activity.

The encryption provided by HTTPS does not prevent your ISP from seeing the domain name of every single website you visit, the times at which you visit them, and the frequency with which you visit them. It does not prevent your ISP from seeing data transmitted over non-HTTPS channels, such as literally all email, which your ISP is in a unique position to intercept and read.

– When a user accesses the Internet through an encrypted tunnel to one of these gateways, ISPs cannot even see the domain name that a user is visiting, much less the content of the packets they are sending and receiving.

This is technically true, but irrelevant to the point of misleading:

1) Nobody uses encrypted DNS.
2) Even if they did, the IP addresses that you visit are still transmitted in the clear. It is trivial for an ISP to perform a reverse DNS lookup to figure out what sites you’re viewing.

Tyler, I really hope you’re doing your research on this one, and listening to infosec experts.

21 Cory Doctorow March 29, 2017 at 8:55 am

Came here to say this – thank you very much. The Institute’s intellectual cover for mass commercial surveillance is thin even by the low standard of this kind of thing.

22 MOFO March 29, 2017 at 9:27 am

Something is not quite adding up here. According to Ars Technica, this vote replaces a rule that hasn't even taken effect yet:

https://arstechnica.com/information-technology/2017/03/how-isps-can-sell-your-web-history-and-how-to-stop-them/

“So what has changed for Internet users? In one sense, nothing changed this week, because the requirement to obtain customer consent before sharing or selling data is not scheduled to take effect until at least December 4, 2017. ISPs didn’t have to follow the rules yesterday or the day before, and they won’t ever have to follow them if the rules are eliminated.”

I'm not saying this vote is a good thing, but it sounds to me like all the things we fear are already possible.

23 Charles Guo March 29, 2017 at 10:34 am
24 MOFO March 29, 2017 at 10:53 am

The rules that are being changed went into effect January 4th? Is that correct?

25 Troll me March 29, 2017 at 2:12 pm

What is technologically feasible will be done (with non-zero probability or frequency) unless something is stopping it from being done.

A more open source approach to thinking about these issues could very possibly result in better (e.g., more secure) outcomes at a lower cost.

26 mulp March 29, 2017 at 5:20 pm

The rules of the Obama-appointed administrators are not complacent.

Congress is mandating complacency by representatives of We the People, at the urging of the corporations and police services. Let the corporation be free to make money off individuals with nothing in return.

27 Troll me March 29, 2017 at 12:40 am

Don’t need FCC rules because the FCC can decide if and when they need to be applied?

If no one was planning on abusing the rules, they would not have been removed. This is not a case of canning the rule that bans tying a horse outside the bar on Sundays within an urban area.

28 Oliver March 29, 2017 at 1:20 am

Where do you think CEI gets its $? Like the Chamber of Commerce, it raises money from utilities, corporations etc. Hardly a neutral source.

29 john March 29, 2017 at 5:52 am

Of course none need worry that striking down the FCC rule will end internet privacy. It doesn’t exist with the rule.

30 MOFO March 29, 2017 at 9:28 am

Apparently the rule that is being struck down isn't even in effect yet. See my link above.

31 rayward March 29, 2017 at 6:54 am

Google and Facebook have become two of the largest companies because they offer great service not because they collect and sell data regarding their users. Of course, that’s preposterous: users don’t pay for the service, they pay a higher price for the goods they purchase that are advertised on Google and Facebook. Together, they capture roughly 65% of revenues from digital advertising, and between 75% and 80% of the marginal dollar spent on digital advertising. The ability to target digital advertising to the unique profile of the user is what makes digital advertising so appealing. Both Google and Facebook and their digital advertising rivals have every incentive to increase the collection and sale of data regarding their users.

32 anonymous March 29, 2017 at 8:11 am

Time to implement better chaffing.

33 prior_test2 March 29, 2017 at 8:27 am

It appears that Prof. Tabarrok need not fear his ISP selling his image data – it is available for free on the Internet, for example, for anyone interested in conducting market research on brand loyalty.

34 albatross March 29, 2017 at 9:34 am

You’re better off using technical defenses (VPNs) than trusting that some law is going to convince your ISP not to track you and sell the information to advertisers. In the modern US, when big companies with lots of lobbyists get caught violating a law like that, the fine is usually much less than the profits made from violating the law.

35 MOFO March 29, 2017 at 9:49 am

Yeah, I think this is about right. Your ISP can track you now, not to mention ‘law enforcement’ and espionage agencies; this law changes nothing much. We need technical solutions, not legal ones.

36 Charles Guo March 29, 2017 at 10:39 am

A VPN isn’t a technical defense against an ISP selling traffic data. It merely shifts the ability to sell traffic data to your VPN provider’s ISP (and there is good reason to be wary of private VPN providers here); since you are usually tied to a VPN via credit card, such data is readily de-anonymised.

37 MOFO March 29, 2017 at 10:56 am

True, but in a not insignificant number of cases, consumers cannot change their ISP. You could change your VPN provider, however, if they sell your data. Your VPN’s ISP could sell its data, but it would be aggregate data that they couldn't de-anonymize.

38 ¯\_(ツ)_/¯ March 29, 2017 at 10:36 am

I think this article was rather harmed by “besides, you can use a VPN.” It was supposed to be saying that everything is ok, and not that we live in a dystopia requiring countermeasures by citizens.

39 Cmon March 29, 2017 at 11:24 am

Ty, you got butthurt about being duped by the NYT piece and you are posting this?

Big day for adjusted priors here at MR.

40 charlie March 29, 2017 at 1:12 pm

I’d say this may be peak Google/Facebook.

I’d much rather sell advertising via ATT/Comcast/Verizon/Charter/Cox/Time Warner than via Google/Facebook.

41 Victor Sletten March 29, 2017 at 7:22 pm

Has anyone bothered to point out that these sacred privacy protections have existed for less than 6 months? And somehow now privacy as we know it is dead?

42 Bob W March 31, 2017 at 3:44 pm

Check out the Electronic Frontier Foundation’s blog on the top 5 things they’ve thought of that the ISPs can do.

https://www.eff.org/deeplinks/2017/03/five-creepy-things-your-isp-could-do-if-congress-repeals-fccs-privacy-protections

Bob W
