From the comments: on the change in your internet privacy

I am still seeing many misleading headlines and takes on the recent Congressional vote to “sell your internet privacy.”  Do read this thread to the bottom (link here):

MOFO March 29, 2017 at 9:27 am [edit]

Something is not quite adding up here. According to Ars Technica, this vote replaces a rule that hasnt even taken affect yet. :

“So what has changed for Internet users? In one sense, nothing changed this week, because the requirement to obtain customer consent before sharing or selling data is not scheduled to take effect until at least December 4, 2017. ISPs didn’t have to follow the rules yesterday or the day before, and they won’t ever have to follow them if the rules are eliminated.”

Im not saying this vote is a good thing, but it sounds to me like all the things we fear are already possible.


11 Charles Guo March 29, 2017 at 10:34 am [edit]

12 MOFO March 29, 2017 at 10:53 am [edit]

The rules that are being changed went into effect january 4th? is that correct?

TC again: If you believe these claims to be wrong, by all means tell us and I will investigate the matter further.  But so far I think I am witnessing another case of “Trump exaggerated click-bait headlines” on this one.  It is fine if you think this change is a bad idea, but it is hard for me to see it as the internet privacy skies falling, especially if you already are using Google and Facebook.  It’s not exactly the case that our privacy birthright has been stolen from us…

Here is further useful perspective from The Washington Post.


The other aspect of this that is an exaggeration, is the whole "privacy" part. None of this was private. If the rules are in effect or went into effect, the website a user clicked on after a search has all this information. That site could have and probably would have used that to target marketing. A toothless rule was repealed - who cares.

But using a specific website (or google for that matter) is an individuals choice. As websites like facebook and google started to share/use personal info, people did indeed decide to take their browsing history elsewhere (at least for particular searches). Verizon and comcast are government regulated monopolies. I don't have an option to take my business elsewhere.

have you ever searched for something (any search engine) and clicked on an Amazon link? How much other info can Amazon link with that search info? Do you know how much Amazon knows about you? They know I am going to Peru for my summer vacation, and they know quite a bit about what I will need? They know how fast I go through razors and have an uncanny ability of predicting when I need them. That is just Amazon, Google knows more - don't forget their algorithm reads all your mail. They probably know me better than my wife.

Right. I get all that. But I still have the option to go to a different store/website when I want to buy more "sensitive" items, or use tor when the wifes away for the weekend (if you get my drift).

Perhaps blackmailing someone over their search history is a bit of a stretch, but why take the chance. Then again, after 10s of millions of stored data items are already being stolen by criminals (see target) I don't even see it as that much of a stretch.

So instead of Verizon, use TMobile, ATT, Sprint, Cricket, MetroPCS, etc. Verizon isn't a monopoly.

Comments for this post are closed

Comments for this post are closed

Comments for this post are closed

Comments for this post are closed

There's a difference between a company having your contact information and the government being able to review all your phone records with no due process.

Similarly, there's a difference between a company knowing that you visited its own website and the government being able to review all of your online activity with no due process.

Molehills out of mountains, as it were.

Comments for this post are closed

Comments for this post are closed

Cui Bono, please tell me how repealing this benefits the average internet user.

Sure there is probably overreaction, but if it was such a toothless bill why even bother to repeal it.

Perhaps because every new rule means additional job for the compliance department of any business.

not really. If you read the linked washington post article, these companies already have their own voluntary set of privacy principles that they could be sued for if they break. If they already created their own regulations to comply with, how does explicitly making them a law give them any more work to do?

Complying and proving you are complying are two way different things. Often this additional regulation may be at odds with the several other regulations and could make the situation worse.

Comments for this post are closed

Comments for this post are closed

Comments for this post are closed

or one could ask, how would the average user benefit from having this rule? and given that every rule has a cost (in this case forgone revenue), a follow up would then be why have this rule.

One less company watching my kid's mouse clicks seems like a user benefit. Especially given that no one, not even Google, has the ability now to watch the kid's every move. Only the carriers can see everything.

Comments for this post are closed

What cost is there in not tracking your Internet traffic and simply moving your data as they agreed to when you pay them more than their cost every billing cycle?

You seem to be in the free lunch domain where costly regulations are costly because they require paying no workers, while deregulation cuts costs by more workers being paid more.

To cut costs of the ISP, they install lots more computers and hardware to collect the data because the way to cut costs is to pay for more hardware and software per customer. Free lunch economics, cheaper stuff pays more to more workers for the same quantity of stuff.

Comments for this post are closed

Your kid will benefit from toy companies and game companies knowing more about your kid's interests to target ads at him, so he bugs you to buy their products for him. Food companies will target him with ads and promotions to get them to want sweet foods like cereal and candy to shape their arguments on how sugar is critical to healthy kids.

Comments for this post are closed

Comments for this post are closed

Since when was it the job of government to represent consumers or citizens?

Comments for this post are closed

Comments for this post are closed

I think it's a problem when you lack any real choice in ISPs. Where I live - I only have Comcast available for high-speed internet (no Verizon, no RCN, no other options). While most people use Google and Facebook, they at least have a modicum of choice and ability to opt out, where many people do not even have that option with their ISP.

If there is a secret high-speed internet ISP option I've overlooked, I'd be very interested.

Time Warner upped my speed and bill recently. I called and said that I didn't need 50 Mbps, and they said "sorry, we don't offer anything slower." That is a great pricing power to have.

Comments for this post are closed

Is wireless an option where you live?

I used to think this was a facetious question, but occasionally when I switch to the cellphone network I can still do everything I need, even Citrix and Netflix, over it.

Comments for this post are closed

Comments for this post are closed

Who "owns" my browser history? Does my ISP? Do I? Who "owns" my Google searches? Does Google? Does my ISP? Do I? Is this actually a dispute between the ISP and Google (or Facebook, etc.) over who "owns" the browser history or Google searches (etc.)? What's the Straussian reading of this?

I remind readers that Google and Facebook capture almost 65% of digital advertising revenues (and nearly 80% of the marginal dollar spent on digital advertising). Maybe the ISPs believe they deserve part of the spoils since Google and Facebook couldn't collect all those revenues absent the ISPs. Advertisers pay Google and Facebook because Google and Facebook know where you've been and what you want.

Interesting take. NPR had a segment yesterday where one person was trying to say that the ISPs were trying to be regulated like the Googles and Facebooks. The former are under the FCC, the latter under the FTC.

I get why the ISPs want that. But just because two different industries are each chasing the same pie doesn't mean they should be regulated the same. (Compare car services versus taxis, which compete over the same customers a lot, but using different business models.)

Comments for this post are closed

Comments for this post are closed

Your enter into a contract with Google. They provide services in exchange for your usage data.

You entered into a contract with your ISP. You pay them money, more than cost in the US, to get your data transferred over the Internet.

But now the ISPs are lobbying Congress to let them unilaterally change the contract. You pay for service with money that is already too much because of their monopoly, plus they get to sell your usage data.

This is the same battle as over selling your prescription history, with some wanting to selling your medical records, all your financial records, etc.

Note that the people who want the rule providing some privacy protection, like Trump, are totally opposed to anyone tracking them, their finances, their medical records, etc.

Given Trump wants the privacy rule rescinded, why is he complaining about the FBI, NSA, CIA, or whoever else he imagines tracked him, tracking him? Why does he object to reporters seeking "usage data" for Trump to make a profit?

Why do the wealthy backers of the lobbying seek to keep anyone from tracking their financial support?

Clearly this is a case of the rich and powerful wanting two sets of rules, privacy for the rich elite and none for the masses and poor.

Why is "privacy" so erased from the conversation?

Well, Congress has erased privacy forever from the rules of the FCC. The FCC can never issue a rule protecting privacy of Internet use again because of the way the regulation rescission act operates.

The entire focus of the regulation process was protecting privacy, so Congress now prohibits the FCC from ever considering user privacy ever again in rule making.

Only Congress can prevent George Soros buying copies of all the Internet data going to Trump, Ryan, McConnell, et al and their families. Maybe he will need to buy seats on the board of the ISPs to change the policies on capturing and then sale of copies of data to his political action groups. But he's rich and powerful and a radical leftist so he will now legally begin unrestricted wire tapping of patriotic conservatives.

Please spread this fake news: next year, Soros will be wiretapping all patriotic conservatives.

This was a devious plot by Obama who got a rule made that he knew conservatives would reverse so that only Congress can reinstate it, but that Democrats will block by filibuster. Liberals get to look like they are protecting your privacy, when in reality they are going to make trillions in profit invading your privacy. Just like the total government takeover of the entire health care industry was to make trillions in profits from selling insurance, with liberals spreading fake news about insurers losing billions selling insurance. Or the EPA regulations to generate trillions in profits from green energy, but spreading fake news about green energy companies going bankrupt and even more evil, fake news about ExxonMobil making $50 billion in profit when instead they were going bankrupt.

Comments for this post are closed

Comments for this post are closed

Comments for this post are closed

not a straussian reading but consider, if entities and people did in real life (assume the cost were not present) what is done in the setting of the internet what would people think? Stalkers? Harassment? A violation of our right to peacefully pursue our lives even when wondering around in a public area?

I think if anyone has any questions here some day when you don't have anything else to do go to the local mall. Pick a person and just start following them, noting down all the stores they stop in. All the items they look at. You can also include things like how long they looked at them. Now, what about start to video their activities -- that's a bit more complete a documentation of their habits in the public space. Right?

Comments for this post are closed

Comments for this post are closed

Tyler knows my gmail address. Actually, he knows and keeps private my semi-public/social gmail address. And that's really what I'm commenting on. I can control, relatively easily, the aspects of myself that Google and Facebook see. I control which they can connect to a true id (cell phone number). A cable company is different in kind because it is a full flow of household information (everyone and every device you've ever let on your WIFI), and beyond my control to easily filter. Sure, there are VPNs for privacy nerds, but I'm not that much of a privacy nerd (and good luck getting the kids on that). I use that social email for most things, and a private email for banking, taxes, and serious stuff. Does Google know that those are the same person? Probably not in any functional way. They just advertise to my public self, and probably never do the IP matching to see that the two IDs I use connect to the same flesh and blood person. Why should they? They are interested in eyeballs, not people.

(I certainly hope no one is giving Tyler, or Facebook, the same email address that they use for taxes. Time Warner of course, sees all.)

"Time Warner of course, sees all"

I really hope you are not doing taxes in plain text. Actually, you are not. All these sensitive, and almost all other sites use https. Time Warner can only see the top level site you are visiting, and none of the data shared.

You are correct. I avoided the https weeds. The more sites that use it, the less the carriers (and other interceptors) see. And if my "serious" email is only used with seriously implemented https connections, the carrier won't see it.

Comments for this post are closed

Comments for this post are closed

That is simply false. I cancelled my facebook account over 4 years ago. I asked they delete everything. (they don't). FB still tracks my, and your, movements within the internet because they have a host of hooks in so many sites.

I never had a Facebook account. I chose to give them (directly) zero. Do they have a ghost image of me? Probably not more than an entry in some users' contacts.

There are companies that attempt to stitch together images of us from "all" sites we visit, but many of those sites are actually at war. Amazon and Best Buy aren't going to share. Facebook and Twitter won't share.

Apple (especially) and Google (less so) have set sharing limits.

So, in addition to privacy agreements and privacy law, we are shielded by a lack of cooperation.

Well, by comparing your Internet history with those with Facebook data, they can infer data about you. Eg, you send mail to relatives on Facebook and by correlating their Facebook data they can infer a close relationship and then infer you share the same demographics. Ie, if they are inferred to be Irish than you are more likely to be Irish than Japanese in interest and culture.

Comments for this post are closed

Comments for this post are closed

Comments for this post are closed

Comments for this post are closed

Is it possible for people to buy lists of people who I've called and talked to on the phone? If not, why not? If so, why so? Is the principle with internet searches and browsing history fundamentally different?

According to NPR, you cannot buy any individual's web history anyway, with or without these rules.

I'm not taking that 100% to the bank because sometimes they mean things are "anonymized" which often is trivial to undo.

There's also a distinction between cannot now, and cannot ever.

The linked WP article suggested that while you can't now, there's a possibility that it could be done in the future

Comments for this post are closed

Comments for this post are closed

Yes it's possible. The NSA and FBI actually do buy this data from ISPs.

Congress debated how freely these agencies could buy it. They can not simply take it because that would violate the takings clause. Congress has mandated making it possible to buy the data for a reasonable price.

However, government has paved the way for lots of private sector profit making. The Internet is making profit thanks to government creating the Internet. Without the government reversing government policy to not pick the winner, we would still be fighting it out between AOL, MSN, MCI services, IBM SNA, etc, and a group of big corporations trying to force the world government ISO OSI networking standards on corporations and customers.

To comply with Congress order to sell to NSA, et al, ISPs have done so by feeding the raw traffic requiring government convert the raw traffic into useful data. But government contracts with private corporations to develop hardware and software on nonexclusive terms to collect the data. Now that dozens of companies have spying products developed for and sold to government, they now have lots of motivation to sell to ISPs to increase revenues and profits.

The Internet was picked as winner by contractors, to the government developing the Internet, lobbying Congress to reverse the "no commercial use" into "promote the Internet for commercial use".

Full speed ahead for these companies to market their products to ISPs. There is zero uncertainty about whether it's legal. Congress has made it legal until Congress reverses itself and Congress explicitly prohibits it.

Comments for this post are closed

Comments for this post are closed

"especially if you already are using Google and Facebook"

I don't need to move to another nation to switch from Google or Facebook, but if all ISPs can track and sell all Web traffic in the US, it will require moving to Canada or maybe the EU.

Suggestions are made for thwarting the monitoring, but they strike me as buying bullet proof clothing for your kids if gun policy makes your neighborhood rife with shootings and the public policy is to advocate everyone buy more guns.

I find it odd that one argument is the cost of monitoring is high so no one does it, so a regulation to prohibit what is not done will be extremely costly for industry to comply, because after all, without a law defining murder, no one would commit murder, but a law defining and punishing munder will be extremely costly to everyone as they must take costly actions to stop murdering.

That the rule is being rescinded by active effort by Congress, a Congress that has for years done little, indicates the ISP industry sees large profit potential from tracking it's paying customers and selling the data.

Comments for this post are closed

Aside from the points that are being made elsewhere in the comments -- it's worth highlighting that an ISP is uniquely privileged when it comes to emails. Much of email transmission is unencrypted, and even encrypted transmissions are often negotiated over STARTTLS, which a trivial man-in-the-middle (which your ISP is in a unique position to perform) can transparently downgrade to unencrypted transmissions. The upshot of this is that, if you use an email client, an ISP often has a variety of measures it can take to quietly gather the text of your emails, if it has the incentive to do so. (And that's the kicker, right? If it has the incentive to do so.)

The WaPo article linked is illuminating:

> That said, if the providers relax their privacy policies or if the FCC chooses not to take action, ISPs could conceivably share detailed information about a person's Web usage that could be used to discover his or her identity.

This is key. People who argue that this isn't such a huge deal rest their argument, implicitly, on the notion that ISPs will behave more or less the same as they currently do, after gaining the ability to sell this additional information on their customers. But then you have to ask yourself -- why the push to make this change, then, if it's not one that will alter their business? Reasoning on this basis is a fool's errand; it's clear that privacy policies _will_ be relaxed, and that the FCC will not choose to take action against ISPs for exercising this newfound capability.

(Also worth noting: effectively anonymizing a dataset is _much_ harder than de-anonymizing it. Everyone struggles with this. This should be, in your mind, a good argument for why we ought to err on the side of caution and restriction here.)

This is correct and reminds me of a conversation I had last night on this topic with a friend who formerly worked in big data for a to remain nameless government agency outside of central DC.

He said he recently had an interview with a western US cable company to build databases and analytical tools to do exactly this type of thing; aggregate user information at a very large scale and package it in a way that would drive future revenue streams (internally or externally). He has also worked for the equivalent of the Google's and Facebooks of the world and has seen their capabilities.

A few thoughts sprung from that conversation:
1. As you mentioned, it would still be legal under these rules to sell user information as long as it was sufficiently aggregated and anonymized, but using meta data to identify individuals is a trivial exercise these days for any sufficiently staffed company. Combining sold meta data with third party or internal data to individually track someone is quite simple and legal.
2. The scale of the available data for an ISP is 100% barring use of VPNs or encryption. Right now I can use Ad Blockers or Incognito Mode tricks to avoid being tracked, an ISP does this on the server end and cannot be avoided. Little privacy on the internet (the current state with FB/Google/Amazon/etc) is a much different threat than absolutely no privacy on the internet (what ISPs are capable of).
3. There is a difference of degree we are talking about here when considering the future risk vs. what is technically possible today. What he found in that interview is that company (and by inference most cable companies) is massively behind in figuring out how to monetize user data compared to the other internet companies being cited that already do similar things. So to point 1, cable companies are not currently sufficiently staffed, they will be very shortly.

So the suggestion from the parent articles that things will be status quo is not accurate at all. Cable companies are behind the curve, we have really no idea what the future of privacy is like from what is effectively a zero or minimal competition monopoly with 100% access to every bit of your data and the legal right to sell that data to third party sources who then can quite simply unmask the data to target individual users. That's quite a bit more worrying to me personally than having FB know I like cat videos.

Congress definitely changed the status quo. ISPs selling your traffic was in the gray zone. The FCC was making it in the black zone. Congress has made into the white zone, it is totally legal because no executive department can ever issue an Internet privacy rule, and Congress is unlikely to make it illegal. Look at the action Congress took when it came to government spying. Congress authorized spying on everyone without a warrant as long as non US citizens are connected to the Internet. The data collected on the Trump administration before they took office was done by authority of Congress to buy the data from ISPs, data Congress mandated ISPs collect so government can buy it.

Oddly, lots of people are shocked by this even though this was all debated openly in Congress and signed into law by both Bush and Obama after years of open due process in Congress which legalized the secret actions of the Bush administration, with additional restrictions and reporting in secret to Congress. As a computer industry veteran who had to understand all the data security issues end to end, I fully understood the implications of the policy choices made.

The three security basics are:

Knowing who someone is. This is to prevent identity theft.

Knowing data is exchanged end to end. This is to prevent man in the middle attacks.

Keeping the data from the eyes of those not authorized, which includes the fact the data exists.

HTTPS provides weak identity security - a website has a secure ID that comes from a trusted end party, but the user accessing the website is not securely identified. Most attacks on data exploit the weak user identity, aka that's how the DNC was hacked, along with thousands of corporate credit card databases.

HTTPS provides weak end to end security because users must look closely at the Web address following the HTTPS to ensure they are not securely sending their data to the man in the middle.

And HTTPS seldom encrypts all the data transferred. And when all the data is encrypted the encryption is weak based on the design tradeoff of cutting cost of encryption while assuming the one time key and short message will make breaking the weak encryption too costly.

And HTTPS has nothing to do with the data on disk being encrypted, so having access to lots of traffic data makes it easier to have a bot do the social engineering of getting someone to download a backdoor or give up passwords voluntarily by being carelessly oblivious. Now everything is revealed.

Comments for this post are closed

Comments for this post are closed

Comments for this post are closed

Comments for this post are closed

Versions of this are spawning some interesting litigation. Company A licenses its software to Company B to manage some aspect of its business. After a couple of years Company A approaches Company B with a business proposition. "We don't have your data, of course, but we've extracted patterns of usage that we believe can help you better predict the ebb and flow of your business and we'll sell it to you for $$$". Company B is both intrigued and alarmed. The camel they've let in the tent knows something potentially valuable, but there's a camel in the tent. Its lawyers scrutinize the language in the software lease and realize that Company A knew going in that it might learn something monetizable and crafted the language accordingly. It's not a new phenomenon, companies leasing equipment to E&P outfits will analyze lubricants, air filters, etc in an effort to anticipate demand. The difference is that the E&P Co. is free to do the same thing whereas Company B can't unless it runs everything parallel on a competing or custom made platform which of course defeats the purpose of leasing Company A's product in the first place.

And then there are the questions regarding whether a software provider has a duty to mine useage data for patterns. Let's say that there's a nosocomial outbreak in a hospital and after the inevitable litigation ensues it becomes apparent that the unfolding outbreak had been recognized as say an increasing usage of anti C. difficile meds first on the geriatric floor, then cardio, etc. At least one court has held that there may be a duty to mine.

Essentially there's a seeming Peeping Tom who wound up with a deeper insight about your business than you have and he wants to sell you the pics and yet he finds himself in the unexpected role of an insurance company's risk/loss inspector whose failure to notice a slight swelling in a boiler leads not only to a loss but also a direct action against the insurance company by the owner and everybody killed/injured in the ensuing blast.

So, let's say some company mines a troubled youth's Internet meanderings and in it is a clear pattern of suicidal ideations. When a company buys that pattern and thereafter dangles before her eyes otherwise innocuous links to the means of her end does it bear any responsibility? Maybe the answer to the unwanted harvesting of information is to impose a duty to mine on the harvester.

Comments for this post are closed

Isn't this a byproduct of reclassifying ISPs as a common carrier. I just assumed blocking this was the first step to rolling back the common carrier classification from 2015.

Were ISPs EVER NOT common carriers?

On The Media used the analogy that Congress has effectively declared your data is the property of the ISP to use just like giving your package to USPS, UPS, FedEx, a trucking company, makes your package their property to use until they deliver it.

You ship your show horse, which allows the trucking company to put it out to stud, and then deliver the horse. Or even not deliver it at all unless you pay a ransom in excess of the markup of local retailers that give the trucking company lots of business, or are owned by the trucking company. Ie, a retailer sells stud services, so the delivery charge is increased on your horse to match the cost of buying from the retailer you are competing with by going around him.

The two aspects of a common carrier: you must protect the property for the owner, and you must treat all customers equally.

Comments for this post are closed

Comments for this post are closed

Tyler Cowen - is hard for me to see it as the internet privacy skies falling, especially if you already are using Google and Facebook. It’s not exactly the case that our privacy birthright has been stolen from us…

The guy who's optimistic about our future because surveillance technology and mood-altering drugs will keep the lumpenproles in line advises complacency regarding diminished privacy.

Comments for this post are closed

One thing is for sure, this will lower my internet bill!

Comments for this post are closed

Privacy advocates failed to convince the Obama FTC a few years ago that anonymized browsing history is “sensitive” data. (The FTC has treated SSNs, medical information, financial information, precise location, etc. as “sensitive” for years and companies must handle these differently.) Having lost at the FTC, when the FCC started regulating ISPs, privacy advocates took their fight there and in 2016 they convinced the FCC to deem browsing history as “sensitive data"--but it’s sensitive only when ISPs have it.

This would have created some regulatory absurdities. For instance, if you bought your child a mobile plan with web filtering, she’s protected by FTC privacy standards, while your mobile plan is governed by FCC rules. Google Fiber customers are covered by FTC policies when they use Google Search but FCC policies when they use Yelp. Your browsing history is considered "sensitive" when your ISPs collects it but not when your browser does. And so on.

Congress' actions give the new FCC chairman a clean slate to enact FTC-like standards, treating all parties that have browsing data equivalently. It (mostly) clears up the confusing state of online privacy had the FCC rules taken effect.

No, Congress has prohibited the FCC from EVER issuing a year regulation about user privacy on the Internet. Only Congress can do anything in regard to privacy of data on the Internet. Congress can direct the FCC to implement privacy by rule making, but any FCC rule that mentions "privacy" is now prohibited.

Note, Congress mandates ISPs collect and sell usage data to the government. So, do not argue Congress has any interest in blocking ISPs from collecting and selling your usage data. And in passing this law, Congress has green lit unrestricted collection and selling of your data. The most the FTC can do is require an honest statement about doing this, but it's unlikely the Trump FTC will mandate ISP service contracts disclose that your data is being sold. Omission will be a true contract. The news discloses ISPs can collect and sell data by authority of Congress. Congress has prohibited any privacy rule until Congress specifically reverses it's prohibition on privacy rules for Internet traffic.

And, BTW, an ISPs stating it will not collect and sell does not mean the ISPs it sends all your data through will not collect and sell your data.

Comments for this post are closed

Comments for this post are closed

Comments for this post are closed