This article is saying, basically, that the tendency of ISPs to try to monetize user data is a natural consequence of capitalism, and trying to curb that tendency with legislation is ineffectual compared to the real solutions (fight monopolies, and everyone use a VPN).
I don't buy it. Roughly the same argument could be made about virtually any regulation. "Corporations are incentivized to pollute, so there's no point trying to stop them. Buy a water filter." "People will always try to get heroin, so there's no point in restricting it. Get some naloxone." Damn near every regulation is an attempt to counteract some profit-motivated tendency which is the unfortunate consequence of capitalism. And as regulations go, user data is a lot easier to regulate than drugs or pollution.
"Just get a VPN" might be good advice for individuals, but it is emphatically not the society-wide solution to data privacy. We can and should continue to fight for good legislation that protects us.
I think you missed the authors real point. The selling of data isn't the policy you need to fight. The monopoly power of ISP's is the problem you must push back on. The author has rightly pointed out that regulating your way to your goal is not a solution. He is advocating for a free market solution which is much more robust then one that hinges on the right people being in power for all eternity.
There won't be a free market solution to land-based ISPs. After the government broke the telcos up, they just consolidated again. Now we have less than half-dozen large ISPs, and states are trying to ban local governments from creating co-ops! Maybe one or two entrants will come in (google Fiber, who stopped expanding), and only then, it will be from GOVERNMENT enforcing free use of easements.
Certain industries have a tendency to be monopolistic, or else have incredibly high barriers to entry. ISPs should be regulated to protect customer privacy. This is the equivalent of USPS, the public library, and the phone company selling your data to whoever wants it, and it's wrong.
While not 100% 'free market,' I think that turning things like last mile lines, etc in to a public utility (allowing many ISPs to hook into them), and abolishing local government-granted monopolies is the real solution here. While abolishing the government-grants of monopoly status is unquestionably free-market, turning the last-mile lines into a public utility is slightly less so. But this move would effectively force the playing field to level a bit.
If you wanted to make it slightly less "government-y," you could just establish rules that those running the last-mile lines, and those providing the connectivity must be separate entities (and not connected to each other like some "spin it off as a separate division of Comcast but they are still parts of / owned by the same company"-type deal) so that everyone gets a fair shake.
[ That said, I'm not in favour of letting the privacy war play out in the market, because I'm not 100% sure that the market wouldn't just settle into a state where everyone was doing something I don't like to some extent. ]
It's funny that you (and many others) say this because we had this from 1996 to roughly 2004. Unbundled last element, or linesharing, was a requirement of the Telecommunications Act of 1996.
Telcos loathed it and pitched many mighty fits and threw every (physical and metaphorical) wrench they could in front of their brand new competitors. But it worked, in spite of the problems[0]. The absolute best I ever had was in Southwestern Bell territory. Over a single copper circuit I could choose from TEN different ISPs. Speakeasy, Megapath, Covad Direct, August Net, and a handful more that I can't remember. In 2002, I paid Speakeasy $160/month for 10mbps symmetrical with 8 real IP addresses and no port blocking.
President Bush was elected and the telcos' complaints were given new life at the new FCC. The unbundling requirements were swiftly removed. Now, we have this.
0 - And don't get me wrong, the problems were legion. UNE-P didn't apply to cable providers nor the new-ish fiber optic last mile buildouts. Only ILECs were subject to it so competitive providers who had built physical plants got to skate by. And there were some legitimate complaints over the "profit margin" calculation (in quotes because what's a margin in the telco business, really?). But, damn, it did work for a brief time...
> It's funny that you (and many others) say this because we had this from 1996 to roughly 2004.
Oh, I know that. The US also had more "competition" in the ISP space nationally because all of the regional telephone companies and cable tv providers hadn't yet consolidated into the mega-corps we have now.
> Telcos loathed it and pitched many mighty fits and threw every (physical and metaphorical) wrench they could in front of their brand new competitors.
Separating (e.g.) AT&T from their last mile infrastructure (and placing barriers to them re-obtaining it) would go some of the way to preventing this. Someone operating the last mile infrastructure that is not also a direct competitor to their customers[1]. It's a conflict of interest that no law or regulation is going to properly resolve.
[edit: I should clarify this. No law or regulation is going to properly resolve the situation unless we remove the incentives for the last mile operator to find loopholes to screw their customers.]
[1] the ISPs connecting to people over the last mile infrastructure
The big problem with that unbundling scheme is that it made DSL less profitable than cable internet,which didn't have to be unbundled (because they aren't ILECs).
This is why in the USA the cable companies are the big ISP leaders and the telecoms are second fiddle.
Verizon only built Fios when they got clearance that they wouldn't have to share it.
The unbundling is a great way to make sure that legacy systems are fairly priced. It's a bad way build new systems.
It's worth pointing out that Verizon has abandoned Fios expansion. Most of their build-out was to low hanging fruit like new residential communities where they laid fiber instead of copper.
So there's no simple cause+effect here related to unbundling. And even with unbundling it's not like a company loses money; they just lose monopoly rents but are guaranteed some profit whether or not they have to share.
Really the issue is about opportunity cost and financing: Verizon would rather invest in endeavors with a higher return than what they'd get with copper or even fiber. That higher return is wireless.
But there's so much cash available, or at least there has been for the past 10 years, that theoretically somebody could have stepped in to invest in these projects. Google was tentatively one of those people--initially it was enough for them to break even--but it looks like the only entity capable of committing for the long haul will be a non-profit or government entity. More so as the era of freakishly low capital costs slowly comes to an end.
> The big problem with that unbundling scheme is that it made DSL less profitable than cable internet,which didn't have to be unbundled (because they aren't ILECs).
Don't forget the fact that it's 2017, and DSL sucks. 40mbit down and 10mbit up at best is what DSL providers tend to offer. DSL just isn't viable compared to cable.
I don't see why we should give up on breaking up monopolies/oligopolies just because they have a tendency to consolidate again. These solutions aren't meant to be permanent. They are meant to be regularly applied every couple of generations.
> [...] stop relying on governments for self-protection that you can handle yourself. If it’s not the current administration that will repeal our protections, it will be the next one. And what then?
The whole point of a democratic government is to protect the interest of the majority of their citizens, and the selling of personal personal data is clearly against the interest of most Americans. In a democracy the tool we have to protect our interests is the law. Unfortunately this tool sometimes is also used by small but powerful actors for their own purposes, colliding with the will of the majority. That's exactly when we have to fight back to keep the government democratic.
VPNs can be used as a temporary workaround by some people, but it's definitively not a good permanent fix for this constant invasion of privacy that many corporations in the US are so willing to attain. Even if you think you have a perfect technical solution (GNUnet? Tor? I2P?) the next administration can simply say that solution is unlawful, and what then? The fact is, sometimes we have to demand our government to do the right thing, and this now is one of those times.
This argument is the central one in the article, and it's really weird, because it could be seemingly applied to any government regulation, or, indeed, any useful service provided by the government.
Once you notice that, the whole piece is basically just ancap apologetics.
You are right indeed if we abandon the law as a tool to protect ourselves and decide to go it alone not only will this surely leave the confused majority in the dust unprotected it provides no protection against future encroachment. Whats to stop them from banning consumer vpns or requiring registration and some sort of key escrow system whereby the key to your vpn is held by the government, your isp, and eventually your competitors/hackers after they steal it.
> The whole point of a democratic government is to protect the interest of the majority of their citizens
Is this the goal we strive for? There are lots of things that we don't want that could be largely couched in the language of "being in the interest of a majority of citizens". For example: Aggressive policing against petty theft, stop and frisk, prohibiting sales of off label unpackaged cigarettes; antiterrorism laws with intrusive cavity searches at every airport; fugitive slave laws...
It's evident from previous examples that it's a significant increment from legalizing a bad practice, that is anyway going to be done by law enforcement and other government organs, and by stealth even if it was illegal, to making software or protocols contraband.
Completely agree. Monopolies are the problem. Capitalism is a delicate system and, unregulated, it leads to monopolies. That's why capitalism needs regulation -- not to pick winners, but to ensure healthy competition. This is something Republicans seem to be willfully obtuse about. Capitalism without regulation is like a football game without referees.
This is I think where the voting public gets played by both sides. On the "free market" side people are told all regulation is bad, just let the market operate. Which ignores that some regulation is needed to keep a level playing field. Then on the other side we are told we need to strictly regulate to control for safety and shared resources, but both sides just impose regulation that benefit established firms and sell out consumers.
> Which ignores that some regulation is needed to keep a level playing field.
Think about the original purpose of the FCC. Some regulation is required to make the services work at all. With a completely deregulated system, your microwave would disrupt cell-phone service for blocks. Your computer power supply might do the same thing. And Verizon phones would probably intentionally interfere with AT&T phones.
Low-frequency spectrum is a public resource, full stop.
> ... but both sides just impose regulation that benefit established firms and sell out consumers.
Can't agree more. Corporatist rent-seeking is the fundamental problem with our political economy and/or society. But both sides keep talking past each other (as they are incentivized to do).
Tangent, thanks. This is the phrase I was trying to conjure to mind earlier today in a discussion about the very topic of this thread. Ended up taking a long, exhaustive and context-laden road to get to my point; after which I had already lost an audience but so it goes.
There are a lot of factors leading to the current lack of competition in most markets, but I'm not convinced that a monopoly is an entirely natural market condition in this instance. If it were, providers wouldn't demand franchise agreements before entering markets.
Government regulation contributes much to the cost of investing in infrastructure and starting an ISP business in most areas. I think it would be interesting to see what would happen if that cost could be brought down.
Yes, ISP monopolies are still a problem w.r.t. price and quality of service. But VPNs stop the ability of ISPs to snoop on and sell your data, which -- in a perfect world with ISP competition -- market forces would prevent. So VPNs can take the place of market forces for one of the bad things that arise with ISP monopolies, namely the one that the House just enabled yesterday.
VPNs do that so long as ISPs don't inhibit, block, deprioritize, or charge extra for traffic that isn't over known protocols that they can mine for salable data; which, given that the same political actors that oppose the FCCs Privacy Report and Order also oppose the Open Internet Report and Order that prohibits that action means that VPNs may not long be an effective mitigation of the policy problem, because of an intimately linked policy problem.
It is the regulation that created the monopolies. Local cable companies and telcos have legal monopolies in many areas by way of franchise agreements with municipalities.
Monopolies don't last in a free market. Someone hungrier will eventually come in and undercut the incumbent.
Regulations destroy competition. Sometimes that's a sacrifice you want to make - do you want an unregulated drug market or would you reduce the number participants with burdensome regulations? - but I don't think you can regulate your way to competition. Or to lower prices.
I'm going to object to the "more or less what the tool user intends it to". Our economy and political system is chockfull with examples of unintended consequences. Both majority parties are guilting of this.
And what if ISPs start banning VPNs in their TOS? What's the market based solution to that?
It seems odd to reject regulating against certain practices and reject the breakup of monopolies as well. Without a market that works properly many more specific practices are going to have to be banned. That's not an ideal situation. Monopolies are indeed the main problem here.
Also, VPNs seem to be under attack from governments, so I wouldn't rely that option being available forever either.
Right, and once everyone is used to life without internet let's go all the way back to a hunter-gatherer life so we're safe from extortionist practices made possible by other entrenched oligopolies that defeat market mechanisms.
I have to wonder why government regulation is to be avoided at all cost when it comes to consumer protection whilst the very existence of corporations, their property rights and hence markets themselves is owed entirely to government regulation.
I am very much in favor of using market mechanisms to solve as many problems as we can, because if and when markets work they solve a very complex coordination problem that is extremely hard to replace with planning. But to claim that markets can solve every problem including their own dysfunction is just logically nonsensical.
I depend on many things that hinge on the right people being in power for all eternity, and so do you.
We've seen what the wrong people in power do. Mussolini, Stalin and his gulags, Pol Pot and his genocides, Kim Jong-il, Slobodan Milošević. This isn't a statement about the current US President, but we depend on having right (enough) people in power in a lot more ways than this one policy decision.
I disagree. I mean you make a good point, the monopoly power of ISPs is a problem. But even if you solve that, that doesn't mean you solve the privacy issue. You can have dozens of ISPs and even if half of them sell your data that's still a problem. And it simply won't be enough of a factor for the free market to correct.
This, and the original article, makes the assumption that your ISP continues to transfer your VPN encrypted bits with the same priority that it transfers your HTTP and HTTPS bits.
There's nothing that says this will be the case. It would be very simple to deprioritize VPN connections, and recommend an upgrade to their "business" ISP plan if you need your VPN connection prioritized.
They have no reason not to, and every reason to. Either way, they get more money out of your existing internet use. It would be a pyrrhic victory at best; they wouldn't be spying on you, but you're paying twice more for that "right".
> The author has rightly pointed out that regulating your way to your goal is not a solution. He is advocating for a free market solution which is much more robust then one that hinges on the right people being in power for all eternity.
Then the author should go all out and suggest that the federal government completely deregulate all the spectrum from, say, 500 MHz to 1 GHz. We'll have lots of wireless providers, and none of them will work well because they'll all interfere with each other.
There's a variant that might work, though: force the licensees to operate on a wholesale basis only. No Internet, no voice, no SMS, no phone number, no streaming NFL games, purely connectivity to a wholesale backend provider that can provide whatever services they like using whatever peering, transit, CDN, etc relationships they want.
As a practical matter, it would probably work better to let the spectrum licensees provide voice and SMS, just because the protocols are so absurdly complicated that it might be very hard to get it to work wholesale.
(As an aside, public utility regulators could do the same thing for wired services. Let one provider supply every property in an area with a 10Gbps point-to-point fiber link to a nearby datacenter. Anyone else can lease space in the data center and cross-connect to residents' fibers.)
> He is advocating for a free market solution which is much more robust then one that hinges on the right people being in power for all eternity.
Unfortunately, in the real world, history teaches us that free markets will absolutely go to hell in a handbasket if the wrong people are in power even for a short time.
So, on the one hand we can have effective legislation right now over reasonably well-defined privacy concerns.
On the other hand, we can work for a decade to introduce regulation over the hard-to-define concept of an ISP monopoly, and then spend more decades going through the inevitable break-up and re-conglomeration of these entities under different forms, like we had with the telcos through the last half of the 20th century. In 50 years we may have a landscape that resembles that of the current cellular carriers: three or four large players in most metro areas, fewer rural options, and little real choice among them in terms of QoS or T&C. I suppose this would represent a slight improvement over the status quo?
This is the problem with so many free-market proposals, they would have you off tilting at windmills instead of directly addressing a fairly straightforward problem.
> regulating your way to your goal is not a solution
Why not? Author didnt say much at all about this. What else is regulation for if not to keep certain things in check better than the free market/people/whatever can do?
Right. People forget that there is no such thing as a truly "free" market. Literally everything we consider a "market" has regulations, from contract enforcement to currency standardization to abolishing violence and theft as market forces.
It's not only a free-market solution, it's also the solution that doesn't involve giving your ISP plaintext data and trusting them to do nothing wrong with it because the government said so.
Pure free market solutions are nearly always worthless by themselves there is always misaligned intensives in every transaction move complicated than selling a can of soup.
Where incentives are misaligned and/or the issue is a technical/complex and users are highly unlikely to vote with their dollars regulation is the only possible achieve success.
That was most certainly not the author's main point; he only mentioned it briefly, and he didn't mention a way to fight monopolies. To be sure, when the "Make Network Monopolies Not Exist Somehow Act of 20xx" is up for a vote, I'll probably be for it. But that's not what this article is about.
I think what the author saying is incredibly valid and the pollution example doesn't exactly equate.
Ideally, you wouldn't rely on trust, i.e. Policy, you would rely on math. As far as we know, judging from the Wikileaks releases, encryption still works.
With pollution, it is a policy issue, because there's no mathematical way to prevent polluters. So we have to negotiate amongst lawmakers, regular people, and corporations.
I think what the author is saying here is that we shouldn't bet our privacy and safety on who is in charge, as we are always one flick of the pen away from losing those protections. I think this is especially the case when there is a mathematical solution to the problem, that doesn't require trust. Obviously, having math and policy would be an added bonus.
Pollution and privacy are just two examples of cases where we use regulatory laws to curb the natural tendency of for-profit corporations successfully. That the regulations are implemented differently isn't very relevant; they're both regulations that a) shouldn't be relied on according to the article's rationale, but b) have proven effective in the real world.
> I think what the author is saying here is that we shouldn't bet our privacy and safety on who is in charge, as we are always one flick of the pen away from losing those protections.
Yes, and what I'm saying is that the same is true of every other regulation, which is why it's not a compelling argument against this one. You may have noticed that the same Congress currently gutting privacy protections is also gutting air quality protections...
Sorry, I'm not sure I totally follow your thesis. I think what you're trying to say is that the right thing to do is for privacy to be protected by the legal system, right? Then I think you're analogy to support that is how we have regulations around pollution.
So, on this point I agree. We should live in a world where lawmakers protect privacy and the environment, and the fact that they don't is disappointing and a short term (hopefully not long term) failure of government.
So far we are in agreement. In addition to that, I think what I'm trying to add is that VPNs are absolutely a way to mitigate the need for lawmakers to do the right thing, a concept in the abstract we all agree on but in reality proves to be very difficult. I'm not sure you're disagreeing with that point or if you think they're mutually exclusive, maybe you can clarify.
To go with your analogy about water filters being a substitution for having protection for keeping water clean. No, of course I don't think it's an effective substitute, but I'm still going to filter my water in addition to demanding that adequate protection is put in place.
So hopefully we are in agreement on that point as well, as they're not mutually exclusive.
But the overall, larger point to be made is we should just always do what we can. So voting is one thing, among other avenues within the process of government, however I'm also going to use a VPN, because, damn it, it works.
One last thing I'd like to say from another comment that I wrote somewhere else in here is that hopefully this will be an impetus for full decentralization the internet further, because an ideal solution would be to make it logistically intractable to snoop. A distributed internet, similar to how it was originally envisioned.
We're not really disagreeing much. I think that VPNs are a fine and effective solution for the problem "I want to keep my data private and I'm willing to pay for it" but not for the problem "I think corporations selling peoples' private information is bad and we as a society should try to stop it." I don't think VPNs are a realistic solution to that, and I think regulation is, and I think the author of the article would disagree with both of those assertions.
We are all engineers and can understand the concept of a patch versus a refactor. Yes, a refactor may be harder, but there is never an excuse to rely indefinitely on a patch; that's how you get burned with technical debt.
The government needs to change to be more responsive to the people and not constantly sell them out at the flick of a pen. Yes, use a VPN! But don't buy the message that there isn't more that can be done. There is, and many people are working tirelessly to see it through. Don't ignore or devalue their efforts to make a better system for people.
Allow me to followup in support: I work for a private VPN company (that coincidentally used to be a dial-up ISP), and the owner/leadership is very active in lobbying state and federal legislatures to pass privacy-oriented legislation. In other words: someone who's worked for decades on both sides of the issue acknowledges that legislation is the best solution.
I find the outrage rather interesting. Google and Facebook are basically everywhere sniffing as much data as they can. I actually don't mind if another party starts collecting the data as well. Go nuts.
Google is already toying with the idea of creating VPNs for consumers. In the case of the pixel it's legit because they allow you to opt-in to VPNing to google servers on untrusted WIFI connections. The irony is that now google has even more data on you.
Once your VPN exits, you can still get MitMed/injected on non-TLS resources, so what is the VPN really doing for you? The only thing the VPN does is control which party will spy on you.
You can easily avoid facebook by not registering there and blocking requests to their servers from other sites. Similarly with google, though you can't use Chrome and Android in that case.
There is no easy and free way to avoid your ISP spying on you.
Maybe I don't understand DNS well enough, but I assume all the tech sites that recommend everyone change their DNS servers to google's 8.8.8.8 or 8.8.4.4 understand that Google is heavily data mining and monetizing every lookup.
And the FCC has never attempted to regulate that level of privacy.
So they don't track personally-identifiable information directly; it's certainly possible you could de-anonymize someone from their dataset, but most of what they do track is on their end (what machine handled the request, how quickly, etc.)
The thing is, let's say Google reneged on their promises and started violating privacy on 8.8.8.8 - would it be up to the FCC to enforce that or the FTC to enforce it as fraudulent behavior?
Very good question. It could be handled similarly to the fiasco of google's street view cars 'hacking' poorly protected wireless routers. They got a pretty serious smack on the wrist for that.
Speaking about pollution, we should definitely create a way to pollute web traffic. When the enemy has heat-seeking technology, we have to start using chaff/ECM.
VPNs are a tool, but it's easier for users to install a plugin that pollutes their data than to enable VPN.
I think the key difference is selling one person's internet history mostly only affects that person's privacy. The environment on the other hand is a common good, and any damage to it hurts everyone. Similarly, someone taking heroin doesn't only hurt themselves, they are likely to hurt people around them as well.
It's a lot easier to see many pollution problems and the harm often is more direct and quantifiable - with a privacy issue the harm is often abstract and harder to see.
I think privacy and pollution regulations can be good, but they need to be carefully tracked and aren't always effective.
The best solution for you is always to be a vigilant consumer. Something like this can be protected entirely by doing so. Pollution is harder to defend against. Using a VPN is a great strategy to mitigate these issues before they're allowed to happen to you.
The article didn't use the term, but it's basically arguing there are such things as natural monopolies, and that ISPs are examples of them.
Fighting monopolies is an argument for more aggressive application of competition law, to break up monopolies, and disallow anti-competitive conglomeration. But again the article doesn't bring up anti-trust.
The article also doesn't account for the fact that an ISP, without net neutrality regulation, can block or throttle or charge extra, for VPN usage.
You're absolutely right that a broad regulatory solution would be a good thing - but we shouldn't ignore a technical solution when it's available. By analogy, we have pretty good regulations about the contents of your home not being stolen. But you should still lock your doors when you leave.
Buying water filters doesn't do anything to the polluting party. They can just keep polluting.
On the other hand, using a VPN makes your data worthless. It allows you to directly hit back at the companies trying to monetize your data. It's entirely different that just avoiding the problem.
Only techies will be setting up VPNs. What about the vast majority of everyone else who don't understand what is happening when they connect to the internet?
Considering the whole point of selling user data is that advertisers want to profile you, using a VPN just lets the ISPs tell the advertisers "this guy is a techie, send him ads for computer stuff".
I didn't say that privacy and pollution were similar in any way except that the line of reasoning presented in the article would apply to regulations policing both of them (and many others, and is hence over-broad).
... wait, there's an incentive for corporations to pollute? I think 'The Tragedy of the Commons' is a better explanation for that, but I see what you're driving at.
Your comparison is nonsensical. Pollution is a violation of a shared resource, and can even be an aggression to someone's property. Even the most libertarian minded individual will make a case against it, see for instance Rothbard[1]. Selling user supplied data to advertisers is exactly what Google and Facebook do. The problem is that there is a monopoly in the ISP business. You can use Searx, Startpage, DDG, or other privacy-focused solutions instead of Google directly, and Facebook is really superfluous, if you don't want don't use it, or just create a fake profile. When it comes to ISPs you don't really have a choice if they all decide to turtle up and do the same (the freer the market the greater the incentive to one of them to turn or for another to start in business by answering to the demand for a more private browsing experience, even if locally at a certain city at first).
[1] "The eruption of Mt. St. Helens should have alerted everyone to the ever-present processes of natural pollution (...) In sum, no one has a right to clean air, but one does have a right to not have his air invaded by pollutants generated by an aggressor (...) such aggression may take the form of pollution of someone else's air, including his owned effective airspace, injury against his person, or a nuisance interfering with his possession or use of his land (...) this is the case, provided that (...) while visible pollutants or noxious odors are per se aggression, in the case of invisible and insensible pollutants the plaintiff must prove actual harm; the burden of proof of such aggression rests upon the plaintiff; the plaintiff must prove strict causality from the actions of the defendant to the victimization of the plaintiff; the plaintiff must prove such causality and aggression beyond a reasonable doubt; and there is no vicarious liability, but only liability for those who actually commit the deed." https://mises.org/library/law-property-rights-and-air-pollut...
Rothbard's approach to pollution in many cases does reduce down to "tough...buy a filter if you want clean air/water", due to his requirement that the plaintiff prove strict causality, and in the case of invisible pollutants prove actual harm.
When you find, for example, your crops damaged by acid rain, that acid rain can have been caused by pollutants releases hundreds or even thousands of miles away, from hundreds of sources.
Who do you sue? It's generally not going to be possible to prove that the pollution emitted by any particular source ended up in the rain that fell on your crops.
I didn't say pollution and privacy were identical, or even similar. My whole point was that the fact that the author's argument would apply to almost any type of regulation is proof that it's over-broad.
As far I am aware Google doesn't operates as a data broker ("We do not sell your personal information to anyone." - https://privacy.google.com/how-ads-work.html), so comparing what Google does with ISPs selling PII associated with traffic to any third-party is in my opinion, no offense, a bit absurd. Not trying to defend Google neither: I don't support the way they use user's data, which is why I use DuckDuckGo, but I don't think this comparison (which was used by the Republicans) is valid.
That just means that Google is vertically integrated the advertising value chain.
And while the law would probably let the ISPs sell your actual web history, in the past ISPs never went anywhere near that far. They more or less did what Facebook and Google do with their data.
The only thing is, I shouldn't have to pay for a VPN to continue enjoying some measure of privacy when I'm paying for the ISP's service. This is just some MBA's "great idea" to "leverage previously untapped revenue sources" rather than a real need by struggling firms grasping at any life-line.
It's disgusting, and I'm disgusted (_yet again_) by the mercenary Republican Party. They are declaring war on me and my loved ones and the vast majority of our fellow Americans and anyone else unfortunate to have to use an internet connection in the US (and live under the rest of their insane policies).
For the record, I signed up for a personal VPN two weeks ago because this anti-consumer outcome was assured with the current party in power in the US.
I found this comparison matrix[1] which provided me the info I needed to identify a few services to compare. I'm really just looking to keep my ISP from snooping on my traffic, so my criteria are pretty limited and I just wanted something quick. I don't plan to watch Netflix with it for example, which might have pushed me to a service that would allow me to select specific servers for traffic egress.
I also went with Private Internet Access, but I'm not sure what you mean by
>I don't plan to watch Netflix with it for example, which might have pushed me to a service that would allow me to select specific servers for traffic egress.
PIA has servers in many different countries that you could switch to, does that not that fulfill this?
I am very happy with f secure freedome. Good speeds (mostly able to give me at least 30-40 megabit) and reputable company that provides decent support. I have been a customer for a few years.
Telecoms give about 6% more to Democrats than Republicans[0] (and more than 20% more in 2010, in fact they've received just as much funding or more than republicans ever since Obama was elected). Voting against this bill because of some personal stand seems like a weird time to suddenly find a moral compass. The Democrats didn't vote yes because they didn't have to, so they get a chance to grandstand and rack up brownie points with their base while their bosses still get what they want. It's a win/win for everyone!
On actually contentious issues, like CISPA and the like, the votes split almost exactly down donation lines as opposed to party lines.
Regardless, even if the split is supposedly true what do you think is the real problem? The current republican gang or the influence and power the rich wield? Even if you replaced every single politician you hated with the wave of a magic wand the powers that be would still find ways to influence the new group.
We should tackle the systemic problems first as a whole nation, then hopefully the issue of removing those that wish themselves our master will be much easier.
Yet people will cry "whataboutism" while ignoring the fact that just because no D's voted for this, it's just one of many pendulums in which they both take fucking turns doing the same thing. On that next peice of legislation, all D's vote yay and no R's, so it's obviously the D's fault!
Congress is completely corrupt. They don't write legislation, k-street does. They don't read legislation they pass. When confronted, they waffle about benefits to corporations being beneficial to their constituents. Almost all are in violation of their oath.
After much deliberation I think reprent.us has it right, the only way for us to take of this issue is for a new rallying cry to elect third-parties and indepedents to take away the majorities of both parties. (which is also how we get an independent or third-party elected president by taking the 270 votes away from both parties and the vote goes to the house).
We need to stop letting people push the farcicle duverger's law as if it's irrefutable fact, because it's not.
Not a single Democrat voted for the bill. The Democrats certainly have their own problems, but this "both sides are the same" shtick is really getting old when they very clearly aren't.
But combined, their views represent only a narrow slice of the political spectrum.
Both parties have their own flavor of expanding the powers of the government, while no one in office is advocating reduction of government power.
Sure, the republicans occasionally give lip service to the idea, but they're all the same as the dems.
I guess I'm a bit fed up being told "pick a party that represents you" and finding absolutely zero options who don't make me feel dirty or stupid.
I maintain that both parties are the same, neither is capable of delivering real change. (A perfect example is the last US presidential election. Trump and Hillary? FFS.)
>Both parties have their own flavor of expanding the powers of the government, while no one in office is advocating reduction of government power.
Not everyone is interested in across-the-board reduction of government power. I understand it appears to be your view, but you need to be careful to treat that as another political position, not as a global constant.
>I maintain that both parties are the same, neither is capable of delivering real change
I think it's a naive fallacy to have the base goal being some nebulous thing called "real change". When things like Obamacare and gay marriage and raising the minimum wage and protecting the environment, like Obama did and Clinton would have worked for, can't be called "real change" because they aren't the perfect solution some liberals/libertarians would want belies a privilege in not being a member of the classes that these things really affect, which coincidentally are not classes often represented well in the tech industry or on tech boards like this one.
I am too quick to elevate my political _opinion_ to that of fact, and in doing so, commit the exact same mistake that drives me bonkers when other people do it.
Also, my own use of "real change", as soon as I read your comment, made me hang my head in shame. "Real Change(TM)" is just a stand in for "something that I think should be done, and until it's done, nothing else matters!"
It's related, I suspect, to the "no true scotsman" fallacy.
So, you're right. I worded that entire comment poorly.
This is one of the reasons I enjoy dipping into the HN comments now and again - I sometimes get really high-value feedback like this.
So thank you, /u/mejari, for taking the time to comment what you did. It's a good gift. :)
> Not everyone is interested in across-the-board reduction of government power. I understand it appears to be your view, but you need to be careful to treat that as another political position, not as a global constant.
It kinda depends on what you mean by "across-the-board reduction of government power." I do believe that everyone is interested in peace. And justice. And creativity. And hope. And being able to relax and do what they want.
And even if government isn't in opposition to these things in every case, empire certainly is. And people recognize that.
So yes, deprecating the American Empire is something that enjoys very broad support; certain aspects enjoy consensus.
> deprecating the American Empire is something that enjoys very broad support
While 'No Empire' seems to be a Good Thing, in general, if the question was instead, "Which country should lead the global Empire if not America?" I wonder what the survey results would be.
> ...both parties are different. But combined, their views represent only a narrow slice of the political spectrum.
That is (by way of the Median Voter Theorem) a consequence of the two-party system, which is (by way of Duverger's law) a consequence of winner-takes-all or first-past-the-post (and not proportional) voting, I'd say.
Ah, yes, president obama, advocate of the privacy rights of individuals world-wide.
He expanded the powers of the NSA because he could, or had to, or whatever. I struggle to imagine that he then turned around and used the FCC to push meaningful reform along for his citizens.
I think the burden of proof is on you to show that his track record with government spying should be ignored when thinking about his track record with FCC/consumer protections.
Both of those are consistent in one respect, that they both expand executive power. A group with power consistently seeks to increase that power. The FCC wants power, the NSA wants power.
Really? Because every Republican voted for this and every Dem voted against. I get so sick of the false equivalency BS people spout off to sound smart and edgy.
And yet when an opportunity for real change happens, both parties dig in and fight back.
It is in their interests for us to think there is meaningful difference between them, and I'm confident that many dems and republicans do earnestly believe there are differences between them and the other party.
But the differences are _so small_.
If one party wants to pass legislation that does X, and the other wants legislation that does Y, there is _no one_ advocating for all the myriad unspoken options.
My wife used to be a kindergarten teacher. One of her classroom management strategies was to try to give her students options. She'd say "would you like to do X or Y right now?"
Of course, she only gave options that she already approved.
So, for the "powers that be", the real power is deciding what bills go up for a vote. What happens in the actual vote is trivial compared to the power that comes with killing a bill before it hits the floor, or passing other legislation in omnibus spending bills.
I maintain that they work together to screw us all over for their own benefit, and to keep the corporate spigot flowing.
Wrong. This argument is intellectually lazy, and serves only to let you feel smugly superior to others. I suggest that such comments be flagged in the future.
> It's disgusting, and I'm disgusted (_yet again_) by the mercenary Republican Party
Stop this BS. The democratic party has done pretty much similar bad things that violate our privacy. Are you just good at selectively ignoring things? This is really the fact that every US govt is not for personal data privacy. You have to just accept it (if you are an american).
On this specific issue, it was the Obama FCC that made sure that ISPs couldn't sell this data, and it's the republican congress & president that rolled it back. So it's a pretty fair issue to point this difference out with.
It's also a good concrete issue to use in understanding that while arguments like "Democrats Do Bad Stuff Too So IDK Apathy" may be persuasive to some people in justifying not voting, it's ultimately not true. If this issue matters to you, there was a ballot box solution to preventing it. Not enough people used it.
While I'm usually all for bashing both sides, does it really apply in this case? The bill in question repeals rules set out by the FCC under the Obama administration. Those rules were a proactive measure that increased privacy from ISP monopoly overreach.
If this recent attack on privacy is something both sides support (as you seem to claim), why did the Obama administration set out those rules? And why did the Democrats in Congress not vote for this repeal?
Were? Obama's rules affected by this legislation wouldn't have taken effect until next December at the earliest. It was an Obama administration screwup that opened this privacy hole in 2015, and it's been there ever since. Why is the outrage only popping up now? The ISPs have almost 2 years' worth of data already.
Exactly! While both parties do bad things and are undermining this country, it helps nobody to blame both parties for something specific that one party is doing without the support of the other. The vote was along party lines and in this case, one is right and one is wrong.
Why not? for every other service you use online this measure of privacy doesn't exist and no one seemed to care about it. When services came along that advertised a measure of privacy they were not inundated with business turning them into titans of industry.
If when given the option you don't use services that keep your data private, why is this a big deal to you when yet another service you use sells your data? If you want privacy you either need to shop for services that provider it, or like this article states, take measure to ensure some level of privacy.
Politically, it means that people who should be getting angry about reduced privacy are "comfortable" with the fact they can work around it, while a new generation grows up with fewer and fewer expectations of what privacy means. It's short term protection in return for normalization of anti-private behaviours and long term damage.
But I also have a problem with it technically:
Issue: You don't trust ISPs to not sell browsing history.
Solution? Provision a virtual server, set-up a VPN and tunnel.
But your server still has a service provider. It might not be literally tied to your billing information but that was never going to be anyway.
You've shifted which ISP gets to sell the data from "home provider" to "virtual server provider", but there is still browsing data isn't there and it's just as valuable from a private single-use VPN as it is from your home connection.
> But your server still has a service provider. It might not be literally tied to your billing information but that was never going to be anyway.
The idea is to use a VPN provider that keeps no logs and runs many concurrent connections NAT'd behind the same public IP address. That way your traffic is mixed in with everyone else's who's using the service and provides you with an additional layer of anonymity.
That would be one way. In the VPN provider scenario if the ISP can snoop on both the incoming and outgoing traffic that can correlate the two by analyzing the timing and packet sizes. This is how Tor can be defeated as well but it's much simpler to do to a VPN service since they prioritize speed over privacy more than Tor.
This could be as simple as connecting the dots between you logging into your ISP account to pay your bill via the VPN.
This is one specific way in which a VPN is a poor solution to protecting privacy. It means the user has to constantly be on guard to which traffic should go over the VPN and which should not. Even one single slip up could negate all the benefits you think you are getting.
Edit: This reply should have been a couple levels higher, addressing the general tracking discussion rather than NATs specifically.
Assuming it's possible to make it easy to companies to become VPN providers, and since the problem is trust, shouldn't a service from a trusted non-profit be good ? one that must share any financial information, as some non-profits do ?
There are no foolproof security solutions, only varying degrees of who you trust with what. There are many VPN providers who claim to keep no logs on user activity. If their claims are true, that is a better option than Comcast or AT&T since the VPN provider with no logs has no data to sell or share.
Those VPN providers need to get their internet connection somewhere and if you terminate your VPN inside USA (which you'll have to - to get decent speeds and pings), you'll just move the point of data collection.
Sure but if you have a VPN from a provider with enough customers I and use TLS to connect to websites, associating the browsing activity to a particular customer is difficult even for their ISP. Some of it could be traced back by traffic analysis, but it's at least more obscured than if you are using TLS from your own connection without a VPN.
In the US most folks only have a handful of service providers to choose from. There are a huge number of VPN/PaaS/HaaS providers you can choose from, it shouldn't be hard to find one that respects your privacy.
I think that actually increases your exposure, as a monthly snapshot will likely be as good as any other month's snapshot and just as damaging (or not) if it got out. If all providers sell your data, that means that purchasers of aggregated data will always have up to the date info anyhow.
I would say the "better" solution would be to find a provider with a good reputation and stick with them, and leave them in a heartbeat if it appears that they've sold your data. It gives them an incentive to continue behaving well through referrals and recurring revenue.
So I was a call-in on NPR today (http://www.wbur.org/onpoint/2017/03/29/internet-privacy-cong...) that discussed the ISP privacy issue. I brought up the crowd funding initiatives to buy Republican's info as well as the Democrat's unwillingness to make use of this issue. The call-ins were unanimously against what the congress did.
edit:
Here's the GofundMe trying to raise money to buy their Internet history. Something tells me this dude is going to run off with the money though
These "jokes" are already getting incredibly stale and silly. I don't get it at all. A provider is not just going to let you come in, even with say a billion USD, and buy X individual's data. That's not how it would work at all, this is not just like some sort of self-checkout to get someone's data.
And even if it was remotely like that, I can guarantee you that the providers will go to lengths to make sure they didn't just lobby millions (speculating, of course) to get this through and then throw the same congress members under the bus that they lobbied to and then hand out their data to get them in trouble with the public.
However, they can do what everyone else does; buy anonymized data for the area person X lives in. They can then use countless techniques (that have been demonstrated repeatedly) to de-anonymize the data and find out about person X.
What I'm getting at is even if they did try to use the method you described, I highly doubt they would even include that data of those congress members. I bet they blacklist users in situations like this. They are not just going to give that sort of thing out via a sell. Even if they law ALLOWS them, doesn't mean they sell to anyone with money.
All-in-all, I think if you donate any money towards these crowdfunding initiatives, you might as well burn that money because it's not going to get people the info they think they are going to get. ¯\_(ツ)_/¯
Now you are being over-optimistic about ISPs' sophistication. If I wanted data to target white renters, I can get it as long as I don't do it wearing a klan hood. A data set encompassing legislators is for the most part a data set of lawyers with some special characteristics. It could be a subset of data you can buy, or it could be assembled as a mosaic.
>Other articles have argued that VPNs are not a solution to a policy problem, because you can’t necessarily trust a VPN provider, or some VPN providers don’t encrypt your data properly. That may be the case, but that’s an easily solvable problem. And there are no monopolies on VPNs. This is something that a market economy can solve in a year.
It has been a few years since my Econ 101 class, but I suggest the author Google "market for lemons". Users have no way to verify the intentions of VPN providers as there is natural information asymmetry. Trust is not an issue that market economies have come up with a good solution to fix. The solution we often use ironically enough happens to be policy and regulation. So maybe this is a policy problem.
The market has come up with a great solution to some trust problems, like Underwriter's Laboratory. A group of experts certify any device that will have their stamp of approval.
There could be an identical service for privacy/internet tech. There isn't, but I'd trust an "Internet Underwriter Laboratory" group way, WAY more than a group of politicians.
Which is a regulatory solution. I don't know the specific history of UL, but the most common way these type of agencies are created is by the government or from within the industry out of fear of government regulation.
Read over UL's history [0]. It was started by a private individual, and is a for-profit company with huge reach and sets safety standards for devices in many, many industries.
So, while I can't speak to how these things _normally_ come about, this is a compelling example of self-regulation entirely outside of the scope of the government.
Everybody is right. It doesn't have to be either-or.
You can select a paid VPN service that helps protect you from specific adversaries. You can roll your own VPN on your own VPS that helps protect you in some use cases.
You can, and should, advocate for good privacy policy.
"That may be the case, but that’s an easily solvable problem."
So, how is that problem solved? I can't see what VPN companies are really doing inside their stack. They might very well be logging everything and I have no way to find out other than to "trust them" - so there's no real market mechanism to choose a VPN provider which doesn't log anything.
I suppose it could be in the contract.. so does VPN contracts have a clause like that, and how is it enforced?
A VPS provider would be very unlikely to sell that sort of information. If they were caught capturing traffic, I doubt many businesses would want to use their services.
Some of the tiny VPS providers accept $12-20 up front for a year of service and might disappear before the year is out, but it isn't a big deal because they are so cheap.
I imagine they wouldn't know how to monetize the data, but if the market matures, there could easily be the same people behind buying data from Comcast-sized ISPs, creating tiny VPS and VPN providers that don't get any meaningful scrutiny in practice.
If you're serious about your privacy, the first thing you'd want to do would be to use a reputable VPS provider. $60/yr for a DigitalOcean droplet isn't terribly expensive.
A VPN that sells your information and eventually, inevitably is caught, will lose their entire business. Meanwhile they can make a perfectly good profit just... providing the desired service. There are also people who take the time to investigate these various services, and you can do some work to find one that meets standards you deem to be acceptable.
There isn't going to be a perfect solution here, but the issues with VPN's are really not the issues you raise. My concerns are: Google and other major sites endlessly pestering VPN users with CAPTCHA requests, or the government actually making them illegal. Your concerns are largely answered by researching which product you're willing to buy, not unlike all other similar decisions in life.
This argument, applied to any industry, is so tired by now.
Yes, a VPN company caught selling info would crash and burn. The invisible hand would ensure this, etc etc. But only if they got caught, and even then it's not like there would be any actual legal punishment (outside of a lawsuit if they were contractually obligated to not sell the info, I guess). And if selling that info meant double the profits, I doubt the owners who were willing to lie to their customers would feel all that bad or embarrassed. They'd probably also be shameless enough to re-brand.
And all that is ignoring the fact that with VPNs privacy becomes a privilege only to people who can a.) afford it and b.) understand how to use it. And finding a VPN that won't sell your info on the side requires the time and know-how to research it, not to mention even considering that a VPN might sell your info requires interacting with news orgs or people who might bring this concept up.
Chalk this up as another "HN readers don't realize most people don't read HN", color me surprised.
Except that those "most people" are the ones who are directly responsible for electing the current crop of leaders who have put us in this position, so I'm running a bit low on universal love and compassion, sue me. Moreover this is, as others have pointed out, not a new loss of privacy, just a new monetization of the existing loss of privacy.
So yes, there are better solutions involving the law, but unfortunately the innocent lambs you're defending are the ones calling us nerds and buying IoT junk!
Those "most people" also elected the bunch that put the law there in the first place. But it wasn't a campaign issue for either side, so it seems silly to bring up. This is a consumer protection / rights issue and the best way to handle it is clearly through policy, the free market won't do well for the vast majority of people especially in the ISP industry.
Their competitors that sell info will be cheaper, so there's a good chance that the trustworthy ones will be pushed out of business. Then you're left with only cheaters, but you won't know that at the time. You'll only find out that everyone is cheating long after your info has been sold.
Someone could make a program that inspects the packets on your local network. If they're encrypted then the connection is safe. They could then start a register of VPNs and rate them.
This is just the start though, you'd also have to guard against common keys and other various gotchas.
Also, another idea is VPN providers might start seeing it as a business opportunity to provide robust, secure connections and advertise how they work. These claims could easily be verified.
Just a start, I'm not an expert in networking, but it seems fairly doable. Obviously MITM is always possible if you're not connecting via ssl.
Also, this could be the impetus for further decentralizing the internet, although who knows how far that's out. The centralization of the internet might have taken things too far and killed the golden goose by abusing their position, incentivizing an acceleration of full decentralization, like with IPFS and their ilk.
I don't understand. The VPN connection is decrypted at some point when it goes to public internet, and that server is in control of the VPN provider (or so I've thought). They could log the requests at that point. Even if you only use HTTPS, the VPN provider can at least log what servers you're making requests to, and DNS requests too I suppose, even if they can't figure out what HTTP route you're requesting.
"Companies selling your data is nothing new—Facebook and Google have been doing it for decades."
Is there any evidence for this? I'm pretty sure that in the case of Google, at least, it's a flat-out lie. In fact, they state in massive letters: "We do not sell your personal information to anyone." (https://privacy.google.com/how-ads-work.html) Who would they even sell it to? They're at an advantage having that data themselves.
I'm not sure what "pimping out" means if not "selling".
Google runs the ad network, so they don't have to sell or "pimp out" personal data to advertisers. They use it themselves to make sure the ads are being seen by the people the advertisers want them to be seen by.
Google doesn't sell an indexed list of users and their interests: you can't buy the data and then use it how you want.
But, yes, pimping it out was just hyperbole for renting it for particular, well-defined purposes. But even that doesn't convey the fact that advertisers never have full access to the underlying data itself. They can specify the market demographics desired and google or any other ad network delivers the matching eyeballs.
Allow me to rephrase this entire debate in terms that might sound more familiar.
Point: Locked doors and a shotgun under the bed is not a solution to the violent crime problem. We also need laws, and police to enforce them.
Counterpoint: Locked doors and a shotgun under the bed is absolutely a solution to the violent crime problem. You can't rely on laws, because they can easily go away with a stroke of the pen.
Most of us: I lock my doors and might have a gun just in case, but I recognize the value and role of laws. In the real world we have to accept that we need to defend ourselves, and also act collectively through politics and law to protect each other.
And yet anyone who says crime is not a problem worth fixing because we have guns will be laughed out of the room.
And that's despite crime being a very hard problem to fix. The privacy problem we're talking about here is actually trivially fixable with legislation alone.
Actual most of us: I let Google and Facebook rummage through my underwear and dick pics in exchange for 50 cents worth of free server usage a month. I also stare at hours of advertising a week to get free TV.
I won't deny that FB has a huge userbase, but no, that's still not most of us. In addition, broadcast tv isn't shitting the bed because people aren't tired of the deal you've described; they're just cutting the cord.
Locked doors and a shotgun fails when a) the perpetrators have more guns than you and b) when your shotgun "misfires" and causes more damage than the threat.
But it's a false dichotomy. We need (the rights to have) both. Defense in depth.
Exactly, it's not a dichotomy. But the first point doesn't present it at one - it doesn't claim that VPN is not useful for defense in depth, only that it's not the solution.
The counterpoint is the one that sets it up as a dichotomy of sorts - that you don't need regulations, because the things that you can do on your own are sufficient.
Instead of using a VPN I think I'm just going to create a script that randomly requests various websites 24/7. So don't cut off the signal to your ISP just drown it in a lot of meaningless noise
1. VPNs are slow: They will never get widespread adoption because people pay for internet speeds and want them. Not to mention many people use internet that is so slow that VPNs are just not viable. I try to use a VPN at least when I go on public WiFi, but I've been to hotels were the service was so slow that the internet would just not work while using a VPN.
2. The article encourages ad blocking. The problem is that a lot of the web relies on ad revenue. Content doesn't just produce itself without funding. Yes, most content creators are finding alternate means of getting money, but we still need to keep in mind that this is an issue.
Therefore, while VPNs and Adblockers can help, I just don't see them as viable enough strategy to take down the ISPs. You are both slowing the user's ability to get content and the creator's ability to make it. Yes, the privacy focused community can use these tools, but everyone knew we liked privacy already. It isn't until the mainstream users speak up or do something that we can get stuff done.
This article is really bad. On the one hand it says government is unreliable and therefore it's hopeless to regulate. Then it immediately argues we need to break the ISP monopolies (which is true.) But why are there monopolies? It is because the ISPs collude not because there is regulation stopping new ISPs. Google and Verizon both dipped their toes in and gave up on providing wired access to the home.
The only way to break the monopolies is with government regulation forcing them to share the lines, because running the lines is the very costly part that stops new ISPs from competing.
And it’s so damn lucrative that ISPs are crying, No fair! I want a piece of that too! Are they not entitled to pursue such an opportunity?
If they give me the broadband access for free then I might feel some sympathy for this line of argument. At 97% profit margins, not so much.
Funny how "entitlement" can be a positive thing when it describes a rich, powerful entity but a negative thing when it describes someone or something more ordinary.
Classic libertarian fallacy: “every resource should be managed by markets and every problem solved by the marketplace”. Except, the Internet is not a commodity, it’s infrastructure: it’s not a car, it’s the road. For consumer fluff — sure, go the libertarian route (“shop around”), but for things that really matter, like infrastructure and healthcare, don’t look for trivial market-based solutions…
Does anyone know of some kind of appliance I can sit in front of my router that will put all the traffic in my house through a VPN? I run OpenWRT, so I think it's possible to do it there, but I think it would be easier to make it it's own thing.
Whitelisting would be nice too. Netflix video traffic, for example, would be nice to not put through another hop.
Just getting a VPN is like a teacher telling a bullied student to "just ignore and move away". Sounds great in theory, but really doesn't work for everyone in the real world. Some day, when wireless solutions get really good, or the cable monopolies are broken, pro-privacy will be a selling point.
I enjoyed this article until I came to this paragraph:
> Other articles have argued that VPNs are not a solution to a policy problem, because you can’t necessarily trust a VPN provider, or some VPN providers don’t encrypt your data properly. That may be the case, but that’s an easily solvable problem. And there are no monopolies on VPNs. This is something that a market economy can solve in a year.
That's where the author lost me. Building a secure VPN is different than your run of the mill SAAS - it's a difficult security problem, and an incredibly complicated user problem.
On the security side, it isn't hard to make a mistake that will give motivated parties the hole they need to crack the VPN. On a business side, it's hard to know which companies have received lucrative deals (or national security letters) from three letter agencies. And from a communications side, it's damned near impossible to let the whole world know that VPN Provider A collects data for a three letter agency.
Sorry to say it folks, but this is an area where we either need wholesale political change, or technological change. I'm Canadian, so I can't help you with the first one and I'm not even remotely qualified to help with the second.
Couldn't disagree more with this article.
VPN is a solution to a policy problem until policy makers forbid VPN to enforce their core idea in the first place. (e.g. see United Arab Emirates for some restrictions of VPN use)
Didn't you read the "Big Book of Internet Rules"? All you have to do is say the words "Virtual Private Network" 3-times-fast in the bathroom mirror of The Courthouse, with the lights off. The judge is then required to let you go and drop any pending charges. Those are the rules!
That's right folks: the overwhelming power of the state to enact actual policy that can impact millions of lives? It crumbles before the power of my 1ghz Atom router. It has AES-NI, after all. That's, like, impossible to beat.
In my home, Comcast business uses IPv6. So far, no VPN supports this, and I haven't found proper answers on how to handle this?
I've heard I can just "disable IPv6" on my Mac, but I don't know the full implications of this. If anyone has any input I'd appreciate this, because then I would use a VPN all the time.
EDIT Sorry I meant to type VPN not VPS, stupid typo.
If you're on Comcast business, there's no real implication on turning off IPv6.
Any sites you use that are exclusively available only via IPv6 will stop working, but due to slow adoption of IPv6, that list of exceptions is quite small. IPv6 adoption is big in China, but even then the major services themselves are available over IPv4. (Weibo.com doesn't even advertise an IPv6 AAAA DNS record, so the things I read about IPv6 adoption in China may be overstated.)
There are, of course, exceptions. There are a number of intentionally ipv6-only test sites like https://ipv6.google.com that won't work. Things like Google.com which are available over both IPv4 and IPv6 will degrade gracefully if you turn off IPv6 on your mac, and just connect over IPv4.
What I'd really like is a vpn that gives me an ipv4 address and an ipv6/64 so I can have my router do the vpn and route my whole network through a vpn by only configuring one computer.
There's no secrecy, there's no product yet. I just already operate a VPN for my own use, and could easily do so for others. Maybe a product would come out of it, maybe not.
I don't have any way to prove I'm not logging your traffic, but I am a big believer in privacy and promise not to. If you don't trust me, you don't have to use it.
According to the Supreme Court you don't have any expectation of privacy in information given to a third party so whether the VPN is in the US or not does not matter.
At least until they overturn the net neutrality rules, too, and then the ISPs will be able to throttle VPN services to make them unusable. Or perhaps they'll ask them to pay more for the "fast line", and VPNs may get too expensive for most people.
Technical solutions are the way to solve this sort of problem without policy. A protocol that obfuscates your traffic, along with an unpredictable IP for the provider, would make the DPI required to throttle VPN connections very difficult and expensive.
In regards to the question of ISPs selling browsing history, how much of that data outside of law enforcement has ever led to profitable sales from consumers? Like honestly, I've never ever been swayed by a web advert. If anything, they've made me disgusted with the advertiser and made me delay any purchases. Plus, most of the web ads as they are now are just boring repeats of the same product I've searched on Amazon or Google. No related products, no accessories (I bought a telescope recently so I find it odd that no one is trying to hawk eye pieces or filters for the coming solar eclipse). Just the same dumb product I've ALREADY BOUGHT! Like I can't imagine the profit margins on data mining are all that significant if my intuition holds true.
How much is that data worth? Combine Google and Facebook's market cap and then maybe multiply by 2 or 3?
We're talking about EVERYTHING you do online on your devices. It's no longer limited to what you're doing on Google or Facebook or any other place who's primary product is your data.
Yeah so you know that I like telescopes, talking smack on Twitter, and watching Let's Plays of Dwarf Fortress. Now, how do you monetize that? What meaningful marketing information does that give you? You see where I'm going with my skepticism? I'm skeptical that the data itself is useful by any measure because in itself it does not give a marketer nor a business an insight that they couldn't infer by more low tech means (my age, income bracket, how often I buy things, etc all which is already in their records in the majority of cases). None of this "big data" stuff is really that novel and it's an attempt at modern alchemy of turning crap data into "valuable information." Knowing the minutia of your customers or users in general won't help you serve them nor will it help you get more of them. At some point the supposed tacit information of the market devolves into the random noise of the universe.
>Hey Google, when all email providers sucked you fixed it with Gmail, you run a DNS at 8.8.8.8, and now -- now, I think you know what you need to do now :)
>(I personally recommend you also do a web-based proxy, because who is going to filter https://www.google.com now or in the future?)
>I believe in you. You can do it!
>Counter this chilling effect today - and show more adwords as a result. (There is no irony in this statement. I mean from web sites that opt into adwords, not from selling VPN traffic logs.)
----
Google, pay attention: step up to the plate. Please!
> "You own the computer from which all your valuable data is generated."
That might be true at the moment, if you're using a good computer, but many computers do not provide full access to the system, including: Android, iOS, Windows 10. (Almost all mobile devices block root access as much as they can.)
Watch out for attempts to appify the WWW and reduce the ability of consumers to block ads and tracking: AMP, FB Instant Articles, etc.
One of the most dangerous threats to privacy is the increasing restriction on access to devices' hardware and software. If it isn't stopped, there won't be any way to block tracking.
Correct me if I'm wrong, but aren't ISP already monetizing on my data by the fact that I _literally pay them for their data services_? So no: an ISP going "I want a piece of that behavioural profiling ads money" is most absolutely not reasonable.
If you want to be in the ad business, stop being an ISP and go into the ad business, but if you're providing a service and that service is internet-for-pay, and we pay you the money you have said it costs to use your service, then it is not reasonable for you to complain that there is more money to be had, and you want all of it.
Are telephone providers in the US allowed to sell the data about who you called when, how often and how long? If not, why not? Should be possible to monetize that.
Not a solution, rather a workaround. VPNs reduce performance, and they aren't free either. The idea of privacy abusers is to to tax those who value it.
The author screws up big on the VPN vs government issue. Let me illustrate the points made.
1. The government's laws/policies are a threat to users' privacy.
2. You can currently use VPN's to protect your privacy.
3. People point out that the VPN's might lie to you willingly or under compulsion by LEO's w/ existing surveillance legislation. The same LEO's that Snowden leaks say compelled secret backdoors in all kinds of products and services.
4. "That may be the case, but it's an easily solvable problem."
Lol. If it was so easy, we wouldn't have a surveillance state or it would be well-regulated based on GAO's reports. Instead, we do have one, VPN providers might be compelled by it, market choice doesn't change that, and you're still essentially hoping via a numbers game that you don't pick a bad one. This isn't even considering the fact that ISP's beholden to US TLA's might ban VPN's or require their assistance for decryption/tracking.
The VPN's could be a decent solution if a very popular one was a non-profit in a non-surveillance state with protections for consumers built into its charter, contract, whatever. People who were previously shown trustworthy [enough] would have to operate it. The endpoints and monitoring would have to be strong. It would need enough traffic from each country to obscure the users. If it wasn't getting enough, they could pull trick from high-assurance's book to do fixed-rate, fixed-sized transmission constantly from the apps. That would get expensive on bandwidth side, though.
So, it's doable to make VPN's useful until law or ISP policies start killing them. Just hard to evaluate who if any are doing all the above to be trustworthy enough. For now, you're throwing dice for a probabilistic level of protection that's hard to quantify.
I think I might be a little outdated on my knowledge of VPNs, but wouldn't they throw inefficiency into how your traffic is routed around the internet? It's not like you're going for the most efficient exit out of the VPN closest to your intended target, simply the one advertised as a gateway.
VPNs may be a solution to privacy issues, but the whole Internet will be worse for it if everyone were to use one.
I wish we could quantify how much electricity is wasted just routing things around inefficiently from VPNs. How much infrastructure must be upgraded because of the growing use of them. Maybe this would incent ISPs to avoid selling analytic data on its customers?
ISPs should calculate how much this will make them then charge us that much to opt out. Wins all around - the ISP makes every dime they can, privacy-conscious customers aren't abused, unconscious customers don't need to pay more.
Hell, take it a step farther - sell VPN-like anonymization. Think about it, your ISP is technically able to do it far better than any VPN: no impact on speed, no impact on latency, no software required, wouldn't miss any types of traffic, and increases anonymity just by having more customers.
If ISPs don't realize that they can make money selling privacy then they're just bad businesses.
I really believe that engineers live with the belief that "We can work around politics or route around corruption" that only makes us better off. There are many more people who don't have the knowledge to work around it. No amount of engineering is going to educate or move a change in policy. You're essentially saying "I've got mine, so fuck you."
With that being said, given that VPNs are the only practical chance until the software developers of the world start running for Congress, I have gone ahead and paid ipredator for the next two years.
Is there a reason that instead of using a VPN to hide our traffic we don't just have an app that surfs randomly around the net in the background ruining the usefulness of the data collected in the first place?
VPN's are a way for you to choose which provider's or country's policies you want to be under. Obviously this can only happen as long as the powers that be allow it. It is trivial to forbid or block all non-backdoored vpn's for example.
A question which I find interesting is why we can't make these policy choices in the real world. For example, choose which country's social safety net you want and be taxed accordingly. It may be impractical, but are rivers and mountain slopes (aka borders) really the best way to draw a line between two different policies?
Sounds like an indirect way to say you want to privatize social services. If a country is "selling" you a social safety net, you're essentially just paying a company for insurance coverage and/or a retirement savings plan.
Well, I don't want anyone to turn a profit on it, so not particularly. The downfall of letting people choose is that the rich end up opting out, which undermines the system. Maybe I'm arguing the opposite, that there should be a single global system. Or maybe I don't quite know what the right policy is, just that the current system is nonsensical.
I use a VPN and agree it's a solution, but imagine this same line of thinking were applied to telephone lines. What if tomorrow, we removed all regulation preventing telephone providers from scraping your conversations or selling them to the highest bidder.
How fast would the market be able to respond, and what kind of damage would be done in the meantime?
We regulate based on the public interest. It was in the public interest to place limits on telecom. I don't see any reason to treat the Internet differently.
How do I do know what VPN to trust? I guess getting my own server and provisioning everything myself is the answer? I'm sure that'll work fine for average Joe.
VPNs are one solution, it may even be the only possible solution, but I really can't see it as a good solution.
It is super important to keep in mind of course that there may indeed be no good solution, or it may be that the good solution is politically, economically or otherwise unfeasible. In this case a good solution is technically very feasible, but that may often not be the case.
I am just going to write an app to pull random (safe) items every few minutes and poison all the data. Even better, I will have it hit news sites all over the world in different languages and load Amazon and eBay from other countries also. Hum, why I am at it I will have it swap the web browser agent IDs. Hey this could be a fun project.
Completely agree. All we need now is for a major player to step up and say "here's our VPN cloud and it's free to use and we guarantee it's encrypted and won't keep logs. From now on, all our devices will use it by default unless you opt out." I imagine meetings are already being held at Apple to discuss this.
Uh. No but cell tower negotiation over LTE isn't using TCP/IP which is all the VPN has power over. Or am I really confused? The LTE radio is totally independent of internet protocols and can be tracked by cell providers since I must connect to their tower.
I am trying to understand here, what more information ISPs can get other than they have access now? Does this policy let them do man middle attack? Can they access my SSL internet data too?
Federal statute known as 18 USC Section 1702 makes it illegal to open correspondence addressed to someone else. I don't know that the mail services keep statistics of where mail comes from and to, although they likely do, but regardless, they don't get to know what the content is. They don't get to know what I buy from Amazon.. But they do know I shop at Amazon because they see the boxes. ISPs might be able to know you hit these servers but they shouldn't be profiling you based on all your browsing data.
If another person can't open your mail, then why is it so hard for lawmakers to understand that this adds up to the same? You route my mail/traffic, doesn't give you the right to spy into the contents of it, to know what I buy, what media I consume, what my hobbies are, how often I check my bank balances, whether or not I'm left or right leaning based on the news I consume, whether or not I'm shopping for internet at competing ISPs... List goes on. Imagine the depth of the information an ISP can build on you if they have all your browsing information.
The lack of respect shown towards the people who have made these companies possible by buying their services is appalling. And the fact that they keep competition away is even worse.
Provide your services and stop trying to suck in every penny from every potential revenue stream possible.
To make a comparison, just because my car has GPS, doesn't mean the manufacturer should track and sell my location and build a megacorp ads company to interrupt my radio and force me to listen to ads for businesses in my direct vicinity.
Just because you make shoes, and you could integrate piezoelectric energy capture devices, doesn't mean you should integrate tracking devices into people's shoes so you can sell the data to who ever wants it.
Just because you provide a service and because you've squashed competition by lobbying for everything which gives you monopoly, doesn't mean you should drop all sense of right and wrong.
There's countless business models which could abuse data collection and make a few extra bucks, but they don't. Because you don't always have to be a dick. Because at the end of the day, a businesses image should still be important because it is USUALLY what decides if consumers will keep on buying from them or not.. Unless there's no competition....
This by itself is big enough although some will argue its not a big deal. But once you remove all protections, you have no clue how far they'll go and once they go there, its harder to backtrack.
It's not a solution for one simple reason: policymakers can create a "policy" that simply makes them illegal. They don't have to defeat them on technological grounds.
The problem with VPN services, at least when used to circumvent regional restrictions, is that a lot of other people do the same thing, and the VPN provider ends up getting blocked. I've never had that problem when using SSH.
Also, with SSH, I own both the client and server, and setting it up is extremely easy. Setting up a VPN, when you do own both client and server, takes more effort, I think.
Basically, I set up SSH on a server somewhere (I actually have many), and a local SSH key (I don't use passwords with SSH). The SSH server can be a cloud server or a physical one; it doesn't matter. Then, I create an alias in my .zshrc or .bashrc configuration file to easily create a tunnel to that server, like this:
alias <alias_name>="ssh -D 8080 -f -C -q -N <username>@<host>"
Then, I go into my network settings and create a local SOCKS 5 proxy that points to the port I'm tunneling through (8080 in this case). Once I've done this, everything between me and the remote server is encrypted, and it appears that I'm browsing from the remote location. This works well for services that are not available in my country, as long as I can set up a server in the country I want to appear to be coming from.
If you want to keep the SSH tunnel open all the time, you can use autossh, like this:
While using VPNs might protect your privacy in the short-run, it's just a continuation of the privacy-invasion arms race. And it's kinda hard to win a tit-for-tat war when your opponent has an unlimited supply of 'tat', and a whole bunch of armed, well-trained dudes they can send round to your house when you don't comply with their newest rule.
- The US government tries to restrict 'strong' crypto --> people print PGP source code on t-shirts and the government eventually has to accept SSL/TLS.
- The government starts capturing information directly off devices (using regular search warrants etc. --> people start using encryption (e.g. truecrypt, veracrypt) and large device makers respond to consumer concerns by encrypting by default.
- The government starts MiTM'ing everyone's traffic at the ISP and online service provider (e.g. google, microsoft) level, using their newly created pseudo-court, secret warrant process (FISA) --> people start using VPNs.
- The government starts talking about key escrow, banning encryption.....
You can't eradicate a disease by just treating the symptoms as they pop up (in ever increasing severity). If you do this, you'll die. You have to attack the disease directly (and, in many cases, first convince people that they really are ill). So far, we've made one attempt at the direct approach by 'engaging in public discourse'. It's clear this is not effective in this case.
I doubt protesting in the streets would make much of a difference either, if the lead up to the Iraq war is anything to go by. Consider these two quotes from the previous thread (the second is mine), as just one example of the many possible actions that could be taken:
"The Video Privacy Protection Act was passed after Supreme Court nominee Robert Bork's rental history was leaked to a newspaper."
and
"I've always liked the idea of using the copious public video of these politicians to train voice and face recognition NNs, specifically targeting anti-privacy politicians. Maybe even sell pre-made raspberry pis with all of this stuff preloaded for journalists to scatter around places that politicians congregate.
I think it's only fair that these folks get to be the first ones to live in the kind of world they are creating. And none of them should have a problem with any of this, because I'm certain none of them ever do anything wrong and therefore have nothing to hide."
Although one always tends to like one's own ideas, I think this idea has merit, because:
- It's low effort compared to organising protests and then getting everyone to take to the streets
- It directly attacks the source and (assuming you aren't sent to a Federally funded leisure resort for your efforts), creates a 'heads I win, tails you lose' situation: they either pass laws to stop this kind of privacy invasion, or we end up with a long-term selective pressure against anti-privacy politicians. Everyone has secrets...
- It directly educates the public about their "illness" (through example). It shows them exactly how their life could be in the near future if they don't start paying serious attention to privacy issues. If a bunch of angry nerds can pull it off, imagine what the NSA and CIA are capable of...
The time for 'reasoned public discourse' and 'teching around the problem' is well and truly over. It doesn't hurt to do these things, but it does no good in the long-run either. More drastic measures are required.
Somebody needs to put on a black hat and target the congressmen/women and the senators that passed these bills. Release all their internet history, indexed and everything. Put it on some platform like wikileaks.
Crowdfunding some guy to do it is not the answer. We can not trust him.
There sorta is. Install the OpenVPN app, load your ovpn config, and connect. After you do that, there will be a VPN option on the homepage of your settings that will use the connection automatically and will keep you connected when switching networks.
Source: Figured it out over the weekend and have been pleased by it for the past few days.
Pretty much. You use OpenVPN Connect (https://itunes.apple.com/us/app/openvpn-connect/id590379981?...) and set up openvpn on a VPS somewhere. The only exceptions are a few things like Facetime and Apple's push service, which are given special routing treatment by iOS—they skip the VPN.
The iPhone has a built-in VPN client. I've only used it (the IKEv1 client, specifically) to access stuff on my home network, but I have no reason to think that it doesn't respect the routes that the server offers.
This article is saying, basically, that the tendency of ISPs to try to monetize user data is a natural consequence of capitalism, and trying to curb that tendency with legislation is ineffectual compared to the real solutions (fight monopolies, and everyone use a VPN).
I don't buy it. Roughly the same argument could be made about virtually any regulation. "Corporations are incentivized to pollute, so there's no point trying to stop them. Buy a water filter." "People will always try to get heroin, so there's no point in restricting it. Get some naloxone." Damn near every regulation is an attempt to counteract some profit-motivated tendency which is the unfortunate consequence of capitalism. And as regulations go, user data is a lot easier to regulate than drugs or pollution.
"Just get a VPN" might be good advice for individuals, but it is emphatically not the society-wide solution to data privacy. We can and should continue to fight for good legislation that protects us.