
Comcast wants to sell your Web history to advertisers - walterbell
https://www.washingtonpost.com/news/the-switch/wp/2016/08/03/comcast-wants-to-sell-your-web-history/
======
zarriak
>A bargained-for exchange of information for service is a perfectly acceptable
and widely used model throughout the U.S. economy, including the Internet
ecosystem

Isn't bargaining a two sided affair?

Also something that should be part of the article and is a LARGE omission is
the fact that Comcast is literally a shareholder in Hulu.

This could mean it is them selling ads on a service they are owners of using
the data they gathered as an ISP and not only as a service, like the data
Netflix would have. It seems to me a much more egregious offense then them
selling my data, something I expect to happen with a monopoly.

Comcast is the company that seems like the entity that one would provide as an
example of why Libertarian ideology can't feasibly work, but the example would
seem so absurd it still shocks me it exists.

~~~
mtgx
I was with you until you mentioned the Libertarian ideology. Comcast's
position is not aided by the "free market". If there was a free market, there
would be a ton of other competitors that wouldn't be willing to do this and
people could switch over to them.

Comcast has its monopoly position because most cities and states give them
local monopoly - which is like the opposite of what a libertarian would allow.

~~~
Keverw
Yeah, only one cable company per area. The only option is a 3G/4G hotspot
which charges per GB and is outrageous, then slower DSL. Some people are lucky
to have Fiber offered.

Cell phone carriers, there's only 4 I think nationwide than all the other
"carriers" just resell them as a white label.

I never got why 1GB is $10 a gig, when with a VPS I can buy bandwidth for like
10 cents a GB. Why a 100x price increase for just making the bandwidth
wireless?

~~~
talmand
>> Why a 100x price increase for just making the bandwidth wireless?

Because they can and will continue to do so as long as they can.

------
bo1024
Imagine if car companies were allowed to sell your driving location history.

That's why their analogy to websites collecting data is awful, by the way: I
cam choose whether or not to visit a particular place, but my car goes with me
no matter where I go.

~~~
Unklejoe
I remember reading an article a while back about BMW attempting to use
location information to display ads for certain stores on the integrated
display (iDrive). They even talked about using the weight sensor on the seat
(for the air bags) to determine if there was a child in the car or not so that
they could optimize the ads.

I can't seem to find a link though. Apparently, the idea was scrapped due to
negative publicity, but who knows...

I do know that my car (2011 BMW) has a GSM telemetry link that is in periodic
communication with their dealer network, even well after the warranty expired.
I get calls all the time from my local dealer saying that my "car called in
requesting service". I would normally call BS, but this always occurs after
the service light comes on (I change the oil myself and sometimes forget to
reset the oil life system).

------
mrweasel
How much is a persons browsing history going to be worth in the long run? I
simply don't see how anyone can make money on knowing that I spend five hours
a day on PornHub, two hours on Hacker News and 15 minutes on the Django
documentation.

Or even that I primarily spend my money on Amazon when actually buying
something.

~~~
smackay
You do not seem to provide much direct sales potential but perhaps a future
mrsweasel, employer or insurance provider might find that information very
useful, valuable even.

~~~
mrweasel
You're right in that respect, but it says "to advertisers". My data would be
valuable as potential blackmail, or as you suggest: Not giving me a job, but
for advertisers not so much.

It's my feeling that for the majority of people their browsing data will
rarely translate to direct sales.

~~~
akerro
Dear mrweasel,

Our unencrypted database was compromised and all your browsing history and our
analysis of your daily habits is now on sale on
blabnlablabla.onion/sell.php?product=123 starting from 0.002BTC per year of
history of a user.

------
nstj
After making a reasonable outlay on a watch in a bricks and mortar store
recently and then being retargeted aggressively by watch manufacturers on my
browser (apparently card companies selling purchase history is par for the
course) I became rather upset about the whole "we like to track everything you
do because advertising" theme of the web.

I was recommended and have started using the free "Privacy Badger" Chrome
extension from the EFF which is exceptional. The web sans skeezy cookies and
3rd party tracking is a rather different (and enjoyable experience). What's
really funny too is that some sites (Bloomberg is an example) simply won't
work without all of these nasty trackers switched on.

~~~
geoka9
How is it possible to connect your browser to a credit card you used at a
brick and mortar store?

~~~
walterbell
Data brokers like Axciom collect offline purchase transactions and have
partnerships with Facebook, Google and others,
[http://blogs.wsj.com/digits/2014/05/14/data-broker-acxiom-
mo...](http://blogs.wsj.com/digits/2014/05/14/data-broker-acxiom-moves-to-tie-
physical-world-to-online-data/)

~~~
MichaelGG
From that link: > The company was censured by Facebook for the practice, which
involved pulling data from apps against the social network’s rules.

Sounds like they just ran an app and misused the API? Are FB and Google really
allowing this kind of stuff? Random companies like United, meh I don't expect
them to have much scruples. But Google and FB?

Any info on which banks/companies do this? Does it happen with debit cards,
too?

~~~
nstj
> Yes, Your Credit Card Company Is Selling Your Purchase Data To Online
> Advertisers[0]

[0]: [http://www.businessinsider.com/credit-cards-sell-purchase-
da...](http://www.businessinsider.com/credit-cards-sell-purchase-data-to-
advertisers-2013-4)

~~~
MichaelGG
That's not even close. That's CC companies selling aggregated data. That
generally won't identify a user, to link their CC purchase of a watch with
watch related ads. (Unless they were the only customer in that region.)

The link says MasterCard sells info on which ZIP codes have which purchases.
That's extremely different than offering a cookie (or somehow identifying) to
say "this guy bought a watch".

------
bogomipz
"Most of us agree to give up our data in exchange for using online services
such as Google, Netflix and Facebook. Cable and Internet providers have said
it's only fair for them to compete on the same playing field."

No Google and FB are free. Comcast is not only not free but an expensive
service and often a monopoly in a market.

This is how it starts, Comcast dips their toe into the water and if it cant
get away with this on some limited basis, then it will eventually become the
default. AT&T and Verizon are already doing this with wireless businesses.
Their argument was also that FB, and Google were doing this and they needed to
as well in order to compete.

If this happens we will need to purchase VPN service from a third party in
order to protect us from the monopoly internet provider. What a sad state of
affairs this will be.

P.S., Can you anyone tell me what I would agree to give up with a Netflix
account? This is news to me.

~~~
Amir6
Your browsing pattern on their archive, your watching history, your watching
pattern (in terms of time of day, days of week, time of year) as well as
location history and ... .

~~~
bogomipz
Oh sure but they aren't selling that data to third parties are they?

------
eatbitseveryday
Wouldn't use of VPN bypass their ability to collect my browsing habits?

If difference in cost of service > cost of monthly VPN, this might be an
interesting loophole.

~~~
Klathmon
Sadly using a VPN for general usage is getting more difficult.

Many sites block traffic from known VPN providers (PCPartPicker.com just
leaves an unhelpful message similar to " we are down right now" of you connect
over some VPN providers), and sites like Netflix are blocking all VPNs they
can in an effort to stop people from watching things outside their region.

I used to run my whole house through a VPN 24/7, but now I need to only turn
it on when I know it won't cause issues.

~~~
whoopdedo
What about data center IPs? A pay-by-the-hour VPS can be cheaper than any VPN
service. I've been using one recently and it hasn't been flagged by any site I
care about.

~~~
ryan-c
I had a bank account locked to the "show up in a branch with id" level for
this.

~~~
michaelmrose
So explain that if it happens again you intend to switch banks.

~~~
vkjv
Not me. I'm very happen when this happens. When it comes to identity, it's far
easier to deal with false positive than theft. For example, my credit card
gets flagged for fraud every holiday when I go on a gift card purchasing
spree. I have no problem with this.

------
Esau
This might be one of the reasons Comcast is so keen to put cable modems with
built in WiFi into people's homes. This would allow them to track Web history
all the way down to a particular device. (It could also probably be used to
track down who's particular computer was used in file sharing.)

------
eternalban
How is this different that a telephone company selling the record of phones
you have called?

[https://www.fcc.gov/consumers/guides/protecting-your-
telepho...](https://www.fcc.gov/consumers/guides/protecting-your-telephone-
calling-records)

~~~
hammock
Verizon actually already sells your web history.

------
sbw1
Wait, are they planning to track data and sell targeted ads, or to literally
sell web history? The headline implies the latter but I can't see in the
article where it says that.

That is a pretty huge distinction..

~~~
_archon_
There is a significant distinction here, but I opine that either behavior is
unacceptable for an ISP. I'm reading this and the comments and imagining a
telco switchboard operator listening to my call, and then randomly either
breaking into my call to suggest I buy something (targeted ads), or then
publish the full text of my conversations to any third party (history). And I
do mean the full text. The link from home to your ISP must necessarily contain
all the inputs you request of the web. This is not analogous to your call
history; your computer is only making one "call" (to the ISP) and is having a
long "conversation" (all your Internet activity) within that "call".

Disclaimer: I'm not very proficient at how the Internet works at this level.
My comment's making it sound more and more like a pen register.

------
nkrisc
I wouldn't be so opposed to this if we had more choice of an ISP.

~~~
UnoriginalGuy
If we had more choice they wouldn't try to do this to begin with. They're only
doing this because so many of their customers effectively have no other viable
choice.

------
cmurf
Google gets web history via Google DNS, and they're the advertiser. So, I
don't know that we really care about ISPs collecting and selling similar data.
Probably the distinction is we trust Google more than Comcast with the
handling of this data, and possibly to what degree we as individuals are
abstracted from aggregated data, compared to what Comcast is capable of
collecting.

If the trust is low enough to prompt paying more money to Comcast for a non-
tracking tier of service, why trust that Comcast is in fact not tracking their
non-tracking tier anyway? Why not just pay for VPN service? Or maybe some
combination of OpenDNS's DNSCrypt plus HTTPS is sufficient?

~~~
medmunds
I think the distinction is Google has specifically said they _won 't_
correlate Google Public DNS data for targeting advertising [1], while Comcast
is specifically saying that's exactly what they _do_ want the option to do.

If you don't trust either company, that distinction won't matter. But if you
take their statements at face value, there is a difference.

[1]
[https://en.m.wikipedia.org/wiki/Google_Public_DNS#Privacy](https://en.m.wikipedia.org/wiki/Google_Public_DNS#Privacy)

------
gggggg11111
People keep recommending VPSs or ssh/vps/socks running on a VPS

the problem is that if you go to likes of amazon and then place an order your
account will be yanked in minutes

good luck then trying to get anyone human there to help you, you are
automatically blacklisted

~~~
Sir_Cmpwn
Not if you use SSL on top of your proxy/VPN.

~~~
gggggg11111
You dont get it, =commercial datacenter ip ranges are blacklisted or trigger
flags

------
cpeterso
I would be surprised if they didn't already track their customers' browsing
history (and DNS lookups for insight into HTTPS browsing). Maybe they have to
announce it now that they want to sell the data.

~~~
userbinator
_and DNS lookups for insight into HTTPS browsing_

No need, SNI will tell you the hostname in the stream itself.

~~~
eatbitseveryday
I was going to suggest we can change our DNS to someone other than our ISP,
but if what you say is correct, then that becomes irrelevant, too.

~~~
ekimekim
That doesn't help, they can read your DNS requests as they pass through.
Unless you do as some others here suggested and use a full VPN.

------
Keverw
Wow. As long as they don't try to do it for https which is probably impossible
unless some major flaw is found or you install some plugin. I think in 2016,
installing software for an ISP is so outdated, reminds me of AOL and if they
went that route I doubt they'd be able to even write software/plugins for all
the devices people use such as iOS. It'd basically be spyware.

I do know though with my ISP DNS, I do get ads and search like results on
domains where DNS doesn't resolve, but with Google DNS that never happens :)

~~~
AndyMcConachie
HTTPS doesn't encrypt the SNI information so Comcast can still tell what sites
you're visiting. They can also sniff all your DNS traffic even if it's going
to Google's DNS server. DNSoTLS is not deployed anywhere except in testing at
this point.

~~~
Keverw
DNS isn't widely encrypted yet? That's scary.

So does that mean if a rogue ISP wanted to, they could serve up Twitter.com on
their internal network and return their fake DNS record instead assuming the
user's cache expired?

Kinda like a man in the middle but at the DNS level... Only problem is pretty
much every, if not all SSL cert company requires domain verification. So they
couldn't probably easily fake the SSL part for Twitter.

~~~
hawski
With DNS encryption your ISP still sees IPs correct? Then it can do reverse
DNS lookup. Then it can also serve whatever it wants on said IP.

When I write in browser twitter.com/give-me-lots-of-pr0n does it first connect
with twitter.com's port 80 and sends an unencrypted GET request with /give-me-
lots-of-pr0n to receive redirect to
[https://twitter.com/](https://twitter.com/)?

~~~
Spoom
> When I write in browser twitter.com/give-me-lots-of-pr0n does it first
> connect with twitter.com's port 80 and sends an unencrypted GET request with
> /give-me-lots-of-pr0n to receive redirect to
> [https://twitter.com/](https://twitter.com/)?

Probably not, in this case, because Twitter has implemented HSTS[1], and
are[2] in a list that comes with your browser that specifies _never_ to
connect to the site unencrypted. If they're in the browser list, your browser
will never actually connect on port 80; it will silently redirect client-side
to HTTPS.

1\.
[https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security](https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security)

2\.
[https://hstspreload.appspot.com/?domain=twitter.com](https://hstspreload.appspot.com/?domain=twitter.com)

------
criddell
Of course Comcast wants to do it. If it makes them more money, don't they have
a duty to their shareholders to use that asset to generate profit?

It does bother me that privacy is turning into something for the wealthy.

I also think about how companies like Facebook gather an unbelievable amount
of information about me and use that to generate $15 every 3 months (I'm in
the US). I wish I could just pay $5 every month for an ad-free version.

~~~
eropple
_> If it makes them more money, don't they have a duty to their shareholders
to use that asset to generate profit?_

Unless explicitly laid out in their corporate charter, no. There is no default
effective fiduciary duty to do _anything_ related to profitability, be it
"maximize" or otherwise.

This is one of the more pernicious myths about the idea of the corporation
that needs to be killed.

~~~
ImprovedSilence
>> here is no default effective fiduciary duty to do anything related to
profitability, be it "maximize" or otherwise

I'm not entirely sure that's 100% true. I know the one thing I've seen before
when "duty" to shareholders comes up:
[https://en.wikipedia.org/wiki/Dodge_v._Ford_Motor_Co](https://en.wikipedia.org/wiki/Dodge_v._Ford_Motor_Co).

~~~
eropple
"Interests of shareholders" does not mean the same thing as "maximizing
profits." For example, a forward-thinking Comcast executive could make the
argument that the goodwill from not looking like creepy spying dudes hiding in
your hedges outweighs the short-term increase in revenue.

~~~
lawnchair_larry
That's exactly the same as maximizing profits.

~~~
eropple
That depends on where you're standing and what your timeframe is. Which, by
itself, is enough to put the boot to the aforementioned pernicious lie: it's
impossible to "maximize profit" for the shareholders, because the shareholders
aren't unified in purpose.

------
sandworm101
VPN. Turn them into the dumb pipes they should be.

~~~
ocdtrekkie
The challenge is, then your VPN endpoint has access to all of this data. So
who's your trustworthy VPN endpoint?

~~~
socceroos
Your own VPS, I guess.

~~~
mrweasel
Now you're just trusting the VPS provider.

~~~
superuser2
At least you can pick between VPS providers. The only way to opt out of
Comcast (generally) is to move.

------
larrik
This wouldn't be that bad, except for the fact that they won't properly
disclose it, and I bet the "non-discounted" plans either won't exist or will
be extremely expensive

------
matthewcford
What do you think Facebook and Google are doing...

