
No privacy rules needed: ISPs say Web browsing isn’t “sensitive” data - af16090
https://arstechnica.com/tech-policy/2017/03/isps-say-your-web-browsing-and-app-usage-history-isnt-sensitive/
======
shshhdhs
If I visit a healthcare information website, like webmd.com, and it's
unencrypted, then my service provider knows my name, address, and health
attributes. If they kept logs about my visit to those pages, would this be
considered PHI under the context of HIPAA? If so, perhaps a lawsuit could
force a judge to claim service provider logs are indeed sensitive.

Looking for other's thoughts...

~~~
omouse
Tor and VPN up. If this is how ISPs feel we should be treating
encryption/privacy as a self-defense thing, kinda like insurance or home
security.

~~~
cmurf
AT&T, Charter, and others, have toyed with the idea of blocking Tor and VPN
unless you buy a higher tier permissing those services. AT&T was charging $30
a month extra for this tier. And even now there are many reports still of
performance tuning when using VPN, slowing down the connection.

These are classist policies and should be illegal. It is not OK in a civil
society to say privacy is a product people buy, rather than a right.

------
towb
Swedish ISP Bahnhof used the argument that an ISP shouldn't be seen as
anything else than a postal service delivering packages. So this sort of feels
like they want to open your letters, scan them, and maybe throw in a few
coupons on matched words. But worse.

~~~
yogenpro
That's exactly what Chinese ISPs have been doing. They occasionally insert an
HTML snippet to HTTP responses to create pop-up ads.

(Scanning the data is done on government level so I won't even bother to
mention it)

~~~
em3rgent0rdr
Xfinity WiFi tried this in 2014: [https://arstechnica.com/tech-
policy/2014/09/why-comcasts-jav...](https://arstechnica.com/tech-
policy/2014/09/why-comcasts-javascript-ad-injections-threaten-security-net-
neutrality/)

------
jlgaddis
I work for an ISP and I can't imagine looking our customer's web browsing and
such. The closest I come to that is Netflow data but (in our case) that's
aggregated and doesn't identify specific customers.

> _" Web browsing and app usage history are not 'sensitive information,'" CTIA
> said_

I wonder if they might feel differently if someone hacked them or their ISP
and posted a month's worth of traffic logs, etc., for the public to see.

Maybe if the Internet histories of a handful of the top-level folks at these
organizations were shared with the world (along with their identities, of
course), they would change their mind.

~~~
toyg
I wish every reporter ever interviewing people like this would just reply "can
I see your browser history then? Right now? Why not?"

------
username223
> Moreover, CTIA claims that Section 222's use of the phrase "customer
> proprietary network information" demonstrates that the regulation doesn't
> necessarily cover "personal" information. Section 222 provisions "apply only
> to commercially valuable—not personal—information," the group said.

Since the ISPs are planning to sell that personal information, it sure seems
commercially valuable. It's a shame that, instead of ISPs simply not being
dicks (er, "unlocking value"), we will have to waste time and money to encrypt
everything and route it through TOR.

~~~
m3ta
TOR is free and is specifically for the purpose of anonymizing your connection
to the website you're visiting. This article isn't about authenticity of your
identity, it's about confidentiality of your browsing history.

Using a simple free VPN to encrypt your traffic is enough. This does not cost
time or money. Neither does TOR.

You shouldn't trust your ISP to not be collecting your information in either
case. Even if they say they aren't spying on you that does not mean they
should be trusted with any of your plaintext data.

~~~
bluehazed
Please don't use free VPNs. Good VPNs that don't keep logs are not expensive,
usually a few bucks a month.

~~~
m3ta
Of course you shouldn't use a free VPN for anything sensitive, but to obscure
your browsing data (like what you search for or what media you consume) it's
completely fine.

~~~
bluehazed
No, it's really not. Free VPNs aren't free for the sake of it; as the old
adage goes "if you're not the customer you're the product".

~~~
btrask
Even if you're paying you're still an additional revenue stream, as this
article about paid ISPs demonstrates.

------
guelo
For some reason Oracle came out today in support of the ISPs and against
privacy: [http://www.multichannel.com/news/policy/oracle-pai-
repudiate...](http://www.multichannel.com/news/policy/oracle-pai-repudiate-
wheelers-tech-favoritism-policies/411586)

~~~
c0nducktr
If there's one company you can always count on to do the wrong thing, it's
Oracle.

~~~
ebcode
Bryan Cantrill gave the most wonderful rant on Oracle/Ellison at LISA XXV:
[https://www.youtube.com/watch?v=-zRN7XLCRhc](https://www.youtube.com/watch?v=-zRN7XLCRhc)
(rant starts at 33:00)

Two gems from the rant are, "You actually don't need to be open-minded about
Oracle," and "Don't anthropomorphize the lawnmower."

~~~
nickpsecurity
That was great. Moreover, it gave me an idea. Oracle has been going after
Android in patent suits. Joyent had patents on Solaris-based technology for
cloud-style stuff Oracle might be interested in. Joyent was acquired by
Samsung, a major Android vendor. I wonder if part of Samsung's motivation was
countering Oracle with the I.P. Joyent had.

------
pasbesoin
And yet, someone hits a publicly visible (no authentication) AT&T URL
repeatedly, and he gets convicted of "hacking".

If so, then why should AT&T get a pass for repeatedly snooping and recording
my activity?

------
TheAdamist
Who wants to chip in to help buy the web browsing histories of all the
politicians who support this? For advertising purposes.

------
killerpopiller
as a European I pity you for not having data protection regulations. Instead
you have to deal with unregulated, unreasonable despotism.

ISPs are telecommunication providers and bound to special secrecy, disclosing
browsing history is punishable by criminal law (§ 88 TKG in Germany).

Cambridge Analytics showed us, how dangerous it is for democracy to know users
habits, values, attitudes, preferences and their contact details and how easy
it is to manipulate individuals.

US-Americans, you seriously need to wake up and get your democracy back before
your society is to Orwellian.

Also, you are giving a bad example. And stop cheering USA USA USA, your
society is malformed and dysfunctional, you shouldn't be proud of it and lie
to your self about it.

------
otempomores
Well thats great.. Now if every employee has zero secrets..there is absolutely
no chance this is used for industrial spionage.

------
BrailleHunting
"You are not just the consumer, you are also the product."

------
simplehuman
Same argument as Google. When I use an ISP, I willingly forego my data. This
is fine. I have nothing to hide. Who will come after me?

/s

------
Taniwha
Surely this for us to decide, not our ISPs?

------
ReverseCold
Only read the title but I'm assuming the title is sensationalized, no one
would say that, right?

~~~
bo1024
There's a link[1] to their filing in the article. The title of Section II.B.1
is

> Web browsing and app usage history are not “sensitive information.”

[1]
[https://ecfsapi.fcc.gov/file/1031683478226/170316%20CTIA%20R...](https://ecfsapi.fcc.gov/file/1031683478226/170316%20CTIA%20Reply%20to%20Oppositions%20to%20Petition%20for%20Reconsideration.pdf)

------
shmerl
No opt-in. So how can one opt out of ISP snooping?

~~~
TheAdamist
vpn to a server you control and hope that isp isn't snooping too?

------
noja
Then what is

------
canadian_voter
_The FCC defined Web browsing history and app usage history as sensitive
information, along with other categories such as geo-location data, financial
and health information, and the content of communications. If the rules are
overturned, ISPs would be able to sell this kind of customer information to
advertisers._

Don't Facebook, et. al. do this already? Don't most people spend most of their
time on Facebook anyway? ISPs just want a cut of the action.

~~~
paol
Facebook is an endpoint people choose to interact with explicitly and
voluntarily. If FB collects information, they are collecting information about
communication to which they are a 1st party.

This is very different from a service provider collecting and selling
information about communications between third parties.

~~~
ocdtrekkie
I'd argue on the contrary, that both Facebook and Google via their ad networks
and analytics tools embedded on websites collect an incredible amount of
information that was not explicitly or voluntarily permitted by the user.

~~~
paol
I don't necessarily disagree, but even then they can only do that if the user
is visiting a FB or Google property, or a property that has entered into a
relationship with them.

A service provider, on the other hand, is in a position that has absolutely no
legitimate claim on the contents of communications between third parties.

Postal services are not expected to rifle through the contents of their
customer's packages. Phone companies are not expected to record people's phone
calls (or even reveal who's calling who). There is no reason why data
communication providers should be allowed to do these things.

~~~
eveningcoffee
In principle nor ISP, nor Facebook is different from postal service. Their
only function is to be an intermediate between users.

I would argue that as postal services can not force you to give up you a
privacy with the contract terms (you are entering into a contract by sending a
mail), so should not Facebok or ISP.

