Date: 2015-05-26
This article is saying, basically, that the tendency of ISPs to try to monetize user data is a natural consequence of capitalism, and trying to curb that tendency with legislation is ineffectual compared to the real solutions (fight monopolies, and everyone use a VPN).
I don't buy it. Roughly the same argument could be made about virtually any regulation. "Corporations are incentivized to pollute, so there's no point trying to stop them. Buy a water filter." "People will always try to get heroin, so there's no point in restricting it. Get some naloxone." Damn near every regulation is an attempt to counteract some profit-motivated tendency which is the unfortunate consequence of capitalism. And as regulations go, user data is a lot easier to regulate than drugs or pollution.
"Just get a VPN" might be good advice for individuals, but it is emphatically not the society-wide solution to data privacy. We can and should continue to fight for good legislation that protects us.
[1] "The eruption of Mt. St. Helens should have alerted everyone to the ever-present processes of natural pollution (...) In sum, no one has a right to clean air, but one does have a right to not have his air invaded by pollutants generated by an aggressor (...) such aggression may take the form of pollution of someone else's air, including his owned effective airspace, injury against his person, or a nuisance interfering with his possession or use of his land (...) this is the case, provided that (...) while visible pollutants or noxious odors are per se aggression, in the case of invisible and insensible pollutants the plaintiff must prove actual harm; the burden of proof of such aggression rests upon the plaintiff; the plaintiff must prove strict causality from the actions of the defendant to the victimization of the plaintiff; the plaintiff must prove such causality and aggression beyond a reasonable doubt; and there is no vicarious liability, but only liability for those who actually commit the deed." https://mises.org/library/law-property-rights-and-air-pollut...
Certain industries have a tendency to be monopolistic, or else have incredibly high barriers to entry. ISPs should be regulated to protect customer privacy. This is the equivalent of USPS, the public library, and the phone company selling your data to whoever wants it, and it's wrong.
> [...] stop relying on governments for self-protection that you can handle yourself. If it’s not the current administration that will repeal our protections, it will be the next one. And what then?
The whole point of a democratic government is to protect the interest of the majority of their citizens, and the selling of personal data is clearly against the interest of most Americans. In a democracy the tool we have to protect our interests is the law. Unfortunately this tool sometimes is also used by small but powerful actors for their own purposes, colliding with the will of the majority. That's exactly when we have to fight back to keep the government democratic.
VPNs can be used as a temporary workaround by some people, but it's definitively not a good permanent fix for this constant invasion of privacy that many corporations in the US are so willing to attain. Even if you think you have a perfect technical solution (GNUnet? Tor? I2P?) the next administration can simply say that solution is unlawful, and what then? The fact is, sometimes we have to demand our government to do the right thing, and this now is one of those times.
Can't agree more. Corporatist rent-seeking is the fundamental problem with our political economy and/or society. But both sides keep talking past each other (as they are incentivized to do).
Tangent, thanks. This is the phrase I was trying to conjure to mind earlier today in a discussion about the very topic of this thread. Ended up taking a long, exhaustive and context-laden road to get to my point; after which I had already lost an audience but so it goes.
For the interested: https://www.wikiwand.com/en/Rent-seeking
VPNs are a strategy for mitigating an individual's exposure—leaving the monopoly of the ISP intact.
https://arstechnica.com/business/2014/04/one-big-reason-we-l...
https://motherboard.vice.com/en_us/article/the-fcc-cant-help...
https://consumerist.com/2015/05/26/why-your-cable-company-do...
Government regulation contributes much to the cost of investing in infrastructure and starting an ISP business in most areas. I think it would be interesting to see what would happen if that cost could be brought down.
Anti-cartel ones do the latter. Many properly made regulations are not easier to adhere to by big vs small agents.
Regulation is a tool, and it does more or less what the tool user intends it to.
We've seen what the wrong people in power do. Mussolini, Stalin and his gulags, Pol Pot and his genocides, Kim Jong-il, Slobodan Milošević. This isn't a statement about the current US President, but we depend on having right (enough) people in power in a lot more ways than this one policy decision.
On the other hand, we can work for a decade to introduce regulation over the hard-to-define concept of an ISP monopoly, and then spend more decades going through the inevitable break-up and re-conglomeration of these entities under different forms, like we had with the telcos through the last half of the 20th century. In 50 years we may have a landscape that resembles that of the current cellular carriers: three or four large players in most metro areas, fewer rural options, and little real choice among them in terms of QoS or T&C. I suppose this would represent a slight improvement over the status quo?
This is the problem with so many free-market proposals, they would have you off tilting at windmills instead of directly addressing a fairly straightforward problem.
Ideally, you wouldn't rely on trust, i.e. Policy, you would rely on math. As far as we know, judging from the Wikileaks releases, encryption still works.
With pollution, it is a policy issue, because there's no mathematical way to prevent polluters. So we have to negotiate amongst lawmakers, regular people, and corporations.
I think what the author is saying here is that we shouldn't bet our privacy and safety on who is in charge, as we are always one flick of the pen away from losing those protections. I think this is especially the case when there is a mathematical solution to the problem, that doesn't require trust. Obviously, having math and policy would be an added bonus.
> I think what the author is saying here is that we shouldn't bet our privacy and safety on who is in charge, as we are always one flick of the pen away from losing those protections.
Yes, and what I'm saying is that the same is true of every other regulation, which is why it's not a compelling argument against this one. You may have noticed that the same Congress currently gutting privacy protections is also gutting air quality protections...
So, on this point I agree. We should live in a world where lawmakers protect privacy and the environment, and the fact that they don't is disappointing and a short term (hopefully not long term) failure of government.
So far we are in agreement. In addition to that, I think what I'm trying to add is that VPNs are absolutely a way to mitigate the need for lawmakers to do the right thing, a concept in the abstract we all agree on but in reality proves to be very difficult. I'm not sure you're disagreeing with that point or if you think they're mutually exclusive, maybe you can clarify.
To go with your analogy about water filters being a substitution for having protection for keeping water clean. No, of course I don't think it's an effective substitute, but I'm still going to filter my water in addition to demanding that adequate protection is put in place.
So hopefully we are in agreement on that point as well, as they're not mutually exclusive.
But the overall, larger point to be made is we should just always do what we can. So voting is one thing, among other avenues within the process of government, however I'm also going to use a VPN, because, damn it, it works.
One last thing I'd like to say from another comment that I wrote somewhere else in here is that hopefully this will be an impetus for fully decentralizing the internet further, because an ideal solution would be to make it logistically intractable to snoop. A distributed internet, similar to how it was originally envisioned.
We are all engineers and can understand the concept of a patch versus a refactor. Yes, a refactor may be harder, but there is never an excuse to rely indefinitely on a patch; that's how you get burned with technical debt.
The government needs to change to be more responsive to the people and not constantly sell them out at the flick of a pen. Yes, use a VPN! But don't buy the message that there isn't more that can be done. There is, and many people are working tirelessly to see it through. Don't ignore or devalue their efforts to make a better system for people.
Google is already toying with the idea of creating VPNs for consumers. In the case of the Pixel it's legit because they allow you to opt in to VPNing to Google servers on untrusted Wi-Fi connections. The irony is that now Google has even more data on you.
Once your VPN exits, you can still get MitMed/injected on non-TLS resources, so what is the VPN really doing for you? The only thing the VPN does is control which party will spy on you.
The blind lead the blind I guess.
And the FCC has never attempted to regulate that level of privacy.
https://developers.google.com/speed/public-dns/privacy
So they don't track personally-identifiable information directly; it's certainly possible you could de-anonymize someone from their dataset, but most of what they do track is on their end (what machine handled the request, how quickly, etc.)
I think privacy and pollution regulations can be good, but they need to be carefully tracked and aren't always effective.
The best solution for you is always to be a vigilant consumer. Something like this can be protected entirely by doing so. Pollution is harder to defend against. Using a VPN is a great strategy to mitigate these issues before they're allowed to happen to you.
Buying water filters doesn't do anything to the polluting party. They can just keep polluting.
On the other hand, using a VPN makes your data worthless. It allows you to directly hit back at the companies trying to monetize your data. It's entirely different than just avoiding the problem.
Fighting monopolies is an argument for more aggressive application of competition law, to break up monopolies, and disallow anti-competitive conglomeration. But again the article doesn't bring up anti-trust.
The article also doesn't account for the fact that an ISP, without net neutrality regulation, can block or throttle or charge extra, for VPN usage.
edit:
Here's the GofundMe trying to raise money to buy their Internet history. Something tells me this dude is going to run off with the money though
http://resistancereport.com/resistance/crowdfunding-lawmaker...
And even if it was remotely like that, I can guarantee you that the providers will go to lengths to make sure they didn't just lobby millions (speculating, of course) to get this through and then throw the same congress members under the bus that they lobbied to and then hand out their data to get them in trouble with the public.
However, they can do what everyone else does; buy anonymized data for the area person X lives in. They can then use countless techniques (that have been demonstrated repeatedly) to de-anonymize the data and find out about person X.
This is what UK members of parliament did with a very similar bill, where they exempted themselves from the law itself: https://www.independent.co.uk/life-style/gadgets-and-tech/ne...
All-in-all, I think if you donate any money towards these crowdfunding initiatives, you might as well burn that money because it's not going to get people the info they think they are going to get. ¯\_(ツ)_/¯
Politically, it means that people who should be getting angry about reduced privacy are "comfortable" with the fact they can work around it, while a new generation grows up with fewer and fewer expectations of what privacy means. It's short term protection in return for normalization of anti-private behaviours and long term damage.
But I also have a problem with it technically:
Issue: You don't trust ISPs to not sell browsing history.
Solution? Provision a virtual server, set-up a VPN and tunnel.
But your server still has a service provider. It might not be literally tied to your billing information but that was never going to be anyway.
You've shifted which ISP gets to sell the data from "home provider" to "virtual server provider", but there is still browsing data isn't there and it's just as valuable from a private single-use VPN as it is from your home connection.
The idea is to use a VPN provider that keeps no logs and runs many concurrent connections NAT'd behind the same public IP address. That way your traffic is mixed in with everyone else's who's using the service and provides you with an additional layer of anonymity.
I would say the "better" solution would be to find a provider with a good reputation and stick with them, and leave them in a heartbeat if it appears that they've sold your data. It gives them an incentive to continue behaving well through referrals and recurring revenue.
It's disgusting, and I'm disgusted (_yet again_) by the mercenary Republican Party. They are declaring war on me and my loved ones and the vast majority of our fellow Americans and anyone else unfortunate to have to use an internet connection in the US (and live under the rest of their insane policies).
For the record, I signed up for a personal VPN two weeks ago because this anti-consumer outcome was assured with the current party in power in the US.
Stop this BS. The Democratic Party has done pretty much similar bad things that violate our privacy. Are you just good at selectively ignoring things? This is really the fact that every US govt is not for personal data privacy. You have to just accept it (if you are an American).
It's also a good concrete issue to use in understanding that while arguments like "Democrats Do Bad Stuff Too So IDK Apathy" may be persuasive to some people in justifying not voting, it's ultimately not true. If this issue matters to you, there was a ballot box solution to preventing it. Not enough people used it.
If this recent attack on privacy is something both sides support (as you seem to claim), why did the Obama administration set out those rules? And why did the Democrats in Congress not vote for this repeal?
Don't bring that weak Whataboutism here.
It's a "has power" vs "doesn't have power" split.
The Democrats are just as culpable as Republicans. Don't give either party a pass.
A Democratic president put these protections in place.
He expanded the powers of the NSA because he could, or had to, or whatever. I struggle to imagine that he then turned around and used the FCC to push meaningful reform along for his citizens.
I think the burden of proof is on you to show that his track record with government spying should be ignored when thinking about his track record with FCC/consumer protections.
If when given the option you don't use services that keep your data private, why is this a big deal to you when yet another service you use sells your data? If you want privacy you either need to shop for services that provide it, or like this article states, take measures to ensure some level of privacy.
You can select a paid VPN service that helps protect you from specific adversaries. You can roll your own VPN on your own VPS that helps protect you in some use cases.
You can, and should, advocate for good privacy policy.
It has been a few years since my Econ 101 class, but I suggest the author Google "market for lemons". Users have no way to verify the intentions of VPN providers as there is natural information asymmetry. Trust is not an issue that market economies have come up with a good solution to fix. The solution we often use ironically enough happens to be policy and regulation. So maybe this is a policy problem.
https://en.wikipedia.org/wiki/UL_(safety_organization)
There could be an identical service for privacy/internet tech. There isn't, but I'd trust an "Internet Underwriter Laboratory" group way, WAY more than a group of politicians.
So, while I can't speak to how these things _normally_ come about, this is a compelling example of self-regulation entirely outside of the scope of the government.
[0] https://en.wikipedia.org/wiki/UL_(safety_organization)#Histo...
So, how is that problem solved? I can't see what VPN companies are really doing inside their stack. They might very well be logging everything and I have no way to find out other than to "trust them" - so there's no real market mechanism to choose a VPN provider which doesn't log anything.
I suppose it could be in the contract... so do VPN contracts have a clause like that, and how is it enforced?
This is just the start though, you'd also have to guard against common keys and other various gotchas.
Also, another idea is VPN providers might start seeing it as a business opportunity to provide robust, secure connections and advertise how they work. These claims could easily be verified.
Just a start, I'm not an expert in networking, but it seems fairly doable. Obviously MITM is always possible if you're not connecting via ssl.
Also, this could be the impetus for further decentralizing the internet, although who knows how far that's out. The centralization of the internet might have taken things too far and killed the golden goose by abusing their position, incentivizing an acceleration of full decentralization, like with IPFS and their ilk.
You can always run your own VPN. Buy a cheap VPS, and set up OpenVPN to route traffic through it.
I ask because, I use a cheap VPS for a VPN, but wonder if it actually accomplishes anything.
A VPN that sells your information and eventually, inevitably is caught, will lose their entire business. Meanwhile they can make a perfectly good profit just... providing the desired service. There are also people who take the time to investigate these various services, and you can do some work to find one that meets standards you deem to be acceptable.
There isn't going to be a perfect solution here, but the issues with VPNs are really not the issues you raise. My concerns are: Google and other major sites endlessly pestering VPN users with CAPTCHA requests, or the government actually making them illegal. Your concerns are largely answered by researching which product you're willing to buy, not unlike all other similar decisions in life.
Yes, a VPN company caught selling info would crash and burn. The invisible hand would ensure this, etc etc. But only if they got caught, and even then it's not like there would be any actual legal punishment (outside of a lawsuit if they were contractually obligated to not sell the info, I guess). And if selling that info meant double the profits, I doubt the owners who were willing to lie to their customers would feel all that bad or embarrassed. They'd probably also be shameless enough to re-brand.
And all that is ignoring the fact that with VPNs privacy becomes a privilege only to people who can a.) afford it and b.) understand how to use it. And finding a VPN that won't sell your info on the side requires the time and know-how to research it, not to mention even considering that a VPN might sell your info requires interacting with news orgs or people who might bring this concept up.
Chalk this up as another "HN readers don't realize most people don't read HN", color me surprised.
So yes, there are better solutions involving the law, but unfortunately the innocent lambs you're defending are the ones calling us nerds and buying IoT junk!
Is there any evidence for this? I'm pretty sure that in the case of Google, at least, it's a flat-out lie. In fact, they state in massive letters: "We do not sell your personal information to anyone." (https://privacy.google.com/how-ads-work.html) Who would they even sell it to? They're at an advantage having that data themselves.
A question which I find interesting is why we can't make these policy choices in the real world. For example, choose which country's social safety net you want and be taxed accordingly. It may be impractical, but are rivers and mountain slopes (aka borders) really the best way to draw a line between two different policies?
I've heard I can just "disable IPv6" on my Mac, but I don't know the full implications of this. If anyone has any input I'd appreciate this, because then I would use a VPN all the time.
EDIT Sorry I meant to type VPN not VPS, stupid typo.
Any sites you use that are exclusively available only via IPv6 will stop working, but due to slow adoption of IPv6, that list of exceptions is quite small. IPv6 adoption is big in China, but even then the major services themselves are available over IPv4. (Weibo.com doesn't even advertise an IPv6 AAAA DNS record, so the things I read about IPv6 adoption in China may be overstated.)
There are, of course, exceptions. There are a number of intentionally IPv6-only test sites like https://ipv6.google.com that won't work. Things like Google.com which are available over both IPv4 and IPv6 will degrade gracefully if you turn off IPv6 on your Mac, and just connect over IPv4.
https://www.perfect-privacy.com/vpn-with-ipv6-support/
What I'd really like is a VPN that gives me an IPv4 address and an IPv6 /64 so I can have my router do the VPN and route my whole network through a VPN by only configuring one computer.
EDIT: And the full implications of disabling IPv6 are approximately nothing.
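The thread does not say why disabling IPv6 helps; the sketch below assumes the usual concern, that a tunnel carrying only IPv4 leaves IPv6 traffic on the ISP's path. It is an added example, not code from any commenter, and it parses constructed text in the layout of macOS `netstat -rn`; the tunnel interface prefixes and the `/1` route spellings are assumptions.

```python
import re

# Interface name prefixes treated as VPN tunnels (assumption; adjust per client).
TUNNEL = re.compile(r"^(utun|tun|tap|ppp|ipsec|wg)\d+$")
# Destinations that cover all or half of the address space. "default" is what
# netstat prints; the /1 forms are how split-default routes are assumed to appear.
COVERING = {"default", "0/1", "128.0/1", "::/1", "8000::/1"}

# Constructed samples in the layout of macOS `netstat -rn` (not real captures).
V4_TUNNELLED = """\
Routing tables

Internet:
Destination        Gateway            Flags        Netif Expire
default            10.8.0.1           UGSc         utun2
default            192.168.1.1        UGScI          en0
192.168.1          link#6             UCS            en0
"""
SAMPLE_LEAKY = V4_TUNNELLED + """
Internet6:
Destination                  Gateway              Flags    Netif Expire
default                      fe80::1%en0          UGc        en0
default                      fe80::%utun0         UGcI     utun0
::1                          ::1                  UHL        lo0
"""
SAMPLE_V6_OFF = V4_TUNNELLED + """
Internet6:
Destination                  Gateway              Flags    Netif Expire
::1                          ::1                  UHL        lo0
"""
SAMPLE_DUAL = """\
Internet:
Destination        Gateway            Flags        Netif Expire
0/1                10.8.0.1           UGSc         utun2
128.0/1            10.8.0.1           UGSc         utun2
default            192.168.1.1        UGSc           en0

Internet6:
Destination                  Gateway              Flags    Netif Expire
default                      fd00:8::1            UGSc     utun2
default                      fe80::1%en0          UGcI       en0
"""


def covering_routes(netstat_text):
    """Map 'Internet'/'Internet6' to interfaces carrying unscoped covering routes."""
    routes, family, cols = {}, None, None
    for raw in netstat_text.splitlines():
        fields = raw.split()
        if not fields:
            continue
        if fields[0] in ("Internet:", "Internet6:"):
            family, cols = fields[0].rstrip(":"), None
            routes[family] = []
        elif family and fields[0] == "Destination":
            # The header row tells us where Flags and Netif sit in each row.
            cols = {name: i for i, name in enumerate(fields)}
        elif family and cols and fields[0] in COVERING and len(fields) > cols["Netif"]:
            flags, netif = fields[cols["Flags"]], fields[cols["Netif"]]
            # "I" marks an interface-scoped route, which only applies to
            # sockets bound to that interface, so it is skipped here.
            if "I" not in flags:
                routes[family].append(netif)
    return routes


def classify(netstat_text):
    """Say where IPv6 traffic goes relative to an IPv4 VPN tunnel."""
    routes = covering_routes(netstat_text)
    v4 = routes.get("Internet", [])
    v6 = routes.get("Internet6", [])
    if not any(TUNNEL.match(i) for i in v4):
        return "no-tunnel"            # IPv4 itself is not going through a VPN
    if any(TUNNEL.match(i) for i in v6):
        return "ipv6-in-tunnel"       # the VPN carries IPv6 as well
    if v6:
        return "ipv6-outside-tunnel"  # IPv6 leaves via the physical interface
    return "ipv6-unrouted"            # IPv6 disabled or without a default route


if __name__ == "__main__":
    for name, text in [("leaky", SAMPLE_LEAKY), ("v6 off", SAMPLE_V6_OFF),
                       ("dual", SAMPLE_DUAL)]:
        print(f"{name:8} {classify(text)}")
```

On a real Mac the input would come from `netstat -rn`; a verdict of `ipv6-outside-tunnel` is the case that disabling IPv6, or a VPN that carries IPv6, addresses.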
It sounds like you're in the UK - I'm a US person, if I give you my traffic, what will courts say about my expectation of privacy?
I already operate https://smsprivacy.org/ which is essentially a VPN for SMS.
I don't have any way to prove I'm not logging your traffic, but I am a big believer in privacy and promise not to. If you don't trust me, you don't have to use it.
I can think of a few off the top of my head that do:
* Linode
* Vultr
* Tilaa
* DigitalOcean.
https://pbs.twimg.com/media/CeqLfB5WIAAPZZh.jpg
https://www.wired.com/how-wired-is-going-to-handle-ad-blocki...
However, either they've removed it or uBlock is currently winning the blocker blocker fight since I actually can read that article (I hadn't tried.)
If another person can't open your mail, then why is it so hard for lawmakers to understand that this adds up to the same? You route my mail/traffic, doesn't give you the right to spy into the contents of it, to know what I buy, what media I consume, what my hobbies are, how often I check my bank balances, whether or not I'm left or right leaning based on the news I consume, whether or not I'm shopping for internet at competing ISPs... List goes on. Imagine the depth of the information an ISP can build on you if they have all your browsing information.
The lack of respect shown towards the people who have made these companies possible by buying their services is appalling. And the fact that they keep competition away is even worse.
Provide your services and stop trying to suck in every penny from every potential revenue stream possible.
To make a comparison, just because my car has GPS, doesn't mean the manufacturer should track and sell my location and build a megacorp ads company to interrupt my radio and force me to listen to ads for businesses in my direct vicinity.
Just because you make shoes, and you could integrate piezoelectric energy capture devices, doesn't mean you should integrate tracking devices into people's shoes so you can sell the data to who ever wants it.
Just because you provide a service and because you've squashed competition by lobbying for everything which gives you monopoly, doesn't mean you should drop all sense of right and wrong.
There's countless business models which could abuse data collection and make a few extra bucks, but they don't. Because you don't always have to be a dick. Because at the end of the day, a business's image should still be important because it is USUALLY what decides if consumers will keep on buying from them or not.. Unless there's no competition....
This by itself is big enough although some will argue it's not a big deal. But once you remove all protections, you have no clue how far they'll go and once they go there, it's harder to backtrack.
They understand, they just are rewarded by those with a financial interest for treating the cases differently.
http://f1x-2.deviantart.com/art/Robo-President-K3n3-DY-IV-62...
If you want to be in the ad business, stop being an ISP and go into the ad business, but if you're providing a service and that service is internet-for-pay, and we pay you the money you have said it costs to use your service, then it is not reasonable for you to complain that there is more money to be had, and you want all of it.
That's right folks: the overwhelming power of the state to enact actual policy that can impact millions of lives? It crumbles before the power of my 1ghz Atom router. It has AES-NI, after all. That's, like, impossible to beat.
The only way to break the monopolies is with government regulation forcing them to share the lines, because running the lines is the very costly part that stops new ISPs from competing.
How do you solve the problem without policy then?
I'll quote it in full:
>Hey Google, when all email providers sucked you fixed it with Gmail, you run a DNS at 8.8.8.8, and now -- now, I think you know what you need to do now :)
>(I personally recommend you also do a web-based proxy, because who is going to filter https://www.google.com now or in the future?)
>I believe in you. You can do it!
>Counter this chilling effect today - and show more adwords as a result. (There is no irony in this statement. I mean from web sites that opt into adwords, not from selling VPN traffic logs.)
----
Google, pay attention: step up to the plate. Please!
- The US government tries to restrict 'strong' crypto --> people print PGP source code on t-shirts and the government eventually has to accept SSL/TLS.
- The government starts capturing information directly off devices (using regular search warrants etc.) --> people start using encryption (e.g. truecrypt, veracrypt) and large device makers respond to consumer concerns by encrypting by default.
- The government starts MiTM'ing everyone's traffic at the ISP and online service provider (e.g. google, microsoft) level, using their newly created pseudo-court, secret warrant process (FISA) --> people start using VPNs.
- The government starts talking about key escrow, banning encryption.....
You can't eradicate a disease by just treating the symptoms as they pop up (in ever increasing severity). If you do this, you'll die. You have to attack the disease directly (and, in many cases, first convince people that they really are ill). So far, we've made one attempt at the direct approach by 'engaging in public discourse'. It's clear this is not effective in this case.
I doubt protesting in the streets would make much of a difference either, if the lead up to the Iraq war is anything to go by. Consider these two quotes from the previous thread (the second is mine), as just one example of the many possible actions that could be taken:
"The Video Privacy Protection Act was passed after Supreme Court nominee Robert Bork's rental history was leaked to a newspaper."
and
"I've always liked the idea of using the copious public video of these politicians to train voice and face recognition NNs, specifically targeting anti-privacy politicians. Maybe even sell pre-made raspberry pis with all of this stuff preloaded for journalists to scatter around places that politicians congregate.
I think it's only fair that these folks get to be the first ones to live in the kind of world they are creating. And none of them should have a problem with any of this, because I'm certain none of them ever do anything wrong and therefore have nothing to hide."
Although one always tends to like one's own ideas, I think this idea has merit, because:
- It's low effort compared to organising protests and then getting everyone to take to the streets
- It directly attacks the source and (assuming you aren't sent to a Federally funded leisure resort for your efforts), creates a 'heads I win, tails you lose' situation: they either pass laws to stop this kind of privacy invasion, or we end up with a long-term selective pressure against anti-privacy politicians. Everyone has secrets...
- It directly educates the public about their "illness" (through example). It shows them exactly how their life could be in the near future if they don't start paying serious attention to privacy issues. If a bunch of angry nerds can pull it off, imagine what the NSA and CIA are capable of...
The time for 'reasoned public discourse' and 'teching around the problem' is well and truly over. It doesn't hurt to do these things, but it does no good in the long-run either. More drastic measures are required.
If it isn't possible, can anyone explain why?
I don't have an iDevice so I don't know for sure, why do you think this'd be a problem? Or am I misunderstanding your question?