
I'm not American, so please correct me if I'm wrong but I have yet to see any proof of this whole 'sell your internet history' complaint that seems to be blatantly copied by everyone without any research.

The way I understand it is that ISPs can sell anonymized data from groups of users. Like: people who visit news.ycombinator.com generally also visit stackoverflow. I also don't know how an ISP would get your actual internet history if the website uses HTTPS.

Yes, I am a strong supporter of NN and I was appalled when the EU diluted it, but this reply is directed at your 'ISPs who are allowed to sell users' browsing history' part.

The common response to this is that ISPs have access to everything you do (which is true), and that they could sell that (which is false).

The regulations being overturned here are ones that have only recently taken effect, and non-anonymized, non-aggregate selling of ISP data is still outlawed by the Cable Communications Act of 1984, which protects subscriber privacy in 47 USC § 551[1].

Put simply, neither the most recent executive order, nor a reversal on Net Neutrality overturns that law on the federal register.

Of course, if Congress were to draft a bill that does so, the current fears would be well justified.


"Anonymized" aggregate data is not as anonymous as you might think. This study [1] was able to accurately de-anonymize users based on internet history and public social media 70% of the time.

[1] http://randomwalker.info/publications/browsing-history-deano...

Legally, is there a minimum requirement for what it takes for data to be considered "anonymized"? Just because the customers' billing info isn't included doesn't mean you can't figure out who is responsible for traffic.

There might be multiple options that the federal government would respect:

* https://www.gpo.gov/fdsys/pkg/USCODE-2010-title5/html/USCODE...

* http://ws680.nist.gov/publication/get_pdf.cfm?pub_id=904990

Legally, I can't think of a case where it's been tested that didn't lean the government's way, so who knows?

So you're saying this most recent regulation does absolutely nothing, even though it was the highest priority for the incoming industry friendly regulator. Seems doubtful that some 1984 law is going to protect our browsing data.

I'm not saying it does nothing. I'm saying it doesn't do what people think it does.

Repealing the Obama rule does mean that you can't opt out of data collection or sale. It does not mean that your individual browsing records are available to anyone with enough cash. Moreover, many of the rules Trump's executive order overturns had either very recently taken effect, or not yet taken effect.

There may be much theoretical damage from overturning the regulations, but the practical effect here will be minimal, and limited because of the other laws that already exist to prevent exactly the doomsday scenario many are predicting.

I'm not saying that Trump isn't after your privacy rights, but the surest test of that will be whether or not he goes after or seeks to circumvent the 1984 protections I referenced earlier.

You're correct. But only because - per Chaos Monkeys, Dragnet Nation, and the like - your data is already being captured, aggregated, and sold. If that's your concern, you're too late. On the other hand if your concern is specific to ISPs (as opposed to other entities you don't even know) then sure worry and complain. But at least your ISP has an incentive to not go too crazy, as the data they sell could be used to market to you to leave that ISP ;)

You can turn cookies off or similar, or you can choose to not use or employ such services. That the ISP can do this, without your consent - each DNS lookup, each TCP connection you're making - is a whole different thing.

I think it is truly insane.

Fyi...They can, with reasonable accuracy, track you across multiple devices. And that was 3+ years ago. I'm sure it's only gotten better since.

I do agree. There are some things you can do to mitigate things. But at some point you have to be you (e.g., FB, etc.) and as small and minor as such digital breadcrumbs might seem, they add up.

Using Facebook is a rather large bread "crumb" though. Not using it is easy enough and you're making it easier for your other privacy-conscious friends to do the right thing.

I don't know anyone who would fault me for not being on Facebook (yes I know this has a strong selection bias). Only time was at a convenience store, looking a bit puzzled I had to scan my ID-card in some device (to buy cigarettes[0]), the guy explained this was announced on Facebook, I (completely neutral, matter-of-factly, already having complied with the ID-device thing) replied I don't have an account on Facebook which he took as a cue to start some anti-privacy diatribe at me. My guess he was probably having a bad day, possibly from other people giving him a much harder time about the ID thing. I finished the transaction, excused myself because I (really) had to catch a bus, and wished him a very nice day.

My point is, when I look around, it seems like Facebook is going the way of the cigarettes. The majority of people (that I know) know of at least one or two scandalous things that are deeply wrong about the way Facebook treats privacy and manipulates its users. Of those people, a good chunk hate it, really want to quit, but feel they can't due to social pressure or addiction. Just like cigarettes. Others make excuses about convenience, little vices, relaxing. Just like cigarettes.

I don't know how many of you are old enough to remember that you could smoke in trains, bars, in restaurants while people were still eating 2 metres next to you. As late as the early 90s. And only after those bans people started to dare to ask if you could maybe smoke outside, in home situations, even if they're the guests and it's your home (I was younger and inconsiderater).

If you don't remember you maybe also don't remember how thoroughly ingrained the social act of smoking was in society. Only a few decades ago, nobody could imagine where we are today. Smoking was just so normal, even if you didn't really, you would occasionally, your friends would offer, people just liked it too much, were addicted too much.

The almost-entirely-non-smoking-everywhere society we have today was seen as an impossibility. We could never get there, we couldn't change or impose, people wanted it too much. And it was a hard transition before it got momentum, but it did in the end. I personally, as a smoker, welcomed these bans, because I figured it would make it easier for me to quit (hint: if you're addicted, you still have to quit by yourself. those bans maybe helped me the first 5% of quitting).

The point is, it may seem impossible to imagine a way out of this anti-privacy swamp. But it's not too late. Just remember the cigarettes and how far we got. DON'T let anyone tell you it's useless to refrain from using surveillance tech X just because "you're going to be tracked any way because P, Q and R" (being your phone, CCTV and the NSA). The fight is NOT lost, not at all. It's just getting started, now that people are slowly realizing they don't actually really want this, they are mostly made to want this, and more and more people want it to stop, and it would help if only everybody else would stop shoving it in their face.

Just because it seems impossible now doesn't mean we should roll over, curl up and stop voicing your dissent, ever.

Then maybe our kids (or other people's kids--who didn't ask for this either) can grow up in a society where they're not quite as pervasively tracked and surveilled as our generation.

If it helps maybe to imagine the next impossible thing, imagine everybody securely wiping the exabytes of private data they've collected on us so far. I really can't see that happening either and it kind of gives me hope in a weird "wishing on a star" kind of way, because other important things used to seem just as impossible.

[0] I've quit since. It's hard. Very hard. Unfathomably harder for some people than others. I will never judge an addict in my life.

But NOT being on FB is also a signal. A signal I presume can be detected and noted somewhere. Frankly, I don't think staying off FB is enough. And not being there, should you make the evening news for some strange reason, will mean you're labeled as antisocial, loner, etc.

That section of law says they can sell your data with prior written or electronic permission.

47 U.S. Code § 551 (c)(1)

Except as provided in paragraph (2), a cable operator shall not disclose personally identifiable information concerning any subscriber without the prior written or electronic consent of the subscriber concerned

So this section of the law, though another might, does not support your statement that "that they could sell that (which is false)".

I think you're misreading it, unless you have reason to believe that you've already given your permission. Either way, the regulation that Trump's EO overturns also allowed you to opt in if you wanted to.

> non-anonymized, non-aggregate selling of ISP data is still outlawed by

Your statement is too strong. It's not outlawed. There is a relatively easy avenue for ISPs to sell this type of data, and it's written into the law, and not some sort of weird loophole. It is voluntary that they have not pursued it on their part.

I believe that pretty much every single customer has given their "permission" in that sense, the standard contract or terms&conditions would include language that says that you consent to such information "being processed by selected partners" or something like that.

Wouldn't a privacy policy cover "the prior written or electronic consent of the subscriber concerned"?

If so, I don't know how the Obama regulation would have been any different.

47 USC 551 only applies to cable operators, and the 6th Circuit ruled that it doesn't apply to Internet service.[1]

[1] http://www.opn.ca6.uscourts.gov/opinions.pdf/06a0366p-06.pdf

The law section you linked to is concerned with PII, personally identifiable information. But what ISPs are most likely to sell is anonymized browsing data, i.e. when an advertiser goes to display an ad the ISP will tell them what other URLs you've been to but they won't tell the advertiser your name, address, social, etc.

Agreed, with the caveat that there are also restrictions requiring aggregation as well.

The only thing your link says about aggregate data is that PII is not aggregate data, meaning that aggregate data is exempt from these restrictions.

So, that's applicable to every instance except where being provided to the government (section h), and . It's somewhat circular in that regard. Combined with disclosure restrictions, specifically 2(c)(ii), the net result is that only aggregate disclosure is allowed unless specifically permitted by the end users.

My reading of it is that anonymized individual non-PII data, such as browsing history, is allowed to be sold.

You may be correct, now that I re-read it again. There may be something in a subsequent act that prevents non-aggregate data, but until/unless I find that, I'm working under the assumption that you are right and I am wrong, regarding aggregation.

> I have yet to see any proof of this whole 'sell your internet history' complaint

What the bill stripping Broadband Privacy rules does is make it nearly impossible for the law to set a precedent for what should be considered illegal to sell when it comes to users' data. What may have happened if broadband privacy rules were enacted as intended here[https://www.nytimes.com/2016/10/28/technology/fcc-tightens-p...]

... someday somebody who didn't "opt out" would have discovered their [medical, financial, insert whatever] data had been sold to their detriment. Lawsuit. Legal scrutiny. Precedent == Baseline for what is acceptable and what is not for people who don't opt out.

Now, with no consumer privacy rights by default on broadband, and no neutral delivery system (net neutrality), and with provisions the GOP inserted into the Broadband Privacy rollback explicitly to make it harder to sue entities who sell your data, the default situation is already stacked badly against the average person.

> I also don't know how an ISP would get your actual internet history if the website uses HTTPS.

Your ISP can (and likely does) monitor your DNS queries, which (as far as I know) are not encrypted.

Personally I think the net neutrality stuff is a tad overblown. I'd vote for maintaining it, but I've never been particularly convinced by the whole "surveillance state/beyond-orwellian/ISP censoring your speech" arguments that get thrown around on HN, among other places.

I think the problems with ISPs are more practical: they overcharge, provide shitty service, have no incentive to upgrade their infrastructure, and clearly collude with one another. Therefore they need to be regulated.

> I think the problems with ISPs are more practical: they overcharge, provide shitty service, have no incentive to upgrade their infrastructure, and clearly collude with one another. Therefore they need to be regulated.

Agreed. Though I would prefer that we do whatever we can to identify and implement mechanisms to increase competition. I want new ISP options, and several of them, rather than just marginally better behavior from the one or two ISPs I have in my neighborhood. I'd prefer regulation that increases competition (even if that hurts the incumbents) rather than regulation that assumes the incumbents are fixed and therefore just manages how they conduct their business. The prior is designed to create new ISP options, the latter tends to serve to decrease the incidence rate of new options.

I've always been a voracious Internet consumer. For all of its faults, I really enjoyed the regulatory framework of the Communications Act of 1996 that allowed competitive ISPs to lease physical wires.

How about forcing ISPs to lease the last mile to help bolster competition, they did something similar in the UK [1]. Not quite sure how that worked out for them.

[1] https://en.wikipedia.org/wiki/Local-loop_unbundling#United_K...

This was a requirement of EU law, and is presumably a reason why there are more ISPs in the EU than in the US (apart from the density issue, of course).

Yes, I think that would be great!

> > I also don't know how an ISP would get your actual internet history if the website uses HTTPS.

> Your ISP can (and likely does) monitor your DNS queries, which (as far as I know) are not encrypted.

HTTPS does expose the domain name in plain-text through SNI. Yes, DNS is not encrypted.

> I also don't know how an ISP would get your actual internet history if the website uses HTTPS.

Until the world switches to DNSCrypt, DNS-over-HTTPS, or DNS-over-TLS and while most Internet users are using ISP provided DNS resolvers, recent research shows it is possible to narrow down what pages the user browsed based on their DNS queries.

[1] https://www.theregister.co.uk/2017/03/21/dns_records_more_re...

If someone really wanted to, couldn't they buy that anonymized data and then make a series of inferences on which data is yours based on cross-referencing various information? (please correct me if this is wrong)

Like say I run hackernews — couldn't I just cross-reference my own logs with that "anonymized" data and get a pretty good idea of what a specific user's traffic was?

Based on some of the tools Uber has used to pinpoint specific users, like government officials, it doesn't seem too far beyond the realm of possibility.

Exactly. Gather a couple sources - as is already happening - and with a graph DB and not even grad level algorithms you could get a pretty accurate picture of enough people, given enough data.

>I also don't know how an ISP would get your actual internet history if the website uses HTTPS.

The ISP could monitor your DNS requests or the SNI[1] in the TLS handshake.

1. https://en.wikipedia.org/wiki/Server_Name_Indication

Back in the 1980s, Robert Bork's video rental history was disclosed during his Supreme Court nomination. As a result, the Video Privacy Protection Act was passed.

Why shouldn't there be similar provisions to protect my browsing history?

>I also don't know how an ISP would get your actual internet history if the website uses HTTPS.

Charge users extra fees for "premium service" unless they agree to let the ISP their traffic.

How does that change how HTTPS works?

It doesn't, but the ISP still knows what pages you went to.

If they want to determine your political leanings your browsing history is enough.

How would the ISP know what pages you went to over HTTPS? Only the domain name would be available, through SNI/DNS.

They could just MITM all connections and say 'for compatibility reasons, please install this root certificate'.

With a fee, this requirement could then be waived.

Dystopian but technically possible.

This type of hypothetical drives me batty, and I was tempted to be snarky. I'm not sure how to respond to the idea that there will ever be a time your ISP requires root cert installation for service, but I will be finding a way to launch a WISP of my own at that point.

It's only slightly hypothetical.


Gogo didn't require installing a root cert, but they DID issue forged certificates to MitM connections to *.google.com (and others).

Also, remember "Superfish"? Their root cert was pre-installed by Lenovo.

My original was already snark. Though I don't think it's impossible that a small amount of non-technical people might actually be convinced to do this.

Just the domain names is already a lot of information...

You can't really anonymize data:


It's a fair question to ask! I wrote my representative on this issue actually. I'll let you read for yourself:

"On October 27, 2016, the Federal Communications Commission (FCC) issued a proposed rule that seeks to expand its regulatory jurisdiction, create a two-tiered privacy regime for different types of Internet companies, and impose data restrictions on Internet service providers. These types of regulations have traditionally been under the jurisdiction of the Federal Trade Commission (FTC), which already has in place a regulatory regime to protect consumers. Full implementation of this proposed rule would have, among other things, given consumers a false sense of protection and privacy. As a bipartisan group of representatives stated in a 2016 letter to the FCC in response to its notice of proposed rulemaking:

-We had hoped the FCC would focus on those protections that have traditionally guarded consumers from unfair or deceptive data practices by ISPs and the other companies in the Internet services market. But, based on the [FCC’s] Notice of Proposed Rulemaking, we remain increasingly concerned that the Commission intends to go well beyond such a framework and ill-serve consumers who seek and expect consistency in how their personal data is protected. If different rules apply to the online practices of only selected entities, consumers may wrongly assume that the new rules apply to all of their activities in the Internet. But when they discover otherwise, the inconsistent treatment of consumer data could actually undermine consumers’ confidence in their use of the Internet due to uncertainty regarding the protections that apply to their online activities.-

In response to these actions, the House and Senate introduced legislation in March to disapprove of this proposed FCC rule. The House version of this legislation, H.J.Res.86, was introduced by Rep. Marsha Blackburn (R – TN) on March 8, 2017. The measure seeks to block the proposed FCC rule. On March 28, 2017, the House passed the Senate version, S.J.Res.34, with my support, and the measure now heads to the president’s desk for signature. Again, it must be noted that recent actions in Congress have not changed the status quo in terms of privacy-protection standards for consumers."

That's what they attest. And the Washington Post had a good editorial (which I'm currently at pains to find) explaining how, under Commissioner Wheeler, the FCC pushed for broadband privacy rules, but ran roughshod over the FTC in the process. While it was a win in the sense that a legal gap was closed (more on that in a minute), it wasn't good in that it weakened the definitions between the FTC and FCC, which both have governance roles to play. While it might sound like needless bureaucracy, firm and clear rules are the underpinnings of strong court rulings, which are essential to good governance.

Except, now that gap still exists. While it's claimed that the FTC will now fill in the gap, the problem is that it couldn't effectively in the first place. WP explains:

"Can't the FTC go after Internet providers with its rules?

At the moment, not really. The reason has to do with the FCC's rules on net neutrality. When the FCC passed those rules, it branded all Internet providers as “common carriers,” essentially a fancy legal term to describe traditional phone companies.

The problem is that the FTC is bound by something called the “common carrier exemption.” The agency isn't allowed to take action against companies that have been labeled common carriers by the FCC. (The idea behind the exemption is to prevent both agencies from going after the same companies twice for the same infraction.)

So if the House vote succeeds and Trump signs the measure, that releases Internet providers from the FCC's privacy regulation but does not do anything to apply the FTC's own privacy guidelines to the industry. The FCC can still sue companies after they have allegedly violated consumer privacy, industry groups say. So can state attorneys general. But the FCC will be unable to write regulations that preemptively bar privacy violations, meaning that Internet providers will be subject to less oversight as a result of the congressional measure."

(From: https://www.washingtonpost.com/news/the-switch/wp/2017/03/28...)

So, with regards to selling data. Is it anonymized? Probably. To an extent. People get assigned an advertising ID, which is a random number in place of your legal name, and your profile is built under that. But you and I both know that it's not really anonymous, and it's trivial to then do a correlation between your, say, name and address, and then your advertising ID and address, and suddenly you have a full profile on someone. That's an issue when other businesses and services begin to take advantage of your health, interests, associations, etc, to charge you more or deny service based on these indicators. ISPs feel they've been at a disadvantage compared to online services like Facebook. Remember, that they do not want to be "just a bit provider". There's a very powerful profit factor if they can use their lock-in to be your content provider as well.

Anyways, hope that helps!

This is well-written, but I worry it will be scanned by a staffer and replied to with a canned response. I'd be interested in hearing about any response if you care to update?

Sorry I wasn't clear, I didn't state it well. That was the response in italics above. The representative (or rather, her staffer) is asserting that the status quo has not changed. That's only half true. The ability for ISPs to sell data was on shaky ground before, until the FCC closed the door. The door has been reopened, and the FTC has weak jurisdiction.
