Hacker News new | comments | show | ask | jobs | submit login

The common response to this is that ISPs have access to everything you do (which is true), and that they could sell that (which is false).

The regulations being overturned here are ones that have only recently taken effect, and non-anonymized, non-aggregate selling of ISP data is still outlawed by the Cable Communications Act of 1984, which protects subscriber privacy is 47USC § 551[1].

Put simply, neither the most recent executive order, nor a reversal on Net Neutrality overturns that law on the federal register.

Of course, if Congress were to draft a bill that does so, the current fears would be well justified.

https://www.law.cornell.edu/uscode/text/47/551




"Anonymized" aggregate data is not as anonymous as you might think. This study [1] was able to accurately de-anonymize users based on internet history and public social media 70% of the time.

[1] http://randomwalker.info/publications/browsing-history-deano...


Legally, is there a minimum requirement for what it takes for data to be considered "anonymized"? Just because the customers' billing info isn't included doesn't mean you can't figure out who is responsible for traffic.


There might be multiple options that the federal government would respect:

* https://www.gpo.gov/fdsys/pkg/USCODE-2010-title5/html/USCODE...

* http://ws680.nist.gov/publication/get_pdf.cfm?pub_id=904990

Legally, I can't think of a case where it's been tested that didn't lean the government's way, so who knows?


So you're saying this most recent regulation does absolutely nothing, even though it was the highest priority for the incoming industry friendly regulator. Seems doubtful that some 1984 law is going to protect our browsing data.


I'm not saying it does nothing. I'm saying it doesn't do what people think it does.

Repealing the Obama rule does mean that you can't opt out of data collection or sale. It does not mean that your individual browsing records are available to anyone with enough cash. Moreover, much of the rules Trump's executive order overturn had either very recently taken effect, or not yet taken effect.

There may be much theoretical damage from overturning the regulations, but the practical effect here will be minimal, and limited because of the other laws that already exist to prevent exactly the doomsday scenario many are predicting.

I'm not saying that Trump isn't after your privacy rights, but the surest test of that will be whether or not he goes after or seeks to circumvent the 1984 protections I referenced earlier.


You're correct. But only because - per Chaos Monkeys, Dragnet Nation, and the like - your data is already being captured, aggregated, and sold. If that's your concern, you're too late. On the other hand if your concern is specify to ISPs (as opposed to other entities you don't even know) then sure worry and complain. But at least your ISP has an incentive to not go too crazy, as the data they sell could be used to market to you to leave that ISP ;)


You can turn cookies off or similar, or you can choose to not use or employ such services. That the ISP can do this, without your consent - each DNS lookup, each TCP connection you're making - is a whole different thing.

I think it is truly insane.


Fyi...They can, with reasonable accuracy, track you across multiple devices. And that was 3+ years ago. I'm sure it's only gotten better since.

I do agree. There are somethings you can do to mitigate things. But at some point you have to be you (e.g., FB, etc.) and as small and minor as such digital breadcrumbs might seem, they add up.


Using Facebook is a rather large bread "crumb" though. Not using it is easy enough and you're making it easier for your other privacy-conscious friends to do the right thing.

I don't know anyone who would fault me for not being on Facebook (yes I know this has a strong selection bias). Only time was at a convenience store, looking a bit puzzled I had to scan my ID-card in some device (to buy cigarettes[0]), the guy explained this was announced on Facebook, I (completely neutral, matter-of-factly, already having complied with the ID-device thing) replied I don't have an account on Facebook which he took as a cue to start some anti-privacy diatribe at me. My guess he was probably having a bad day, possibly from other people giving him a much harder time about the ID thing. I finished the transaction, excused myself because I (really) had to catch a bus, and wished him a very nice day.

My point is, when I look around, it seems like Facebook is going the way of the cigarettes. The majority of people (that I know) know of at least one or two scandalous things that are deeply wrong about the way Facebook treats privacy and manipulates its users. Of those people, a good chunk hate it, really want to quit, but feel they can't due to social pressure or addiction. Just like cigarettes. Others make excuses about convenience, little vices, relaxing. Just like cigarettes.

I don't know how many of you are old enough to remember that you could smoke in trains, bars, in restaurants while people were still eating 2 metres next to you. As late as the early 90s. And only after those bans people started to dare to ask if you could maybe smoke outside, in home situations, even if they're the guests and it's your home (I was younger and inconsiderater).

If you don't remember you maybe also don't remember how thoroughly ingrained the social act of smoking was in society. Only a few decades ago, nobody could imagine where we are today. Smoking was just so normal, even if you didn't really, you would occasionally, your friends would offer, people just liked it too much, were addicted too much.

The almost-entirely-non-smoking-everywhere society we have today was seen as an impossibility. We could never get there, we couldn't change or impose, people wanted it too much. And it was a hard transition before it got momentum, but it did in the end. I personally, as a smoker, welcomed these bans, because I figured it would make it easier for me to quit (hint: if you're addicted, you still have to quit by yourself. those bans maybe helped me the first 5% of quitting).

The point is, it may seem impossible to imagine a way out of this anti-privacy swamp. But it's not too late. Just remember the cigarettes and how far we got. DON'T let anyone tell you it's useless to refrain from using surveillance tech X just because "you're going to be tracked any way because P, Q and R" (being your phone, CCTV and the NSA). The fight is NOT lost, not at all. It's just getting started, now that people are slowly realizing they don't actually really want this, they are mostly made to want this, and more and more people want it to stop, and it would help if only everybody else would stop shoving it in their face.

Just because it seems impossible now doesn't mean we should roll over, curl up and stop voicing your dissent, ever.

Then maybe our kids (or other people's kids--who didn't ask for this either) can grow up in a society where they're not quite as pervasively tracked and surveilled as our generation.

If it helps maybe to imagine the next impossible thing, imagine everybody securely wiping the exabytes of private data they've collected on us so far. I really can't see that happening either and it kind of gives me hope in a weird "wishing on a star" kind of way, because other important things used to seem just as impossible.

[0] I've quit since. It's hard. Very hard. Unfathomably harder for some people than others. I will never judge an addict in my life.


But NOT being on FB is also a signal. A signal I presume can be detected and noted somewhere. Frankly, I don't think staying off FB is enough. And not being there, should you make the evening news for some strange reason, will mean you're labeled as antisocial, loner, etc.


That section of law says they can sell your data with prior written or electronic permission.

47 U.S. Code § 551 (c)(1)

Except as provided in paragraph (2), a cable operator shall not disclose personally identifiable information concerning any subscriber without the prior written or electronic consent of the subscriber concerned

So this section of the law, though another might, does not support your statement that "that they could sell that (which is false)".


I think you're misreading it, unless you have reason to believe that you've already given your permission. Either way, the regulation that Trump's EO overturns also allowed you to opt in if you wanted to.


non-anonymized, non-aggregate selling of ISP data is still outlawed by

Your statement is too strong. It's not outlawed. There is a relatively easy avenue for ISPs to sell this type of data, and it's written into the law, and not some sort of weird loophole. It is voluntary that they have not pursued it on their part.


I believe that pretty much every single customer has given their "permission" in that sense, the standard contract or terms&conditions would include language that says that you consent to such information "being processed by selected partners" or something like that.


Wouldn't a privacy policy cover "the prior written or electronic consent of the subscriber concerned"


If so, I don't know how the Obama regulation would have been any different.


47 USC 551 only applies to cable operators, and the 6th Circuit ruled that it doesn't apply to Internet service.[1]

[1] http://www.opn.ca6.uscourts.gov/opinions.pdf/06a0366p-06.pdf


The law section you linked to is concerned with PII, personally identifiable information. But what ISPs are most likely to sell is anonymized browsing data, i.e. when an advertiser goes to display an ad the ISP will tell them what other URLs you've been to but they won't tell the advertiser your name, address, social, etc.


Agreed, with the caveat that there are also restrictions requiring aggregation as well.


The only thing your link says about aggregate data is that PII is not aggregate data, meaning that aggregate data is exempt from these restrictions.


So, that's applicable to every instance except where being provided to the government (section h), and . It's somewhat circular in that regard. Combined with disclosure restrictions, specifically 2(c)(ii), the net result is that only aggregate disclosure is allowed unless specifically permitted by the end users.


My reading of it is that anonymized individual non-PII data, such as browsing history, is allowed to be sold.


You may be correct, now that I re-read it again. There may be something in a subsequent act that prevents non-aggregate data, but until/unless I find that, I'm working under the assumption that you are right and I am wrong, regarding aggregation.




Applications are open for YC Summer 2018

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact

Search: