At least Facebook and Google give you something for it and you can route around them if you desire. No routing around ISPs unless you use a VPN but even then they are blocking those.
Broadband/cable/telcos capture everything you do and can now sell that information and do. That bill was the precursor to removing net neutrality by taking privacy and policy from the FCC to the FTC.
Part of Jeff Flake's argument for getting rid of the privacy protections was so that ISPs can compete with Facebook and Google and sell your data/offer ads to you. Yet Facebook and Google at least built products you wanted that you willingly gave up privacy to use and at least got something for it.
ISPs you have to pay to use and they still take your data as if you are the product. ISPs could have built products people wanted to get that data but they instead bribed 'representatives' to get it via legislation with their local monopolies. No one wanted this bill but ISPs.
Your ISP soon won't be able to see anything you do online. But Google will see it all.
> The number one creepiest thing on our list of privacy-invasive practices comes courtesy of Verizon (and AT&T, which quickly killed a similar program after Verizon started getting blowback).
> Snooping through your traffic and inserting ads Which ISPs did it before? AT&T, Charter, CMA
> Hijacking your searches Which ISPs did it before? Charter, Cogent, DirecPC, Frontier, Wide Open West
All of these areas are going to be tried again by the ISPs with this law.
Ok, so Google doesn't inject ads into your web traffic. But they inject ads into websites using AdSense, and into search results, and their products, and any technology linked to their ad platform (which is basically all technology related to the web). To increase ad revenue, they snoop on any personal data you store with Google. And they use their ads to collect more info about where you go on the web.
> Hijacking your searches
So, Google doesn't need to hijack your search, because they are most people's preferred search engine. But they do proxy your browser's connection when you click on a search result from a mobile browser (AMP). They're starting to do this with your e-mail, too. And they sometimes do this with your DNS records, so they know every site you load, period. I would call that connection hijacking, tracking, and snooping.
Re: the other points in that article, they already sell your data to marketers, all their software is already pre-installed on your phone/tablet/chromebook/desktop/laptop, and they definitely track you with cookies.
Google has a competitive advantage in that they have a walled-off platform where nobody else can make money off of you. The ISPs want a shot at making money off you, too. Since both are doing virtually the same thing, I don't see a big difference. Just the means by which they do them.
Google has been reshaping the entire internet and web just to maximize the way they can profit off my personal information. I don't see the ISPs doing that. What I'm curious about is, why is the EFF so upset about what ISPs do, but not upset about what Google does, when Google's actions are literally affecting an entire industry and most of the world, and not just its own customers?
- Do you want your ISP tracking you and selling your private data? Do you think that is the place of an ISP?
- Does it bother you you are PAYING your ISP and they are reselling your data as well?
- Do you trust Comcast and Verizon and like that you are paying them to sell your data when you just want to use them to get online and are ok with this?
I don't think anyone argues Google has power but they aren't your 'gateway' to the internet that you pay for privacy.
Your argument is basically that you think Google has overreach so you want ISPs to take that from them or also do that?
I am against Google Fiber ISP having access that ISPs just won with bribery over innovation/product offerings that people want.
If Facebook had an ISP I wouldn't want them doing it either via the ISP.
> What I'm curious about is, why is the EFF so upset about what ISPs do, but not upset about what Google does, when Google's actions are literally affecting an entire industry and most of the world, and not just its own customers?
Products built on top of the internet are way different than products that are the base of the network. You should not be tracked at the network/gateway level ever.
If ISPs 'want a shot at making money off you' then let them build a service such as a search engine, social network or maybe like Comcast is doing with Hulu. Don't give up your rights at the gateway of the web just because you have a grudge or bias against Google.
> Google has been reshaping the entire internet and web just to maximize the way they can profit off my personal information. I don't see the ISPs doing that.
Also your points about Google are rich considering you have a @gmail account in your HN profile. If they are so overpowering why do you use them and not your ISPs email system?
Since you have no issue with ISPs selling data that you are paying them to keep private, you would be fine with Google Fiber ISP also doing that? Careful what you wish for and freedoms you give up due to bias ...
I care a teeny bit about privacy, but I care a whole lot more about anticompetitive monopolistic practices. IMO, ISPs are absolutely guilty of those - but my point is, so is Google. I care when somebody changes the design of the entire web for their company's sole profit.
That's why I'm pointing out Google's practices, and how I think they're doing much worse things than ISPs. If you don't care about anticompetitive monopolistic practices, and only care about privacy, then I can see how you might not mind what Google is doing. But soon, Google will be doing to you what they're making impossible for the ISP to do.
- Since you have no issue with ISPs selling data that you are paying them to keep private, you would be fine with Google Fiber ISP also doing that?
I am against Google Fiber ISP having access that ISPs just won with bribery over innovation/product offerings that people want. This is about the level of privacy and access ISPs should have not about Google.
- The ISPs already charge too much and little of it is going towards innovations/network advancement, instead they want to be content creators and ad platforms instead of charging more to get to gigabit and beyond. ISPs need to get back to innovating on providing better/faster internet service, what they are is network providers.
- ISPs should not be involved in content/ads/selling private data as that leads to bias and throttling, we need to have a separation of power from ISPs, the network gateway to the internet, and content creators on top of the internet.
When is it a good idea to have content creators own the network outright? All that leads to is bias, preferential treatment and monopolies (furthering them).
We have made immense mistakes in 2017 allowing ISPs to sell your private data, remove privacy protections at the network level AND the removal of net neutrality.
Net neutrality makes the network provider neutral, simple as that. ISPs you pay to get access to the network which is a utility today and to keep your data private, not sell it.
Why do you think ISPs like Comcast lobbied so hard to bribe their way into the ad/tracking market instead of winning it on the market with products people want? Do you think they did that so as to waste profits? Or to gain them?
We pay ISPs for secure and private internet access, not to also sell off our private data.
Google and Facebook are ad/marketing companies, you expect tracking and they use your data and give you a free service in exchange.
ISPs we pay for internet access and privacy, no one expects ISPs to be selling your data or would call them ad networks, though that is what they want to be and are building with this privacy law change.
There's some discussion of known Comcast injection here: https://news.ycombinator.com/item?id=15890551
The response from Comcast was:
> This is our web notification system, documented in RFC 6108 https://tools.ietf.org/html/rfc6108, which has been in place for many years now. It presents an overlay service message on non-TLS-based HTTP sessions. If you click the X box or otherwise acknowledge the notice it should immediately go away. If that is not the case let me know and we'll have a look at what may be happening. 
But ultimately no, however there may be some possibilities:
- ISP offered 'apps'. Get people to agree to an install of some monitoring app for some [insert random marketing benefit] from ISP. Maybe if you install the app you get more data cap space etc and they can monitor browser access. Further, install this in known apps or as add-ons on setup for other apps.
- ISP offered 'VPN client' that again, gives some cheaper monetary benefit like more data cap space or more speed 'free', strips out other advertising or tracking as a benefit.
- ISP offered 'email client' that does all of the above.
- Check for subsequent request after page loads to known ad networks and replace with their own in HTTPS
- ISP level proxy MITM, modem customization for 'fast lanes' that are actually slow lanes.
- DNS level data collection not to inject but to sell marketing profiles via metadata and correlate with other data from apps.
First one is the most probable but as of right now HTTPS injection is obviously hard to do if not impossible without some social or security hole.
Nobody in here would probably fall for these attempts but most would considering the outrage that they didn't know friend harvesting was happening on Facebook. If whatever they try lowers their monthly data caps or limits then majority of people will do it.
Since ISPs are your 'gateway' to the internet and you pay them, most people assume trust and privacy, most don't know they bribed their way into the tracking/ad business, many didn't know cable tv modems had mics either. With that assumption of trust since people are paying them, they'll more easily fall for any of the possible attack/tracking vectors listed and more probably.
With the ISP privacy protections removed, my guess is most ISPs, due to lack of competition, end up more like hotel wifi where tracking/injection is the norm as it is completely legal now. With the removal of privacy protections and net neutrality, we have killed the pristine, non tracked, private gateways to the internet we cherish.
I was planning literally this month to figure out how to implement domain traffic analytics on my LAN by using SNI via libpcap or similar (something tiny).
Will I have to configure a root cert and build a full DPI proxy to make this futureproof? >_<
Time to go learn how to do DPI...
But a large amount of sites won't work without it. It's very common to run multiple sites on same ip/port. Not sure if it's technically possible to make that work without SNI or a similar technology.
Considering CloudFlare offers to do SSL on their end, it'd be technically viable to only tell CF which domain you want.
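An added example, not code from any commenter in this thread: the SNI-based domain analytics discussed above comes down to reading the `server_name` extension out of each TLS ClientHello, which is sent in plaintext. The function names are hypothetical, the ClientHello bytes are constructed in the block rather than captured, and packet capture itself (libpcap or similar) is left out.

```python
import struct
from collections import Counter


def build_client_hello(hostname=None):
    """Build a minimal TLS ClientHello record (constructed sample, not a capture).

    With hostname=None the server_name extension is omitted.
    """
    extensions = b""
    if hostname is not None:
        name = hostname.encode("ascii")
        # ServerName entry: name_type 0 (host_name), 2-byte length, name bytes
        entry = b"\x00" + struct.pack("!H", len(name)) + name
        sni_body = struct.pack("!H", len(entry)) + entry
        extensions = struct.pack("!HH", 0x0000, len(sni_body)) + sni_body
    body = (
        b"\x03\x03"                              # client_version
        + bytes(32)                              # random (zeros, constructed)
        + b"\x00"                                # empty session_id
        + struct.pack("!H", 2) + b"\x13\x01"     # one cipher suite
        + b"\x01\x00"                            # null compression only
        + struct.pack("!H", len(extensions)) + extensions
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record):
    """Return the plaintext SNI hostname from a ClientHello record, or None."""
    try:
        if len(record) < 5 or record[0] != 0x16:      # not a handshake record
            return None
        rec_len = int.from_bytes(record[3:5], "big")
        hs = record[5:5 + rec_len]
        if len(hs) < 4 or hs[0] != 0x01:              # not a ClientHello
            return None
        body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
        pos = 2 + 32                                  # skip version and random
        pos += 1 + body[pos]                          # skip session_id
        pos += 2 + int.from_bytes(body[pos:pos + 2], "big")  # cipher suites
        pos += 1 + body[pos]                          # compression methods
        if pos + 2 > len(body):                       # no extensions block
            return None
        end = min(pos + 2 + int.from_bytes(body[pos:pos + 2], "big"), len(body))
        pos += 2
        while pos + 4 <= end:
            ext_type, ext_len = struct.unpack("!HH", body[pos:pos + 4])
            ext = body[pos + 4:pos + 4 + ext_len]
            pos += 4 + ext_len
            if ext_type != 0x0000:                    # not server_name
                continue
            list_end = min(2 + int.from_bytes(ext[0:2], "big"), len(ext))
            i = 2
            while i + 3 <= list_end:
                name_len = int.from_bytes(ext[i + 1:i + 3], "big")
                name = ext[i + 3:i + 3 + name_len]
                if ext[i] == 0 and len(name) == name_len:
                    return name.decode("ascii", errors="replace")
                i += 3 + name_len
            return None
        return None
    except IndexError:                                # truncated record
        return None


def count_domains(records):
    """Tally hostnames seen across records; records without SNI are skipped."""
    names = (extract_sni(r) for r in records)
    return Counter(n for n in names if n is not None)


if __name__ == "__main__":
    sample = [
        build_client_hello("example.org"),
        build_client_hello("example.org"),
        build_client_hello("mail.example.net"),
        build_client_hello(None),                     # hello with no plaintext SNI
        b"\x17\x03\x03\x00\x02\xaa\xbb",              # application data, ignored
    ]
    for host, hits in count_domains(sample).most_common():
        print(host, hits)
```

A ClientHello that carries no plaintext `server_name` yields `None`, so this kind of passive tally simply stops seeing those connections.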
Mozilla implementing it: https://www.ghacks.net/2018/03/20/firefox-dns-over-https-and...
Google's: https://developers.google.com/speed/public-dns/docs/dns-over... Apparently Chrome uses this over QUIC, and Chrome's Data Saver also uses it
IETF charter: https://datatracker.ietf.org/wg/doh/about/
The unfortunate side-effect of preventing your OS from doing DNS queries is DNS-based ad blockers and privacy proxies no longer work.
This way your dns traffic is still encrypted,
and you retain the capability to block/proxy.
Only if you are smart enough to know the browser has its own resolver, and that you need to turn it off first. We may not be able to turn it off in the future, meaning if you want to have privacy you have to run a privacy-specific browser.
This may end up breaking traffic as Google shifts more and more of the web into its proprietary products. For example, Google owns the .DEV gTLD, and makes .DEV domains "completely closed for the sole use of Google". It may at some point buy some other gTLD (such as ".BLOG", which it was outbid for) and decide that the only way for you to access websites with domains using that gTLD is to use Google's DNS API. It may sound crazy, but if they already shut out everyone in the entire world from having a .DEV domain, this doesn't seem much crazier to me.
After all, DOH is mainly a technical answer to hijacks (and monitoring). Some ASes seem to have a policy on that... Once it's ready, if it's enforced, you'll have a way to provide a custom resolver you control.
It came out that in a world of reverse proxies, ddos protection and large tech conglomerates, reverse dns is not a big deal (depends on your behaviour too, smaller websites with a dedicated IP are easier to catch).
But traffic analysis may be a big deal, and the risk of this kind of exposure is not something you can evaluate by yourself. Mix networks are a mitigation.
Note, that URL (and search term as GET parameter) is visible to your ISP.
* Build a list of domains you're interested in. There's fun community-built blocking lists that can help you, if you need it.
* Periodically resolve every domain. Odds are if you're an ISP your servers already have the records cached, but it isn't too hard to resolve them all.
* Dynamically adjust your routing to specifically re-route those IP addresses to your special infrastructure (or maybe null route it if you want to block access)
* Use your special infrastructure to build up whatever profile you want about the source IP address, which of course being an ISP you'll be able to link directly to a user. Your end user won't even know.
You'll know when they access sites, be able to build up patterns of websites they access, in which order, and spot variations in that pattern.
There's a lot you can infer from metadata without decrypting the traffic. Everything from which domains you access, ports used for the communication, what order, and what sort of size the payloads are. You could identify that someone has an email account they only access after visiting, say, the Ashley Madison website. By tracking the size of the communication that is being sent, you could figure out if someone is sending dick pics or some such, or if it's likely just plain text.
Of course, when states tried to reintroduce privacy protections... That covered ISPs and tech companies alike... Big tech stepped in and opposed. They weren't interested in protecting users, they just didn't want the competition.
There's a lot of consolidation happening in that space. Verizon offers FiOS and phone service. Comcast is getting into the mobile game. That aside, any device by itself is enough to get a picture of the user using only tracing IP addresses (i.e. DNS lookups and outbound requests). They don't need to stitch together your mobile and home connections. It's enough to have two profiles on you when you're using each one.
AT&T is probably the biggest player in succeeding at being the ISP for you everywhere though.
True, all tracking/privacy issues are bad but you can still route around Google/Facebook with simple things even such as hosts file loopbacks, browser extensions, using Firefox instead of Chrome and using different search/social networks.
Google and Facebook are blockable, ISPs can never be blocked.
Even with a VPN you are still going through an ISP gateway with that encrypted traffic and performing DNS lookups. This will lead to throttled bandwidth, can Google and Facebook throttle you down? Facebook/Google/etc have zero control over you if you want, ISPs always got your information.
ISPs can also track entire companies now, Facebook and Google do it by individual but ISPs capture everything, you always have to connect to an ISP.
The privacy overreach by ISPs is immense due to not being able to choose to be tracked, and they are lower on the service level as they are the base entry to the web.
ISPs are your entry/gateway to the internet and now track you and can sell your data, Facebook/Google ride on top of that. ISPs could also crush others tracking, replace ads in place of other networks which was in the bill, and will squash any small/medium advertising networks outright.
ISP tracking and privacy overreaches are definitely the biggest encroachment on internet freedom ever and much more of a problem than destination/apps built on it that you have to go to or can route around.
ISPs also bought/bribed their way into this monopoly reach, they did not earn it with providing products people desire, they have local monopolies with false competition that lessen the ability of people to change providers.
Also, given the HTTPS Everywhere push (mostly led by Google), usually only sites like Google and Facebook get to see your traffic, ISPs get cut out of most of the deal.
And for most people, Google or Facebook is, in fact, their gateway to the Internet: They get everywhere they go through one of these two captive environments.
Finally, telecoms are already subject to significant regulation, even with the recently repealed privacy rule, no, ISPs can't just go selling your search history, marketing by certain political groups to the contrary. (Whereas Google and Facebook both, effectively, can.) Meanwhile, tech companies have operated with little to no regulation at all, and unlike telecoms, which have a whole federal agency dedicated to regulating them, tech companies' reach isn't restrained by much outside of the FTC, which isn't even fully staffed, and definitely isn't doing their jobs.
Google and Facebook are ad networks that tracking is inherent because they are free and they make their money from ads.
ISPs are for internet access and privacy, you pay them so they don't sell your data. Now they want to be Google/Facebook without building a search engine or social network. They bought their monopoly with bribes so they could become ad networks/tracking networks. People have the expectation that their data isn't being sold by their ISP currently, but they are and it is fully legal now.
Google and Facebook aside, do you want your ISP tracking you and selling your private data?
When you say "Google and Facebook aside", it feels like you are literally missing the entire point... You have an elephant in your sinking boat, and you're worried about the weight of the dog.
Do you want your ISP tracking you and selling your private data? Do you think that is the place of an ISP?
If you do like your ISP tracking and selling your private data, we'll have to agree to disagree. I think there is no place for ISPs to be evading privacy and selling your data. It isn't about competition.
I expect tracking from free services I am not paying for that my data is the product. I expect tracking from companies that make their money from ad/marketing to do that.
I do not expect tracking and privacy invasions from my ISP, my front door to the internet.
My ISP is also not a small dog, it is a massive media company and a monopoly in addition to my provider. At least with Google/Facebook you can use DuckDuckGo/bing/etc or other social networks and block Google/Facebook if desired.
I can't route around my ISP, there is no local competition and what competition there is amounts to false competition. From the FCC's own data, most people only have 1 or maybe 2 real competitive ISPs in their area and virtually no competition at 100Mbps, zero options for gigabit.
I can easily walk around Google and Facebook and block them, my ISP is a big big mean dog because I am paying for my privacy invasion, services that run on the internet are corgis and they are free but fun to play so they attracted people's data by providing something people want. They do both lobby but that is primarily because ISPs and others do so heavily and you must compete at that level or lose.
> FCC report finds almost no broadband competition at 100Mbps speeds 
> Even at 25Mbps, 43 percent of the US had zero ISPs or just one. 
You ignored that Google and Facebook are also the front door to the Internet, and that you cannot evade their privacy violations by just "not using them". You've also continued to not address that Google is a much larger monopoly than any company you're upset about. Adding all of the ISPs together would not even approach the scale of threat provided by Google, in money or reach.
You've seemed to decide that violating your privacy and security is okay for some companies and not others without really a reasonable distinction how. Especially given that Google and Facebook are both media companies (and ISPs), and so are Comcast and Verizon.
It is funny you keep evading those important questions and flipping back to Facebook/Google. Just want to get you on record on the ISP question. I have already stated all are powerful and there is an expectation of tracking from advertising companies like Google/Facebook, that was not possible until the ISP privacy bill that removed privacy protections.
Also that data from broadband numbers is DIRECTLY from the FCC report the FCC created, it is just summarized on ars, does the FCC have a Google bias?
The fact that you supposedly know the guy's bias and associate it with Google is probably a hint of bias on your side. Maybe you just like ISPs selling your private data while paying for the service.
> You've seemed to decide that violating your privacy and security is okay for some companies and not others without really a reasonable distinction how.
I believe I explained this clearly multiple times. ISPs are literally the definition of a 'gateway' or doorway to the internet. Facebook/Google are built on top of it and yes you can route around them or block them easily with host loopback or at firewall/routers etc, there are competitors to those apps, not so much with network gateways/ISPs. Is the EFF also in Google's bias?
You've seemed to decide that violating your privacy and security is okay for ISPs who previously were not able to but lobbied to have those privacy protections removed without answering whether you think that they should.
I don't believe any ISP should have access to your private data nor sell it, especially because you are paying for it. I say the same for Google Fiber and Facebook ISP overseas if they have them. ISPs SHOULD NOT be accessing private data and selling it, they are the gateway to the internet and that is TOO MUCH POWER. If ISPs want advertising networks or tracking, build a search engine or a social network or like Comcast has in Hulu, or buy one. Only track on a destination site that I can CHOOSE NOT to use that doesn't double as my entry to the web, that has way more monopolistic tendencies in terms of control of your data.
I'd rather Comcast didn't touch my data, but no, in the end I would trust them with it far more than I would trust Google or Facebook.
I never agreed to FB collecting data on me. I have no account with them. I do not use their services. Yet here we are.
I have never seen so many pro ISP tracking/privacy people on HN.
The pro-ISP part was more about the thread and that ISPs are paid for internet access for privacy, without an expectation of tracking.
Google and Facebook are free and have an expectation of tracking because they make their money from ads/tracking.
It feels like a good compromise between privacy and speed.
You’re currently leaking a ton of data via DNS and HTTP certs, aren’t you?
You are indeed protected against active content injection, but that’s rarely the problem with a for-pay ISP
Latency through the VPN is worse. It's not super-worse, but it is worse.
> You’re currently leaking a ton of data via DNS and HTTP certs, aren’t you?
I'm putting DNS through the VPN as well, so no.
But HTTPS certs - yes I am. It's a compromise.
> You are indeed protected against active content injection, but that’s rarely the problem with a for-pay ISP
This is literally one of the specific problems I was trying to avoid. My ISP is Comcast (the only choice where I live) and they routinely practice HTTP injection: https://gist.github.com/ryankearney/4146814
It's not just injection, though. With plain HTTP Comcast gets to see the contents of every page I visit, if they want to. And I do not want them to.
It's a PC Engines APU2 running pfSense.
Just thinking from the perspective of remote support, I can't really walk my folks through a pfsense setup over the phone if there is a hardware failure... :/
Best router I've ever had, and I run it with a PiHole on a Pi 3.
For those really serious about privacy that's why I think actually owning a colo space where you own and control the hardware can be a preferable solution. For those who don't like that try setting up your own VPN on a VPS, etc.
One of the key things most people miss is DNS. I personally also suggest running your own DNS server, even if just a local dnsmasq that's outgoing to opendns or internic or something.
One more thing most people don't think about is attackers pivoting from other compromised devices on the internal network. If you think that Amazon/Apple/Microsoft etc device isn't sending checks out on the local network and then reporting back stuff like internal IP topology and MAC addresses you got another thing comin. Check your iptables or nftables (bpf?) and block internal hosts you know don't need access.
It's not as bad as you're making it seem.
Given the current usage, I would say that most people value the latency and throughput a lot.
TL;DR Very different incentives
That's not true for many parts of the world, especially Central/Eastern Europe.
$ whois AS204880
As a bonus their software works very well, better than most generic VPN clients.
I previously was using my own private VPN servers set up with Streisand, but those provide no anonymity, only masking of the endpoint.
Do any American ISPs routinely block VPNs?
> 2003—Cox and Comcast block VPNs: Back in the early internet, both Comcast and Cox Communications placed bans on Virtual Private Networks (VPNs). This was before VPNs became as ubiquitous as they are now. Back then, the only people who really used VPNs were doing so to access a work computer remotely. Which made Cox and Comcast’s choices to block them even weirder.
What are some ways to prevent all the tracking? I get HTTPS makes things better in terms of confidentiality, but it does nothing to prevent the ISPs from scraping the URLs, which exposes scary amount of information, too.
You need to know that the Tor Browser disables a lot of stuff that Firefox has to lower the attack surface, and you can lock it down further using the Security Settings in the Torbutton.
Also you should look into a Whonix+Qubes OS setup, just because there's a sandbox doesn't mean you can't get hacked.
For speed: It's not really that bad for general browsing.
I wasn’t aware of the attack surface reduction, I’ll take a look at that, thanks for the recommendation.
My ground truth for this is usually to ask full-time exploit dev friends which is a harder target, although that’s probably flawed in that if you’re targeted by someone determined it probably doesn’t matter the cost.
With Qubes you can have a Whonix-ws VM have all its traffic go through Tor, and have another VM with all its traffic through some VPN to use with streaming.
For iOS there's Onion Browser by Mike Tigas, but it's definitely NOT as privacy resistant as a Tor Browser. For Android there's Orfox and official Tor Browser builds for Android are coming this year.
You may be able to bypass Google but almost everybody else won't.
It's time to open your eyes for what they are.
Those little ISPs like Comcast, Verizon, Cox, AT&T etc. I can't imagine those small companies would want your data or want to use it after bribing politicians to get the right to do it.
Everyone knows Google tracks you, same with Facebook. They offer a service and people understand that. You aren't paying you are the product.
You are paying your ISP for access to the internet and privacy, or at least that used to be a selling point. You are paying AND you are the product and they have competitive services they want you to use so they'll mess with competitors. Your entry to the internet should be objective and independent, what you use on top of that is up to you. You can still route around Google and Facebook, you simply cannot route around your ISP.
No they don't. Maybe in a superficial sense, but the vast majority of the public doesn't have any clue how data can be combined and mined to reveal far more than they thought they were bargaining for.
Otherwise there would be no sudden Facebook scandal.
People know that Google and Facebook track as they are ultimately ad companies, and if you get a free service people know that your data is the product.
We pay for ISPs to protect privacy, not sell it off, that is the big difference.
Many people have seen Facebook tracking from the marketing/business or even small group/page side with their analytics and Facebook is known for their ads and sponsored content. Facebook is a marketing platform, everyone knows they use your data. ISPs are what you use to get online, not known as marketing companies that have ad networks, though they want to be.
The scandal is that FB sold or allowed the ability for third party companies like Cambridge Analytica to harvest the whole social graph and FB sold or allowed the ability for them to use that same data on FB to target and manipulate people.
I know this because we used to do lots of Facebook apps/games and back then, once someone gave you access to their information, you could get all their friends and all their information and recursively pull down most of the social graph for public information. Most games were just using it for friend names, if they played the games, invites and competing with friends but there were bad apple apps out there harvesting it all down. The facebook app revolution was partly due to the data element and was open for many years.
It always surprised me how much data could be pulled, it is part of the reason Zynga was so effective as well and attracted some oligarch money. Part of the reason Facebook started locking it down is game/apps were getting more adept at pulling all data and Facebook was scared someone would become a social graph competitor, so they locked it down mainly for their own needs not really privacy.
Who knows if Cambridge Analytica had extra access beyond that to get to profiles that weren't public, but most profiles were public by default back then and people only put information online that they wanted to share publicly without as much expectation of privacy. Over time people for some reason started to trust that Facebook was protecting their data but still had the friend permissions access hole.
Back in the late 90s and early 00s people were very against sharing any real info on the web with sites previous to and like Facebook. It slowly changed as the appearance of privacy was added, but truly it was still wide open if even one of your friends gave access to the app until Facebook v2 OpenGraph. With the OpenGraph v2 friend lockdown changes, you could only get a friend ref ID, available only to your one app, that wasn't their actual Facebook ID and was different per app, and you could send them an invite but not pull their data until they agreed, which it should have been all along.
After that change it was an era of tons of invites on Facebook, and companies like Zynga threatened to leave and did try to build their own. It also shut down many Facebook game companies that could no longer get the numbers; many moved to mobile, which was still wide open. Zynga was given special privileges by Facebook for a while due to this where others didn't have that access; others may have also had those special privileges. Facebook's transition to mobile took a long time and some people even thought Facebook wouldn't be able to make the leap. At that time, the app/game companies on Facebook considered it Facebook killing the viral nature of some of those apps/games, which was ultimately good. It was a huge mistake for Facebook not to separate app/gaming from your personal info and friends, but that was the product then. They should have allowed people to set up app/gaming profiles so that other app/gamer users could friend each other and not pollute your main friends list and pull all your social graph data. Games were a bit of a trojan into your social graph due to the setup back then.
It is possible that Cambridge Analytica had other access to non-public data, but as I mentioned, most data was public by default then and in a way CA was late to the game. Many companies probably had people internally that could pull it down, and possibly even from data centers; Facebook eventually built their own data centers. Then there is the whole side where the NSA had any access they wanted or needed as well to both public and private data; who knows if that was exploited or not. Cambridge Analytica used their data for nefarious purposes against the ToS of Facebook, but that was bound to happen because it was the move fast days and security was an afterthought. In theory you could still have a network of apps that combine to get people to give you access to their data and friends approve it as well, but most of that has moved to mobile rather than Facebook apps, as that is easier on mobile now and people moved there, including Facebook themselves.
Really this whole adventure was spurred by the Web 2.0 era that people were being social and sharing more online and it was democracy online, more public, previous to that it was very limited. Web 2.0 launched this site, reddit, Facebook, Google social products, comment systems etc. So I think there was a temporary time where it was the Wild West of data mining and people sharing more than they should with the expectation of privacy because Facebook was a walled garden and people thought it made their data safer. Turns out that was not the case if they didn't specifically mark it private.
Many of these issues still affect mobile but that is getting better, however the Facebook apps probably pull more from mobile to build the social graph than they ever could on the web including calls, audio and other things that mobile allows you to do as it is native and not sandboxed like the web. Sandboxing via web browsers was huge back in the day because people were so worried about their private data and hacking, that went away for a while, Web 2.0 happened, mobile happened, data was misused, now it will tighten to more private/permissions again and has been for the last few years. Ultimately people knowing that data you put online or when you use apps isn't private is probably a good thing as the good that will come of all this. We might get to a right to your own data Bill of Rights amendment or similar one day.
Ultimately Facebook was not necessarily nefarious in this, companies like Cambridge Analytica that exploited Web 2.0/mobile and social networks to use that data against you, rather than just serve up ads, is where things went too far and thus the backlash. Facebook since v2 OpenGraph has been privacy/security conscious both for them to protect the social graph data and to create trust in users.
Now ISPs are getting in the game with removing privacy protections with their new law and they don't care about consumer trust as much, that is the scary one.
Tor isn't that bad actually for browsing, while I2P needs more love regarding speed.
> difficult to configure correctly,
For Tor: You just download the Tor Browser. Already pre-configured.
> and make you more conspicuous to most three-letter agencies.
Good argument for actually using them.
Isn't Tor Browser fairly bad due to it being a target? I'm not sure if that changed recently, but I recall seeing lots of "don't use the Tor Browser bundle".
Tor also relies on exit nodes to exist, yet it's considered very dangerous to run one.
> Tor also relies on exit nodes to exist, yet it's considered very dangerous to run one.
It's dangerous in some places to run an exit, not everywhere.
Not to be rude, but you clearly don't work in advertising or know much about it.
The major ISPs already create profiles on users & sell them to agencies & the like for psychographic profiles.
This is what Verizon's "Super-Cookie" -- not really a cookie, but a forced modification of all HTTP headers by the ISP to enable universal tracking of their users -- was all about.
I would say “that giant ISP corporation who had enough power to lobby the government into changing laws so they can get access to your browsing history to sell”.
Which is a little more worrying.