Hacker News new | past | comments | ask | show | jobs | submit login

Your ISP tracking your every move is scarier than all of them after the ISP privacy bill passed.

At least Facebook and Google give you something for it and you can route around them if you desire. No routing around ISPs unless you use a VPN but even then they are blocking those.

Broadband/cable/telcos capture everything you do and can now sell that information and do[1]. That bill was the pre-cursor to removing net neutrality by taking privacy and policy from the FCC to the FTC.

Part of Jeff Flakes argument for getting rid of the privacy protections were so that ISPs can compete with Facebook and Google and sell your data/offer ads to you. Yet Facebook and Google at least built products you wanted that you willingly gave up privacy to use and at least got something for it [2][3].

ISPs you have to pay to use and they still take your data as if you are the product. ISPs could have built products people wanted to get that data but they instead bribed 'representatives' to get it via legislation with their local monopolies. Noone wanted this bill but ISPs.

[1] https://www.eff.org/deeplinks/2017/03/five-creepy-things-you...

[2] https://www.flake.senate.gov/public/index.cfm/2017/3/op-ed-f...

[3] https://www.flake.senate.gov/public/index.cfm/2017/3/flake-i...




Uh, Google and Mozilla and a handful of organizations are converting all web traffic to HTTPS through subtle manipulation of standards and user interface. They even proxy mobile traffic from their search engine. ISPs can't even see what IP you're visiting because it's all fronted by CloudFlare. Even your DNS is being hidden by an HTTPS tunnel in the browser.

Your ISP soon won't be able to see anything you do online. But Google will see it all.


Do you trust the EFF?

> The number one creepiest thing on our list of privacy-invasive practices comes courtesy of Verizon (and AT&T, which quickly killed a similar program after Verizon started getting blowback).

> Snooping through your traffic and inserting ads Which ISPs did it before? AT&T, Charter, CMA

> Hijacking your searches Which ISPs did it before? Charter, Cogent, DirecPC, Frontier, Wide Open West

All of these areas are going to be tried again by the ISPs with this law.

[1] https://www.eff.org/deeplinks/2017/03/five-creepy-things-you...


> Snooping through your traffic and inserting ads

Ok, so Google doesn't inject ads into your web traffic. But they inject ads into websites using AdSense, and into search results, and their products, and any technology linked to their ad platform (which is basically all technology related to the web). To increase ad revenue, they snoop on any personal data you store with Google. And they use their ads to collect more info about where you go on the web.

> Hijacking your searches

So, Google doesn't need to hijack your search, because they are most people's preferred search engine. But they do proxy your browser's connection when you click on a search result from a mobile browser (AMP). They're starting to do this with your e-mail, too. And they sometimes do this with your DNS records, so they know every site you load, period. I would call that connection hijacking, tracking, and snooping.

Re: the other points in that article, they already sell your data to marketers, all their software is already pre-installed on your phone/tablet/chromebook/desktop/laptop, and they definitely track you with cookies.

Google has a competitive advantage in that they have a walled-off platform where nobody else can make money off of you. The ISPs want a shot at making money off you, too. Since both are doing virtually the same thing, I don't see a big difference. Just the means by which they do them.

Google has been reshaping the entire internet and web just to maximize the way they can profit off my personal information. I don't see the ISPs doing that. What I'm curious about is, why is the EFF so upset about what ISPs do, but not upset about what Google does, when Google's actions are literally affecting an entire industry and most of the world, and not just its own customers?


> The ISPs want a shot at making money off you, too

- Do you want your ISP tracking you and selling your private data? Do you think that is the place of an ISP?

- Does it bother you you are PAYING your ISP and they are reselling your data as well?

- Do you trust Comcast and Verizon and like that you are paying them to sell your data when you just want to use them to get online and are ok with this?

I don't think anyone argues Google has power but they aren't your 'gateway' to the internet that you pay for privacy.

Your argument is basically that you think Google has overreach so you want ISPs to take that from them or also do that?

I am against Google Fiber ISP having access that ISPs just won with bribery over innovation/product offerings that people want.

If Facebook had an ISP I wouldn't want them doing it either via the ISP.

> What I'm curious about is, why is the EFF so upset about what ISPs do, but not upset about what Google does, when Google's actions are literally affecting an entire industry and most of the world, and not just its own customers?

Products built on top of the internet are way different than products that are the base of the network. You should not be tracked at the network/gateway level ever.

If ISPs 'want a shot at making money off you' then let them build a service such as a search engine, social network or maybe like Comcast is doing with Hulu. Don't give up your rights at the gateway of the web just because you have a grudge or bias against Google.

> Google has been reshaping the entire internet and web just to maximize the way they can profit off my personal information. I don't see the ISPs doing that.

Also your points about Google are rich considering you have a @gmail account in your HN profile. If they are so overpowering why do you use them and not your ISPs email system?

Since you have no issue with ISPs selling data that you are paying them to keep private, you would be fine with Google Fiber ISP also doing that? Careful what you wish for and freedoms you give up due to bias ...


Your basic complaint is that it isn't fair that you can't opt out of your ISP pilfering your traffic. But 1) you can use https-only services, 2) you can use a vpn, and 3) you can use a different ISP. You obviously have alternatives, so there's no reason I can see that your ISP being unfair.

I care a teeny bit about privacy, but I care a whole lot more about anticompetitive monopolistic practices. IMO, ISPs are absolutely guilty of those - but my point is, so is Google. I care when somebody changes the design of the entire web for their company's sole profit.

That's why I'm pointing out Google's practices, and how I think they're doing much worse things than ISPs. If you don't care about anticompetitive monopolistic practices, and only care about privacy, then I can see how you might not mind what Google is doing. But soon, Google will be doing to you what they're making impossible for the ISP to do.


Dodging questions like these to stay focused on Google only tells great amounts about bias.

- Do you want your ISP tracking you and selling your private data? Do you think that is the place of an ISP?

- Does it bother you you are PAYING your ISP and they are reselling your data as well?

- Do you trust Comcast and Verizon and like that you are paying them to sell your data when you just want to use them to get online and are ok with this?

- Since you have no issue with ISPs selling data that you are paying them to keep private, you would be fine with Google Fiber ISP also doing that?

I am against Google Fiber ISP having access that ISPs just won with bribery over innovation/product offerings that people want. This is about the level of privacy and access ISPs should have not about Google.

- The ISPs already charge too much and little of it is going towards innovations/network advancement, instead they want to be content creators and ad platforms instead of charging more to get to gigabit and beyond. ISPs need to get back to innovating on providing better/faster internet service, what they are are network providers.

- ISPs should not be involved in content/ads/selling private data as that leads to bias and throttling, we need to have a separation of power from ISPs, the network gateway to the internet, and content creators on top of the internet.

When is it a good idea to have content creators own the network outright? All that leads to is bias, preferential treatment and monopolies (furthering them).

We have made immense mistakes in 2017 allowing ISPs to sell your private data, remove privacy protections at the network level AND the removal of net neutrality.

Net neutrality makes the network provider neutral, simple as that. ISPs you pay to get access to the network which is a utility today and to keep your data private, not sell it.


Next from Comcast: You must install this privacy-busting add-on to "optimize your experience".


Or, more likely: a discount for installing it.


And an increased price hike to go with the “discount”


You don't think ISPs inject ads/tracking into requests after the page is rendered on subsequent requests and override ad networks? [1]

> For years, Comcast and other large telecommunication companies around the world have injected javascript into your web browsing experience to serve advertisements and account notices. Their ability to do this stems from their upstream position as your Internet Service Provider (ISP). While Comcast is only currently using their javascript injection ability to serve customer account related information, the same message sending vector could be used to serve phishing expeditions, or other types of attacks. Not to mention that whoever your ISP is has access to your browsing history, your search history, your entire internet history unless you use a VPN. Some, like AT&T, even brazenly sold parts of this information for advertising profit unless you explicitly paid them not to – a pay-for-privacy scheme.

Why do you think ISPs like Comcast lobbied so hard to bribe their way into the ad/tracking market instead of winning it on the market with products people want? Do you think they did that so that to waste profits? Or to gain them?

We pay ISPs for secure and private internet access, not to also sell off our private data.

Google and Facebook are ad/marketing companies, you expect tracking and they use your data and give you a free service in exchange.

ISPs we pay for internet access and privacy, noone expects ISPs to be selling your data or would call them ad networks, though that is what they want to be and are building with this privacy law change.

[1] https://www.privateinternetaccess.com/blog/2016/12/comcast-s...


Can they inject javascript even in an https connection ?


The link I provided [1] has coinmarketcap.com that is forced HTTPS but not sure if that was or not.

There's some discussion of known Comcast injection here: https://news.ycombinator.com/item?id=15890551

The response from Comcast was [2]:

> This is our web notification system, documented in RFC 6108 https://tools.ietf.org/html/rfc6108, which has been in place for many years now. It presents an overlay service message on non-TLS-based HTTP sessions. If you click the X box or otherwise acknowledge the notice it should immediately go away. If that is not the case let me know and we'll have a look at what may be happening. [2]

But ultimately no, however there may be some possibilities:

- ISP offered 'apps'. Get people to agree to an install of some monitoring app for some [insert random marketing benefit] from ISP. Maybe if you install the app you get more data cap space etc and they can monitor browser access. Further, install this in known apps or as add-ons on setup for other apps.

- ISP offered 'VPN client' that again, gives some cheaper monetary benefit like more data cap space or more speed 'free', strips out other advertising or tracking as a benefit.

- ISP offered 'email client' that does all of the above.

- Check for subsequent request after page loads to known ad networks and replace with their own in HTTPS

- ISP level proxy MITM, modem customization for 'fast lanes' that are actually slow lanes.

- DNS level data collection not to inject but to sell marketing profiles via metadata and correlate with other data from apps.

First one is the most probable but as of right now HTTPS injection is obviously hard to do if not impossible without some social or security hole.

Nobody in here would probably fall for these attempts but most would considering the outrage that they didn't know friend harvesting was happening on Facebook. If whatever they try lowers their monthly data caps or limits then majority of people will do it.

Since ISPs are your 'gateway' to the internet and you pay them, most people assume trust and privacy, most don't know they bribed their way into the tracking/ad business, many didn't know cable tv modems had mics either. With that assumption of trust since people are paying them, they'll more easily fall for any of the possible attack/tracking vectors listed and more probably.

With the ISP privacy protections removed [3], my guess is most ISPs, due to lack of competition, end up more like hotel wifi where tracking/injection is the norm [4] as it is completely legal now. With the removal of privacy protections and net neutrality, we have killed the pristine, non tracked, private gateways to the internet we cherish.

[1] https://www.privateinternetaccess.com/blog/2016/12/comcast-s...

[2] http://forums.xfinity.com/t5/Customer-Service/Are-you-aware/...

[3] https://www.flake.senate.gov/public/index.cfm/2017/3/flake-i...

[4] https://medium.com/@nicklum/my-hotel-wifi-injects-ads-does-y...


There's still SNI in TLS. Hopefully that changes in 1.3, but I don't know how prevalent that is yet.


Wait. Wait a minute.

I was planning literally this month to figure out how to implement domain traffic analytics on my LAN by using SNI via libpcap or similar (something tiny).

Will I have to configure a root cert and build a full DPI proxy to make this futureproof? >_<


It'll be coming, and yes you will. On the bright side, nobody else without a root cert on your box can do it.


Argh. But thanks for the honest headsup.

Time to go learn how to do DPI...


Well, you can use a browser that doesn't support SNI (IE8) or one that makes it configurable (I don't know if any do).

But a large amount of sites won't work without it. It's very common to run multiple sites on same ip/port. Not sure if it's technically possible to make that work without SNI or a similar technology.


On re-reading the grandparent I have to admit I missed the point.

Considering CloudFlare offers to do SSL on their end, it'd be technically viable to only tell CF which domain you want.


Even without SNI the ISP could just check the destination IP themselves to find out what domain resides there.


Considering almost all websites except for largest one are behind one CDN / load balancer or another this is no longer relevant.


They still see every DNS request.


Not if your browser sends it over HTTPS.

Mozilla implementing it: https://www.ghacks.net/2018/03/20/firefox-dns-over-https-and...

Google's: https://developers.google.com/speed/public-dns/docs/dns-over... Apparently Chrome uses this over QUIC, and Chrome's Data Saver also uses it

IETF charter: https://datatracker.ietf.org/wg/doh/about/

The unfortunate side-effect of preventing your OS from doing DNS queries is DNS-based ad blockers and privacy proxies no longer work.


DNS over HTTPS is great for the average Joe/Jane, but if you're technical and care about dns leaks ... I'd suggests a DNS over TLS (unbound) + filter setup.

This way your dns traffic is still encrypted, and you retain the capability to block/proxy.


> you retain the capability to block/proxy

Only if you are smart enough to know the browser has its own resolver, and that you need to turn it off first. We may not be able to turn it off in the future, meaning if you want to have privacy you have to run a privacy-specific browser.

This may end up breaking traffic as Google shifts more and more of the web into its proprietary products. For example, Google owns the .DEV gTLD, and makes .DEV domains "completely closed for the sole use of Google". It may at some point buy some other gTLD (such as ".BLOG", which it was outbid for) and decide that the only way for you to access websites with domains using that gTLD is to use Google's DNS API. It may sound crazy, but if they already shut out everyone in the entire world from having a .DEV domain, this doesn't seem much crazier to me.


Let's see where this gTLD thing goes. I can probably see an ICANN or EU intervention in case of a self-mandated requirement of this kind. But, as long as the market stay healthy, more competition can't be nothing than good.

After all, DOH is mainly a technical answer to hijacks (and monitoring). Some ASes seem to have a policy on that... Once it's ready, if it's enforced, you'll have a way to provide a custom resolver you control.


Can't the ISP still have reverse dns on whatever IPs you connect to?


I logged my own traffic for a while in order to have an insight about this.

It came out that in a world of reverse proxies, ddos protection and large tech conglomerates, reverse dns is not a big deal (depends on you behaviour too, smaller websites with a dedicated IP are easier to catch).

But traffic analysis may be a big deal, and the risk of this kind of exposure is not something you can evaluate by yourself. Mix networks are a mitigation.


I just searched for "privacy" and Google sent me to address: https://www.google.com/search?source=hp&q=privacy&oq=privacy

Note, that URL (and search term as GET parameter) is visible to your ISP.


URL paths are not visible over HTTPS. All they can get is the host name.


On https sites there's not a lot ISPs can track without breaking encryption. With shared IPs they may not even know the domain for certain (although as IPv6 takes off it will be easier to map IP to domain).


They can make a fair guess at which websites you're accessing. A lot of websites that are related to your particular interests aren't behind shared IP addresses these days.

Consider this: * Build a list of domains you're interested in. There's fun community build blocking lists that can help you, if you need it.

* Periodically resolve every domain. Odds are if you're an ISP your servers already have the records cached, but it isn't too hard to resolve them all.

* Dynamically adjust your routing to specifically re-route those IP addresses to your special infrastructure (or maybe null route it if you want to block access)

* Use your special infrastructure to build up whatever profile you want about the source IP address, which of course being an ISP you'll be able to link directly to a user. Your end user won't even know.

You'll know when they access sites, be able to build up patterns of websites they access, in which order, and spot variations in that pattern.

There's a lot you can infer from metadata without decrypting the traffic. Everything from which domains you access, ports used for the communication, what order, and what sort of size the payloads are. You could identify that someone has an email account they only access after visiting, say, the Ashley Madison website. By tracking the size of communication on that is being sent to figure out if someone is sending dick picks or some such, or if it's likely just plain text.



Wholly agree. Your whole life is reflected as in a mirror in the 'metadata' logs collected by ISPs. VPNs are essential.


They can track DNS lookups though. I use DNSCrypt to proxy all that traffic through elsewhere. But that just means I'm trusting some other third party to not log my DNS queries.


DNSCrypt -> private cloud instance DNS Crypt -> root name servers


I use dnscrypt also, figuring that even though that puts my browsing traffic in another persons hands, they can’t easily correlate it with my address, phone number, name, etc etc


Https requests still send the domain name unencrypted in the SNI extension of TLS [1]

[1] https://en.wikipedia.org/wiki/Server_Name_Indication


But your DNS request went through the same ISP; It's very likely that they'd know the domain for certain because you've just looked it up.


Very few ISPs can track you no matter where you physically go, as your mobile, home, and work ISPs are likely all different. And ISPs are regional, none carry the level of threat of Facebook or Google.

Of course, when states tried to reintroduce privacy protections... That covered ISPs and tech companies alike... Big tech stepped in and opposed. They weren't interested in protecting users, they just didn't want the competition.


> Very few ISPs can track you no matter where you physically go, as your mobile, home, and work ISPs are likely all different.

There's a lot of consolidation happening in that space. Verizon offers FiOS and phone service. Comcast is getting into the mobile game. That aside, any device by itself is enough to get a picture of the user using only tracing IP addresses (i.e. DNS lookups and outbound requests). They don't need to stitch together your mobile and home connections. It's enough to have two profiles on you when you're using each one.


Google also has Fiber and Fi, but in reality, I think the likelihood any given user has land and mobile access through the same company is relatively low, and you usually have the option to switch at least one of them.

AT&T is probably the biggest player in succeeding at being the ISP for you everywhere though.


I doubt it's _that_ uncommon in the UK -- most of the mobile providers offer home broadband services, often at a discount for mobile subscribers. Struggling to find specific/up-to-date numbers, but e.g. Vodafone have >300,000 home broadband customers (which is not an insignificant amount) and EE have around 900,000. I'd imagine a fair percentage of those are also mobile subscribers.

https://www.ispreview.co.uk/index.php/2018/02/vodafone-uk-ho...

https://www.choose.co.uk/guide/home-broadband-market-overvie...


> Very few ISPs can track you no matter where you physically go, as your mobile, home, and work ISPs are likely all different. And ISPs are regional, none carry the level of threat of Facebook or Google.

True, all tracking/privacy issues are bad but you can still route around Google/Facebook with simple things even such as hosts file loopbacks, browser extensions, using Firefox instead of Chrome and using different search/social networks.

Google and Facebook are blockable, ISPs can never be blocked.

Even with a VPN you are still going through an ISP gateway with that encrypted traffic and performing DNS lookups. This will lead to throttled bandwidth, can Google and Facebook throttle you down? Facebook/Google/etc have zero control over you if you want, ISPs always got your information.

ISPs can also track entire companies now, Facebook and Google do it by individual but ISPs capture everything, you always have to connect to an ISP.

The privacy overreach by ISPs is immense due to not being able to choose to be tracked, and they are lower on the service level as they are the base entry to the web.

ISPs are your entry/gateway to the internet and now track you and can sell your data, Facebook/Google ride on top of that. ISPs could also crush others tracking, replace ads in place of other networks which was in the bill, and will squash any small/medium advertising networks outright.

ISP tracking and privacy overreaches are definitely the biggest encroachment on internet freedom ever and much more of a problem than destination/apps built on it that you have to go to or can route around.

ISPs also bought/bribed their way into this monopoly reach, they did not earn it with providing products people desire, they have local monopolies with false competition that lessen the ability of people to change providers.


I think you'd be surprised how much more similar Google is to these things. They absolutely bought and bribes their way into their monopoly reach, by paying to be the default on everyone's browsers, having other software bake Google Toolbar into their install wizards (later replaced by Chrome), etc.

Also, given the HTTPS Everywhere push (mostly led by Google), usually only sites like Google and Facebook get to see your traffic, ISPs get cut out of most of the deal.

And for most people, Google or Facebook is, in fact, their gateway to the Internet: They get everywhere they go through one of these two captive environments.

Finally, telecoms are already subject to significant regulation, even with the recently repealed privacy rule, no, ISPs can't just go selling your search history, marketing by certain political groups to the contrary. (Whereas Google and Facebook both, effectively, can.) Meanwhile, tech companies have operated with little to no regulation at all, and unlike telecoms, which have a whole federal agency dedicated to regulating them, tech companies' reach isn't restrained by much outside of the FTC, which isn't even fully staffed, and definitely isn't doing their jobs.


Any big company has to lobby a bit but the ISPs only do that and do have local monopolies with false competition so you can't really choose another competitor in many places. ISPs haven't built any market products people want to use that they will willingly give up their data for.

Google and Facebook are ad networks that tracking is inherent because they are free and they make their money from ads.

ISPs are for internet access and privacy, you pay them so they don't sell your data. Now they want to be Google/Facebook without building a search engine or social network. They bought their monopoly with bribes so they could become ad networks/tracking networks. People have the expectation that their data isn't being sold by their ISP currently, but they are and it is fully legal now.

Google and Facebook aside, do you want your ISP tracking you and selling your private data?


Google and ISPs both have monopolies, but ISPs have local monopolies and Google has global monopolies. In 2017, Google wasn't just "a" lobbyist, they were "the biggest" lobbyist, dwarfing any ISP's.

When you say "Google and Facebook aside", it feels like you are literally missing the entire point... You have an elephant in your sinking boat, and you're worried about the weight of the dog.


We know that the companies are big and possibly seen as monopolies, the question was still unanswered though.

Do you want your ISP tracking you and selling your private data? Do you think that is the place of an ISP?

If you do like your ISP tracking and selling your private data, we'll have to agree to disagree. I think there is no place for ISPs to be evading privacy and selling your data. It isn't about competition.

I expect tracking from free services I am not paying for that my data is the product. I expect tracking from companies that make their money from ad/marketing to do that.

I do not expect tracking and privacy invasions from my ISP, my front door to the internet.

My ISP is also not a small dog, it is a massive media company and a monopoly in addition to my provider. At least with Google/Facebook you can use DuckDuckGo/bing/etc or other social networks and block Google/Facebook if desired.

I can't route around my ISP, there is no local competition and what competition there is amounts to false competition. From the FCCs own data, most people only have 1 or maybe 2 real competitive ISPs in their area and virtually no competition at 100Mbps, zero options for gigabit [1].

I can easily walk around Google and Facebook and block them, my ISP is a big big mean dog because I am paying for my privacy invasion, services that run on the internet are corgis and they are free but fun to play so they attracted people's data by providing something people want. They do both lobby but that is primarily because ISPs and others do so heavily and you must compete at that level or lose.

> FCC report finds almost no broadband competition at 100Mbps speeds [1]

> Even at 25Mbps, 43 percent of the US had zero ISPs or just one. [1]

[1] https://arstechnica.com/information-technology/2018/02/fcc-r...


It's funny that you link Jon Brodkin, because I was going to point out all of what gave you this erroneous impression was from a select handful of media properties which have incredibly close ties with Google...

You ignored that Google and Facebook are also the front door to the Internet, and that you cannot evade their privacy violations by just "not using them". You've also continued to not address that Google is a much larger monopoly than any company you're upset about. Adding all of the ISPs together would not even approach the scale of threat provided by Google, in money or reach.

You've seemed to decide that violating your privacy and security is okay for some companies and not others without really a reasonable distinction how. Especially given that Google and Facebook are both media companies (and ISPs), and so are Comcast and Verizon.


- Do you want your ISP tracking you and selling your private data? Do you think that is the place of an ISP?

- Does it bother you you are PAYING your ISP and they are reselling your data as well?

- Do you trust Comcast and Verizon and like that you are paying them to sell your data when you just want to use them to get online and are ok with this?

It is funny you keep evading those important questions and flipping back to Facebook/Google. Just want to get you on record on the ISP question. I have already stated all are powerful and there is an expectation of tracking from advertising companies like Google/Facebook, that was not possible until the ISP privacy bill that removed privacy protections.

Also that data from broadband numbers is DIRECTLY from the FCC report the FCC created, it is just summarized on ars, does the FCC have a Google bias?[1].

The fact that you supposedly know the guys bias and associate it with Google is probably a hint of bias on your side. Maybe you just like ISPs selling your private data while paying for the service.

> You've seemed to decide that violating your privacy and security is okay for some companies and not others without really a reasonable distinction how.

I believe I explained this clearly multiple times. ISPs are literally the definitely of a 'gateway' or doorway to the internet. Facebook/Google are built on top of it and yes you can route around them or block them easily with host loopback or at firewall/routers etc, there are competitors to those apps, not so much with network gateways/ISPs [1]. Is the EFF also in Google's bias? [2]

You've seemed to decide that violating your privacy and security is okay for ISPs who previously were not able to but lobbied to have those privacy protections removed without answering whether you think that they should.

I don't believe any ISP should have access to your private data nor sell it, especially because you are paying for it. I say the same for Google Fiber and and Facebook ISP overseas if they have them. ISPs SHOULD NOT be accessing private data and selling it, they are the gateway to the internet and that is TOO MUCH POWER. If ISPs want advertising networks or tracking, build a search engine or a social network or like Comcast has in Hulu, or buy one. Only track on a destination site that I can CHOOSE NOT to use that doesn't double as my entry to the web, that has way more monopolistic tendencies in terms of control of your data.

[1] https://transition.fcc.gov/Daily_Releases/Daily_Business/201...

[2] https://www.eff.org/deeplinks/2017/03/five-creepy-things-you...


But the ISP does not follow me from device to device, doesn't (for home providers, anyway) correlate me with location info, and generally knows far less about me.

I'd rather Comcast didn't touch my data, but no, in the end I would trust them with it far more than I would trust Google or Facebook.


> Yet Facebook and Google at least built products you wanted that you willingly gave up privacy to use and at least got something for it

I never agreed to FB collecting data on me. I have no account with them. I do not use their services. Yet here we are.


You can easily block Facebook and Google via host loopback or blocking their scripts.

I have never seen so many pro ISP tracking/privacy people on HN.


That post seems anti-Facebook and Google, not pro-ISP.


I mentioned how you can block Facebook and Google.

The pro-ISP part was more about the thread and that ISPs are paid for internet access for privacy, without an expectation of tracking.

Google and Facebook are free and have an expectation of tracking because they make their money from ads/tracking.


I suppose I can ask all my contacts to remove my details from their address books on their phones. Do not email me from gmail, Tag me should they ever take pictures of me. But that is all besides the point. We _should_ not have to jump through hoops to keep them from spying on me. Besides, _most_ people do not even know how clear the browser cache, let alone running scripts or modify their host files with every changing DNS entries.


I've been forwarding all outgoing connections on port 80 (and a selection of other commonly-unencrypted ports) through a VPN (in the router) for a while now - but leaving all other ports (including most importantly 443) connecting directly.

It feels like a good compromise between privacy and speed.


If you’ve got a VPN, why not everything?

You’re currently leaking a ton of data via DNS and HTTP certs, aren’t you?

You are indeed protected against active content injection, but that’s rarely the problem with a for-pay ISP


> If you’ve got a VPN, why not everything?

Latency through the VPN is worse. It's not super-worse, but it is worse.

> You’re currently leaking a ton of data via DNS and HTTP certs, aren’t you?

I'm putting DNS through the VPN as well, so no.

But HTTPS certs - yes I am. It's a compromise.

> You are indeed protected against active content injection, but that’s rarely the problem with a for-pay ISP

This is literally one of the specific problems I was trying to avoid. My ISP is Comcast (the only choice where I live) and they routinely practice HTTP injection: https://gist.github.com/ryankearney/4146814

It's not just injection, though. With plain HTTP Comcast gets to see the contents of every page I visit, if they want to. And I do not want them to.


What router are you using? I would like to do this for my parents but I don't want a full blown pfsense box as a requirement.


Could you use PiHole and OpenVPN to accomplish what you want at your parents'place? https://www.reddit.com/r/pihole/comments/48zp16/pihole_and_v...


I built this setup a little while back and am very happy with the results. It took only a few hours on a Saturday and most of it was playing with settings for fun.


...I have bad news. :)

It's a PC Engines APU2 running pfSense.


Dang, I suspected it from the description of what you were doing because pfsense is so awesome for that kind of stuff.

Just thinking from the perspective of remote support, I can't really walk my folks through a pfsense setup over the phone if there is a hardware failure... :/


Asus Merlin is nice.


I love Merlin, too. The best deal for budget users is to get the AC1900 but as the T-Mobile version. It can be found for about $60 and and you'll need a few hours to flash the Merlin software over the TMobile firmware.

Best router I've ever had, and I run it with a PiHole on a Pi 3.


Has anybody actually seen an ISP tracking user behavior? I've worked for a few 1998-2005 and never witnessed it.. however I wouldn't be surprised if they had transformed in the years since. Just curious if anyone has ever leaked info about such a program.



Ads yes, but tracking?


Ad networks are tracking by design including ISP injected ones.


Sorry to sidetrack here -- but any good recommendations for paid VPNs?


Pay for a digital ocean/aws/whatever minimally sized instance and run algo: https://github.com/trailofbits/algo


Why would you trust a VPN provider more than your ISP?


To be honest all a VPN does is add another layer of protection. It's not that secure because they can be subpoenaed or NSL'ed into giving data over, which is why a VPN's log policy is important to pay attention to. So in reality, you are mostly just trying to not reveal traffic to your ISP which the various LEA's can get access to far too easily (read: without a warrant).

For those really serious about privacy that's why I think actually owning a colo space where you own and control the hardware can be a preferable solution. For those who don't like that try setting up your own VPN on a VPS, etc.

One of the key things most people miss is DNS. I personally also suggest running your own DNS server, even if just a local dnsmasq that's outgoing to opendns or internic or something.

One more thing most people don't think about is attackers pivoting from other compromised devices on the internal network. If you think that Amazon/Apple/Microsoft etc device isn't sending checks out on the local network and then reporting back stuff like internal IP topology and MAC addresses you got another thing comin. Check your iptables or nftables (bpf?) and block internal hosts you know don't need access.


Why use paid privacy-by-policy systems when you can use free privacy-by-design systems like Tor and i2p?


Latency and throughput


> Latency and throughput

It's not as bad as you're making it seem.


This is a choice you don't make to get. Each one might take different choices on the latency-throughput/privacy trade-off.

Given the current usage, I would say that most people value the latency and throughput a lot.


I'm in UK where the law requires all ISPs to store everyone's browsing history for a year - I browse the web exclusively over VPN and yes, I trust my VPN provider 100x more than I trust the British Government.


Your ISP is a near-monopoly with vast wealth and political connections, and no trust to lose. A VPN is used by a much smaller group of people who will ditch them en masse if any hanky panky comes to light. There is a ton of competition in the VPN space, and they’re mostly selling the same product, so if they lose trust, they’re done.

TL;DR Very different incentives


> Your ISP is a near-monopoly with vast wealth and political connections

That's not true for many parts of the world, especially Central/Eastern Europe.

$ whois AS204880


I can run a Streisand server for about $3-4 / month on a EC2 / Azure instance. I take it offline when I don't use it and can get even cheaper.


Private Internet Access is a common one but there are many. Torrent Freak always has the latest and any encroachments as torrent users are usually the most adamant about privacy.

https://torrentfreak.com/vpn-services-keep-anonymous-2018/


Personally I've settled on ExpressVPN, largely because about 50% of their endpoints work with Netflix. They are also very popular, meaning more protection of anonymity, and I have never seen any evidence to counter their claim that they don't keep logs.

As a bonus their software works very well, better than most generic VPN clients.

I previously was using my own private VPN servers set up with Streisand, but those provide no anonymity, only masking of the endpoint.


> they are blocking those

Do any American ISPs routinely Blick VPNs?


Not outright but they definitely mess with VPNs. Before net neutrality Cox for instance blocked VPNs quite a bit [1], they are holding off for now, but with net neutrality gone expect it to return. Now that they have to inspect traffic for slow lanes, they'll just put VPNs throttled down at a minimum.

> 2003—Cox and Comcast block VPNs: Back in the early internet, both Comcast and Cox Communications placed bans on Virtual Private Networks (VPNs). This was before VPNs became as ubiquitous as they are now. Back then, the only people who really used VPNs were doing so to access a work computer remotely. Which made Cox and Comcast’s choices to block them even weirder.

[1] https://lifehacker.com/what-happens-when-broadband-companies...


Thanks for bringing this up. ISPs are huge dick-heads, and they track the shit out of their users, including censoring some content themselves.

What are some ways to prevent all the tracking? I get HTTPS makes things better in terms of confidentiality, but it does nothing to prevent the ISPs from scraping the URLs, which exposes scary amount of information, too.


Thanks for reminding me about this. I'm seriously thinking about getting a VPN subscription again.


Be very weary- seems many (most? all?) are not the most trustworthy. Look into rolling your own setup.


Behind an untrustworthy ISP to boot? Might want to consider a hosting company that has servers around the world at that point... One in the USA for initial contact and one in the other side of the world for browsing maybe? Or what everyone else will see as your IP.


Why use paid privacy-by-policy systems (VPN) when you can use free privacy-by-design systems like Tor and i2p? In fact, even if you use a VPN browser fingerprinting is still an issue unless you use something like the Tor Browser.


two reasons: speed and security. Speed is self explanatory, security may not be obvious. I don’t believe Firefox to be on par with Chrome. It was years behind getting a sandbox, and doesn’t appear to have the engineering or QA focus on security that Edge/Chrome do.


> I don’t believe Firefox to be on par with Chrome.

You need to know that the Tor Browser disables a lot of stuff that Firefox has to lower the attack surface, and you can lock it down further using the Security Settings in the Torbutton.

Also you should look into a Whonix+Qubes OS setup, just because there's a sandbox doesn't mean you can't get hacked.

For speed: It's not really that bad for general browsing.


If we’re talking about privacy of tor vs VPN, I want my entire network protected at the gateway, so not sure how the tor network keeps up with streaming video etc?

I wasn’t aware of the attack surface reduction, I’ll take a look at that, thanks for the recommendation.

My ground truth for this is usually to ask full-time exploit dev friends which is a harder target, although that’s probably flawed in that if you’re targeted by someone determined it probably doesn’t matter the cost.


> I want my entire network protected at the gateway, so not sure how the tor network keeps up with streaming video etc?

With Qubes you can have a Whonix-ws VM have all its traffic go through Tor, and have another VM with all its traffic through some VPN to use with streaming.


What about my TV, my phone, my iPad? The way I see it the only workable solution to privacy against my ISP is to do it all at the gateway. And in that instance, I need ~50mbit which tor can’t provide.


> What about my TV, my phone, my iPad?

For iOS there's Onion Browser by Mike Tigas, but it's definitely NOT as privacy resistant as a Tor Browser. For Android there's Orfox and official Tor Browser builds for Android are coming this year.


In Germany a friend asked the ISP's "data protection commissioner" (Datenschutzbeauftragter;) if he could regularly get a new IP address for privacy reasons. He did received answer saying: "this will not help you"


Sure, except your ISP probably doesn't have 1 to 2 billion users.


No. Which company is more powerful with your information? That little ISP who has no real use of it, or Google, the most powerful ad agency with ties to American agencies in the world?

You may be able to bypass Google but almost everybody else won't.

It's time to open your eyes for what they are.


> That little ISP who has no real use of it

Those little ISPs like Comcast, Verizon, Cox, AT&T etc. I can't imagine those small companies would want your data or want to use it after bribing politicians to get the right to do it.

Everyone knows Google tracks you, same with Facebook. They offer a service and people understand that. You aren't paying you are the product.

You are paying your ISP for access to the internet and privacy, or at least that used to be a selling point. You are paying AND you are the product and they have competitive services they want you to use so they'll mess with competitors. Your entry to the internet should be objective and independent, what you use on top of that is up to you. You can still route around Google and Facebook, you simply cannot route around your ISP.


>They offer a service and people understand that.

No they don't. Maybe in a superficial sense, but the vast majority of the public doesn't have any clue how data can be combined and mined to reveal far more than they thought they were bargaining for.

Otherwise there would be no sudden Facebook scandal.


The scandal is that third party companies like Cambridge Analytica harvested the whole social graph and used it to manipulate people.

People know that Google and Facebook track as they are ultimately ad companies, and if you get a free service people know that your data is the product.

We pay for ISPs to protect privacy, not sell it off, that is the big difference.

Many people have seen Facebook tracking from the marketing/business or even small group/page side with their analytics and Facebook is known for their ads and sponsored content. Facebook is a marketing platform, everyone knows they use your data. ISPs are what you use to get online, not known as marketing companies that have ad networks, though they want to be.


I'd like to expand this because I don't see it written much, and please correct me if I misunderstand:

The scandal is that FB sold or allowed the ability for third party companies like Cambridge Analytica to harvest the whole social graph and FB sold or allowed the ability for them to use that same data on FB to target and manipulate people.


It is nuanced a bit so some background: Cambridge Analytica did violate Facebook terms of service as that wasn't truly allowed to pull down the whole social graph, but the protections against pulling friend data without their knowledge in the Facebook OpenGraph APIs weren't truly in until v2 around 2013-2014.

I know this because we used to do lots of Facebook apps/games and back then, once someone gave you access to their information, you could get all their friends and all their information and recursively pull down most of the social graph for public information. Most games were just using it for friend names, if they played the games, invites and competing with friends but there were bad apple apps out there harvesting it all down. The facebook app revolution was partly due to the data element and was open for many years.

It always surprised me how much data could be pulled, it is part of the reason Zynga was so effective as well and attracted some oligarch money. Part of the reason Facebook started locking it down is game/apps were getting more adept at pulling all data and Facebook was scared someone would become a social graph competitor, so they locked it down mainly for their own needs not really privacy.

Who knows if Cambridge Analytica had extra access beyond that to get to profiles that weren't public, but most profiles were public by default back then and people only put information online that they wanted to share publicly without as much expectation of privacy. Over time people for some reason started to trust that Facebook was protecting their data but still had the friend permissions access hole.

Back in the late 90s and early 00s people were very against sharing any real info on the web with sites previous to and like Facebook, it slowly changed as the appearance of privacy was added but truly it was still wide open if even one of your friends gave access to the app until Facebook v2 OpenGraph. With the OpenGraph v2 friend lockdown changes, you could only get a friend ref id only available to your one app that wasn't their actual facebook id and was different per app, and you could send them an invite but not pull their data until they agreed which it should have been all along.

After that change it was an era of tons of invites on Facebook and companies like Zynga threatened to leave and did try to build their own, it also shut down many Facebook game companies that could no longer get the numbers, many moved to mobile that was still wide open. Zynga was given special privileges by Facebook for a while due to this where others didn't have that access, others may have also had those special privileges. Facebook transition to mobile took a long time and some people even thought Facebook wouldn't be able to make the leap. At that time, the app/game companies on Facebook considered it Facebook killing the viral nature of some of those apps/games which was ultimately good. It was a huge mistake for Facebook not to separate app/gaming from your personal info and friends but that was the product then, they should have allowed people to setup app/gaming profiles that other app/gamer users could friend each other and not pollute your main friends list and pull all your social graph data. Games were a bit of a trojan into your social graph due to the setup back then.

It is possible that Cambridge Analytica had other access to non public data but as I mentioned, most data was public by default then and in a way CA was late to the game, many companies probably had people internally that could pull it down and possibly even from data centers, Facebook eventually built their own data centers. Then there is the whole side where the NSA had any access they wanted or needed as well to both public and private data, who knows if that was exploited or not. Cambridge Analytica used their data for nefarious purposes against the ToS of Facebook but that was bound to happen because it was the move fast days and security was an afterthought. In theory you could still have a network of apps that combine to get people to give you access to their data and friends approve it as well but most of that has moved to mobile rather than facebook apps as that is easier on mobile now and people moved there including Facebook themselves.

Really this whole adventure was spurred by the Web 2.0 era that people were being social and sharing more online and it was democracy online, more public, previous to that it was very limited. Web 2.0 launched this site, reddit, Facebook, Google social products, comment systems etc. So I think there was a temporary time where it was the Wild West of data mining and people sharing more than they should with the expectation of privacy because Facebook was a walled garden and people thought it made their data safer. Turns out that was not the case if they didn't specifically mark it private.

Many of these issues still affect mobile but that is getting better, however the Facebook apps probably pull more from mobile to build the social graph than they ever could on the web including calls, audio and other things that mobile allows you to do as it is native and not sandboxed like the web. Sandboxing via web browsers was huge back in the day because people were so worried about their private data and hacking, that went away for a while, Web 2.0 happened, mobile happened, data was misused, now it will tighten to more private/permissions again and has been for the last few years. Ultimately people knowing that data you put online or when you use apps isn't private is probably a good thing as the good that will come of all this. We might get to a right to your own data Bill of Rights amendment or similar one day.

Ultimately Facebook was not necessarily nefarious in this, companies like Cambridge Analytica that exploited Web 2.0/mobile and social networks to use that data against you, rather than just serve up ads, is where things went too far and thus the backlash. Facebook since v2 OpenGraph has been privacy/security conscious both for them to protect the social graph data and to create trust in users.

Now ISPs are getting in the game with removing privacy protections with their new law and they don't care about consumer trust as much, that is the scary one.


Wow! Clearly nuanced, this is a fantastic answer, I did not expect a worthwhile reply, let alone such a great synopsis. Thank you for typing it out. This quality dialogue is why I, and so many others frequent this forum! It's definately not an either or situation, and I hate how our regulators have, for about a half century now, sold out to the ISP/Telco mafia, which enables their continually shitty operations and service while holding on to their anti-competitive market positions. AT&T figured out quite long ago that excelling at cronyism was their most effective long-term business model. I am worried the tech giants will embrace regulation and skate the same path.

https://www.fastcompany.com/40520529/big-tech-lobbying-spree...


Not entirely true, you can use a vpn, but then you're placing trust in a vpn provider.


Why use paid privacy-by-policy systems when you can use free privacy-by-design systems like Tor and i2p?


Because they're slow as shit, difficult to configure correctly, and make you more conspicuous to most three-letter agencies.


> Because they're slow as shit,

Tor isn't that bad actually for browsing, while i2p needs more love regarding speed.

> difficult to configure correctly,

For Tor: You just download the Tor Browser. Already pre-configured.

> and make you more conspicuous to most three-letter agencies.

Good argument for actually using them.


> You just download the Tor Browser. Already pre-configured.

Isn't Tor Browser fairly bad due to it being a target? I'm not sure if that changed recently, but I recall seeing lots of "don't use the Tor Browser bundle".

Tor also relies on exit nodes to exist, yet it's considered very dangerous to run one.


> Isn't Tor Browser fairly bad due to it being a target? I'm not sure if that changed recently, but I recall seeing lots of "don't use the Tor Browser bundle"

Just FUD.

> Tor also relies on exit nodes to exist, yet it's considered very dangerous to run one.

It's dangerous in some places to run an exit, not everywhere.


> No. Which company is more powerful with your information? That little ISP who has no real use of it, or Google, the most powerful ad agency with ties to American agencies in the world?

Not to be rude, but you clearly don't work in advertising or know much about it.

The major ISPs already create profiles on users & sell them to agencies & the like for physiographic profiles.

This is why Verizon's "Super-Cookie" -- not really a cookie, but a forced modification of all HTTP headers by the ISP to enable universal tracking of their users -- was all about.

https://www.theverge.com/2016/3/7/11173010/verizon-supercook...


“That little ISP who has no real use of it”

I would say “that giant ISP corporation who had enough power to lobby the government into changing laws so they can get access to your browsing history to sell”

Which is a little more worrying


ISPs collecting data means ISPs selling data to corporations like Google, so the concern is still the same.


ISPs can sell it to Google, no?




Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact

Search: