Given enough opposition, Verizon, Comcast, etc, could strongly embrace personal data privacy and still continue as companies. Yes, they'd lose a business opportunity, but they still make a lot of money selling you internet access and that wouldn't go away. The same is not really true of companies like Google or Facebook. Collecting and making money off your personal data is the foundation of their business. Strongly protecting your privacy would require them to change their entire way of making money.
I think you could argue either way whether Google or Verizon has more ability to spy on you, but Google absolutely has a stronger business motivation to collect your data than Verizon does.
For Facebook maybe, but Google was a large and successful business before its 'personalized' targeting was really that advanced. AdWords ran for a full four years without any kind of search personalization, and up until 2012, it was possible to turn off search personalization entirely. Google made $37bn in 2011.  Google Display Network, the area of Google's business that would most obviously be disrupted by a move toward strong user privacy, only makes a fraction of that still. 
While I completely agree that Facebook would struggle without behavioral targeting, being able to buy ads on a PPC basis for users with 'intent' will always be a valuable product for advertisers, regardless of targeting.
But as a company it never really needed to do those. Heck, Google doesn't even need to be in the self-driving business.
I think it's a failure of competition and anti-trust laws that companies are allowed to grow this big to get their fingers into all the pies out there. The only reason they even go into all of these different industries is because they've made so much money they don't know what to do with it.
Sooner or later we're going to have to deal with this rampant increase in monopolies and we'll have to take some drastic measures to do it. We may even have to break-up companies such as Google, Amazon, Facebook, Walmart, Comcast, Disney, Goldman Sachs, and others, because they were never supposed to turn into such large conglomerates. The fact that they did was a failure of competition laws to stop them from growing this big in the first place.
Comcast, AT&T, and Verizon are now allowed to spy on you, then buy media and ad companies, and then use that data to manipulate you for political purposes so you end-up voting for the candidates that will help them further consolidate their power. We should have put a stop to that along the way.
Per Thiel's "theory" (as seen in Zero to One) most of Google's "failures" are a cover for their search monopoly.
You can also be targeted with ads based on emails you receive in Gmail - it was possible to target down to keywords in emails, but that was discontinued. Now, the emails you receive, domains your getting them from etc. influence signals, that puts you into an 'audience' that can be used for targeting across the Google network.
Without the ability to do targeting, or personalization, as Google calls it, their business will fall apart. Everything they do is geared to collecting more information about users to improve "personalization" - from Google Assistant, to Google Home . It's so advanced that your experience (results) on their platfrom, especially within Search -- will be unique to you.
Google will fight alongside AT&T, Comcast, etc to protect their business model, in-fact Google is trying to reach their ranks with the 5G war 
 https://www.bloomberg.com/news/articles/2018-03-29/google-le... - (search for: Spectrum Access System )
There is potential here for new business model for privacy based ISPs (ex: think duckduckgo for ISP) where customers pay a premium for such an offering.
Mind you many of them have no idea, but as their goto I could make a smart recommendation and they would likely follow.
Oh! And package it with a better than average 2FA. Maybe a Yubikey or similar.
More or less sec in a box. Perhaps not 100% complete and bulletproof but better than the current situation.
But from what I've heard practically anywhere in Europe, and definitely in Japan.
as an american living in a major city, this exceeds my wildest dreams of internet service.
It's one of the negative consequences of mainstream media / political free market rhetoric considering regulation harmful.
Well regulation can be harmful if it protects the incumbents and prevents the introduction of new players. Lobbyists are usually pushing for more regulation, not the opposite.
It's not about regulation or not regulation, it's about what kind of regulation makes sense for a free market.
A surprising number of sites (and/or assets, images, etc) still don't use TLS, and so for those it's also possible for an ISP to understand what the user was reading/accessing.
Even for sites which do support TLS, if the ISP hypothetically had a partnership with a single data broker / advertiser which was also on the page, it's likely not hard to have a pretty precise idea of their interests/viewing.
You're right that Google and Facebook will continue to have very narrow and precise information about people's daily lives; it's simultaneously true that ISPs will continue to have broad & ongoing profiling information across any touchpoints as people use the internet.
I think if the article was written in the spirit of "watch out for the ISPs too" instead of "the ISPs are so much worse" I would have been more onboard.
I think it's a bit apples and oranges: all my traffic with low resolution or just my social traffic in high resolution. I don't clearly see one being far more dangerous/valuable than the other.
Bank vault analogues for private data do exist: iCloud, Dropbox, Crashplan, etc. If “your data” needs to leave your physical possession, that’s the sort of service it should go to.
Dropbox: Dropbox has the keys :(
Crashplan: I have the keys :)
Do you really? They offer a web interface with access to your data. Do you enter the encryption keys when you access the web interface, or do you enter a username and password which then provides access to the encryption keys?
In that situation, who really has the keys?
It's easily blockable for people who care, but still many don't, and for those people it makes all the pretty transport encrytpion a sham.
We, the ones that they'll have to spend undue effort to sniff out a profile about, are not targets to them. We are much too resistant to it that we have gone all through the effort of setting up a private VPN with good encryption.
* On NordVPN through US servers you can't access Amazon (!) Although through Canadian servers you are ok.
* Costco, Apple store, Business Insider, YouTube, google, netflex, dell, consumer reports, ebay - either don't work, or are a pain to make work
* On PureVPN you can't send email - until you have your domain whitelisted
* On PureVPN it's a crap shoot if you get a connection
More detail on experiences with PureVPN and NordVPN are here..
You're right that VPN usage is technically a minority , but it is well beyond fringe usage.
1- I did not audit the script myself, and they may have injected various malware to the VPN server it spun up during the setup. I am not concerned enough to not trust them, but I could just read the script thoroughly to eliminate the necessity for trust.
2- DigitalOcean has the access to hardware, so it might be doing whatever while I am not looking, and I just never look. Similarly, I could monitor the activity on the server to assume some control.
I chose DO for being the cheapest ($5/month).
The only company I know of that puts everything in public so to speak is google.
So VPN traffic is very common.
Most hotspot providers are probably tracking your physical locations by MAC address, which can be linked with other data. It looks like Peet's recently started doing that as well.
I used a fake address yesterday without issue.
- ISP offered 'apps'. Get people to agree to an install of some monitoring app for some [insert random marketing benefit] from ISP. Maybe if you install the app you get more data cap space etc and they can monitor browser access. Further, install this in known apps or as add-ons on setup for other apps.
- ISP offered 'VPN client' that again, gives some cheaper monetary benefit like more data cap space or more speed 'free', strips out other advertising or tracking as a benefit.
- ISP offered 'email client' that does all of the above.
- Check for subsequent request after page loads to known ad networks and replace with their own in HTTPS
- ISPs like you said may start throttling encrypted content down, or charging extra to allow it.
- ISP level proxy MITM, modem customization for 'fast lanes' that are actually slow lanes.
- DNS level data collection not to inject but to sell marketing profiles via metadata and correlate with other data from apps.
Since ISPs are your 'gateway' to the internet and you pay them, most people assume trust and privacy, most don't know they bribed their way into the tracking/ad business, many didn't know cable tv modems had mics either. With that assumption of trust since people are paying them, they'll more easily fall for any of the possible attack/tracking vectors listed and more probably.
With the ISP privacy protections removed , my guess is most ISPs, due to lack of competition, end up more like hotel wifi where tracking/injection is the norm  as it is completely legal now. With the removal of privacy protections and net neutrality, we have killed the pristine, non tracked, private gateways to the internet we cherish.
Your other points about how they can (ab)use their position as the gateway to chip away the effect of encryption by laying various roadblocks (I guess the proverbial "stick" in the "carrot/stick" trope) seems like it could have some teeth if the ISPs really doubled down on this strategy. I expect they will have to overcome significant controversy in order to be successful on a mass scale (but we'll see I guess).
Encryption has gotten much easier and more widespread in recent years, and is growing. If the ISPs had really focused on attacking it a few years ago, they could've nipped their surveillance competition in the bud, but now it's a harder problem for them to deal with. Not 100% insurmountable, as parent explained.
When you only have a handful of large ISPs where AT&T has been known to split your data to share with the NSA and authorities, that is dangerous thinking .
> Room 641A is a telecommunication interception facility operated by AT&T for the U.S. National Security Agency that commenced operations in 2003 and was exposed in 2006
That was over a decade ago, I am sure by now they have privilege to lots of that data and technology.
There was a #deletefacebook movement which proves that you can get rid of Facebook and people use it by choice. There cannot be a #deleteISP movement as that is the 'trusted' network gateway you can't route around.
All it takes is scaring people who use ISPs to allow in more monitoring 'for your safety' or 'more data cap space' or 'faster internet' or 'lower costs', they can legally sell that data now so there is an incentive to do these things. There is a reason they lobbied for this right and removal of net neutrality, it wasn't to play nice.
Hotel wifi like ISPs here we come.
Is it _your_ data, or is it _their_ data? I'm asking in both the literal (based on terms of service, etc) and the more abstract way? Obviously, for the latter, it is a combination. I wish the narrative was discussed with that in mind. Most of what I tend to see is a widespread assumption that the user owns the data, and has given companies like Facebook very limited powers, and that somehow Facebook is breaking that trust. That narrative is, IMO, rubbish. We gave them very broad powers, and the users should accept the consequences.
>However, Google/Facebook break all the security layers because we explicitly _trust_ them with all our data.
If we explicitly _trust_ them, then are they _breaking_ anything? It just seems silly when we explicitly say (as many of my friends have said in the past) "I don't care what Facebook does with my information" and then we talk about it as if they are doing something wrong (using words like "break").
When I give my bank all my money with the understanding that they can hold it, as well as lend it, we don't refer to it as "breaking" anything.
For example, are $US_ISP and F-Secure in the same bucket in practice?
They are worse because you are forced to use an ISP if you wish to access the internet.
Nobody informed who cares about their privacy ever entrusted Google or Facebook with any personal information.
Google and Facebook have detailed social graph and search query, but your ISP could piece together a lot of that information by tracking your DNS queries, unencrypted HTTP traffic, email if you use their mail servers, and offline information.
Also, Facebook and Google can both determine your home address by where your phone (and it's location tracking) idles for several hours a day.
Google buys access to credit card providers so they can link the ads displayed to you with purchases you make, to report how effective the ads are to the advertisers.
Which will include everything interesting about your identity. It literally is equivalent to using a debit or credit card
There's no 3rd party payment processor involved that could collect a bunch of my activity and then sell it to someone. With wire transfers, they'd have to go to everybody who I'm paying and ask for the data. Which is much less likely.
The others can follow you everywhere. They know where you live. They know who you phone. They know who phones you.
It's even. Death by drowning, or death by car crash is still death.
The fact that Uncle Sam isn't concerned about the intrusions tells us whose side he's on.
Liking a comment has to be tough to surmise "intent."
p.s. fwiw I'm getting to the point where I'm going to like and follow things just to leave a false trail. Can't hurt.
The fact that typically my FB feed is so shite only tells me they have a long way to go before they analyze the signals I provide them.
But there are borwser extensions to block that, yes?
Note: That's not a tit for tat counter attack but a question. Tia
The web requests your browser sends to ad networks (or other colluding web properties) from vpn exit addresses, when analyzed as an aggregate, can be identified based on their time/length signatures. These would be correlated by the isp with traffic between vpn termination addresses and customer addresses. ISP can resolve a customer address to person.
Advertisers could add unique timing and size features to make this easier.
Outside of the telecom industry itself there was quite a bit of resistance to this sort of thing, and we had to go before the US Congress to explain what we were up to. Profiling for the sake of profiling was not smooth sailing, but if it was for the purpose of "security" then it was more or less a free pass. The forcus of our DPI technology turned to the task of network-based threat detection as its primary raison d'être, with customer profiling being an opt-in service by which users could obtain the security service in exchange for targeted ads.
In the years since, I don't expect that Telecom's desire to be much more than a "dumb pipe" has diminished in the least. They view the traffic they carry on their networks to be their property, in a way. They feel entitled to inspect it, throttle it, slice and dice it any conceivable way they can to maximise their profits. Its one of the reasons I quit.
Imagine the US postal service steaming open every letter and opening every package that went through their system, so they could plug your mailbox with targeted special offers or increase the delivery fees for certain things. Its all similar BS with ISPs, but it's all techie stuff and heavily lobbied so the public gets bamboozled.
You raise a really good point about wide-spread encryption being an impediment to ISP profiling. But there is a LOT you can surmise from user traffic even if you don't know the exact content of the encrypted payloads. Just analyzing IP addresses and times can reveal a ton of information about a person. My first patent [US20100161795] was in fact a NAT session detection and tracking technique to identify and track individual users within a household through TCP/IP analysis. Using this technique someone could get a pretty clear picture of how many people were in a household, their ages, genders, interests and patterns of activity, even without delving into the http payload of the packets. We didn't, but this kind of thing is most definitely possible, and I wouldn't trust other shady entities not to do it.
Encryption doesn't matter.
Automated deep packet and encrypted packet inspection is burgeoning with advances that put the single-actor work-arounds to shame.
1). Your ISP knows your traffic is encrypted. It knows what cipher and protocol you're using, and its routing is not protocol-agnostic.
2). Your ISP knows beyond "mostly confident" the type of files your packets contain. If you don't keep your connection open and use any of the public encryption methods, your ISP will know exactly what you've downloaded to a reasonable degree.
3). HTTPS is only as good as all the different pieces combined (browser, root CA, server, site, client). And if one of those goes bad, it's worthless.
4). If you use encryption heavily, you're already flagged.
5). If you don't use your ISP's CDN, you're already flagged.
6). If you connect to any other site besides Google, YouTube, Reddit, Twitter, Facebook, Wikipedia, or Instagram your aggregate data will be quickly analyzed and compared with a threat table, and appropriately flagged.
7). Traffic analysis is trivial when you're the one routing the traffic.
Google is Dunning Kruger evil. ISPs are "pick up that can" evil. The lack of serious developments in HTTPS are "see no evil" stupid. The thought that HTTPS is anything but a red hearing is "Ivan the Fool" stupid.
Huh? What are you
>If you use encryption heavily, you're already flagged.
>If you don't use your ISP's CDN, you're already flagged.
What types of encryption? Since when did ISPs make users use a CDN? Again, I don’t get what you’re saying.
Sources and more information would be greatly appreciated.
They can certainly tell whether you're using streaming video with this type of analysis.
If people start using VPNs en masse, ISPs and/or other interested actors will develop this technology, if they have not already. (I would guess it already has been, albeit perhaps not widely deployed.)
If the ISP is the same as the ad network, or a data broker with one (and some are, see: Verizon Wireless), they can then link your IP address to a cookie-based profile. (Yes, there are counter-measures there, like disabling third-party cookies. And there are countermeasures to that, like browser fingerprinting.)
Today. But in terms of risk moving forward, I think ISPs are way worse. Two reasons:
1) I really can choose not to use Google/Facebook. There exist very solid, privacy-respecting alternatives for every service these two companies offer. It's a matter of consumer choice.
This is not the case for ISPs. If my (one) local "high-speed" ISP demands that I install a new root cert so they can MITM all my traffic, my choices are to a) capitulate, or b) find a way to live with very low-speed DSL/dial-up.
Monopoly power backed up by a vast network of cables has way more staying power than monopoly power backed up by social network effects (FB) or superior software offerings (Gmail).
2) You might argue that history demonstrates we don't have to worry about ISPs demanding to MITM customer traffic. But Historically, ISPs weren't incentivized to snoop because of regulatory barriers that prevented collection/use of data for advertising purposes. In the case of US ISPs, changes in regulator landscape suggest that past behavior doesn't guarantee future behavior.
In the same way, many would argue leaving Google or Facebook requires they give up on key features and benefits of living on the Internet. Like, you know, talking to your friends.
I don't see what sense it makes to worry about that before it actually happens. Especially when there's no reason to believe it is going to happen.
>>I recently received a "terms of service" update from Comcast, with the notification that they can now "monitor and record anything going through the network. Including, but not limited to: audio recording, video recording, ..."
I mean, look, if they're not going to do it, then why did they lobby so hard and successfully to do it?
Frankly, I have a had time imagining that this won't eventually happen. And sooner rather than later.
Not to mention there's a LOT of useful stuff on the internet that's not hosting on sites with Facebook trackers.
I don't even have an alternative in my area.
`Monitoring and Recording. You agree that Comcast and its agents may monitor and record any telephone calls or other voice, data or image communications that are transmitted between: (1) Comcast and its agents and (2) you, your agents, any user of your Service(s) or Equipment, or any user of any phone numbers associated with your account.`
IANAL, but this seems like clever lawyering to make consumers think they're only referring to customer service calls.
I read that the wire is owned by Comcast. Its agents roam free and everything traversing that wire is monitored. 100%.
The numbering and the "and" clearly mean that one of the two endpoints must be "Comcast and its agents." The language is there to allow them to record customer service calls because otherwise in some states that would be a violation of wiretap consent laws.
I agree that it seems to be worded to imply that it's just CS monitoring but I don't believe that `transmitted between` would necessitate that the party be the intended endpoint.
"We do not proactively monitor what content you download or access, however, we must act on lawful requests for information and/or interception as well as infringement notices which we receive under the Copyright (Infringing File Sharing) Amendment Act 2011. This action may include sending you an infringement notice"
I'm curious where you are located [if you don't mind sharing]?
Thanks, I needed a good laugh this morning.
The complaints likely won't go anywhere anytime soon. But when Pai's successor is working to repair the damage, there's a decent chance that one of the things they'll have to do is go through the agency's records to figure out what was ignored. Having a record of the complaint will at least give them options in the future.
So file the complaint, even if it's unlikely to matter in the short-term. :)
In fact, the FCC's response to the bot activity was to point out that they aren't permitted to delete the comments, though a former FCC special counsel was quoted as suggesting that the FCC "might have an obligation under the Administrative Procedure Act to remove fake comments from its consideration." But "removing fake comments from its consideration" isn't the same as actually deleting them, so I'd imagine that just means labeling them as "likely fake" and ignoring them in their deliberations. The same would apply to official FCC complaints. The FCC might ignore them, but they can't outright delete them without violating the law.
Comments are collected in case there are scenarios the regulatory agency didn't consider. They considered them, and decided a way you didn't like.
Don't worry, I'm not promoting DirectTV Now because it sucks balls. I have ad blocking at the router level at home and DirectTV basically won't work because of it. Even when it does work the picture quality is awful, you can't easily skip commercials, changing channels is painfully slow. And there are ads everywhere.
But, my main point is that a few weeks after getting it, I get a mailer from Charter asking me why would I want to pay for channel bundles (I get only internet from Charter)... the only way that mailer makes sense is if they were watching my traffic and seeing that I'm a subscriber to a channel package from their competitor. (I've never gotten a similar mailing and it doesn't make sense absent spying, otherwise they're kind of arguing against their own main cable service.)
It really made me want to get VPN setup whole-house.
If that isn’t enough, your next option is a VPN or Tor.
Hm, thinking about it as I write, I could see how encrypted DNS plus everything being encrypted and served via CDN could actually cut down a lot on what carriers can see. Still far from perfect, but not quite as bad as I was originally thinking.
Edit: I wasn't familiar with Server Name Indication (destination hostname is unencrypted even though the rest of the URL and session are encrypted).
With encryption (https), they can see who you talk to, the rate, the frequency, from where and when. They can't see the actual URL (just the hostname) or data (encrypted).
With VPN, they see you are talking to a VPN, the rate, the frequency, from where and when. VPNs cut down on knowing who you are talking to (assuming they aren't logging or being monitored which they could easily do).
Other services could be added to obfuscate rate, frequency and when I would assume, but even then those services would only be additive obfuscation (unless you cache packets for a short term... just thinking as I type).
Someone check me if i'm off on this these points...
One simple technique is to always transmit X packets/sec where Y packets/sec are real and the other packets are dummy packets (Y < X). If the channel is encrypted, it's impossible to distinguish the dummy traffic from the real traffic, and if you're over a VPN, it's difficult to identify the destination.
A slightly more sophisticated approach is to vary X over time, to make it shaped like streaming video, for example, to obfuscate the fact that you're using traffic analysis countermeasures.
It’s similar to differential privacy where even with a bunch of bogus data patterns in aggregate can be determined.
One approach that could work around this in many cases is to run a VPS with a private VPN server on a cloud provider. This is beyond the technical ability of the average user though and costs more than most VPN services.
I had to disable router-level vpn for exactly this reason, which is frustrating.
Amusingly enough, when I did have it on, my Chromecast showed weather data for the vpn endpoint so it's using IP-based geolocation for weather. It could be smarter.
That is pretty awesome. I feel your pain and that is why I haven't gone and flashed my router even though I finally bought one that will let me.
Next you can choose a cloud provider, which is metered (GCE, AWS, etc), or non-metered like OVH, or Digital Ocean(they don't charge you if you go over the 1TB for now).
Or you can choose a VPN service provider like Mullvad who have wireguard option (PIA should be getting it soon), if you trust them.
Be careful in choosing your provider since you might be annoyed with the latency over time, or just get used to it.
There are tutorials for all this.
A personalized router is very powerful.
Also, why Bind9? I don't see what's wrong with dnsmasq, and changing hosts file for blocklist. Also, I often advise against network wide blocklists unless you're the only one using the network, since subtle things break.
Here's what I do: https://news.ycombinator.com/item?id=14780738
The only thing different is that I use wireguard and dnsmasq now.
Bind9 seems to be better for blocking. RPZ is made for it. I don't think dnsmasq supports RPZ though projects like Pi-Hole use dnsmasq. I'm not positive, but I think RPZ is more flexible. Bind9 seems to do anything you like. I may want to resolve DNS myself and not just forward.
I'm starting to look into configuring Bind9 to have different blocking per user using "views." Some want Facebook, some don't, so I can block accordingly. I'm not sure you can do that in dnsmasq. I did discover subtle things break, like you can't block Facebook and still access Instagram, thus the "views" approach. I don't want to change hosts file on every device, especially mobiles, and can even provide some protection for guests this way. I might do a captive page for a blocked domain and let people bypass in their view if they like, then I can have a "block-first" approach.
I do like network-wide blocking for the malware lists - if anyone acquires malware, it can't phone home (if it's on the list) and I can detect via logs. DNS as firewall seems to be a trend. I'm looking into blocking IPs via iptables as well using public lists. Maybe I'll even setup Snort or Bro. The possibilities are endless.
Doesn't that mean your ISP will now see what domains you are looking up?
(the VPN comment was several levels up so some might miss it)
"In order to server our customers better and provide the best possible experience, VPN services will be blocked and will require a Business Tier service. We feel that unless you have a legitimate business reason to anonymize your network traffic we will provide this service in order to protect our subscribers and network integrity. Click Here to Speak to our Sales Representative"
If they're transmitting properly over TLS then no patient info would be divulged.
At least FB is making changes to address the issues, unlike At&t who keeps screwing people over more and more every year.
Do you think most people have actually thought about how their ISPs must track their every interaction with the web and read all of their unencrypted chats and traffic?
I think that what's needed is more awareness about what the ISPs are doing, but I really don't like headlines and articles like this one that try to minimize what Facebook and Google are doing.
The ISPs tracking may be more all-encompassing, but a large portion of the web, especially popular websites are becoming "dark" to them, as major sites adopt HTTPS encryption. Their next most valuable tracking tool besides HTTP is probably the DNS server. And to get people to change that you'll need raise a lot of awareness about it.
I guess Microsoft, Google, and Apple enabling their own DNS resolvers by default on their operating system would be a small improvement, but you're kind of moving the problem instead of solving it. And Google already does that with recent versions of Android, I believe.
The author's LinkedIn includes recently working for a law firm, Fenwick & West, which proudly brags about Google being one of their clients on their career page.
If an article is doing "whataboutism" that minimizes the danger of big tech, check their resume, it's probably their job.
Yes, but because it's your ISP and your data it's snooping, it suddenly becomes important.
As they say, one death is a tragedy. A thousand deaths is a statistic.
This said, Comcast (which owns NBC universal), has been able to use cable boxes to improve ad targeting for decades, trace that back to internet usage, and apply it to models already built for NBC usage. A
n even more powerful one though is Verizon, where with their now acquisition of yahoo can use that data as well, which is combined with both all of the home data collection comcast has, but with 80+ million mobile users as well.
It's not obvious to me that ISPs would bother (except where required to do so by law). They could just route traffic and not inspect anything.
The issue is mainly that ISPs are also, by and large, the Cable Companies. Cable is dying. It's dying quickly. Cable companies are seeing dwindling revenue streams from their cable packages and are going to be looking for ways to bolster their shareholder's profits despite the inevitable death of traditional cable programming schemes.
How do they do that?
They do it by selling anything and everything they can to advertisers, exactly like what they've been doing with cable. Coincidentally that's also exactly the reason that cable is dying.
TLS limits what your ISP can see. So until they block encrypted traffic it doesn't scare me too much.
1. I don't think people have thought about it enough. I know I haven't. I think part of the reason is AT&T et. al. seem "inevitable" whereas Facebook is conveniently "quittable".
2. FB's lack of privacy has been discussed in the open and in the news recently, making it stand out.
3. (One of) FB's goals is to sell you to advertisers...
Because we choose to use AT&T and other ISPs. Facebook has enough beacons spread across millions of websites that even if you choose not to have a Facebook account, it's still monitoring you.
The role call vote breakdown
Ars Technica's coverage of the bill (now law) with context
Google and CloudFlare can see probably more than 90% of your traffic without even trying. Google's business model is dependent on selling advertisement based on your data. Your ISP can see maybe 50%, and it's shrinking fast.
All of these companies exist because you agreed to them. You're paying them to continue this behavior, or using their free services. Stop agreeing to free services and stop using monopolies. Lobby your local government to overturn laws preventing municipal internet providers.
That won't happen though, because people don't really care that much about surveillance to go to those lengths just to stop it. Hell, the NSA is still illegally wiretapping US citizens.
Can you elaborate on how Chrome and Firefox hide your traffic from your ISP, and what privacy advantages they have over IE, Safari or Opera?
DNS over HTTPS doesn't actually hide the domains you're visiting, because TLS SNI means the server hostname is sent in plaintext as part of the TLS handshake.
And for major sites, they probably aren't sharing their public IPs with other sites, hence the ISP can know what site you're connecting to via knowing what IP you're sending datagrams to.
It appeared to be disabled by default in my Firefox install - for anyone else, I followed these instructions to enable it:
The article has this bit in it:
"Your internet provider doesn’t just know what you do on Facebook – it sees all the sites you visit and how much time you spend there. Your provider can see where you shop, what you watch on TV, where you choose to eat dinner, what medical symptoms you search, where you apply for work, school, a mortgage. Everything that is unencrypted is fair game. "
The last part is the important part: hardly anything is unencrypted these days (and if it isn't it really should get with the times). So if that part of the article would have been adjusted to the present day situation that only thing that remains is that if these parties are your provider then they can indeed see which IP addresses you connect to (if you don't use a VPN).
They can't see what you watch on TV unless you configure your TV to tell them (or use a set-top box to choose your channels for you), they do not know where you choose to eat your dinner unless your smartphone leaks GPS coordinates to them (regular triangulation is too coarse for this) and they do not know where you apply for work and school or a mortgage.
In general this is a whole bunch of alarmist hoopla, yes, providers see too much data, no it's nothing compared to Facebook and Google.
What should worry you is AT&T and other cellular services providers access to your call records (which they are required by law to keep for a long time in most places) and SMS data as well as the possibility of them recording all your voice calls without your consent.
You're saying that like it's nothing. Whatever happened to "metadata is often more revealing than data"?
> As opposed to Facebook and Google being present on just about every webpage and gobbling up data about all the people on the planet that have internet access.
You can trivially install Privacy Badger, Ghostery or any other number of tracker blockers that are available for free. Firefox comes built-in with a tracker blocker that's pretty good too. Every person on the planet has the option to opt out from FB and Google tracking.
Using a VPN costs money. Some websites (eg. retailers, Netflix) aggressively block connections from VPN IPs which means you have to turn off your VPN and sacrifice your privacy to access those sites. Whereas I've never seen a site block you because you have Privacy Badger installed.
That's true, but the article claims that the actual data is accessible which it isn't in most cases.
And it's a bit in the nature of being an ISP, after all the only thing they are supposed to do is to take your packets and deliver them elsewhere, if they didn't do that then they wouldn't be in business at all. To the extent that this raises awareness of how the internet works under the hood I'm all for it but it is designed that way, it is not as if AT&T, Comcast and Verizon have gone out of their way to get this ability by injecting their content into each and every web page.
> You can trivially install Privacy Badger, Ghostery or any other number of tracker blockers that are available for free.
Yes, and I do. And most people do not.
> Every person on the planet has the option to opt out from FB and Google tracking.
Yes, but only a small percentage actually does so. And Google is present in so many market segments that in practice you will be interacting with it whether you want it or not even if you have a blocklist a mile long. Because that email you just sent to that innocent looking domain is actually gmail masquerading as some other domain.
> Whereas I've never seen a site block you because you have Privacy Badger installed.
I see this several times per week actually, usually related to some over-eager adblocker detector.
But they can and its free to do so. Opting out of ISP tracking costs money, when I'm already paying my ISP money.
> it is not as if AT&T, Comcast and Verizon have gone out of their way to get this ability by injecting their content into each and every web page.
Not for lack of trying. Also Verizon now owns Yahoo and AOL which have some pretty large ad networks of their own.
All you will end up doing is giving someone else the same capability that your ISP has today. A VPN solves exactly nothing.
> Not for lack of trying
Yes, that's true they did try that. But then again, so did some registrars by hijacking domain names that were not in use. (And sometimes even when they were in use).
But end-to-end encryption took care of that in a pretty definitive manner.
Maybe, maybe not. US ISPs operate as virtual monopolies in many markets - even if an ISP was tracking and monetizing online activity most customers don't have any recourse.
In contrast, the VPN market is extremely competitive; there are dozens, maybe hundreds of providers. Privacy is one of the differentiating factors between them. It would be extremely risky for a VPN provider to claim "no logs" but actually store logs - a single data breach, rogue employee, or whistleblower could end their business.
I'm not claiming VPNs are a desirable solution. The desirable solution is that ISPs don't track or otherwise monetize their customers' online activity.
They can see the hostname, actually, because DNS isn't encrypted. And even if you run DNS over TLS, it doesn't matter because of SNI (https://en.wikipedia.org/wiki/Server_Name_Indication).
It's always nice to see
Everyone can do something to help increase this!
(On the other hand, there's still an information leakage from the volume and timing of communications, like inferring that two people are communicating with one another in real time because their traffic flows are correlated, or figuring out what page someone's reading on a site from that total volume of encrypted traffic downloaded.)
Yes, this is a problem. But it is also totally inherent to the role of being a provider. And as long as the internet is roughly structured the way it is today that will continue.
And of course, when you compare to the tech industry alternative: Microsoft knows who is talking to who straight up (and on a global scale), whereas the ISP can only guess. And while the ISP's understanding of who is calling who ends at the household, Microsoft knows which user accounts made the call, which is much more likely to correlate to individual people.
cable providers can legally encrypt all channels, even basic/OTA ones, which essentially makes set-top boxes mandatory.
That's likely incorrect. You're traveling across their networks in routine use of the US Internet and its services/sites. In addition to consumer services, they all have substantial business services. They probably have less data on you than Facebook & Google.
The worst that I can think of that AT&T would have is some traffic stats, and they wouldn't know that it was me, just that some traffic from some random EU IP made it through one of their choke points. That entirely does not worry me.
Then: You go to foxnews.com, then you go to pornhub.com. Based on hostnames we can make some inferences about you and your behaviors.
Now: You go to reddit.com(/thedonald), then you go to reddit.com(/twerkinggifs). Thanks to HTTPS, the specific subs you're visiting aren't visible to the ISP; all they can see is you going to reddit a bunch of times.
My ISP is welcome to know what sites I connect to because I pay them to do exactly that. Facebook and Google inserting their riders everywhere I go is not part of something I consent to.
And that's the root of the problem, if I send an envelope with my return address on the back the postal services have access to the meta-data and it is my decision to let them.
But it is not my decision to let a bunch of unrelated third parties use the contents of the letters to build up profiles on me and my counterparty.
For your statement to be true you would have to go without credit, a vehicle, a house, an internet connection, a cable TV, a connection to a cell tower.
It is more likely that you are not familiar of the size and complexity of their data collection and aggregation system.
It would be good to see data on the relative monopoly market concentrations between the cable/telcos vs Facebook/Google.
FB goes so far as to buy your data from others, which is why I block all trackers. I'm sure I still leak data to FB, even though I never joined, and never will.
They know which IP addresses you connect to. Many of those host large numbers of websites.
> what types of data you pass to them
What do you mean with 'what types of data'? They can't access the headers of encrypted traffic.
> every single DNS lookup you make
Yes, that's true. And you can cache those locally.
> etc. Sorry, but this is FAR more intrusive than Facebook, which you CLAIM has lots of data on you even if you don't use their service.
Shadow profiles are a thing.
> It's harder to avoid Google than it is to avoid Facebook, but again, it's doable.
It's just about impossible. Every other email you send ends up in a gmail inbox. So even if you don't use their services at all your data still ends up with them. Even if you don't have a smartphone enough people around you will have them that your social graph will end up with Google anyway. And so on.
And SNI reveals which one of the Web sites you are accessing.
What privilege is being referenced here?
Your ISP does not have access to most of your communication, social media usage and searches as that runs thru https.
That is why Facebook and others is completely blocked in China. Had the national carriers been able to surveil and block select communication they would have been asked to do so by the government.
Secondly an ISP charges you a subscription and that is their revenue model. They are not incentivised to build an elaborate profile on your in order to deliver advertisement.
Thirdly ISPs in most countries are required by law to support the police with surveillance information. That is done in transparent way (you can read the laws and ask your politicians).
This police support has always existed sinces the days of the tele monopolies. However now that more communication runs via internet, https and social media, it creates this strange inbalance where the police cannnot get the same access to Facebook (or similar) communication as they can to SMS or voice communication.
Also Facebook provides different level of access to the NSA, the police in Denmark and the police in Myanmar. And do that in a non-transparent manner.
Please, everyone, stop saying things like this. Just because you pay a company money for a service does not mean you magically have a perfectly balanced relationship with them. They are in a position of extreme power and will not stop caring about aggregating what you do in a machine readable format in fine detail, all the while doing so behind a veil of legalese opt-out style tactics.
Beyond the lobbying for more relaxed data collection / monetization laws, ISPs have been fined in the past for injecting tracking cookies to keep better record of your browsing habits. They’ve been caught selling IP identification api’s. No, they don’t care about delivering advertising to you, they just want to broker your data to companies who will.
Access to TLS certs is plenty enough to sell. You hit pornhub.com at 2AM, or expecting-parents.com at 9am, or foxnews.com at midday? Each tells a significant story. I dare you to take a month of time stamped DNS requests and share with the internet.
> Secondly an ISP charges you a subscription and that is their revenue model. They are not incentivised to build an elaborate profile on your in order to deliver advertisement.
Are you trying to claim that a for-profit enterprise who has an opportunity to increase revenues using their current business model will decide against it, because it might be a bit of work? Explain to me who was responsible for the law change allowing ISPs to sell customer data? It sure wasn’t the customers.
> Thirdly ISPs in most countries are required by law to support the police with surveillance information. That is done in transparent way (you can read the laws and ask your politicians
LEA access is not what this article was about.
That's exactly the opposite of how corporations work. Especially corporations in monopoly/duopoly markets.
In fact, US ISPs lobbied heavily for the right to do exactly that, without user permission, and got their way.
> Thirdly ISPs in most countries are required by law to support the police with surveillance information. That is done in transparent way (you can read the laws and ask your politicians).
But that's not what this is about.
Two great ones in SF, MonkeyBrains and Sonic. Both support net neutrality, and don't do any of this evil shit.
I have a pfsense box for firewalling the whole connection. I should look and see if I can integrate VPN with this as well.
Right now I use a personal router with Astrill VPN for when I am out and about at coffee places. This: https://www.amazon.com/gp/product/B01K6MHRJI/ref=oh_aui_sear...
Plus I also have this Ubiquite Edge Router I carry around too for wired connections. https://www.amazon.com/gp/product/B00YFJT29C/ref=oh_aui_sear...
Telephone is an audio stream, so speech-to-text is a bit more wobbly. SMS, on the other hand... well, at least their price gouging was cost prohibitive for a few decades.
It feels like a good compromise between privacy and speed.
Facebook, Twitter and Google have persuaded all of the major internet sites to add code to their pages in the hope that it will drive more page views. At this point they have implemented enough code to reap the same level of benefit that you might get from passively MITM’ing all internet traffic. What’s “worse”, is that Facebook and Google are campaigning heavily to move all web traffic to encrypted. The end result: a “more secure” internet that just happens to fend off a competitive threat.
The author should be ashamed of themselves. I think this falls under the “relative privation” fallacy. Google and FB are peerless when it comes to surveillance.
If you're on Android, this is an excellent app that allows you to set a custom DNS server across all apps and connections, without root: https://f-droid.org/en/packages/org.jak_linux.dns66/. As a bonus it also lets you blacklist domains, though of course that's not relevant to concerns about your ISP.
Be wary of third-party VPNs, though (bottom section titled "VPNs could put you at risk"): https://arstechnica.com/information-technology/2016/06/aimin...
And more about Google and Facebook because of their global reach, access to location and content across all devices, an insatiable greed for user data including collation from all available sources to build detailed long term profiles of individuals, not unlike files by the stasi.
Here is Facebook trying to get user data from hospitals. . This is truly sinister.
And beyond that, we're so centralized these days that most websites people spend time on are generic. For example, you have no idea what someone's interests are because they connect to Reddit, Google, Facebook, Twitter, and YouTube, nor who they might be communicating with over those domains.
Which search engines are unencrypted these days?
On the one hand, maybe worrying sooner prevents issues. On the other hand, I don't want to assume a slippery slope out of principle.
What makes you think they aren't? They have influencers in Washington, just like any political group does.
The only difference between what the ISPs did and CA did is that the ISPs sell the data, whereas CA stole it. Your data still gets transferred.
Can you link me to what Cambridge Analytica actually did with the data? I've been really curious about it but I can't find anything concrete.
And the 2016 election was flooded with targetted fake news from obscured foreign sources. I don't personally have access to CA's operations and communications. It's for investigators to prove if A and B are connected.
It's up to us to deploy Occam's razor.
It is the great circle of life. The incumbents love to be privacy-centric, but as soon as they become big enough, they realize that they can make a shitload of money with data//metadata now that they got a captive set of customers