Comcast, AT&T and Verizon pose a greater surveillance risk than Facebook (theguardian.com)
1075 points by pmoriarty 79 days ago | 276 comments



Yes, ISPs can snoop on you to a degree, but I don't see how it's worse than Facebook or Google. ISPs have to work around widespread (and growing) encryption, while Google/Facebook have your _actual_ data... plus, they know way more about you in minute detail via their mobile apps and devices. My home internet is VPN'ed and unless my ISP is expending undue effort on monitoring me, it can't see much detail about what I do on the Internet. However, Google/Facebook break all the security layers because we explicitly _trust_ them with all our data. Unless something fundamentally changes (maybe via net neutrality somehow allowing ISPs to penalize encrypted traffic or something), I don't see how Facebook/Google don't run away with all the power here.


I agree with you, but there's also a business model aspect I think you're missing. Your ISP might be interested in monetizing your personal data to add to the ways they make money, but for companies like Google and Facebook, making money from your personal data is basically their entire business model.

Given enough opposition, Verizon, Comcast, etc, could strongly embrace personal data privacy and still continue as companies. Yes, they'd lose a business opportunity, but they still make a lot of money selling you internet access and that wouldn't go away. The same is not really true of companies like Google or Facebook. Collecting and making money off your personal data is the foundation of their business. Strongly protecting your privacy would require them to change their entire way of making money.

I think you could argue either way whether Google or Verizon has more ability to spy on you, but Google absolutely has a stronger business motivation to collect your data than Verizon does.


> The same is not really true of companies like Google or Facebook. Collecting and making money off your personal data is the foundation of their business. Strongly protecting your privacy would require them to change their entire way of making money.

For Facebook maybe, but Google was a large and successful business before its 'personalized' targeting was really that advanced. AdWords ran for a full four years without any kind of search personalization, and up until 2012, it was possible to turn off search personalization entirely. Google made $37bn in 2011. [1] Google Display Network, the area of Google's business that would most obviously be disrupted by a move toward strong user privacy, only makes a fraction of that still. [2]

While I completely agree that Facebook would struggle without behavioral targeting, being able to buy ads on a PPC basis for users with 'intent' will always be a valuable product for advertisers, regardless of targeting.

[1] https://www.wordstream.com/blog/ws/2012/01/23/google-revenue...

[2] https://www.statista.com/statistics/266245/advertising-reven...


Indeed. Google never really had to go this "ultra-targeted ads" approach. Perhaps it's the difference between Google making $30 billion in profit a year and "only" $10 billion in profit a year, and the difference between them mainly sticking to the search business and them paying for all of these failed projects like the $12 billion Motorola acquisition, Boston Dynamics, (even Nest, I'd say), and so on.

But as a company it never really needed to do those. Heck, Google doesn't even need to be in the self-driving business.

I think it's a failure of competition and anti-trust laws that companies are allowed to grow this big to get their fingers into all the pies out there. The only reason they even go into all of these different industries is because they've made so much money they don't know what to do with it.

Sooner or later we're going to have to deal with this rampant increase in monopolies and we'll have to take some drastic measures to do it. We may even have to break-up companies such as Google, Amazon, Facebook, Walmart, Comcast, Disney, Goldman Sachs, and others, because they were never supposed to turn into such large conglomerates. The fact that they did was a failure of competition laws to stop them from growing this big in the first place.

Comcast, AT&T, and Verizon are now allowed to spy on you, then buy media and ad companies, and then use that data to manipulate you for political purposes so you end-up voting for the candidates that will help them further consolidate their power. We should have put a stop to that along the way.


Motorola wasn't the failure you think it was. That was, as I understand it, about patent acquisition. They got what they want and then dumped what they didn't.

Per Thiel's "theory" (as seen in Zero to One) most of Google's "failures" are a cover for their search monopoly.


GDN is not the only piece of business that'll be impacted by strong user privacy. Search and YT will also be impacted, given there's ability to buy ads based on users being in-market for a product/service etc [1]

You can also be targeted with ads based on emails you receive in Gmail - it was possible to target down to keywords in emails, but that was discontinued. Now, the emails you receive, the domains you're getting them from etc. influence signals that put you into an 'audience' that can be used for targeting across the Google network.

Without the ability to do targeting, or personalization, as Google calls it, their business will fall apart. Everything they do is geared to collecting more information about users to improve "personalization" - from Google Assistant, to Google Home [2]. It's so advanced that your experience (results) on their platform, especially within Search -- will be unique to you.

Google will fight alongside AT&T, Comcast, etc to protect their business model; in fact Google is trying to reach their ranks with the 5G war [3]

[1] https://searchengineland.com/google-adwords-in-market-audien...

[2] https://twitter.com/benthompson/status/864293485439893505

[3] https://www.bloomberg.com/news/articles/2018-03-29/google-le... - (search for: Spectrum Access System )


There was an ISP called NetZero that used this business model to provide free dial up and I think later on, free DSL in the 2000s. So this isn't a new concept, except that, as everyone is saying, they (the ISPs) are now doing it without any kind of exchange of value, apparently.


Oh, man, I remember NetZero. Hadn’t thought about them in ages. There was another similar company called Juno, iirc. I almost miss the days of free dialup services—where I explicitly chose to see ads in exchange for a free service, and the company was upfront that this was the exchange being performed.


I used both of those services and it is really amazing that the quality of ads from Google and Facebook 16+ years later is pretty much the same as NetZero/Juno.


I agree with you, but there is one key difference...you are paying your ISP for the service. Google, FB, etc. provide a free service offering in exchange for your data.

If ISPs are going to monetize customers traffic then their terms of use better damn well call that out.

There is potential here for a new business model for privacy-based ISPs (ex: think DuckDuckGo for ISPs) where customers pay a premium for such an offering.


Do you need an ISP? How about a preconfigured router / modem that uses a privacy-minded DNS + VPS? My parents and most of my friends for example wouldn't know how to do any of that.

Mind you, many of them have no idea, but as their go-to I could make a smart recommendation and they would likely follow.

Oh! And package it with a better than average 2FA. Maybe a Yubikey or similar.

More or less sec in a box. Perhaps not 100% complete and bulletproof but better than the current situation.


bahnhof.se is an example of this (Swedish ISP).


No there isn't. Where in the world can you select your ISP in a meaningful way?


Not the U.S, that's for sure.

But from what I've heard practically anywhere in Europe, and definitely in Japan.


You have Internet choice in most of Europe if you count DSL, but people in the U.S. tend to dismiss DSL out of hand. Excluding DSL, in Germany you've got cable ISPs which largely don't compete in the same geographic area, and almost no fiber penetration. France is similar, though with more fiber (but still less than in the U.S.).


Yeah, in Japan you have major net providers and there is even a difference between the network you rent and the ISP. For example you can be on an NTT fiber line but use a different ISP on that line.


> For example you can be on a NTT fiber line but use a different ISP on that line

As an American living in a major city, this exceeds my wildest dreams of internet service.


It's the difference between a regulated pro-consumer free market, and a lobbyist controlled market presenting a duopoly as a free market.

It's one of the negative consequences of mainstream media / political free market rhetoric considering regulation harmful.


The difference is that NTT lost money for years offering wholesale fiber below cost: http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.489... (pages 11, 16). It could do that because it has a national near-monopoly in the wholesale space (it gets some money from every subscriber, no matter what ISP they use), Japan's economy offers much lower returns than the U.S.'s (making low-return infrastructure investments relatively more attractive), and NTT is 1/3 owned by the government (which ordered it to deploy fiber, regardless of profits).


> It's one of the negative consequences of mainstream media / political free market rhetoric considering regulation harmful.

Well regulation can be harmful if it protects the incumbents and prevents the introduction of new players. Lobbyists are usually pushing for more regulation, not the opposite.

It's not about regulation or not regulation, it's about what kind of regulation makes sense for a free market.


If this is a serious question: in Kiev I had a choice of 4 high-speed providers at a cost of about 1/10 of what equivalent Xfinity service is costing me here :)


Your random Eastern European country? My apartment complex is wired by at least 2 ISPs. If I don't feel like using any of them, LTE-for-home boxes are available for a reasonable price with reasonable data caps from a couple of other ISPs.


Pretty much everywhere in Europe.


In India, most metros have 2-3 broadband providers, and most of the country has 4-6 mobile internet providers.


I have three major ISPs available where I live that can offer 100+ meg service.


Four here (Portuguese city near Lisbon) offering at least 250 Mbps.


For the layman user (likely 99%+ of these ISP user populations), using an ISP essentially provides near-entire browser history to them, at least to the granularity of domain name.

A surprising number of sites (and/or assets, images, etc) still don't use TLS, and so for those it's also possible for an ISP to understand what the user was reading/accessing.

Even for sites which do support TLS, if the ISP hypothetically had a partnership with a single data broker / advertiser which was also on the page, it's likely not hard to have a pretty precise idea of their interests/viewing.

You're right that Google and Facebook will continue to have very narrow and precise information about people's daily lives; it's simultaneously true that ISPs will continue to have broad & ongoing profiling information across any touchpoints as people use the internet.


I mostly agree with you. From my perspective the data that Facebook has on me is far better than anything my ISP could have collected thus far. I am in an area where I have more than one option for high-speed internet and it is a pain to change, but not even close to the amount of pain I would experience by deleting Facebook and Instagram. Doing that would cause fundamental changes to my social life. None of my friends are even aware that I switched ISPs last year.

I think if the article was written in the spirit of "watch out for the ISPs too" instead of "the ISPs are so much worse" I would have been more onboard.

I think it's a bit apples and oranges: all my traffic with low resolution or just my social traffic in high resolution. I don't clearly see one being far more dangerous/valuable than the other.


Facebook and Google are not repositories to which you entrust your data for private safekeeping. The point of Facebook is to communicate with other people. The point of Google is to interact with a shared repository of knowledge that learns from its own utilization. There is inherently a multi-party interest in everything Google or Facebook has about you, except for maybe never-shared Google Docs.

Bank vault analogues for private data do exist: iCloud, Dropbox, Crashplan, etc. If “your data” needs to leave your physical possession, that’s the sort of service it should go to.


iCloud: Apple has the keys :(

Dropbox: Dropbox has the keys :(

Crashplan: I have the keys :)


> Crashplan: I have the keys :)

Do you really? They offer a web interface with access to your data. Do you enter the encryption keys when you access the web interface, or do you enter a username and password which then provides access to the encryption keys?

In that situation, who really has the keys?


IIRC, with Crashplan (RIP) you get a choice of whether to encrypt everything with a local key, in which case you're SOL if you lose it, or to encrypt with a key known to Crashplan, in which case you can reset your password and they can see your data. That seems like a reasonable trade-off to me, where different users will make different choices.


Crashplan still works fine, you just have to get the business-branded version.


Google doesn't need to break encryption for other reasons too. It has JavaScript execution access and thus access to all the client-side data on at least half of the top 1 million websites on the internet.

It's easily blockable for people who care, but still many don't, and for those people it makes all the pretty transport encryption a sham.

Seriously, companies afford third parties JavaScript execution on pages where they expect me to enter CC or other sensitive info. Half of the web at this point is a joke when it comes to security and privacy.


I, too, use encrypted VPN, but we are just a minority. Many people use the services provided as-is without taking any extra measures, and I think that those are the people more likely to be influenced by the influencers anyway.

We, the ones that they'll have to spend undue effort to sniff out a profile about, are not targets to them. We are much too resistant to it, as we have gone through all the effort of setting up a private VPN with good encryption.


Whilst a VPN is an important and arguably now necessary way to protect yourself on the internet, its use in practice is very far from a silver bullet. Ignoring the somewhat inevitable problems of latency and bandwidth - much of the internet appears hostile to VPNs. A significant number of sites either don't work at all, or are a pain to use.

For example:

* On NordVPN through US servers you can't access Amazon (!) Although through Canadian servers you are ok.

* Costco, Apple Store, Business Insider, YouTube, Google, Netflix, Dell, Consumer Reports, eBay - either don't work, or are a pain to make work

* On PureVPN you can't send email - until you have your domain whitelisted

* On PureVPN it's a crap shoot if you get a connection

More detail on experiences with PureVPN and NordVPN is here:

https://www.toytheory.com/?p=295

https://www.toytheory.com/?p=273

https://www.toytheory.com/?p=321

(edit: formatting)


> I, too, use encrypted VPN, but we are just a minority.

You're right that VPN usage is technically a minority [1], but it is well beyond fringe usage.

[1] https://cdn2.hubspot.net/hubfs/304927/Downloads/VPN-Usage-Ar...


Just wondering, what makes you trust your VPN provider more than your ISP?


I use DigitalOcean as my VPN provider and make my connections to there over IPsec. I did not set the server up myself alone, but used the Algo VPN [1] script to do it for me. With this setup, I have two things to be concerned about:

1- I did not audit the script myself, and they may have injected various malware to the VPN server it spun up during the setup. I am not concerned enough to not trust them, but I could just read the script thoroughly to eliminate the necessity for trust.

2- DigitalOcean has access to the hardware, so it might be doing whatever while I am not looking, and I just never look. Similarly, I could monitor the activity on the server to assume some control.

I chose DO for being the cheapest ($5/month).

[1] https://github.com/trailofbits/algo


It's more VPN'ing into your own router and trusting your own ISP more than some random free wifi provider.


I am the same as you, but I worry the opposite. Using an encrypted VPN in a sea of unencrypted traffic paints a big target on you that says "I'm doing things I don't want you to see". You can bet they are working on / can already decrypt, and some three-letter agency is targeting specifically VPN traffic.


I don't think you have to worry. I have never had a job that didn't require an encrypted VPN to access the internal networks away from the office.

The only company I know of that puts everything in public so to speak is google.

So VPN traffic is very common.


Good to know, thanks.


Hopefully no more than using an envelope instead of a postcard marks you as hiding something.


There are other privacy problems with wireless hotspots too. A new example: you can't log in to Starbucks' wifi (via Google) without verifying a real email address through Experian's API. (Open the browser console and watch the requests -- see if you can use a fake email address.) Who knows where all that data is going.

Most hotspot providers are probably tracking your physical locations by MAC address, which can be linked with other data. It looks like Peet's recently started doing that as well.


> A new example: you can't log in to Starbucks' wifi (via Google) without verifying a real email address through Experian's API. (Open the browser console and watch the requests -- see if you can use a fake email address.)

I used a fake address yesterday without issue.


A fake address meaning one that you don't own, or a fake address meaning one that doesn't exist at all? You might have entered someone else's real email account that exists in Experian's databases, which could be another serious problem waiting to happen.


A couple of devil's-advocate points on what ISPs can do to get encrypted traffic; since they are your network gateway there is more instilled trust:

- ISP offered 'apps'. Get people to agree to an install of some monitoring app for some [insert random marketing benefit] from ISP. Maybe if you install the app you get more data cap space etc and they can monitor browser access. Further, install this in known apps or as add-ons on setup for other apps.

- ISP offered 'VPN client' that again, gives some cheaper monetary benefit like more data cap space or more speed 'free', strips out other advertising or tracking as a benefit.

- ISP offered 'email client' that does all of the above.

- Check for subsequent request after page loads to known ad networks and replace with their own in HTTPS

- ISPs like you said may start throttling encrypted content down, or charging extra to allow it.

- ISP level proxy MITM, modem customization for 'fast lanes' that are actually slow lanes.

- DNS level data collection not to inject but to sell marketing profiles via metadata and correlate with other data from apps.

Since ISPs are your 'gateway' to the internet and you pay them, most people assume trust and privacy; most don't know they bribed their way into the tracking/ad business, and many didn't know cable TV modems had mics either. With that assumption of trust, since people are paying them, they'll more easily fall for any of the possible attack/tracking vectors listed, and more probably.

With the ISP privacy protections removed [1], my guess is most ISPs, due to lack of competition, end up more like hotel wifi where tracking/injection is the norm [2], as it is completely legal now. With the removal of privacy protections and net neutrality, we have killed the pristine, non-tracked, private gateways to the internet we cherish.

[1] https://www.flake.senate.gov/public/index.cfm/2017/3/flake-i...

[2] https://medium.com/@nicklum/my-hotel-wifi-injects-ads-does-y...


This makes sense, though I don't see how various "carrots" like faux-value-add spyware will penetrate the market significantly, since they likely can't beat Google/Facebook in actual delivered value. Also, spyware / crapware already has a pretty bad rep, and will likely be flagged by system scanning tools on traditional PCs (maybe not mobile devices though).

Your other points about how they can (ab)use their position as the gateway to chip away at the effect of encryption by laying various roadblocks (I guess the proverbial "stick" in the "carrot/stick" trope) seem like they could have some teeth if the ISPs really doubled down on this strategy. I expect they will have to overcome significant controversy in order to be successful on a mass scale (but we'll see I guess).

Encryption has gotten much easier and more widespread in recent years, and is growing. If the ISPs had really focused on attacking it a few years ago, they could've nipped their surveillance competition in the bud, but now it's a harder problem for them to deal with. Not 100% insurmountable, as parent explained.


> Encryption has gotten much easier and more widespread in recent years, and is growing.

When you only have a handful of large ISPs where AT&T has been known to split your data to share with the NSA and authorities, that is dangerous thinking [1].

> Room 641A is a telecommunication interception facility operated by AT&T for the U.S. National Security Agency that commenced operations in 2003 and was exposed in 2006

That was over a decade ago, I am sure by now they have privilege to lots of that data and technology.

There was a #deletefacebook movement which proves that you can get rid of Facebook and people use it by choice. There cannot be a #deleteISP movement as that is the 'trusted' network gateway you can't route around.

All it takes is scaring people who use ISPs to allow in more monitoring 'for your safety' or 'more data cap space' or 'faster internet' or 'lower costs', they can legally sell that data now so there is an incentive to do these things. There is a reason they lobbied for this right and removal of net neutrality, it wasn't to play nice.

Hotel wifi like ISPs here we come.

[1] https://en.wikipedia.org/wiki/Room_641A


> while Google/Facebook have your _actual_ data...

Is it _your_ data, or is it _their_ data? I'm asking in both the literal (based on terms of service, etc) and the more abstract way. Obviously, for the latter, it is a combination. I wish the narrative was discussed with that in mind. Most of what I tend to see is a widespread assumption that the user owns the data, and has given companies like Facebook very limited powers, and that somehow Facebook is breaking that trust. That narrative is, IMO, rubbish. We gave them very broad powers, and the users should accept the consequences.

> However, Google/Facebook break all the security layers because we explicitly _trust_ them with all our data.

If we explicitly _trust_ them, then are they _breaking_ anything? It just seems silly when we explicitly say (as many of my friends have said in the past) "I don't care what Facebook does with my information" and then we talk about it as if they are doing something wrong (using words like "break").

When I give my bank all my money with the understanding that they can hold it, as well as lend it, we don't refer to it as "breaking" anything.


If you use a VPN then you have just moved all the access that your ISP had to your VPN service provider. It doesn't really change much.


Technically not but in terms of company practices or legal environment it can change a lot.

For example, are $US_ISP and F-Secure in the same bucket in practice?


I think using a VPN actually increases risk, because it makes you suspicious.


Nowadays, not really, plenty of people use them to avoid geo blocking.


Plenty, like under 0.1%? That doesn't make it less of a target.


It's hard to get reliable numbers, but Global Web Index puts it at about 5% of the US internet users, so over 10 million people.


That's an absurd number for users of any kind of geo-unblocking DNS service, especially in the US where you barely need it.


> but I don't see how it's worse than Facebook or Google.

They are worse because you are forced to use an ISP if you wish to access the internet.

> However, Google/Facebook break all the security layers because we explicitly _trust_ them with all our data.

Nobody informed who cares about their privacy ever entrusted Google or Facebook with any personal information.


ISPs have your credit card number and home address. They can link your online and offline lives.

Google and Facebook have a detailed social graph and search queries, but your ISP could piece together a lot of that information by tracking your DNS queries, unencrypted HTTP traffic, email if you use their mail servers, and offline information.


Anyone who's ever bought an Android app has also given Google their credit card number and home address.

Also, Facebook and Google can both determine your home address by where your phone (and its location tracking) idles for several hours a day.

Google buys access to credit card providers so they can link the ads displayed to you with purchases you make, to report how effective the ads are to the advertisers.


Why would an ISP have my credit card number? I pay my ISP with a good old wire transfer.


> wire transfer

Which will include everything interesting about your identity. It is literally equivalent to using a debit or credit card.


My ISP already knows my name. Nothing else gets sent along. My bank account number is not useful unless they get my history from my bank. Which is not likely to happen.

There's no 3rd party payment processor involved that could collect a bunch of my activity and then sell it to someone. With wire transfers, they'd have to go to everybody who I'm paying and ask for the data. Which is much less likely.


FB sees you on FB.

The others can follow you everywhere. They know where you live. They know who you phone. They know who phones you.

It's even. Death by drowning, or death by car crash is still death.

The fact that Uncle Sam isn't concerned about the intrusions tells us whose side he's on.


I think you underestimate the prevalence of the like button. Facebook runs code in your browser on a lot of other web pages out there. Probably second only to Google.


Yes. I agree. That said I can't remember the last time I liked something outside FB.

Liking a comment has to be tough to surmise "intent."

p.s. fwiw I'm getting to the point where I'm going to like and follow things just to leave a false trail. Can't hurt.

The fact that typically my FB feed is so shite only tells me they have a long way to go before they analyze the signals I provide them.


You don't have to explicitly like anything for FB to track your usage on practically every website that has a Facebook button. The fact that the site displays the like button in your browser is enough to give Facebook whatever info Facebook wants about your activity on the site.


Ok. Fair enough.

But there are browser extensions to block that, yes?

Note: That's not a tit-for-tat counter attack but a question. TIA


If your ISP colludes with advertisers, they can associate the VPN traffic using traffic analysis.


Can you explain how this works?


I don't know if it's being done.

The web requests your browser sends to ad networks (or other colluding web properties) from VPN exit addresses, when analyzed as an aggregate, can be identified based on their time/length signatures. These would be correlated by the ISP with traffic between VPN termination addresses and customer addresses. The ISP can resolve a customer address to a person.

Advertisers could add unique timing and size features to make this easier.


They know the address they provide service to.


Several years ago I joined a stealth-mode spinoff of a large telecom equipment manufacturer, and worked on deep-packet inspection (DPI) on 10Gb/s fiber-optic networks. The initial motivation for the project was a desire by telecom companies to obtain personally identifiable information and profiles for targeted advertising, and as we learned, a number of other interesting use cases, like reducing customer churn. At the NOCs there were a number of various servers in racks that were getting a feed of raw traffic for a variety of purposes. It wasn't a free-for-all, but it was eye-opening. I recall reading through a Cisco router manual for example (not the company I worked for) and seeing its port-mirroring capabilities blatantly promoted as a means for customer profiling and targeted advertising.

Outside of the telecom industry itself there was quite a bit of resistance to this sort of thing, and we had to go before the US Congress to explain what we were up to. Profiling for the sake of profiling was not smooth sailing, but if it was for the purpose of "security" then it was more or less a free pass. The focus of our DPI technology turned to the task of network-based threat detection as its primary raison d'être, with customer profiling being an opt-in service by which users could obtain the security service in exchange for targeted ads.

In the years since, I don't expect that telecoms' desire to be much more than a "dumb pipe" has diminished in the least. They view the traffic they carry on their networks to be their property, in a way. They feel entitled to inspect it, throttle it, slice and dice it any conceivable way they can to maximise their profits. It's one of the reasons I quit.

Imagine the US postal service steaming open every letter and opening every package that went through their system, so they could plug your mailbox with targeted special offers or increase the delivery fees for certain things. It's all similar BS with ISPs, but it's all techie stuff and heavily lobbied so the public gets bamboozled.

You raise a really good point about widespread encryption being an impediment to ISP profiling. But there is a LOT you can surmise from user traffic even if you don't know the exact content of the encrypted payloads. Just analyzing IP addresses and times can reveal a ton of information about a person. My first patent [US20100161795] was in fact a NAT session detection and tracking technique to identify and track individual users within a household through TCP/IP analysis. Using this technique someone could get a pretty clear picture of how many people were in a household, their ages, genders, interests and patterns of activity, even without delving into the HTTP payload of the packets. We didn't, but this kind of thing is most definitely possible, and I wouldn't trust other shady entities not to do it.


I was hoping to read through the comments and find someone would correct you, but it seems everyone is under the same false belief.

Encryption doesn't matter.

Automated deep packet and encrypted packet inspection is burgeoning with advances that put the single-actor work-arounds to shame.

1). Your ISP knows your traffic is encrypted. It knows what cipher and protocol you're using, and its routing is not protocol-agnostic.

2). Your ISP knows beyond "mostly confident" the type of files your packets contain. If you don't keep your connection open and use any of the public encryption methods, your ISP will know exactly what you've downloaded to a reasonable degree.

3). HTTPS is only as good as all the different pieces combined (browser, root CA, server, site, client). And if one of those goes bad, it's worthless.

4). If you use encryption heavily, you're already flagged.

5). If you don't use your ISP's CDN, you're already flagged.

6). If you connect to any other site besides Google, YouTube, Reddit, Twitter, Facebook, Wikipedia, or Instagram your aggregate data will be quickly analyzed and compared with a threat table, and appropriately flagged.

7). Traffic analysis is trivial when you're the one routing the traffic.

Google is Dunning-Kruger evil. ISPs are "pick up that can" evil. The lack of serious developments in HTTPS are "see no evil" stupid. The thought that HTTPS is anything but a red herring is "Ivan the Fool" stupid.


>If you connect to any other site besides Google, YouTube, Reddit, Twitter, Facebook, Wikipedia, or Instagram your aggregate data will be quickly analyzed and compared with a threat table, and appropriately flagged.

Huh? What are you talking about?

>If you use encryption heavily, you're already flagged.

>If you don't use your ISP's CDN, you're already flagged.

What types of encryption? Since when did ISPs make users use a CDN? Again, I don’t get what you’re saying.

Sources and more information would be greatly appreciated.


The grandparent doesn't say this specifically, but I've long suspected that a middleman adversary can identify, with high accuracy, which top-1000 website you are accessing (even through a VPN) based on the timing and bandwidth signature of the encrypted traffic. Probably to a lot more detail if they gather and analyze longer-term traffic pattern data.

They can certainly tell whether you're using streaming video with this type of analysis.

If people start using VPNs en masse, ISPs and/or other interested actors will develop this technology, if they have not already. (I would guess it already has been, albeit perhaps not widely deployed.)

If the ISP is the same as the ad network, or a data broker with one (and some are, see: Verizon Wireless), they can then link your IP address to a cookie-based profile. (Yes, there are counter-measures there, like disabling third-party cookies. And there are countermeasures to that, like browser fingerprinting.)


This sounds about right. I came to most of these conclusions myself after trying to build a secure personal VPN. Oh what a fool I was.


> ISPs have to work around widespread (and growing) encryption, while Google/Facebook have your _actual_ data.

Today. But in terms of risk moving forward, I think ISPs are way worse. Two reasons:

1) I really can choose not to use Google/Facebook. There exist very solid, privacy-respecting alternatives for every service these two companies offer. It's a matter of consumer choice.

This is not the case for ISPs. If my (one) local "high-speed" ISP demands that I install a new root cert so they can MITM all my traffic, my choices are to a) capitulate, or b) find a way to live with very low-speed DSL/dial-up.

Monopoly power backed up by a vast network of cables has way more staying power than monopoly power backed up by social network effects (FB) or superior software offerings (Gmail).

2) You might argue that history demonstrates we don't have to worry about ISPs demanding to MITM customer traffic. But historically, ISPs weren't incentivized to snoop because of regulatory barriers that prevented collection/use of data for advertising purposes. In the case of US ISPs, changes in the regulatory landscape suggest that past behavior doesn't guarantee future behavior.


You just admitted you do have the same choice for ISPs: You can choose to live with a degraded option/experience.

In the same way, many would argue leaving Google or Facebook requires they give up on key features and benefits of living on the Internet. Like, you know, talking to your friends.


> If my (one) local "high-speed" ISP demands that I install a new root cert so they can MITM all my traffic

I don't see what sense it makes to worry about that before it actually happens. Especially when there's no reason to believe it is going to happen.


See (2) from my post. Also, from another top-level comment ATM:

>>I recently received a "terms of service" update from Comcast, with the notification that they can now "monitor and record anything going through the network. Including, but not limited to: audio recording, video recording, ..."

I mean, look, if they're not going to do it, then why did they lobby so hard and successfully to do it?

Frankly, I have a hard time imagining that this won't eventually happen. And sooner rather than later.


So choose a different ISP; not all countries have the USA's broken telco regulation. LLU is what you need.


You can't choose to not use Facebook unless you just go completely offline


https://gist.github.com/thomasbilk/1506210/2d20f47bbcca75b2f...

Not to mention there's a LOT of useful stuff on the internet that's not hosted on sites with Facebook trackers.


I recently received a "terms of service" update from Comcast, with the notification that they can now "monitor and record anything going through the network. Including, but not limited to: audio recording, video recording, ..."

I don't even have an alternative in my area.


for anyone interested I pulled up the Terms and found what I believe the OP is referencing:

`Monitoring and Recording. You agree that Comcast and its agents may monitor and record any telephone calls or other voice, data or image communications that are transmitted between: (1) Comcast and its agents and (2) you, your agents, any user of your Service(s) or Equipment, or any user of any phone numbers associated with your account.`


What's so weird about that? Every company seems to record communication between itself and its customers; Comcast is saying it can do the same.


This is far broader. Nowhere in the Subscription Agreement[0] is the scope or the uses defined or limited. From what's written here, any form of information sent to Comcast in any way can be stored and monitored for any purposes.

IANAL, but this seems like clever lawyering to make consumers think they're only referring to customer service calls.

[0]: https://www.xfinity.com/corporate/customers/policies/subscri...


Well doesn't that just mean they're allowed to record the conversations between me and their tech support? How is that worrisome? I assumed the person you were replying to was asserting that Comcast had proclaimed its right to record all communications I had over the internet.


I don't know. I'm reading it differently. I'm reading it in a way that almost any other entity with the power to execute on a term like that probably would - liberally and with deference to their own interpretation of lawful. Not to mention the 100% murky scope of requests and behests of government.

I read that the wire is owned by Comcast. Its agents roam free and everything traversing that wire is monitored. 100%.


If you're going to read the language non-sensically, why even bother to point to the text? Why not just make up whatever you want?

The numbering and the "and" clearly mean that one of the two endpoints must be "Comcast and its agents." The language is there to allow them to record customer service calls because otherwise in some states that would be a violation of wiretap consent laws.


I think this language could allow for Comcast to monitor any traffic passing through their proxies?

I agree that it seems to be worded to imply that it's just CS monitoring but I don't believe that `transmitted between` would necessitate that the party be the intended endpoint.


Here's mine in New Zealand (Slingshot), which sounds a bit more fair

"We do not proactively monitor what content you download or access, however, we must act on lawful requests for information and/or interception as well as infringement notices which we receive under the Copyright (Infringing File Sharing) Amendment Act 2011. This action may include sending you an infringement notice"


WTF?


It's Comcast, they are a terrible company. They manage to somehow rank worse than Halliburton and BP after that oil spill.


Yikes. I'd be sure to lodge a complaint here, note about the local monopoly: https://consumercomplaints.fcc.gov/hc/en-us

I'm curious where you are located [if you don't mind sharing]?


Lodge a complaint with Pai’s FCC!

Thanks, I needed a good laugh this morning.


You have to get this stuff on record in real-time so the administration after Pai's will have timestamped evidence to act on. Stop being so short-sighted and defeatist about this stuff, think strategically.


Well, yeah. But on the other hand, the complaint records aren't going to be deleted even under Pai.

The complaints likely won't go anywhere anytime soon. But when Pai's successor is working to repair the damage, there's a decent chance that one of the things they'll have to do is go through the agency's records to figure out what was ignored. Having a record of the complaint will at least give them options in the future.

So file the complaint, even if it's unlikely to matter in the short-term. :)


Why wouldn't they be deleted? They were stuffed with bot complaints, FCC could remove any and say it was a bot.


Federal record-keeping rules are pretty stringent. Generally speaking, you can't delete stuff. Especially important records. And public comments are a required part of federal rulemaking procedures--see 5 U.S. Code § 553(c) [0]--so they'd definitely fall into the "important" category.

In fact, the FCC's response to the bot activity was to point out that they aren't permitted to delete the comments, though a former FCC special counsel was quoted as suggesting that the FCC "might have an obligation under the Administrative Procedure Act to remove fake comments from its consideration."[1] But "removing fake comments from its consideration" isn't the same as actually deleting them, so I'd imagine that just means labeling them as "likely fake" and ignoring them in their deliberations. The same would apply to official FCC complaints. The FCC might ignore them, but they can't outright delete them without violating the law.

0. https://www.law.cornell.edu/uscode/text/5/553

1. https://www.wired.com/story/fccs-broken-comments-system-coul...


So many comments to the FCC ignored. Complaints won't go anywhere, either.


Comments were collected. No obligation existed to treat them as a vote. Very few contained new information to the FCC, so they weren't valuable. The entire "millions of comments" nonsense is wholesale irrelevant, because the process doesn't exist for the purpose of voting or conveying public opinion.

Comments are collected in case there are scenarios the regulatory agency didn't consider. They considered them, and decided a way you didn't like.


I recently signed up for a promo from DirectTV Now where the promo was cheaper than the free AppleTV that came with it.

Don't worry, I'm not promoting DirectTV Now because it sucks balls. I have ad blocking at the router level at home and DirectTV basically won't work because of it. Even when it does work the picture quality is awful, you can't easily skip commercials, changing channels is painfully slow. And there are ads everywhere.

But, my main point is that a few weeks after getting it, I get a mailer from Charter asking me why would I want to pay for channel bundles (I get only internet from Charter)... the only way that mailer makes sense is if they were watching my traffic and seeing that I'm a subscriber to a channel package from their competitor. (I've never gotten a similar mailing and it doesn't make sense absent spying, otherwise they're kind of arguing against their own main cable service.)

It really made me want to get VPN setup whole-house.


I think in your case it's more likely they mass mailed a neighborhood minus their cable subscribers.


I just received a similar mailer from Time Warner, and we use Sling. However, I think they are just trying to capture a market segment that they entirely missed the boat on, and that it is coincidental. I guess I could ask my neighbors if they received the same mailer.


What you can do is use a third party DNS resolver like 1.1.1.1, ideally over HTTPS or TLS, and use HTTPS for all your web traffic. That dramatically reduces what they can inspect.

If that isn’t enough, your next option is a VPN or Tor.


Third party DNS is at best a very minor hiccup in the ease of an ISP monitoring where you're going, though in combination with things like HTTPS Everywhere it's a start - mostly if you're going to good-sized sites where most of your traffic actually goes to CDN providers.

Hm, thinking about it as I write, I could see how encrypted DNS plus everything being encrypted and served via CDN could actually cut down a lot on what carriers can see. Still far from perfect, but not quite as bad as I was originally thinking.

Edit: I wasn't familiar with Server Name Indication (destination hostname is unencrypted even though the rest of the URL and session are encrypted).


Without encryption, they can see who you talk to, what you are saying, the rate, the frequency, from where and when.

With encryption (https), they can see who you talk to, the rate, the frequency, from where and when. They can't see the actual URL (just the hostname) or data (encrypted).

With VPN, they see you are talking to a VPN, the rate, the frequency, from where and when. VPNs cut down on knowing who you are talking to (assuming they aren't logging or being monitored which they could easily do).

Other services could be added to obfuscate rate, frequency and when I would assume, but even then those services would only be additive obfuscation (unless you cache packets for a short term... just thinking as I type).

Someone check me if I'm off on these points...


You're close. There's actually well understood technology for obfuscating the rate and frequency - the field for manipulating these variables is called "traffic analysis".

One simple technique is to always transmit X packets/sec where Y packets/sec are real and the other packets are dummy packets (Y < X). If the channel is encrypted, it's impossible to distinguish the dummy traffic from the real traffic, and if you're over a VPN, it's difficult to identify the destination.

A slightly more sophisticated approach is to vary X over time, to make it shaped like streaming video, for example, to obfuscate the fact that you're using traffic analysis countermeasures.
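The padding scheme sketched in the comment above, as an added example (not code from the thread): the padded link emits exactly `profile[slot]` packets in every time slot, either a constant X or a varying profile shaped like some other application. Real packets fill a slot first and dummies fill the rest; real packets arriving faster than the slot allows are queued into later slots, so the pattern on the wire never deviates from the profile and the cost shows up as delay. The traffic figures are constructed.

```python
"""Cover traffic shaping: what a link observer sees when the sender pads.

Added example.  All inputs are constructed; slot lengths are abstract.
"""
from collections import deque
from itertools import cycle


def shape_traffic(real_per_slot, profile):
    """Pad and queue real traffic onto a fixed emission profile.

    real_per_slot: real packet arrivals in each time slot.
    profile: packets to emit per slot; cycled if shorter than needed.
    Returns (observed, dummies, max_delay): per-slot totals an observer sees,
    per-slot dummy counts, and the worst queueing delay (in slots) suffered by
    any real packet.  Emission continues past the input until the queue drains.
    """
    if not profile or sum(profile) <= 0:
        raise ValueError("profile must emit at least one packet per cycle")
    queue = deque()                 # arrival slot of each real packet still waiting
    observed, dummies = [], []
    max_delay = 0
    budget = cycle(profile)
    slot = 0
    while slot < len(real_per_slot) or queue:
        if slot < len(real_per_slot):
            queue.extend([slot] * real_per_slot[slot])
        allowed = next(budget)
        sent_real = 0
        while queue and sent_real < allowed:    # real packets go first, oldest first
            max_delay = max(max_delay, slot - queue.popleft())
            sent_real += 1
        observed.append(allowed)                # the wire always shows the profile
        dummies.append(allowed - sent_real)     # the remainder is cover traffic
        slot += 1
    return observed, dummies, max_delay


def observer_view(real_per_slot, profile):
    """Distinct per-slot totals visible on the wire: all the padding leaks about volume."""
    observed, _, _ = shape_traffic(real_per_slot, profile)
    return sorted(set(observed))


if __name__ == "__main__":
    bursty = [3, 0, 7, 1, 0, 2]                    # constructed real traffic, ~2/slot on average
    print("constant X=4:", shape_traffic(bursty, [4]))
    video_like = [6, 6, 2, 2, 2, 6, 6, 2, 2, 2]    # constructed 'streaming' envelope
    print("video profile:", shape_traffic(bursty, video_like))
```

The trade-off is explicit in the return value: a lower X wastes fewer dummy packets but pushes `max_delay` up when real traffic bursts. Padding conceals per-slot volume from whoever watches the link; it says nothing about where the tunnel endpoint forwards the traffic, which is why it only makes sense inside an encrypted tunnel.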


If you are repeatedly going to sites A,B,C, then over time even if you are sending bogus packets, the sites you do go to will rise to the top.

It’s similar to differential privacy where even with a bunch of bogus data patterns in aggregate can be determined.


It's not one of encryption or tunneling or packet shaping that does the work, but rather all of these techniques together work to reduce an adversary's traffic analysis capability.


I'm not familiar with how to set this up. Do you have a link to a guide to use such a service for me and others?


Add an always-on VPN tunnel to your router with the tunnel exit on someone else's (not Comcast) network.


Time to shell out for a VPN service.


One of the problems I've run into with using a vpn service is that many services block IPs from common vpn services. While this may be due to abuse originating from those IPs this still seems like a lazy approach to abuse prevention.

One approach that could work around this in many cases is to run a VPS with a private VPN server on a cloud provider. This is beyond the technical ability of the average user though and costs more than most VPN services.


I run a private VPN server on Digital Ocean and still get blocked by some sites. Zillow.com comes to mind as one I was unable to access recently.


If you can't access Zillow, nothing of value was lost.


Same -- Netflix, craigslist as well


FYI NordVPN works on Netflix. At least it does at the current time. Though I've been blocked on Amazon even just while shopping.


Why would Amazon care? I think I've went to Amazon over Tor and had no problem. I never tried to log in, but they let me browse just fine.


In practice this isn't much of a problem, and I get it with Netflix. I turn off my VPN if I am watching Netflix on my computer and I don't think my privacy suffers too much for it. It feels bad not to have 100% coverage but I honestly don't care who knows what I watch / how often I watch Netflix.


It is more of a problem if you want to run the VPN on your router upstream of your devices, which simplifies management and ensures all devices are protected from ISP snooping, including devices where I don't control the software like a Chromecast.

I had to disable router-level vpn for exactly this reason, which is frustrating.

Amusingly enough, when I did have it on, my Chromecast showed weather data for the vpn endpoint so it's using IP-based geolocation for weather. It could be smarter.


> my Chromecast showed weather data for the vpn endpoint

That is pretty awesome. I feel your pain and that is why I haven't gone and flashed my router even though I finally bought one that will let me.


Are VPN Routers a good option, or do you recommend VPN on each device?


Depends on the traffic from devices. If you don't have crazy high traffic, flash your router with openwrt and install wireguard. If the flash is too small, you can compile your own image with wireguard selected which doesn't need as much flash space.

Next you can choose a cloud provider, which is metered (GCE, AWS, etc), or non-metered like OVH, or Digital Ocean(they don't charge you if you go over the 1TB for now).

Or you can choose a VPN service provider like Mullvad who have wireguard option (PIA should be getting it soon), if you trust them.

Be careful in choosing your provider since you might be annoyed with the latency over time, or just get used to it.

There are tutorials for all this.


You can mitigate the speed issue by adding your own DNS local caches and then start blocking ads, trackers and malware sites and whomever you want (FB is added to the spyware list) using publicly available lists. All of this speeds browsing considerably.

A personalized router is very powerful.


Openwrt by default caches using dnsmasq, but the blocklist is a good idea. The problem is, even the blocklist is sometimes too big for the tiny flashes of some routers.


As another poster said, go with a mini-pc like Qotom. Uses little power, configure however you want (memory, SSD). Most web pages load instantly, and it handles a massive blocklist (Bind9). I'm slowly adding a list of always on packages like sync tools. Also, you can use an AP instead of router attached wifi. Move the Power-over-Ethernet AP where you want. Ubiquiti Unifi is far better coverage than my previous consumer grade wifi. Do it all in your favorite Linux flavor.


The average user doesn't want to buy more hardware, and flashing an existing router can be done in an evening.

Also, why Bind9? I don't see what's wrong with dnsmasq, and changing hosts file for blocklist. Also, I often advise against network wide blocklists unless you're the only one using the network, since subtle things break.

Here's what I do: https://news.ycombinator.com/item?id=14780738

The only thing different is that I use wireguard and dnsmasq now.


I find having one piece of low-power hardware that is always on a handy tool. A homeserver+router, basically. I can decloud a lot of things. Having a beefier piece of hardware makes it a non-issue. I try to run things in Docker for modularity. Total hardware cost is competitive with a high-end router, but I think I get more.

Bind9 seems to be better for blocking. RPZ is made for it. I don't think dnsmasq supports RPZ though projects like Pi-Hole use dnsmasq. I'm not positive, but I think RPZ is more flexible. Bind9 seems to do anything you like. I may want to resolve DNS myself and not just forward.

I'm starting to look into configuring Bind9 to have different blocking per user using "views." Some want Facebook, some don't, so I can block accordingly. I'm not sure you can do that in dnsmasq. I did discover subtle things break, like you can't block Facebook and still access Instagram, thus the "views" approach. I don't want to change hosts file on every device, especially mobiles, and can even provide some protection for guests this way. I might do a captive page for a blocked domain and let people bypass in their view if they like, then I can have a "block-first" approach.

I do like network-wide blocking for the malware lists - if anyone acquires malware, it can't phone home (if it's on the list) and I can detect via logs. DNS as firewall seems to be a trend. I'm looking into blocking IPs via iptables as well using public lists. Maybe I'll even setup Snort or Bro. The possibilities are endless.


I use a Qotom mini pc as a router. I configure it with NixOS. It's amazing.


> your own DNS local caches

Doesn't that mean your ISP will now see what domains you are looking up?


Not if you use DNS-over-HTTPS with cloudflare or google.

https://github.com/aarond10/https_dns_proxy


Just clarifying your comment for others: Your ISP would still see the IPs of the sites your packets visit unless you are using an encrypted VPN connection. The DNS-over-HTTPS is a great addition to a VPN.

(the VPN comment was several levels up so some might miss it)


Righto!


Netflix and other video sites will be blocked from a lot of VPS providers. You may be better off going with a professional service that can keep their ips clean


True, but it can be mitigated by setting the routing table for Netflix IPs to avoid the tunnel. There's no standard way this can be done, but it's not impossible.


I did this for a while, and it was a decent headache to maintain. I had pfSense running at the Comcast edge and configured it to route all but specifically whitelisted traffic through a VPN I controlled. Speed was slower than max but acceptable due to choosing a VPS provider close to me, but the maintenance on the whitelist was cumbersome.


I'm interested in the implementation of this, but do not have the technical background to begin. Would you have any go to resources for a beginner?


careful because I already see this coming:

"In order to serve our customers better and provide the best possible experience, VPN services will be blocked and will require a Business Tier service. We feel that unless you have a legitimate business reason to anonymize your network traffic we will provide this service in order to protect our subscribers and network integrity. Click Here to Speak to our Sales Representative"


Aren't all ISPs required to comply with lawful intercept regulation that includes data retention?


That can potentially be a HIPAA violation unless medical providers/platforms get a Business Associates Agreement with the ISP. This could be a nightmare.


The HIPAA violation would be on the care provider by transmitting in cleartext over the internet.

If they're transmitting properly over TLS then no patient info would be divulged.


I've always wondered why people are so hard on Facebook, but give At&t and the other ISPs a free pass to do whatever they want. If you ask me, the ISP cartels are orders of magnitude more evil than FB.

At least FB is making changes to address the issues, unlike At&t who keeps screwing people over more and more every year.


People should also include credit card companies as they've been tracking purchases and inferring data long before Facebook has existed.


you forgot selling all of the purchase data.


Do you have a source for this?



of which I'm sure facebook buys...


Largely because FB is mining your data today and has built a half-trillion dollar business doing it. For ISPs it's mostly theoretical and attempts here and there. (That's why this article uses the phrase "pose a greater surveillance risk").


Spoiler Alert: ISPs also already sell your data to advertisers and data middle-men. They also have built a business selling your data.


I agree, though I'd say that this is because of general ISP incompetence, not because the ISPs don't want to do this.


Whenever you think "why don't users care about this privacy issue" stop and ask yourself "wait, do people actually know about this privacy issue and do they understand the implications, though?"

Do you think most people have actually thought about how their ISPs must track their every interaction with the web and read all of their unencrypted chats and traffic?

I think that what's needed is more awareness about what the ISPs are doing, but I really don't like headlines and articles like this one that try to minimize what Facebook and Google are doing.

The ISPs' tracking may be more all-encompassing, but a large portion of the web, especially popular websites, are becoming "dark" to them, as major sites adopt HTTPS encryption. Their next most valuable tracking tool besides HTTP is probably the DNS server. And to get people to change that you'll need to raise a lot of awareness about it.

I guess Microsoft, Google, and Apple enabling their own DNS resolvers by default on their operating system would be a small improvement, but you're kind of moving the problem instead of solving it. And Google already does that with recent versions of Android, I believe.


Don't ISPs like Comcast have access to orders of magnitude fewer users? I think it has to do with scale and the fact the Cambridge Analytica used Facebook data and not, it seems, Comcast data. Overall Facebook is just the focal point of the ire. The ire though is really not Facebook as such but rather unregulated data collection by private companies.


Yes. Google and Facebook both have global reach and billions of users, but they also spend millions of dollars on PR to convince you the ISPs are the real privacy threat.

The author's LinkedIn includes recently working for a law firm, Fenwick & West, which proudly brags about Google being one of their clients on their career page.

If an article is doing "whataboutism" that minimizes the danger of big tech, check their resume, it's probably their job.


> Don't ISPs like Comcast have access to orders of magnitude fewer users?

Yes, but because it's your ISP and your data it's snooping, it suddenly becomes important.

As they say, one death is a tragedy. A thousand deaths is a statistic.


Yes, they have far fewer users, but they also have a much longer history when it comes to user tracking and measurement in the name of ad targeting. Although I think the big difference is they can't do network analysis.

This said, Comcast (which owns NBC Universal) has been able to use cable boxes to improve ad targeting for decades, trace that back to internet usage, and apply it to models already built for NBC usage.

An even more powerful one though is Verizon, where with their now acquisition of Yahoo they can use that data as well, which is combined with both all of the home data collection Comcast has, but with 80+ million mobile users as well.


Facebook is mildly transparent about it so it's easy to criticize, the ISPs are black boxes.


Because Facebook is in the business of monetising data about people and ISPs aren't.

It's not obvious to me that ISPs would bother (except where required to do so by law). They could just route traffic and not inspect anything.


"It's not obvious to me that ISPs would bother"

The issue is mainly that ISPs are also, by and large, the Cable Companies. Cable is dying. It's dying quickly. Cable companies are seeing dwindling revenue streams from their cable packages and are going to be looking for ways to bolster their shareholder's profits despite the inevitable death of traditional cable programming schemes.

How do they do that?

They do it by selling anything and everything they can to advertisers, exactly like what they've been doing with cable. Coincidentally that's also exactly the reason that cable is dying.


ISPs also are in the business of selling your data.


FB (and other data collection businesses) pose a greater threat because they have direct access to your content rather than passive streams of increasingly encrypted data. And web trackers get access to your browsing behavior even if you aren't a user in a way that gives them more oversight on TLS connections since they're embedded (somewhat unwittingly) by webpages throughout the internet.

TLS limits what your ISP can see. So until they block encrypted traffic it doesn't scare me too much.


Good question... Maybe:

1. I don't think people have thought about it enough. I know I haven't. I think part of the reason is AT&T et. al. seem "inevitable" whereas Facebook is conveniently "quittable".

2. FB's lack of privacy has been discussed in the open and in the news recently, making it stand out.

3. (One of) FB's goals is to sell you to advertisers...


> I've always wondered why people are so hard on Facebook, but give At&t and the other ISPs a free pass to do whatever they want.

Because we choose to use AT&T and other ISPs. Facebook has enough beacons spread across millions of websites that even if you choose not to have a Facebook account, it's still monitoring you.


The majority of people in the USA don't choose their ISP; their city zones ISPs per neighborhood.


...mostly in the US.


Because most people haven't actually thought about this very deeply and if they did they would realize Facebook doesn't "know" a fraction of the things people claim they do[1] which makes the whole CA hysteria even more absurd.

[1] https://www.ft.com/content/d7c955ac-3213-11e8-ac48-10c6fdc22...


The text of Joint Resolution 34 when it passed in the Senate last year https://www.congress.gov/bill/115th-congress/senate-joint-re...

The role call vote breakdown https://www.senate.gov/legislative/LIS/roll_call_lists/roll_...

Ars Technica's coverage of the bill (now law) with context https://arstechnica.com/tech-policy/2017/03/senate-votes-to-...


If you use Chrome or Firefox, almost all of your data is hidden from the ISP - increasingly more sites use HTTPS, and use a CDN, and browsers are implementing DNS over HTTPS and have their own DNS resolvers. In addition, providers like Google are literally proxying your mobile requests to unrelated sites to capture even more data.

Google and CloudFlare can see probably more than 90% of your traffic without even trying. Google's business model is dependent on selling advertisement based on your data. Your ISP can see maybe 50%, and it's shrinking fast.

All of these companies exist because you agreed to them. You're paying them to continue this behavior, or using their free services. Stop agreeing to free services and stop using monopolies. Lobby your local government to overturn laws preventing municipal internet providers.

That won't happen though, because people don't really care that much about surveillance to go to those lengths just to stop it. Hell, the NSA is still illegally wiretapping US citizens.


> If you use Chrome or Firefox, almost all of your data is hidden from the ISP

Can you elaborate on how Chrome and Firefox hide your traffic from your ISP, and what privacy advantages they have over IE, Safari or Opera?


Sure. Chrome and Firefox both implement (or are implementing) DNS over HTTPS, which hides what domains you're visiting by passing the request encrypted through a provider such as Google. Chrome also has a "data saver" on mobile that passes your traffic through Google's servers. Opera has had similar functionality for some time. Safari and IE will implement DNS over HTTPS once it's a standard, which should be soon. Don't know if they have plans to support tunneling too.


> Chrome and Firefox both implement (or are implementing) DNS over HTTPS, which hides what domains you're visiting by passing the request encrypted through a provider such as Google.

DNS over HTTPS doesn't actually hide the domains you're visiting, because TLS SNI means the server hostname is sent in plaintext as part of the TLS handshake.

And for major sites, they probably aren't sharing their public IPs with other sites, hence the ISP can know what site you're connecting to via knowing what IP you're sending datagrams to.


Ah, I had no idea it was already implemented in those browsers!

It appeared to be disabled by default in my Firefox install - for anyone else, I followed these instructions to enable it:

https://www.ghacks.net/2018/04/02/configure-dns-over-https-i...


What is stopping your ISP from doing reverse DNS and looking up what domain is pointing to the IP you are connecting to?


You can't do reverse DNS for sites using SNI. Multiple hosts use the same IP.


Further expanding on the article, ATT sells a spy service to police departments and many police departments are paying 100k and more yearly to ATT for this.

https://mashable.com/2016/10/25/att-selling-data-police/#DuI...


Comcast, AT&T and Verizon don't have a single bit of data on me, I'm not a customer. As opposed to Facebook and Google being present on just about every webpage and gobbling up data about all the people on the planet that have internet access.

The article has this bit in it:

"Your internet provider doesn’t just know what you do on Facebook – it sees all the sites you visit and how much time you spend there. Your provider can see where you shop, what you watch on TV, where you choose to eat dinner, what medical symptoms you search, where you apply for work, school, a mortgage. Everything that is unencrypted is fair game. "

The last part is the important part: hardly anything is unencrypted these days (and if it isn't it really should get with the times). So if that part of the article would have been adjusted to the present day situation that only thing that remains is that if these parties are your provider then they can indeed see which IP addresses you connect to (if you don't use a VPN).

They can't see what you watch on TV unless you configure your TV to tell them (or use a set-top box to choose your channels for you), they do not know where you choose to eat your dinner unless your smartphone leaks GPS coordinates to them (regular triangulation is too coarse for this) and they do not know where you apply for work and school or a mortgage.

In general this is a whole bunch of alarmist hoopla, yes, providers see too much data, no it's nothing compared to Facebook and Google.

What should worry you is AT&T and other cellular services providers access to your call records (which they are required by law to keep for a long time in most places) and SMS data as well as the possibility of them recording all your voice calls without your consent.


> So if that part of the article would have been adjusted to the present day situation that only thing that remains is that if these parties are your provider then they can indeed see which IP addresses you connect to

You're saying that like it's nothing. Whatever happened to "metadata is often more revealing than data"?

> As opposed to Facebook and Google being present on just about every webpage and gobbling up data about all the people on the planet that have internet access.

You can trivially install Privacy Badger, Ghostery or any other number of tracker blockers that are available for free. Firefox comes built-in with a tracker blocker that's pretty good too. Every person on the planet has the option to opt out from FB and Google tracking.

Using a VPN costs money. Some websites (eg. retailers, Netflix) aggressively block connections from VPN IPs which means you have to turn off your VPN and sacrifice your privacy to access those sites. Whereas I've never seen a site block you because you have Privacy Badger installed.


> Whatever happened to "metadata is often more revealing than data"?

That's true, but the article claims that the actual data is accessible which it isn't in most cases.

And it's a bit in the nature of being an ISP, after all the only thing they are supposed to do is to take your packets and deliver them elsewhere, if they didn't do that then they wouldn't be in business at all. To the extent that this raises awareness of how the internet works under the hood I'm all for it but it is designed that way, it is not as if AT&T, Comcast and Verizon have gone out of their way to get this ability by injecting their content into each and every web page.

> You can trivially install Privacy Badger, Ghostery or any other number of tracker blockers that are available for free.

Yes, and I do. And most people do not.

> Every person on the planet has the option to opt out from FB and Google tracking.

Yes, but only a small percentage actually does so. And Google is present in so many market segments that in practice you will be interacting with it whether you want it or not even if you have a blocklist a mile long. Because that email you just sent to that innocent looking domain is actually gmail masquerading as some other domain.

> Whereas I've never seen a site block you because you have Privacy Badger installed.

I see this several times per week actually, usually related to some over-eager adblocker detector.


> Yes, but only a small percentage actually does so.

But they can and it's free to do so. Opting out of ISP tracking costs money, when I'm already paying my ISP money.

> it is not as if AT&T, Comcast and Verizon have gone out of their way to get this ability by injecting their content into each and every web page.

Not for lack of trying[1]. Also Verizon now owns Yahoo and AOL which have some pretty large ad networks of their own.

1. https://arstechnica.com/tech-policy/2014/09/why-comcasts-jav...


> Opting out of ISP tracking costs money, when I'm already paying my ISP money.

All you will end up doing is giving someone else the same capability that your ISP has today. A VPN solves exactly nothing.

> Not for lack of trying

Yes, that's true they did try that. But then again, so did some registrars by hijacking domain names that were not in use. (And sometimes even when they were in use).

But end-to-end encryption took care of that in a pretty definitive manner.


> A VPN solves exactly nothing.

Maybe, maybe not. US ISPs operate as virtual monopolies in many markets - even if an ISP was tracking and monetizing online activity most customers don't have any recourse.

In contrast, the VPN market is extremely competitive; there are dozens, maybe hundreds of providers. Privacy is one of the differentiating factors between them. It would be extremely risky for a VPN provider to claim "no logs" but actually store logs - a single data breach, rogue employee, or whistleblower could end their business.

I'm not claiming VPNs are a desirable solution. The desirable solution is that ISPs don't track or otherwise monetize their customers' online activity.


> they can indeed see which IP addresses you connect to

They can see the hostname, actually, because DNS isn't encrypted. And even if you run DNS over TLS, it doesn't matter because of SNI (https://en.wikipedia.org/wiki/Server_Name_Indication).


Ah right you are, so yes, they can get to that. Even so, that's just a host, which is a far cry from the full URL which is typically what Facebook and Google have access to through 'like' buttons and analytics.


> The last part is the important part: hardly anything is unencrypted these days (and if it isn't it really should get with the times).

It's always nice to see

https://letsencrypt.org/stats/#percent-pageloads

Everyone can do something to help increase this!

(On the other hand, there's still an information leakage from the volume and timing of communications, like inferring that two people are communicating with one another in real time because their traffic flows are correlated, or figuring out what page someone's reading on a site from that total volume of encrypted traffic downloaded.)


> On the other hand, there's still an information leakage from the volume and timing of communications, like inferring that two people are communicating with one another in real time because their traffic flows are correlated

Yes, this is a problem. But it is also totally inherent to the role of being a provider. And as long as the internet is roughly structured the way it is today that will continue.


It's pretty hard for ISPs to do that on a large scale: ISPs are only regional monopolies, in the areas they are monopolies at all. There's likely a relatively small percentage of your communications where both ends of the communication are using the same ISP.


On the other hand, most people communicate most often with people in their own geographic region, and in the U.S. the "two people on the same ISP" probably happens pretty frequently with Comcast and AT&T (as well as national mobile carriers in the case of mobile data service, where you might not immediately realize that the carrier could learn that information in the way that it would if you were making a phone call or sending a text message).


With calls and texts, certainly, but with Internet traffic? Bear in mind as well, ISPs tend to be monopolies in more rural areas, where the distance between people is higher to begin with. And most of your communications on the Internet will go to or from a server, which is likely not local.


In this case, the ISP can correlate the timing of the communications activity in order to confirm that it involves two particular customers.


Give me an example, what kind of communication?


Like a Skype call. If user A calls user B (of the same regional ISP), the communications don't go directly from A to B (rather they go from A to Skype and Skype to B, and vice versa), but the timing and volume of the traffic flows are extremely well correlated.


Alright, I can grant that is true, although if you assume an ISP like Comcast has thousands (or more) simultaneous Skype calls, and they come and go often enough that it's likely you'll be dealing with many starting at close to the same time... there's a lot to track there. Also, bear in mind, you have to weed this out from all the unidirectional calls: Comcast to [other ISP] and [other ISP to Comcast] calls, so you can't even make one-to-one matches reliably.

And of course, when you compare to the tech industry alternative: Microsoft knows who is talking to who straight up (and on a global scale), whereas the ISP can only guess. And while the ISP's understanding of who is calling who ends at the household, Microsoft knows which user accounts made the call, which is much more likely to correlate to individual people.
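As an added example (not code from any poster), here is a constructed illustration of the relayed-call correlation described above, including the unrelated flows the reply points to: the observer never sees an A-to-B packet, only each customer's per-second byte counts, yet the two ends of the call stand out. All series and names are made up for the example.

```python
"""Flow-timing correlation on relayed traffic (constructed illustration).

Added example for the Skype-relay discussion (not code from any poster).
Two customers of the same provider talk through a relay; their upstream
and downstream byte counts rise and fall together while unrelated flows
do not. Every series here is constructed; a real link carries far more
flows and noise, which is exactly the scaling caveat raised in the reply.
"""
import random
from math import sqrt
from typing import Dict, List, Tuple

SECONDS = 60  # length of each constructed per-second series


def pearson(x: List[int], y: List[int]) -> float:
    """Pearson correlation coefficient of two equal-length series (0.0 if flat)."""
    n = len(x)
    mx, my = sum(x) / n, sum(y) / n
    cov = sum((a - mx) * (b - my) for a, b in zip(x, y))
    vx = sum((a - mx) ** 2 for a in x)
    vy = sum((b - my) ** 2 for b in y)
    if vx == 0 or vy == 0:
        return 0.0
    return cov / sqrt(vx * vy)


def make_call_pattern(rng: random.Random) -> List[int]:
    """Per-second bytes of one direction of a voice call: talk bursts alternate
    with near-silence, which is what gives the series its shape."""
    series, talking = [], True
    for _ in range(SECONDS):
        if rng.random() < 0.2:  # speaker switches between talking and listening
            talking = not talking
        series.append(rng.randint(6000, 9000) if talking else rng.randint(200, 600))
    return series


def build_customer_flows(seed: int = 7) -> Tuple[Dict[str, List[int]], Dict[str, List[int]]]:
    """Constructed upstream/downstream byte counts for several customers.

    'alice' and 'bob' are on a relayed call with each other; the others are
    unrelated browsing or streaming. Returns (upstream, downstream) dicts.
    """
    rng = random.Random(seed)
    call_a_to_b = make_call_pattern(rng)
    call_b_to_a = make_call_pattern(rng)
    up = {"alice": call_a_to_b, "bob": call_b_to_a}
    # The relay forwards each side's bursts to the other side's downstream;
    # a little jitter keeps the copies from being bit-identical.
    down = {
        "alice": [b + rng.randint(-300, 300) for b in call_b_to_a],
        "bob": [b + rng.randint(-300, 300) for b in call_a_to_b],
    }
    for name in ("carol", "dave", "erin"):  # unrelated customers
        up[name] = [rng.randint(100, 2000) for _ in range(SECONDS)]
        down[name] = [rng.randint(50000, 90000) for _ in range(SECONDS)]
    return up, down


def correlated_pairs(up: Dict[str, List[int]], down: Dict[str, List[int]],
                     threshold: float = 0.8) -> List[Tuple[str, str, float]]:
    """Pairs (x, y) where x's upstream tracks y's downstream above the threshold."""
    hits = []
    for x, ux in up.items():
        for y, dy in down.items():
            if x == y:
                continue
            r = pearson(ux, dy)
            if r >= threshold:
                hits.append((x, y, round(r, 3)))
    return sorted(hits)


if __name__ == "__main__":
    upstream, downstream = build_customer_flows()
    for x, y, r in correlated_pairs(upstream, downstream):
        print(f"{x} upstream tracks {y} downstream (r={r})")
```

Constant-bitrate or padded transport flattens these series and is the usual countermeasure; encryption of the payload alone does nothing against this kind of correlation.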


MS has access to the payload as well.


>They can't see what you watch on TV unless you configure your TV to tell them (or use a set-top box to choose your channels for you),

cable providers can legally encrypt all channels, even basic/OTA ones[1], which essentially makes set-top boxes mandatory.

[1] https://hometheaterreview.com/fcc-rules-to-make-it-harder-to...


> Comcast, AT&T and Verizon don't have a single bit of data on me, I'm not a customer.

That's likely incorrect. You're traveling across their networks in routine use of the US Internet and its services/sites. In addition to consumer services, they all have substantial business services. They probably have less data on you than Facebook & Google.


I highly doubt there is a recognizable profile for me on Comcast, AT&T or Verizon servers, I'm 100% sure there is a recognizable profile of me on FB's servers. And I'm not a customer of any one of them.

The worst that I can think of that AT&T would have is some traffic stats, and they wouldn't know that it was me, just that some traffic from some random EU IP made it through one of their choke points. That entirely does not worry me.


I think your encrypted argument is falling prey to the common fallacy of "it's only metadata". Knowing when you interact with which sites is more important than 90% of what you're doing on those sites, in terms of profiling you and monetizing you with data brokers.


The irony is that with more and more sites wanting to be "portals", more traffic is centralized within a single domain and none of the lateral movements are visible to the ISP.

Then: You go to foxnews.com, then you go to pornhub.com. Based on hostnames we can make some inferences about you and your behaviors.

Now: You go to reddit.com(/thedonald), then you go to reddit.com(/twerkinggifs). Thanks to HTTPS, the specific subs you're visiting aren't visible to the ISP; all they can see is you going to reddit a bunch of times.


Yes, but it is far harder for my ISP to monetize that data than it is for the two largest ad networks on the planet.

My ISP is welcome to know what sites I connect to because I pay them to do exactly that. Facebook and Google inserting their riders everywhere I go is not part of something I consent to.

And that's the root of the problem, if I send an envelope with my return address on the back the postal services have access to the meta-data and it is my decision to let them.

But it is not my decision to let a bunch of unrelated third parties use the contents of the letters to build up profiles on me and my counterparty.


No. AT&T has DPI on all packets that traverse its network and it cross licenses and shares financials with an extremely large number of network, credit, and transportation firms. This includes their cell network which tracks users at GPS accuracy.

For your statement to be true you would have to go without credit, a vehicle, a house, an internet connection, a cable TV, a connection to a cell tower.

It is more likely that you are not familiar with the size and complexity of their data collection and aggregation system.


You're a small minority; when you include both cell phone and broadband, the vast majority of the country is a customer of at least one of them.

It would be good to see data on the relative monopoly market concentrations between the cable/telcos vs Facebook/Google.


For the vast majority of customers, Comcast, AT&T, and Verizon know what sites you visit, what types of data you pass to them, every single DNS lookup you make, etc. Sorry, but this is FAR more intrusive than Facebook, which you CLAIM has lots of data on you even if you don't use their service. It's harder to avoid Google than it is to avoid Facebook, but again, it's doable.


It's well known, not the poster's personal claim:

https://boingboing.net/2017/11/08/involuntary-profiling.html

FB goes so far as to buy your data from others, which is why I block all trackers. I'm sure I still leak data to FB, even though I never joined, and never will.


Interesting! Thanks for the informative reply. This feels like the kind of thing I probably read about at some point but subsequently forgot.


> For the vast majority of customers, Comcast, AT&T, and Verizon know what sites you visit

They know which IP addresses you connect to. Many of those host large numbers of websites.

> what types of data you pass to them

What do you mean with 'what types of data'? They can't access the headers of encrypted traffic.

> every single DNS lookup you make

Yes, that's true. And you can cache those locally.

> etc. Sorry, but this is FAR more intrusive than Facebook, which you CLAIM has lots of data on you even if you don't use their service.

Shadow profiles are a thing.

> It's harder to avoid Google than it is to avoid Facebook, but again, it's doable.

It's just about impossible. Every other email you send ends up in a gmail inbox. So even if you don't use their services at all your data still ends up with them. Even if you don't have a smartphone enough people around you will have them that your social graph will end up with Google anyway. And so on.


> They know which IP addresses you connect to. Many of those host large numbers of websites.

And SNI reveals which one of the Web sites you are accessing.
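As an added example (not code from any poster or from the article), here is what an on-path observer can recover from the first packet of a TLS connection even when the DNS lookup went over HTTPS: the SNI hostname, which is the point made here and in the earlier reply about DNS over HTTPS. The ClientHello bytes are constructed for the example.

```python
"""Extract the Server Name Indication (SNI) from a TLS ClientHello.

Added example for this thread (not code from the article or any poster).
The sample ClientHello is constructed here; no real traffic is used.
"""
import struct
from typing import List, Optional

TLS_HANDSHAKE = 0x16   # TLS record content type
CLIENT_HELLO = 0x01    # handshake message type
EXT_SERVER_NAME = 0x0000
SNI_HOST_NAME = 0x00


def build_client_hello(hostname: str) -> bytes:
    """Build a minimal, well-formed TLS 1.2 ClientHello record (constructed test data)."""
    name = hostname.encode("ascii")
    # server_name extension body: list_len(2) | name_type(1) | name_len(2) | name
    sni_list = bytes([SNI_HOST_NAME]) + struct.pack("!H", len(name)) + name
    sni_ext_body = struct.pack("!H", len(sni_list)) + sni_list
    extensions = struct.pack("!HH", EXT_SERVER_NAME, len(sni_ext_body)) + sni_ext_body
    body = (
        b"\x03\x03"                 # client_version: TLS 1.2
        + bytes(32)                 # random (zeros are fine for a parser test)
        + b"\x00"                   # session_id length 0
        + b"\x00\x02\xc0\x2f"       # cipher_suites: one suite
        + b"\x01\x00"               # compression_methods: null only
        + struct.pack("!H", len(extensions)) + extensions
    )
    handshake = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([TLS_HANDSHAKE]) + b"\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def parse_sni(record: bytes) -> Optional[str]:
    """Return the SNI host_name from a TLS ClientHello record, or None.

    Bounds are checked at every step so truncated or non-TLS payloads
    (for example plain HTTP on port 80) yield None instead of raising.
    """
    try:
        if len(record) < 5 or record[0] != TLS_HANDSHAKE:
            return None
        rec_len = struct.unpack("!H", record[3:5])[0]
        hs = record[5:5 + rec_len]
        if len(hs) < 4 or hs[0] != CLIENT_HELLO:
            return None
        hs_len = int.from_bytes(hs[1:4], "big")
        body = hs[4:4 + hs_len]
        if len(body) < hs_len:
            return None                       # truncated handshake
        pos = 2 + 32                          # skip client_version and random
        sid_len = body[pos]; pos += 1 + sid_len
        cs_len = struct.unpack("!H", body[pos:pos + 2])[0]; pos += 2 + cs_len
        cm_len = body[pos]; pos += 1 + cm_len
        if pos + 2 > len(body):
            return None                       # no extensions block at all
        ext_total = struct.unpack("!H", body[pos:pos + 2])[0]; pos += 2
        end = pos + ext_total
        while pos + 4 <= end:
            ext_type, ext_len = struct.unpack("!HH", body[pos:pos + 4]); pos += 4
            data = body[pos:pos + ext_len]; pos += ext_len
            if ext_type != EXT_SERVER_NAME:
                continue
            # ServerNameList: total length, then (name_type, length, name) entries
            list_len = struct.unpack("!H", data[0:2])[0]
            lp = 2
            while lp + 3 <= 2 + list_len:
                name_type = data[lp]
                name_len = struct.unpack("!H", data[lp + 1:lp + 3])[0]
                lp += 3
                if name_type == SNI_HOST_NAME:
                    return data[lp:lp + name_len].decode("ascii")
                lp += name_len
        return None
    except (IndexError, struct.error, UnicodeDecodeError):
        return None


def hostnames_seen(payloads: List[bytes]) -> List[str]:
    """What an on-path observer learns from the first payload of each flow:
    the hostnames, even when the DNS query itself went over HTTPS."""
    return [h for h in (parse_sni(p) for p in payloads) if h is not None]


if __name__ == "__main__":
    flows = [build_client_hello("www.example.org"),
             b"GET / HTTP/1.1\r\nHost: plain.example\r\n\r\n",  # not TLS
             build_client_hello("shared-cdn-tenant.example")]
    print(hostnames_seen(flows))
```

The same hostname would be readable behind a shared CDN address, which is why a reverse lookup on the IP is unnecessary for the observer and why IP-level inference is the weaker of the two leaks.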


> Many – though by no means all – of us are privileged enough to #DeleteFacebook, or at least reduce the time we spend there.

What privilege is being referenced here?


There are countries where Facebook is a primary means of communication.


I wasn't aware of that. I know of places where it is popular and a reflex for quick communication but I didn't think it would be a/the primary tool.


This is a somewhat misguided article.

Your ISP does not have access to most of your communication, social media usage and searches as that runs thru https.

That is why Facebook and others are completely blocked in China. Had the national carriers been able to surveil and block select communication they would have been asked to do so by the government.

Secondly an ISP charges you a subscription and that is their revenue model. They are not incentivised to build an elaborate profile on you in order to deliver advertisement.

Thirdly ISPs in most countries are required by law to support the police with surveillance information. That is done in a transparent way (you can read the laws and ask your politicians).

This police support has always existed since the days of the tele monopolies. However now that more communication runs via internet, https and social media, it creates this strange imbalance where the police cannot get the same access to Facebook (or similar) communication as they can to SMS or voice communication.

Also Facebook provides different levels of access to the NSA, the police in Denmark and the police in Myanmar. And does that in a non-transparent manner.


>Secondly an ISP charges you a subscription and that is their revenue model. They are not incentivised to build an elaborate profile on you in order to deliver advertisement.

Please, everyone, stop saying things like this. Just because you pay a company money for a service does not mean you magically have a perfectly balanced relationship with them. They are in a position of extreme power and will not stop caring about aggregating what you do in a machine readable format in fine detail, all the while doing so behind a veil of legalese opt-out style tactics.

Beyond the lobbying for more relaxed data collection / monetization laws, ISPs have been fined in the past for injecting tracking cookies to keep better record of your browsing habits. They’ve been caught selling IP identification api’s. No, they don’t care about delivering advertising to you, they just want to broker your data to companies who will.


> Your ISP does not have access to most of your communication, social media usage and searches as that runs thru https.

Access to TLS certs is plenty enough to sell. You hit pornhub.com at 2AM, or expecting-parents.com at 9am, or foxnews.com at midday? Each tells a significant story. I dare you to take a month of time stamped DNS requests and share with the internet.

> Secondly an ISP charges you a subscription and that is their revenue model. They are not incentivised to build an elaborate profile on you in order to deliver advertisement.

Are you trying to claim that a for-profit enterprise who has an opportunity to increase revenues using their current business model will decide against it, because it might be a bit of work? Explain to me who was responsible for the law change allowing ISPs to sell customer data? It sure wasn’t the customers.

> Thirdly ISPs in most countries are required by law to support the police with surveillance information. That is done in a transparent way (you can read the laws and ask your politicians).

LEA access is not what this article was about.


> Secondly an ISP charges you a subscription and that is their revenue model. They are not incentivised to build an elaborate profile on you in order to deliver advertisement.

That's exactly the opposite of how corporations work. Especially corporations in monopoly/duopoly markets.

In fact, US ISPs lobbied heavily for the right to do exactly that, without user permission, and got their way.

> Thirdly ISPs in most countries are required by law to support the police with surveillance information. That is done in a transparent way (you can read the laws and ask your politicians).

But that's not what this is about.


Came here to say this, surprised I had to dig so far to find this view.


If you have a local independent ISP, use them!

Two great ones in SF, MonkeyBrains and Sonic. Both support net neutrality, and don't do any of this evil shit.

https://www.monkeybrains.net/ https://www.sonic.com/


Doesn't Comcast even require a special router, where they install custom certs and packet analysis software? I remember a friend of mine was on the phone for a long time with their support, because he just wanted to use his own router, but Comcast wouldn't wanna patch him through. Anyone had a similar experience? I can ask him again for details.


Can anyone talk about hardware and software one can run at home to help protect themselves more?

I have a pfsense box for firewalling the whole connection. I should look and see if I can integrate VPN with this as well.

Right now I use a personal router with Astrill VPN for when I am out and about at coffee places. This: https://www.amazon.com/gp/product/B01K6MHRJI/ref=oh_aui_sear...

Plus I also have this Ubiquiti Edge Router I carry around too for wired connections. https://www.amazon.com/gp/product/B00YFJT29C/ref=oh_aui_sear...


They can't read the contents of conversations masked by TLS, but Facebook can. This is incredibly relevant to modern services and technology.

Telephone is an audio stream, so speech-to-text is a bit more wobbly. SMS, on the other hand... well, at least their price gouging was cost prohibitive for a few decades.


I've been forwarding all outgoing connections on port 80 (and a selection of other commonly-unencrypted ports) through a VPN (in the router) for a while now - but leaving all other ports (including most importantly 443) connecting directly.

It feels like a good compromise between privacy and speed.


I think this is fear mongering in the extreme.

Facebook, Twitter and Google have persuaded all of the major internet sites to add code to their pages in the hope that it will drive more page views. At this point they have implemented enough code to reap the same level of benefit that you might get from passively MITM’ing all internet traffic. What’s “worse”, is that Facebook and Google are campaigning heavily to move all web traffic to encrypted. The end result: a “more secure” internet that just happens to fend off a competitive threat.

The author should be ashamed of themselves. I think this falls under the “relative privation” fallacy. Google and FB are peerless when it comes to surveillance.


Plus Google AMP, where Google serves your site from their servers. And the 4.4.4.4 and 8.8.8.8 DNS servers, where they can see which SSL sites you visit that still haven't added their spy code.


The good news is, HTTPS is pretty common these days and Cloudflare just launched encrypted DNS (1.1.1.1). Those two things cover a large portion of exposed data.

If you're on Android, this is an excellent app that allows you to set a custom DNS server across all apps and connections, without root: https://f-droid.org/en/packages/org.jak_linux.dns66/. As a bonus it also lets you blacklist domains, though of course that's not relevant to concerns about your ISP.

Be wary of third-party VPNs, though (bottom section titled "VPNs could put you at risk"): https://arstechnica.com/information-technology/2016/06/aimin...


Whining about Comcast might be actually valid, but for most people of this world it's largely irrelevant. People from every place have Facebook access. Comcast customers are a minority - Americans are a minority. That's why Facebook has a lot harder time (also, ditching Facebook is more achievable).


Either you are concerned about surveillance or you are not. If you are then you would have to be concerned about both.

And more about Google and Facebook because of their global reach, access to location and content across all devices, an insatiable greed for user data including collation from all available sources to build detailed long term profiles of individuals, not unlike files by the Stasi.

Here is Facebook trying to get user data from hospitals. [1]. This is truly sinister.

[1] https://www.cnbc.com/2018/04/05/facebook-building-8-explored...


When the article says "what medical symptoms you search"... Comcast can't see what you search if you're connected to a page using https, right? All of the major search engines and medical sites all use https... so, what are they talking about?


Indeed. They can know you're at WebMD, not that you looked up erectile dysfunction symptoms at WebMD. Only the ad companies get that kind of detail.

And beyond that, we're so centralized these days that most websites people spend time on are generic. For example, you have no idea what someone's interests are because they connect to Reddit, Google, Facebook, Twitter, and YouTube, nor who they might be communicating with over those domains.


The article doesn't address strategies for avoiding such surveillance. How well does it work? Does it prevent you from doing anything you might need to do? How hard is it? How much slower? Can it be done on a mobile device?


You can setup your own VPN on a provider with generous transfer allocations. You can buy an off the shelf vpn. You could also use DNSCurve and exclusive https.


I recommend installing a VPN right on your router. Flash your router with something like dd-wrt


Most web traffic is encrypted these days so ISPs can only see what sites you’re visiting via DNS and SNI. While that is worrisome, I fail to see how that is greater data than my search history.


A key difference here is the data structures behind the scenes, don't you think? FB built a state-of-the-art pipeline designed for graph analytics, and sold that as a revenue source. Meanwhile, the ISPs spent money on attorneys to secure favorable legal terms, and the "moron count" inside the company is likely quite high. A zillion streams of sequential records are more like the 90s data warehouse situation, not FB graph search.


> Your provider can see [...] what medical symptoms you search [...]. Everything that is unencrypted is fair game.

Which search engines are unencrypted these days?


Does that matter much when your next DNS lookup is erectiledysfunction.org and your next ip packets go to the ip address of that domain?


I don't think I've ever visited a website that had the name of an illness in the domain name. But maybe it's just me.


I'm not as concerned about CA having data I've given to FB as I am about their admission of using it to spread false information. If cable and phone companies were politically weaponizing my data the same way I'd be just as concerned.

On the one hand, maybe worrying sooner prevents issues. On the other hand, I don't want to assume a slippery slope out of principle.


>If cable and phone companies were politically weaponizing my data the same way I'd be just as concerned.

What makes you think they aren't? They have influencers in Washington, just like any political group does.

The only difference between what the ISPs did and CA did is that the ISPs sell the data, whereas CA stole it. Your data still gets transferred.


Of course they lobby, and for self-serving purposes. And that could use reform. But it's not related to the FB/CA story. They use our data to participate in the ad-tech ecosystem but that's separate from lobbying, which doesn't benefit from having my likes or social graph in any way I'm aware of.


> admission of using it to spread false information . . . weaponizing my data

Can you link me to what Cambridge Analytica actually did with the data? I've been really curious about it but I can't find anything concrete.


Well the founder was recorded admitting to creating fake news for political purposes in an untraceable manner. The FB data would have let them target and personalize it.

And the 2016 election was flooded with targeted fake news from obscured foreign sources. I don't personally have access to CA's operations and communications. It's for investigators to prove if A and B are connected.

It's up to us to deploy Occam's razor.


Yet another reason Musk's new satellite internet will be awesome. I'd personally sacrifice some bandwidth for privacy.


What makes you feel that one will be "private"? Please don't tell me that you believe in the Musk PR. Google used to be the same way: "Don't be evil...".

It is the great circle of life. The incumbents love to be privacy-centric, but as soon as they become big enough, they realize that they can make a shitload of money with data/metadata now that they've got a captive set of customers.


True, I have more faith in that guy though. Maybe he is just another money grubbing hackjob that will eventually morph his companies into evil enterprises but it just doesn't seem like that's his shtick atm.


No he just releases software that kills a customer, and then publicly releases the data from the car sensors to paint the now dead customer as an incompetent driver. Sounds like exactly the person to trust with my privacy.


That guy is a scam artist. Tesla accounting is very abnormal; it's probably why the CFO quit.


If you talk to a sales person from any third party ad service and ask questions about what you can do with data—you'll find there is an entire market of buying and selling data from every cell company, credit card company, banks, corporate rewards cards, voting records and donations, etc.


Yeah, sure, agreed, but why call the article that? Don't we want them all to stop sucking?


I’m disappointed that a respectable website like the guardian is trying to take the heat away from Facebook and google in this recent privacy fiasco. Please don’t click on that article and give them your cookies/clicks/profile/$$$
