Linked by Thom Holwerda on Tue 9th Oct 2012 21:18 UTC
Privacy, Security, Encryption As it turns out, new Verizon customers (although there are reports existing customers are getting notified too) have 30 days to opt out of something really nasty: Verizon will sell your browsing history and location history to marketers. Apparently, AT&T does something similar. Doesn't matter what phone - iOS, Android, anything. Incredibly scummy and nasty. I quickly checked my own Dutch T-Mobile terms, and they don't seem to be doing this.
Order by: Score:
Wow...
by Morgan on Tue 9th Oct 2012 21:59 UTC
Morgan
Member since:
2005-06-29

Imagine that...the two largest carriers in the U.S., with the most expensive contract packages by far, are willing to sell their subscribers' information to make even more money.

Not to say that Sprint and T-Mobile USA wouldn't necessarily do the same one day. I'm just glad they don't right now.

Reply Score: 5

RE: Wow...
by No it isnt on Tue 9th Oct 2012 22:04 UTC in reply to "Wow..."
No it isnt Member since:
2005-11-14

It's a bit funny, though, that the two largest U.S. carriers are now slightly worse re: privacy invasion than pretty much all smartphone malware out in the wild. At least with normal sandboxing, most malware won't have access to your browsing history. Carriers have (although not for wifi).

Reply Score: 3

RE: Wow...
by WorknMan on Tue 9th Oct 2012 22:14 UTC in reply to "Wow..."
WorknMan Member since:
2005-11-13

Not to say that Sprint and T-Mobile USA wouldn't necessarily do the same one day. I'm just glad they don't right now.


How do you know they don't already? Hell, I would be surprised if they didn't. Just like we share information with each other (esp copyrighted content), these companies are going to share whatever information they have about us.

The sooner that everybody understands that sharing is inevitable whether it works for us or against us, and can never be stopped, the sooner we can all learn to live with the reality that privacy no longer exists, and never will again as long as the Internet exists.

Just like piracy, the question of whether it is right or wrong for these companies to share stuff like our browsing history with each other is irrelevant. It is what it is.

Edited 2012-10-09 22:16 UTC

Reply Score: 2

RE[2]: Wow...
by Morgan on Tue 9th Oct 2012 22:18 UTC in reply to "RE: Wow..."
Morgan Member since:
2005-06-29

Well honestly I don't know for sure, but my Sprint agreement doesn't mention anything about selling my browsing or location data. I have to take them on faith else I won't be able to have any cellphone service if I don't wish to be tracked.

Reply Score: 2

RE[3]: Wow...
by darknexus on Tue 9th Oct 2012 23:07 UTC in reply to "RE[2]: Wow..."
darknexus Member since:
2008-07-15

Well honestly I don't know for sure, but my Sprint agreement doesn't mention anything about selling my browsing or location data. I have to take them on faith else I won't be able to have any cellphone service if I don't wish to be tracked.

Correction, you won't be able to have any internet service, period. The fact is, your ISP could be selling information to marketers too. Come to that, your phone company could be selling information about the calls you make, and it doesn't matter if we're talking about a cel phone or a land line. Let's all face facts, in this interconnected world we're living in, we will never have complete privacy. If you want to keep something private, it's best not to even put it out there or, if you absolutely must send it through the internets, encrypt it. Unless you have complete and total control over everything from the origin to the destination endpoints (and you never will) your privacy doesn't exist. It never did, once telephones became widespread.

Reply Score: 2

RE[4]: Wow...
by Morgan on Tue 9th Oct 2012 23:19 UTC in reply to "RE[3]: Wow..."
Morgan Member since:
2005-06-29

Once again, it comes down to how much you trust the service provider. My Comcast agreement explicitly states that they will not sell or otherwise use my browsing and location information outside of a law enforcement subpoena or warrant. I have to believe them if I want to have a home internet connection; as of this news piece I'm certainly not going with AT&T DSL. Once again, Comcast could be lying to me but at least I have it on paper that they don't track and sell info. That's something that can be held over their head in court if necessary.

Reply Score: 7

RE[5]: Wow...
by Alfman on Wed 10th Oct 2012 03:26 UTC in reply to "RE[4]: Wow..."
Alfman Member since:
2011-01-28

Morgan,

"Once again, it comes down to how much you trust the service provider."

Voted you up...unless all your traffic is encrypted, you have to trust your ISP & it's partners.

I attempted to play devil's advocate and find some dirt on comcast, but I didn't find much recently; I did find this tidbit a decade ago however:

http://usatoday30.usatoday.com/life/cyber/tech/2002/02/13/comcast-p...

"Comcast, the nation's third-largest cable company, acknowledged this week that it is recording which Web pages each customer visits as part of a technology overhaul that it hopes will save money and speed up its network. The company said the move was not intended to infringe on privacy."

However amid political criticism, they've officially stopped tracking web requests.


There has been more recent criticism about comcast's use of DPI to block legit customer traffic, the feds intervened in that case, but it's arguable whether that fits under the classification of a "privacy" violation? It's kind of similar to having a mail man use some kind of xray to inspect the documents inside an envelope to determine the mail's priority. On the other hand, some people will argue the ISP should be entitled to shape traffic based on it's contents. My own view is that the ISP is to blame if they are over subscribing their service in the first place.

Reply Score: 3

RE[6]: Wow...
by Laurence on Wed 10th Oct 2012 16:14 UTC in reply to "RE[5]: Wow..."
Laurence Member since:
2007-03-26

unless all your traffic is encrypted, you have to trust your ISP & it's partners.

Encrypting your traffic would only hide the content of your traffic, but that data isn't really of interest anyway. It's who connected to where, when the connection was made and from where. You cannot encrypt that data as you have to go via your ISP / cell carrier.

However, what you can do is run a proxy (VPN, SSH tunnel or even just a straight up web proxy). At least then all of your traffic appears to be going to the same destination (the proxy) and thus their records of you are worthless.

Reply Score: 2

RE[7]: Wow...
by Alfman on Wed 10th Oct 2012 17:54 UTC in reply to "RE[6]: Wow..."
Alfman Member since:
2011-01-28

Laurence,

"Encrypting your traffic would only hide the content of your traffic, but that data isn't really of interest anyway."

Really? The DPI contents reveals specific search terms, the videos you watch, etc. This is far more personal than knowing which IPs you've connected to. It's the difference between knowing you've connected to ebay, or knowing exactly which products you've been browsing (*).

* Not that I know what ATT & Verizon are actually doing with the data, but there's no doubt the URL/contents can reveal much more about you than the IPs do.


"However, what you can do is run a proxy (VPN, SSH tunnel or even just a straight up web proxy). At least then all of your traffic appears to be going to the same destination (the proxy) and thus their records of you are worthless."

Yes, onion routing tunnels like tor are probably the best defence against ISP tracking today & in the future.

http://www.torproject.org/

A side benefit is that it can be used to work around censorship as well.

Another thing to consider is that one's browser may be "leaky" regardless of the transport encryption. There is a chromium fork designed to strip out identifying bits from packets sent to google.

http://www.srware.net/en/software_srware_iron_chrome_vs_iron.php

Reply Score: 2

RE[7]: Wow...
by JAlexoid on Thu 11th Oct 2012 08:21 UTC in reply to "RE[6]: Wow..."
JAlexoid Member since:
2009-05-19

Nope. What you searched for and what pages you visited is also interesting. The fact that you connected to one of the servers of BBC falls under a lot of categories - news, sports, entertainment, weather and a lot more. Or take visiting any of Google's services - there is known difference only with regard to GMail, while most other services have been moved under the www.google.com domain(ex. https://www.google.com/calendar/ is indistinguishable from https://www.google.com/search?q=test)

Reply Score: 2

RE[5]: Wow...
by ilovebeer on Wed 10th Oct 2012 04:03 UTC in reply to "RE[4]: Wow..."
ilovebeer Member since:
2011-08-08

Once again, it comes down to how much you trust the service provider. My Comcast agreement explicitly states that they will not sell or otherwise use my browsing and location information outside of a law enforcement subpoena or warrant. I have to believe them if I want to have a home internet connection; as of this news piece I'm certainly not going with AT&T DSL. Once again, Comcast could be lying to me but at least I have it on paper that they don't track and sell info. That's something that can be held over their head in court if necessary.

If people are that concerned about their privacy then trust shouldn't even be a factor. All of these privacy policies are worded in a way that leaves backdoors open and subject to change at any time without prior notice (ie: they'll tell you after the fact). Also, they're not going to give you ammunition to use against them in court. In theory those privacy policies are a nice little security blanket, but in practice they're usually worth little more than the actual paper they're printed on after you get through the wording and fine print.

Reply Score: 2

RE[6]: Wow...
by Laurence on Wed 10th Oct 2012 16:28 UTC in reply to "RE[5]: Wow..."
Laurence Member since:
2007-03-26


If people are that concerned about their privacy then trust shouldn't even be a factor. All of these privacy policies are worded in a way that leaves backdoors open and subject to change at any time without prior notice (ie: they'll tell you after the fact). Also, they're not going to give you ammunition to use against them in court. In theory those privacy policies are a nice little security blanket, but in practice they're usually worth little more than the actual paper they're printed on after you get through the wording and fine print.


Not sure where you stand in the US, but in the UK there are watch dogs like Trading Standards. If it's deemed that a company is deliberately misleading consumers (eg Comcast cleverly wording their agreement so customers are tricked into thinking no browsing data will be sold), then the offending company will be penalised.

In fact I'm fairly sure (though I might be wrong here) that ISPs got a warning over their "up to 20Mb" adverts in the national media (TV / newspapers / etc) because most customers were only receiving ADSL speeds due to ADSL2+ not being available in their area. And, on that occasion, I actually sympathised with the ISPs as I'm not really sure how you advertise broadband packages when different streets in the same town can have vastly different cabling - let alone the different towns across the country.

Reply Score: 2

RE[7]: Wow...
by ilovebeer on Thu 11th Oct 2012 03:05 UTC in reply to "RE[6]: Wow..."
ilovebeer Member since:
2011-08-08

Not sure where you stand in the US, but in the UK there are watch dogs like Trading Standards. If it's deemed that a company is deliberately misleading consumers (eg Comcast cleverly wording their agreement so customers are tricked into thinking no browsing data will be sold), then the offending company will be penalised.

There are several groups that attempt to watchdog on behalf of users/customers but the truth is the chance of any significant fine or punishment is so low that many companies blatantly push their luck, if not outright doing exactly what they're not supposed to. And then our "justice" system is such that it's possible to drag things out for years & years, until people lose interest or forget about it.

When the worst you're likely to get, if anything, is a slap on the hand, it's pretty easy to misbehave.

Reply Score: 2

RE[5]: Wow...
by JAlexoid on Thu 11th Oct 2012 08:16 UTC in reply to "RE[4]: Wow..."
JAlexoid Member since:
2009-05-19

Does it say your browsing/location information or personally identifiable browsing/location information? If it's the latter, then be sure that they are.

Reply Score: 2

RE[2]: Wow...
by gan17 on Tue 9th Oct 2012 22:20 UTC in reply to "RE: Wow..."
gan17 Member since:
2008-06-03

How do you know they don't already? Hell, I would be surprised if they didn't.

Same can probably be said for any carrier in the world, I would think.

At least these two are notifying customers of the opt out option (though you have to wonder if that really does anything). Pretty sure some carriers have been doing it without informing anyone.

Reply Score: 2

RE[3]: Wow...
by WorknMan on Tue 9th Oct 2012 22:22 UTC in reply to "RE[2]: Wow..."
WorknMan Member since:
2005-11-13

Pretty sure some carriers have been doing it without informing anyone.


My point exactly. In fact, I bet they're ALL doing it, unless they specifically have said they aren't, and even then, I still wouldn't be surprised if they're doing it anyway. Me? I have an ad blocker on my phone, so they're welcome to collect all the info they want ;)

Edited 2012-10-09 22:24 UTC

Reply Score: 2

RE: Wow...
by kaiwai on Wed 10th Oct 2012 04:25 UTC in reply to "Wow..."
kaiwai Member since:
2005-07-06

Imagine that...the two largest carriers in the U.S., with the most expensive contract packages by far, are willing to sell their subscribers' information to make even more money.

Not to say that Sprint and T-Mobile USA wouldn't necessarily do the same one day. I'm just glad they don't right now.


What I find funny is the average American's addiction to worshipping business but hate the idea of having a public health care system because it would be 'too much power centralised in the hands of a few' - but it's ok for large businesses to be in that very same position.

Reply Score: 4

RE[2]: Wow...
by Morgan on Wed 10th Oct 2012 11:39 UTC in reply to "RE: Wow..."
Morgan Member since:
2005-06-29

You'd be surprised at how many of us support the better health care initiative. We're not all gun-toting toothless rednecks here, despite the stereotype perpetuated by those across the pond. I happen to lean Libertarian on most things, but on this I support our president's ideals, if not necessarily his implementation.

Reply Score: 1

RE[3]: Wow...
by kaiwai on Thu 11th Oct 2012 02:28 UTC in reply to "RE[2]: Wow..."
kaiwai Member since:
2005-07-06

You'd be surprised at how many of us support the better health care initiative. We're not all gun-toting toothless rednecks here, despite the stereotype perpetuated by those across the pond. I happen to lean Libertarian on most things, but on this I support our president's ideals, if not necessarily his implementation.


But here is the problem - I watch news from the United States on Sky TV (unrelated to BSkyB) and I see pole after pole pointing to a dissatisfaction with Obama's healthcare legislation then the pole numbers for the Republican candidate promising to scrap the legislation then the results from the congressional election where the Republicans have a majority off the back of feeding into the anti-Obama Care legislation. I wish that the anti-Obama Care was a demand for a single payer healthcare system but the feedback I've seen is that the US don't want any healthcare provided through the government because apparently all of us living outside the US are living under tyranny.

Edited 2012-10-11 02:34 UTC

Reply Score: 3

RE: Wow...
by JAlexoid on Wed 10th Oct 2012 14:09 UTC in reply to "Wow..."
JAlexoid Member since:
2009-05-19

TMo US most certainly does sell that. As well as Cricket.

Reply Score: 2

Already happening at ISPs.
by Alfman on Wed 10th Oct 2012 02:52 UTC
Alfman
Member since:
2011-01-28

People may not be aware that there is already precedent for broadband ISP tracking:

NebuAd was an early pioneer in buying personal information from ISPs and reselling it. They'd install tracking systems at the ISP and pay ISPs $5/user/month for the privilege. However it turned out that customers weren't aware of what was going on and lawsuits caused them to go defunct.

http://www.wired.com/threatlevel/2008/05/theres-no-optin/

http://www.dslreports.com/shownews/NebuAD-Officially-Closes-102517


Phorm is another notorious user packet tracking company that signed with large UK ISPs and is growing worldwide. The company and it's conglomerates have been responsible for numerous spyware software.

http://www.nytimes.com/2008/03/20/business/media/20adcoside.html

https://en.wikipedia.org/wiki/Phorm


The opt-out controls at the heart of these systems is not at the ISP account level, but rather based on cookies, which is extremely problematic if one wanted to just opt out from ISP tracking all together without regards to user-login, browser, computer, tablet, etc. Users who want the most privacy typically disable cookies entirely so that third parties cannot track them, however this configuration would "permit" the ISPs & partners to track each request.


Obviously, invasive packet tracking should be "opt-in" (even though we all know this would render the business model totally useless). Legally though I think the problem with NebuAd was that ISPs failed to disclose the tracking in their terms and conditions, which Phorm required ISPs to do. I'm sure both ATT & verizon will cross their T's and dot their I's in the terms of use, but never the less, I do wonder how many users' web sessions are being tracked by ISP/partners without user knowledge?

Reply Score: 2

selling user data
by l3v1 on Wed 10th Oct 2012 06:39 UTC
l3v1
Member since:
2005-07-06

In such cases always remember that everything is different when you're talking about U.S. companies regarding users' data use, handling, protection (as if...), etc. I always wonder how it is that the U.S. still doesn't have proper federal user data protection laws and regulations and why they allow so much power in this area to the companies. Yet they do, and it doesn't seem to change in the foreseeable future.

Reply Score: 2

RE: selling user data
by Flatland_Spider on Wed 10th Oct 2012 15:16 UTC in reply to "selling user data"
Flatland_Spider Member since:
2006-09-01

It makes signals intelligence gathering easier.

Reply Score: 2

Not only Verizon or AT&T
by capi_x on Wed 10th Oct 2012 09:41 UTC
capi_x
Member since:
2012-08-29

Check Google, Facebook, DoubleClick...

Reply Score: 1

RE: Not only Verizon or AT&T
by Alfman on Wed 10th Oct 2012 14:12 UTC in reply to "Not only Verizon or AT&T"
Alfman Member since:
2011-01-28

capi_x,

"Check Google, Facebook, DoubleClick..."

Well, those are invasive too, but there's a rather large technical difference with those tracking services because one party to the communication (the hosting website) explicitly agreed to the tracking when they intentionally installed the tracking scripts. Javascript cannot reach the depth of ISP based tracking, which can track all unencrypted traffic.

The trouble with man in the middle tracking being discussed in this article is that potentially neither the user nor the website will have given express permission before being tracked (not opt-in). An ISP may just give itself that right by changing it's terms of use.

In any case your conclusion is still correct, the practice of selling user data is more widespread than ATT & Verizon. A bit OT, but I'm particularly peeved that banks/credit cards get away with sharing user purchase history with advertisers. I think it's a primary source of personalized snail-mail spam.

Edited 2012-10-10 14:13 UTC

Reply Score: 2

RE[2]: Not only Verizon or AT&T
by capi_x on Wed 10th Oct 2012 16:48 UTC in reply to "RE: Not only Verizon or AT&T"
capi_x Member since:
2012-08-29

Oops... you are right.

Reply Score: 1