As it turns out, new Verizon customers (although there are reports existing customers are getting notified too) have 30 days to opt out of something really nasty: Verizon will sell your browsing history and location history to marketers. Apparently, AT&T does something similar. Doesn’t matter what phone – iOS, Android, anything. Incredibly scummy and nasty. I quickly checked my own Dutch T-Mobile terms, and they don’t seem to be doing this.
Imagine that…the two largest carriers in the U.S., with the most expensive contract packages by far, are willing to sell their subscribers’ information to make even more money.
Not to say that Sprint and T-Mobile USA wouldn’t necessarily do the same one day. I’m just glad they don’t right now.
It’s a bit funny, though, that the two largest U.S. carriers are now slightly worse re: privacy invasion than pretty much all smartphone malware out in the wild. At least with normal sandboxing, most malware won’t have access to your browsing history. Carriers have (although not for wifi).
How do you know they don’t already? Hell, I would be surprised if they didn’t. Just like we share information with each other (esp copyrighted content), these companies are going to share whatever information they have about us.
The sooner that everybody understands that sharing is inevitable whether it works for us or against us, and can never be stopped, the sooner we can all learn to live with the reality that privacy no longer exists, and never will again as long as the Internet exists.
Just like piracy, the question of whether it is right or wrong for these companies to share stuff like our browsing history with each other is irrelevant. It is what it is.
Edited 2012-10-09 22:16 UTC
Well honestly I don’t know for sure, but my Sprint agreement doesn’t mention anything about selling my browsing or location data. I have to take them on faith else I won’t be able to have any cellphone service if I don’t wish to be tracked.
Correction, you won’t be able to have any internet service, period. The fact is, your ISP could be selling information to marketers too. Come to that, your phone company could be selling information about the calls you make, and it doesn’t matter if we’re talking about a cell phone or a land line. Let’s all face facts, in this interconnected world we’re living in, we will never have complete privacy. If you want to keep something private, it’s best not to even put it out there or, if you absolutely must send it through the internets, encrypt it. Unless you have complete and total control over everything from the origin to the destination endpoints (and you never will) your privacy doesn’t exist. It never did, once telephones became widespread.
Once again, it comes down to how much you trust the service provider. My Comcast agreement explicitly states that they will not sell or otherwise use my browsing and location information outside of a law enforcement subpoena or warrant. I have to believe them if I want to have a home internet connection; as of this news piece I’m certainly not going with AT&T DSL. Once again, Comcast could be lying to me but at least I have it on paper that they don’t track and sell info. That’s something that can be held over their head in court if necessary.
Morgan,
“Once again, it comes down to how much you trust the service provider.”
Voted you up…unless all your traffic is encrypted, you have to trust your ISP & its partners.
I attempted to play devil’s advocate and find some dirt on Comcast, but I didn’t find much recently; I did find this tidbit a decade ago however:
http://usatoday30.usatoday.com/life/cyber/tech/2002/02/13/comcast-p…
“Comcast, the nation’s third-largest cable company, acknowledged this week that it is recording which Web pages each customer visits as part of a technology overhaul that it hopes will save money and speed up its network. The company said the move was not intended to infringe on privacy.”
However amid political criticism, they’ve officially stopped tracking web requests.
There has been more recent criticism about Comcast’s use of DPI to block legit customer traffic, the feds intervened in that case, but it’s arguable whether that fits under the classification of a “privacy” violation? It’s kind of similar to having a mail man use some kind of X-ray to inspect the documents inside an envelope to determine the mail’s priority. On the other hand, some people will argue the ISP should be entitled to shape traffic based on its contents. My own view is that the ISP is to blame if they are over subscribing their service in the first place.
Encrypting your traffic would only hide the content of your traffic, but that data isn’t really of interest anyway. It’s who connected to where, when the connection was made and from where. You cannot encrypt that data as you have to go via your ISP / cell carrier.
However, what you can do is run a proxy (VPN, SSH tunnel or even just a straight up web proxy). At least then all of your traffic appears to be going to the same destination (the proxy) and thus their records of you are worthless.
Laurence,
“Encrypting your traffic would only hide the content of your traffic, but that data isn’t really of interest anyway.”
Really? The DPI contents reveal specific search terms, the videos you watch, etc. This is far more personal than knowing which IPs you’ve connected to. It’s the difference between knowing you’ve connected to ebay, or knowing exactly which products you’ve been browsing (*).
* Not that I know what ATT & Verizon are actually doing with the data, but there’s no doubt the URL/contents can reveal much more about you than the IPs do.
“However, what you can do is run a proxy (VPN, SSH tunnel or even just a straight up web proxy). At least then all of your traffic appears to be going to the same destination (the proxy) and thus their records of you are worthless.”
Yes, onion routing tunnels like tor are probably the best defence against ISP tracking today & in the future.
http://www.torproject.org/
A side benefit is that it can be used to work around censorship as well.
Another thing to consider is that one’s browser may be “leaky” regardless of the transport encryption. There is a chromium fork designed to strip out identifying bits from packets sent to google.
http://www.srware.net/en/software_srware_iron_chrome_vs_iron.php
Ahh yes, good point. I forgot that URIs and query strings are sent in the HTTP headers *facepalm*
Don’t run Iron, it’s a scam:
http://insanitybit.wordpress.com/2012/06/23/srware-iron-browser-a-r…
Laurence,
“Don’t run Iron, it’s a scam:”
Your link made some valid points, however I feel it is overreaching to call it a scam, at worst it’d be FUD. If Iron does what it claims to do (stop the browser from phoning home), then it seems legitimate to me even if chrome could manually be configured in a similar manner.
I guess instead of creating a chrome fork, he could provide instructions to end users on how to disable the phone home mechanisms in mainline chrome, but it still might be more convenient to install a browser which isn’t hard coded to call google by default in the first place.
I know when I install firefox, I go into about:config and strip out all references to google’s web services, but what sucks is that this has to be repeated for each user account on the system. Once in a while I’ll forget to do this for new accounts and the browser starts making unrequested connections to google. It would be better for me to have a firefox executable where defaults were not hardcoded to contact google.
Edit: I also install adblock, ghostery, etc, but it has to be repeated for each user/computer/etc… It would be useful to me if someone released a version with these configured as defaults. I could probably do it myself, but then it would be criticised as a scam
Edited 2012-10-11 14:20 UTC
The reason people call Iron a scam is because its primary function is to trick people into downloading an unnecessary browser purely to get money from ad sales.
Granted it’s a pretty harmless scam in that it doesn’t directly hurt users (though I’d argue it does promote complacency, which is harmful).
You can disable most of what Iron does in regular Chrome and those that you cannot, are disabled in Chromium. Iron offers no security benefits what-so-ever.
It depends how you market it. If you advertised it as a “secured version of Firefox”, then you would be misleading people into believing you’ve fixed some security flaws within Firefox. However if you advertised it as “Firefox with more secure defaults”, then that would be fine.
The problem is most people don’t understand this stuff, and the Iron devs are deliberately exploiting those users for their own personal financial gain.
In many ways, they’re little better than the fake security software that some inexperienced users fall for.
Laurence,
“The reason people call Iron a scam is because its primary function is to trick people into downloading an unnecessary browser purely to get money from ad sales.”
So he has ads on his website, do you criticise every project that makes money from web ads? I for one don’t like ads, but I’m not convinced this is worth fussing over.
“You can disable most of what Iron does in regular Chrome and those that you cannot, are disabled in Chromium. Iron offers no security benefits what-so-ever.”
Of course chrome’s default behaviour can be overridden, but there’s still nothing scam-like about releasing a browser where the defaults are set to send less information to google.
I’m just not clear on if your opposition is *really* to the browser itself (which I think is a perfectly fine idea), or if you are uncomfortable with the hypocrisy of using google tracking javascripts on the same pages hosting the Iron browser project. I wonder if he’d receive more or less criticism by going with yahoo for ad revenue?
If you think he shouldn’t be entitled to any ad revenue at all, well…Haha, I don’t have the answers Laurence, but gosh that’s mean.
If they’re tricking users on to their site, then yes.
There is if you’re tricking people into thinking your browser is more than it is.
I don’t really know how many different ways I can emphasise this, but I’ll try one last time:
Iron does /NOTHING/ to make Chrome more secure, period. It only exists to raise their own profile. Much like any dishonest FUD campaign.
A scam is defined as: A dishonest scheme; a fraud.
That perfectly sums this scheme up.
I don’t think any scam is entitled to ad revenue.
Edited 2012-10-11 16:44 UTC
Laurence,
“If they’re tricking users on to their site, then yes.”
“There is if you’re tricking people into thinking your browser is more than it is.”
What misleading facts are on the comparison page I linked? They literally say “Depending on the configuration…”. It might be nice if they went further and instructed how to change the default chrome configurations, but this argument that they’re tricking users is really being stretched thin in my opinion.
“I don’t really know how many different ways I can emphasise this, but I’ll try one last time: Iron does /NOTHING/ to make Chrome more secure, period.”
But does iron claim to be more secure? It only claims to be more private by default, which is factually true. As you said, chrome’s privacy settings can be configured to match Iron, but as I said, sometimes it’s more practical to have an executable where the defaults are set to maximum privacy.
“A scam is defined as: A dishonest scheme; a fraud.
That perfectly sums this scheme up.”
I think there’s some underlying conflict that you are not letting on, but truth be told I’m happy you are bashing Iron instead of bashing *me* Have a virtual beer on me: [_])
They must have changed their site then (presumably due to the criticisms raised).
It used to make a lot bolder claims. Which is how its name got spread (after all, most people wouldn’t bother otherwise).
hehe thanks for the beer, I was actually quite parched. Cheers [_])
Nope. What you searched for and what pages you visited is also interesting. The fact that you connected to one of the servers of BBC falls under a lot of categories – news, sports, entertainment, weather and a lot more. Or take visiting any of Google’s services – there is known difference only with regard to GMail, while most other services have been moved under the http://www.google.com domain (ex. https://www.google.com/calendar/ is indistinguishable from https://www.google.com/search?q=test).
If people are that concerned about their privacy then trust shouldn’t even be a factor. All of these privacy policies are worded in a way that leaves backdoors open and subject to change at any time without prior notice (ie: they’ll tell you after the fact). Also, they’re not going to give you ammunition to use against them in court. In theory those privacy policies are a nice little security blanket, but in practice they’re usually worth little more than the actual paper they’re printed on after you get through the wording and fine print.
Not sure where you stand in the US, but in the UK there are watch dogs like Trading Standards. If it’s deemed that a company is deliberately misleading consumers (eg Comcast cleverly wording their agreement so customers are tricked into thinking no browsing data will be sold), then the offending company will be penalised.
In fact I’m fairly sure (though I might be wrong here) that ISPs got a warning over their “up to 20Mb” adverts in the national media (TV / newspapers / etc) because most customers were only receiving ADSL speeds due to ADSL2+ not being available in their area. And, on that occasion, I actually sympathised with the ISPs as I’m not really sure how you advertise broadband packages when different streets in the same town can have vastly different cabling – let alone the different towns across the country.
There are several groups that attempt to watchdog on behalf of users/customers but the truth is the chance of any significant fine or punishment is so low that many companies blatantly push their luck, if not outright doing exactly what they’re not supposed to. And then our “justice” system is such that it’s possible to drag things out for years & years, until people lose interest or forget about it.
When the worst you’re likely to get, if anything, is a slap on the hand, it’s pretty easy to misbehave.
Does it say your browsing/location information or personally identifiable browsing/location information? If it’s the latter, then be sure that they are.
Same can probably be said for any carrier in the world, I would think.
At least these two are notifying customers of the opt out option (though you have to wonder if that really does anything). Pretty sure some carriers have been doing it without informing anyone.
My point exactly. In fact, I bet they’re ALL doing it, unless they specifically have said they aren’t, and even then, I still wouldn’t be surprised if they’re doing it anyway. Me? I have an ad blocker on my phone, so they’re welcome to collect all the info they want
Edited 2012-10-09 22:24 UTC
What I find funny is the average American’s addiction to worshipping business but hate the idea of having a public health care system because it would be ‘too much power centralised in the hands of a few’ – but it’s ok for large businesses to be in that very same position.
You’d be surprised at how many of us support the better health care initiative. We’re not all gun-toting toothless rednecks here, despite the stereotype perpetuated by those across the pond. I happen to lean Libertarian on most things, but on this I support our president’s ideals, if not necessarily his implementation.
But here is the problem – I watch news from the United States on Sky TV (unrelated to BSkyB) and I see poll after poll pointing to a dissatisfaction with Obama’s healthcare legislation then the poll numbers for the Republican candidate promising to scrap the legislation then the results from the congressional election where the Republicans have a majority off the back of feeding into the anti-Obama Care legislation. I wish that the anti-Obama Care was a demand for a single payer healthcare system but the feedback I’ve seen is that the US don’t want any healthcare provided through the government because apparently all of us living outside the US are living under tyranny.
Edited 2012-10-11 02:34 UTC
TMo US most certainly does sell that. As well as Cricket.
People may not be aware that there is already precedent for broadband ISP tracking:
NebuAd was an early pioneer in buying personal information from ISPs and reselling it. They’d install tracking systems at the ISP and pay ISPs $5/user/month for the privilege. However it turned out that customers weren’t aware of what was going on and lawsuits caused them to go defunct.
http://www.wired.com/threatlevel/2008/05/theres-no-optin/
http://www.dslreports.com/shownews/NebuAD-Officially-Closes-102517
Phorm is another notorious user packet tracking company that signed with large UK ISPs and is growing worldwide. The company and its conglomerates have been responsible for numerous spyware software.
http://www.nytimes.com/2008/03/20/business/media/20adcoside.html
https://en.wikipedia.org/wiki/Phorm
The opt-out controls at the heart of these systems are not at the ISP account level, but rather based on cookies, which is extremely problematic if one wanted to just opt out from ISP tracking altogether without regards to user-login, browser, computer, tablet, etc. Users who want the most privacy typically disable cookies entirely so that third parties cannot track them, however this configuration would “permit” the ISPs & partners to track each request.
Obviously, invasive packet tracking should be “opt-in” (even though we all know this would render the business model totally useless). Legally though I think the problem with NebuAd was that ISPs failed to disclose the tracking in their terms and conditions, which Phorm required ISPs to do. I’m sure both ATT & Verizon will cross their T’s and dot their I’s in the terms of use, but nevertheless, I do wonder how many users’ web sessions are being tracked by ISP/partners without user knowledge?
In such cases always remember that everything is different when you’re talking about U.S. companies regarding users’ data use, handling, protection (as if…), etc. I always wonder how it is that the U.S. still doesn’t have proper federal user data protection laws and regulations and why they allow so much power in this area to the companies. Yet they do, and it doesn’t seem to change in the foreseeable future.
It makes signals intelligence gathering easier.
Check Google, Facebook, DoubleClick…
capi_x,
“Check Google, Facebook, DoubleClick…”
Well, those are invasive too, but there’s a rather large technical difference with those tracking services because one party to the communication (the hosting website) explicitly agreed to the tracking when they intentionally installed the tracking scripts. Javascript cannot reach the depth of ISP based tracking, which can track all unencrypted traffic.
The trouble with man in the middle tracking being discussed in this article is that potentially neither the user nor the website will have given express permission before being tracked (not opt-in). An ISP may just give itself that right by changing its terms of use.
In any case your conclusion is still correct, the practice of selling user data is more widespread than ATT & Verizon. A bit OT, but I’m particularly peeved that banks/credit cards get away with sharing user purchase history with advertisers. I think it’s a primary source of personalized snail-mail spam.
Edited 2012-10-10 14:13 UTC
Oops… you are right.