Senate votes to let ISPs sell your Web browsing history to advertisers

"Encryption Won’t Stop Your Internet Provider From Spying on You

...[E]ven if 100 percent of the web were encrypted, ISPs would still be able to extract a surprising amount of detailed information about their customers’ virtual comings and goings...

Although the exact URL of a page accessed through HTTPS is hidden to the provider, the provider can still see the domain the URL is on...

The Upturn report also sets out some of the sneaky ways that user activity can be decoded based only on the unencrypted metadata that accompanies encrypted web traffic—also known as “side channel” information. (These methods probably aren’t widely in use right now, but they could be deployed if ISPs decided it’s worthwhile to try and learn more about encrypted traffic.)...

In November, a group of researchers from Israel’s Ben-Gurion and Ariel Universities demonstrated a way to extend the idea behind website fingerprinting to videos watched on YouTube. By matching the encrypted data patterns created by a user viewing a particular video to an index they’d created previously, they could tell what video the user was watching from within a limited set, with a startling 98 percent accuracy...

'The network patterns that belong to each video title have very, very strong meaning,” Dubin said. “I found out that I could actually recognize each stream....'

The giveaway, he found, was embedded in the way devices choose a bitrate—an indicator of video quality—at which to stream the video. At the beginning of a stream, the player receives quick spurts of data, which begin to space apart after the video has been playing for a while and the player has settled on a bitrate. The pattern of these spikes helps identify each individual video...

As online encryption spreads further and further across the internet, there will be monetary incentives to dig up as much information on users as possible, to offset the loss of access to more detailed unencrypted data..."

https://www.theatlantic.com/technol...-internet-provider-from-spying-on-you/521208/

Game On !

By what justifiable pretense can an ISP claim ownership, of my personal information, my personal data and browsing behavior (other than it will now be in their revised Terms of Service) ? Outrageous !

 

Yep, good news for VPN providers.

 

NOT SO:

"Republicans argued that the Federal Trade Commission should be the agency to regulate ISPs, since it already regulates privacy practices of other companies including website operators. But that's impossible under current regulations, because the FTC is barred from regulating common carriers such as ISPs and phone companies. The FCC would have to change its classification of ISPs—a step that would also eliminate net neutrality rules—in order to return jurisdiction to the FTC. Even if the FCC does that, further congressional action may be needed to give the FTC authority over ISPs because of a federal appeals court ruling in August 2016 that said AT&T was exempt from FTC oversight even when it offers non-common carrier services.


The FTC privacy guidelines are also less strict than the ones written by the FCC for Internet service providers. As we've previously written, the FTC recommends opt-in consent before selling or sharing the most sensitive information, such as Social Security numbers, the content of communications, financial and health information, information about children, and precise geo-location data. But the FTC guidelines allow an opt-out system for everything else, including Web browsing and app usage history."

https://arstechnica.com/tech-policy...-pai-celebrate-death-of-online-privacy-rules/

Commentary by Terrell McSweeny a commissioner on the Federal Trade Commission -- 3/5/17:

"FCC should not leave broadband privacy rules to FTC...

...The Federal Trade Commission does not have jurisdiction over the security and privacy practices of broadband, cable and wireless carriers...

The FTC does not have rule making authority in data security, as the FCC has...

When it comes to privacy, we seek to protect consumers from unfair and deceptive acts and practices...

As a privacy and data security enforcer, what is most troubling about this debate [FCC Privacy Rules and which Agency should have jurisdiction] is that it appears to be part of a larger effort to substantially shift the risks of data security from companies to consumers and to weaken consumer privacy choices."

http://thehill.com/blogs/pundits-bl...ould-not-leave-broadband-privacy-rules-to-ftc

The "FTC makes everything OK" argument is a smoke screen, and even if legislative and other factors were changed, i.e., the re-classification of ISPs, it would take the FTC years to promulgate a Final Privacy Rule. The FCC has limited experience with ISPs and even if it did the development and issuance of a final major rule is a long and labor intensive effort frought with internal agency policy bickering that further delays the rulemaking process.

The FTC's privacy experience has been limited to individual websites. The Republican argument is that both websites and ISPs should be subject to the same rules. An argument that totally ignores the fact that an internet user has the choice of which webites he/she visits or joins, e.g., FaceBook.

 

Flagged as a fake news site by Stephen Black's hosts list via uBlockO: https://github.com/StevenBlack/hosts

 

With increased demand for a fixed level of supply, I would anticipate this will at least for a time make VPNs more expensive. I would imagine that the market would see people rush to provide the service thus raising supply, and thus prices would lower over time. Maybe not many people will even care (it seems unfortunately that people in the US are oblivious), and so VPN sales wont increase that much.

Another bad thing is that VPNs have crap for oversight, and lack of oversight generally brings corruption. I would expect many VPNs gather and sell usage data themselves, and its hard to say for sure even if they promise that not to be the case. I know PIA was tested in court, but they're also US based which is a mark against them for obvious reasons.

OTOH, VPN providers dont have a monopoly on the market like ISP providers typically do in the US, and they have an incentive not to get caught logging or selling data (since for many that defeats the purpose of the VPN in the first place).

Now that we know ISPs will be logging/selling (unless you're lucky to have a small one dedicated to privacy), VPNs at least give us a chance, and are still useful to protect LAN/open wifi privacy.

 

Listing Raw Story as a "fake news" site is totally absurd. The site has been around for years (2004) and I have never seen a false article posted on it.

They do have a somewhat progressive outlook, but they frequently post "scoops" later picked up by "mainstream media" sites. They are a well-established investigative news site.

https://en.wikipedia.org/wiki/The_Raw_Story

 

OK, I've never come across it. Just stating what Steven Black hosts 'fake news' extension (572 entries) picked up. I temporarily allowed it.

 

Hi paulderdash My post was not intended to be directed at you personally.

Just pointing out the dangers of who are the "proper" judges of "fake news," and the dangers to free speach of such lists -- "who judges the judges?"

My post was inartfully written and I have changed it accordingly.

I apologize for any misunderstanding.

hawki

 

No problem! I agree that judging what is 'fake news', other than by strict fact checking, could be problematic.

 

https://www.forbes.com/sites/thomas...y-rules-how-isps-will-actually-sell-your-data

 

This is a grossly flawed article. For example it states:

"...Some, like the Cards Against Humanity creator Max Temkin, have promised to buy and publish the browsing histories of those congressmen and women who voted to abolish the privacy rules. As Russel Brandom at The Verge has already pointed out, this would most likely be straight up illegal, and those campaigns are probably doomed to failure..."

http://www.theverge.com/2017/3/29/15115382/buy-congress-web-history-gop-fake-internet-privacy

In the article referenced in The Forbes article, Russel Brandon at The Verge relies on The Telecommunications Act itself for the proposition that buying/selling of the personal browsing data of Congressmen would be illegal. That is an innccurate reading of The Act. The Telecommunications Act only restricts the sale of "customer proprietary network information."

The Act defines "customer proprietary network information." as:

"(1) Customer proprietary network informationThe term “customer proprietary network information” means—

(A) information that relates to the quantity, technical configuration, type, destination, location, and amount of use of a telecommunications service subscribed to by any customer of a telecommunications carrier, and that is made available to the carrier by the customer solely by virtue of the carrier-customer relationship; and

(B) information contained in the bills pertaining to telephone exchange service or telephone toll service received by a customer of a carrier;
except that such term does not include subscriber list information..."

https://www.law.cornell.edu/uscode/text/47/222

Furthermore, The FCC has determined that that the "Privacy" restrictions of section 222 were intended to apply only to telephone services and have no applicability to broadband services:

"...The FCC has since sought to distinguish itself as the primary data protection authority for Broadband ISPs in the U.S., largely through enforcement of Section 222(c)(1) of the Communications Act and the FCC's rules that implement its provisions.Shortly after the reclassification of Broadband ISPs, however, the FCC separately determined that these regulations should not be applied to Broadband ISPs because they contemplate telephone services rather than Broadband Internet. The proposed rules are the FCC's first attempt to promulgate a discrete set of standards to govern the privacy and security practices of Broadband ISPs since announcing its plans to do so in April 2015."

https://www.whitecase.com/publicati...ses-formal-privacy-regulations-broadband-isps

Also, much of the article is based on presumed future behaviors of ISPs that may not materialize, e.g., keeping info private as a competitive tool, and that all broadband users have access to more than one ISP.

"Fake News"

 

If that Forbes article was designed for large-scale reassurance, it ain't working. Smells faintly yellow to me.

Yeah. But the damage is done.

 

I think the answer to fake news- especially in a time when any Joe Butthead can write an article/blog- is to write something refuting the claims of something you see as fake news.

Not censorship like many are dangerously suggesting (not you). With all the crap we've seen done to the 4th amendment (and the 5th/6th), its certainly not unreasonable to cringe every time we see this "fake news website" on a blocklist crap. Even if 100% of initial entries on some blocklist are 100% clickbait bull, it sets a dangerous precedent and is prone to eventually incite bias by incorporating the bias of the maintainer in terms of the sites you see. Scary times...

 

Absolutely!

 

Now that ISP's have free reign to sell your data Verizon is pre-installing a 'Spyware' app on its Android phones to collect user data.

http://thehackernews.com/2017/03/ve...ackersNews (The Hackers News - Security Blog)

 

"Congress’s vote to eviscerate Internet privacy could give the FBI massive power"

By Paul Ohm professor at Georgetown University Law Center and faculty director of the Georgetown Center on Privacy and Technology.

"...I worked for the Justice Department and spent a lot of my time advising law-enforcement agents and prosecutors who wanted to track Internet behavior. Many of our investigations led directly to a specific IP address — the identifier for a particular computer or device — which then prompted a request to an ISP for more information. Tens of thousands, if not hundreds of thousands, of these requests arrive at ISPs around the country every year...

...Many — perhaps most — of these requests do not involve criminals; instead, they lead to victims of crimes, mere witnesses or otherwise innocent people.

These requests have typically sought only information about the identity of the person associated with the IP address because the FBI understands that this is the only information ISPs tend to collect...

But because of the way ISPs are likely to react to this law, FBI agents and other law-enforcement officials will understand that ISPs will be able to reveal much more about every one of us. By adding a single short paragraph to an application for a court order through the Stored Communications Act (this wouldn’t even a require a search warrant), the FBI would be able to order your ISP to divulge every website you have contacted and every app you have used. In cases in which the FBI has obtained a search warrant, it could ask your ISP to reveal every single piece of content that it has a record of you having viewed — over the course of years. Our government-access laws do not require the FBI to tell you about these requests, and the FBI almost always forces a gag order on ISPs, ensuring that you will never find out...

What the new law would do is give ISPs the incentive and the congressional and presidential seal of approval to construct the richest database of Web surfing and app-usage behavior the world has ever seen. This will be a honeypot attracting the FBI and other law-enforcement agencies like flies..."

https://www.washingtonpost.com/opinions/congresss-vote-to-eviscerate-internet-privacy-could-give-the-fbi-massive-power/2017/03/30/0feae55e-1550-11e7-9e4f-09aa75d3ec57_story.html?hpid=hp_no-name_opinion-card-c:homepage/story

 

https://www.theregister.co.uk/2017/03/30/states_rebel_against_isp_internet_history_grab/

 

"Verizon Rebuts Critics of Data-Collecting App...

Verizon said in a statement:

'As we said earlier this week, we are testing AppFlash to make app discovery better for consumers. The test is on a single phone – LG K20 V – and you have to opt-in to use the app. Or, you can easily disable the app. Nobody is required to use it. Verizon is committed to your privacy.'

The move forced the Electronic Frontier Foundation to retract a highly critical blog post about Verizon that slammed it for taking advantage of a likely rollback of consumer ISP privacy protections...

It’s unclear if Verizon had backed off rolling out AppFlash to a wider selection of its phones and changed its opt-in policy when faced with a public outcry. When Threatpost asked, Verizon stated: 'The team isn’t able to provide answers at this time.'... "

https://threatpost.com/verizon-rebuts-critics-of-data-collecting-app/124688/

 

Calls to limit restrictions on use of personal data in Australia

 

https://www.forbes.com/sites/kalevl...band-privacy-vote-might-actually-help-privacy

 

Five Creepy Things Your ISP Could Do if Congress Repeals the FCC’s Privacy Protections

-- Tom