Broadband Industry 'Studies' Claim Users Don't Need Privacy Protections Because ISPs Are Just Harmless, Innovative Sweethearts

from the watching-the-watchers dept

With few protections in play, most of the last decade broadband ISPs have collected any and every shred of data about their customers’ online behavior. It began with clickstream data, which ISPs sold to third parties, then either refused to comment on or outright lied about. Since then, more intelligent network hardware has let ISPs use deep packet inspection to track and monetize user online behavior down to the second. In wireless, carriers like AT&T and Verizon not only collect and sell user online behavior and location data, but now embed stealth packet headers to track and profile users across the entire Internet.

It was that last decision that raised eyebrows at the FCC, prompting the agency recently to consider whether it should use its new Title II authority to build at least some basic rules of the road regarding broadband user privacy. This has, of course made the broadband industry rather nervous. After all, the telecom industry has grown very comfortable with the fact that nobody has bothered to give half a damn about broadband privacy for the better part of a generation.

Enter the telecom-industry funded Information Technology and Innovation Foundation, which has released a new “study” (pdf) that argues no privacy protections are necessary because you can trust broadband providers to do the right thing. The report starts off on a highly scientific note, insulting those who’d like some basic broadband privacy protections as “broadband populists” that are pushing an agenda that will — you guessed it — will hurt puppies, innovation, broadband deployment, and tear giant holes in the time-space continuum.

Amusingly, the report claims that basic privacy protections would prevent ISPs from providing “numerous benefits” to consumers. The report also tries to claim that basic privacy protections will somehow stop ISPs from properly managing their networks:

“Limiting the use of broadband data…would constrain broadband providers? ability to provide numerous benefits to consumers. Analyzing data is essential for ISPs to understand patterns and trends in Internet traffic and allows for informed adjustments to network functions and capacity, both in the long and the short term. Customer data is also important to help diagnose problems within the network and facilitate responses to customer requests for assistance with various issues.”

The report goes on to claim consumers really don’t need privacy protections because they have the option of using VPNs and encryption to hide their traffic from ISPs. But Nick Feamster over at Freedom to Tinker does a nice job explaining why it’s not really that simple. ISPs can still observe user online behavior based on overall traffic pattern and volume, unencrypted portions of communication, and the growing volume of unencrypted Internet of Things traffic. And a VPN is no guaranteed blockade to ISP snooping either, since again IOT devices won’t use the VPN, and ISPs can often still monitor user behavior via DNS anyway.

To be clear, what the FCC is proposing isn’t particularly heavy-handed, nor would it stop ISPs from managing their networks or even profiting from snoopvertising. With the FCC’s recent Title II move, ISPs are now subject to Title II?s Section 222 privacy protections regarding “customer proprietary network information” (CPNI). But since those rules were crafted for older phone companies, the FCC’s looking to modernize them for the modern era. We’re talking about relatively basic protections, such as requirements that you inform customers if you’re tracking them and selling their data, and give them opt out tools that actually work.

Given the billions everyone is happily making hoovering up user data from Silicon Valley to K Street, there’s really no serious political motivation to go beyond that, “populist” outcry or not. But the report argues that broadband users don’t need privacy protections at all because hey, ISPs don’t actually know much about you and industry “self regulation” works exceptionally well to thwart bad behavior:

“The privacy policies of operating systems like Apple?s OS X and Google Android are also subject to FTC enforcement if they misrepresent how they use their users? personally-identifiable information. This is the model for a well-functioning, self-regulatory environment that maintains the flexibility needed for rapid innovation and experimentation with welfare-enhancing business models. Broadband providers should not face steeper burdens for implementing advertising than already exist.

Except not. One, broadband is notably different from Apple and Google because telecom operators hold a monopoly over the last mile. Whereas an Apple smartphone customer annoyed at Apple’s privacy policies can migrate to Android, or a Google search customer can pick a new engine, most broadband customers don’t have a real choice of providers. Meanwhile, the FTC has proven all but useless in telecom privacy enforcement, and the self-regulatory approach has worked about as well in telecom as it has in the banking industry thanks to generations of cronyism and dysfunction.

For years, Verizon repeatedly stated that more meaningful privacy protections weren’t necessary for broadband providers because “public shame” would keep the company honest. Verizon-owned AOL recently parroted that idea when it insisted “the market” would keep companies on their best behavior. How does that actually work in practice? As we’ve seen with Verizon’s “zombie cookies,” not at all.

In fact, it took months for security researchers to even realize that Verizon was embedding user wireless packets with stealth tracking technology. It took another six months of public pressure before Verizon even gave users the option to opt out. The self-regulatory approach just doesn’t work in telecom. What we get in reality are companies like AT&T that are now charging broadband users a $60 premium if they want to opt out of invasive snoopvertising, then calling that innovation.

Alongside the ITIF report, the industry is pushing a second report this week (pdf), funded by telecom-industry lobbying group “Broadband for America.” While most people familiar with sockpuppetry and astroturf will disregard these reports as the conflicted proxy musings of the telecom industry, the press usually isn’t so savvy. In fact, ReCode ran an article on the study with a headline informing readers that ISPs know “less than you might think” about them, and an opening paragraph claiming ISPs “have limited access to consumer data.” Only in a later update at the bottom of the story did ReCode disclose the study was funded by AT&T, Comcast and Verizon.

It’s clear the broadband industry is now engaged in a full court press to derail rules that might take a small bite out of billions in user-tracking revenues. And in typical telecom-industry fashion, that involves creating a sound wall of fauxcademics, fake consumer advocates, third-party consultants and other mouthpieces who will be spending the next six months informing you that ISPs are utter angels when it comes to respecting and protecting consumer privacy, and that the status quo (read: no real privacy protections whatsoever) is good enough.

Filed Under: , , ,
Companies: itif

Rate this comment as insightful
Rate this comment as funny
You have rated this comment as insightful
You have rated this comment as funny
Flag this comment as abusive/trolling/spam
You have flagged this comment
The first word has already been claimed
The last word has already been claimed
Insightful Lightbulb icon Funny Laughing icon Abusive/trolling/spam Flag icon Insightful badge Lightbulb icon Funny badge Laughing icon Comments icon

Comments on “Broadband Industry 'Studies' Claim Users Don't Need Privacy Protections Because ISPs Are Just Harmless, Innovative Sweethearts”

Subscribe: RSS Leave a comment
Anonymous Coward says:

I give them just as little info as I can. It is one of the main reasons I use a VPN. Even with that I can not disguise traffic flow if I want to say stream a movie, as opposed to surfing the net.

Just as with advertising, I want them to have as little data as possible because once it is on the net, you can’t claw it back. No one asked me if I wanted to be part of this, instead I find various groups doing everything they can to protect their extra income streams by making false claims about how it doesn’t matter or apply. Anything but actually taking up the topic and address it in a reasonable manner on the issues. Misdirection being the theme of the day.

Anonymous Coward says:

i dont know about other industries but it seems there isn’t a single sector of the broadband/telecom industry that doesn’t lie from one second to the next. everything that is said is a load of complete BS, done so they can (and do)get whatever help is available financially, even when it isn’t meant for them and can stop as many, if not all, new industry competitors as fast and as complete as possible. is it really any wonder why the USA is falling further and further behind, even lesser nations in other respects, and no one seems to give a damn?

Groaker (profile) says:

The financial community either does not care, or is oblivious to cyber crime. The chip tech put being put into use has been broken for at least six years, and possibly ten in other parts of the world. Multiple techniques, from the trivial to the sophisticated are known.

My banks security is a joke, the saving grace is that I am known by face. Every brokerage is a laughingstock that depends upon ignorance rather than safety.

Anonymous Coward says:

An interesting aside

Yesterday a knock on my front revealed a woman that announced ATT (division of the NSA) is now offering TV and internet service in my city. This after over ten years of ignoring offering us service and cable stepping up to fill the void, what a thankless job. It’s really hard to overcome a well earned bad reputation. Go figure, hawking telecom door to door, maybe if they could sell some brushes.

Anonymous Coward says:

Re: Re:

AT&T staff are told to use the word I in their training.

As in…I will not misuse or sell your data to third party advertisers. Yes the guy at the door won’t but AT&T will sell every fucking thing you do, including bank access/passwords/security info to whoever wants it.

AT&T has for YEARS sold all sorts of info to China, Russia and basically any shady asshole that wants to get into the scamming business.

Anonymous Coward says:

Re: Benefits

Such negativity is hashing their buzz.
The benefit to you is – the enjoyment you get from giving them all your hard earned money is seeing how much they enjoy the opulence they have become accustom to. This coupled with the disdain they have for their “customers” is really all you need in life, they know how to spend your money better than you do.

orbitalinsertion (profile) says:

Re: Re: Re:

If you are running your own DNS server and it is in the VPN pipethen sure it would be used if that is what is configured on the local device. Or you could be served out of the local resolver cache anything that hasn’t expired. Or HOSTS, etc. But if you are running your own resolver, requests aren’t going to an ISP reolver anyway. If you run a normal corporate DNS server and that is in the VPN tunnel also and it is configured to query an ISP DNS server, well… But your average user of some VPN service is subject to whatever resolver addresses are configured on exit server unless they specifically respect your local and/or router resolver address settings (and probably have a VPN setting to specify that, with default off).

I’ve seen a lot of this, people complaining that they are not using such and such resolver (especially OpenDNS if they use the domain filtering and suddenly it isn’t working) and why is this happening? Turns out they are using a VPN if it isn’t the ISP hijacking their requests or they seriously didn’t configure things correctly.

DannyB (profile) says:

Let's Encrypt

The more encrypted web sites I visit:
* the less my ISP knows about what I’m doing
* the less they can deeply inspect my packets
* the less they can inject zombie super cookies
* the less they can inject unwanted ads
* the less they can inject unwanted javascript (aka malware)

Encrypting web traffic is probably as much about protecting oneself from their own ISP as it is from the NSA.

John Fenderson (profile) says:

Re: Let's Encrypt

Yes. I think people tend to get a bit distracted by trying to identify the specific parties they fear are going to attack. It doesn’t matter much in the end, because what you have to do to protect yourself is pretty much the same thing regardless.

The proper security mindset is to assume that anything that you don’t have direct physical control over is actively malicious in nature (and the things you do have physical control over are viewed with a suspicious eye).

Anonymous Coward says:

Re: Let's Encrypt

But the more excuse the CIA has for ‘accidentally’ murdering yet another US Citizen with a drone strike on US Soil…..

Because using encryption = you are a terrorist, ergo you HAVE murdered people via explosives, therefore you must die.

case proven. the defence rests (and seals everything under National Security)

Anonymous Coward says:

This is a layer 3 or layer 4 problem.

If you want to fix this, look into IETF working groups. This is where things like this get solved, and where the people who know how to solve these kinds of problems communicate.


The fix is re-engineering something like DNS to run at layer 3, with some native cyptographic signature features, adding at least one bit to the layer 4 header to allow end users to designate that they “reserve all rights without prejudice” on every single datagram, and to implement those features in an open source replacement for Berkeley Sockets, or whatever has since replaced it in the kernel.

What is happening instead, is the cable cabal is aligning with their neighbors over at the wintel alliance, and building networks around an end-node distribution model using teredo. Effectively this forks the whole Internet. The move towards “competative markets for cable boxes” is nothing more than a marketing move. If the Internet is a “box” in the consumers mind, it isn’t a community, speech or a civil right. They don’t want you to interface with your computer, they want you to interface with a box, because they can CONTROL the box.

What about TOR? TOR is not a solution. It is a symptom of the larger problem: TCP is deprecated. Which is also a smaller problem, considering that protocol code is TINY compared application code.

So what fixes this? Again, a drop in replacement for the system protocol stack that’s what. What doesn’t fix this? Anything currently being flogged by any of the big players.

Network engineers need to start looking at the law as a loadable module. It is no different that calling into C from python, perl or ruby. But YOU DO have to read the code, and implement references to the respective methods.

In a nutshell the software license for the new protocols has to say something like: “If you run this code you agree that if bit position N is true during transmission, it designates that the transmitting party reserves all of their rights without prejudice. This convention must cascade to all derived works, or any technology using this protocol.”

That simple phrase, or something like it, is all that is needed to facilitate the 1st, and 4th amendments across the Internet in a way the cabal can do nothing about. It is a nail on which to hang litigation.

After 20 years of Internet, we still haven’t standardized a simple mechanism for citizens to DECLARE a reservation of their civil rights. This can be attributed to ignorance or arrogance on the part Internet architects, and to bad civics teachers everywhere. “certain unalienable rights” was not law, it was a part of a hate mail letter.

Internet is layer 3. A consumer SHOULD be able to pass ANY conforming datagram over it. If this is still the case, then really ANYONE could do this. If my C was good enough I’d have done it years ago.

John Fenderson (profile) says:

Re: This is a layer 3 or layer 4 problem.

Well said!

IMHO, the essential problem is that security was not a design goal for TCP/IP in the first place (survivability was the focus instead). All security mechanisms available are effectively “aftermarket add-ons” a/k/a “bags on the side” a/k/a “elegant hacks”.

In an ideal world, the entire system would be redesigned with security as one of the goals. But, unfortunately, we don’t live in an ideal world.

Add Your Comment

Your email address will not be published. Required fields are marked *

Have a Techdirt Account? Sign in now. Want one? Register here

Comment Options:

Make this the or (get credits or sign in to see balance) what's this?

What's this?

Techdirt community members with Techdirt Credits can spotlight a comment as either the "First Word" or "Last Word" on a particular comment thread. Credits can be purchased at the Techdirt Insider Shop »

Follow Techdirt

Techdirt Daily Newsletter

Techdirt Deals
Techdirt Insider Discord
The latest chatter on the Techdirt Insider Discord channel...