ISPs Give 'Netflow Data' To Third Parties, Who Sell It Without User Awareness Or Consent

from the more-of-the-same dept

Back around 2007 or so there was a bit of a ruckus when broadband ISPs were found to be selling your “clickstream” data (which sites you visit and how long you’re there) to any nitwit with a nickel, then basically denying they were even doing that. Concerns about that now seem quaint.

In the years since, technologies like deep packet inspection have allowed ISPs to collect and sell details on every aspect of your online life, then, through obfuscation, proxies, and empty promises of “anonymization,” insist they’re not doing exactly that. Or, as the wireless industry’s location data scandals have shown, collect and sell your daily movement habits, initially with only a fleeting concern about user privacy and security.

Now, sources in the infosec community tell Motherboard ISPs are also (again, via proxies) selling access to “netflow data.” As the name suggests, netflow data describes day-to-day, broad-stroke network traffic (pdf): overall network loads, which servers are talking to one another, network topology, and so on. The data is generally beneficial to researchers trying to understand network and user behavior, and to security experts trying to mitigate network attacks. But it’s also valuable, and increasingly it’s being offloaded to businesses who are then turning around and selling it:
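To make concrete what a flow record carries, here is an added example (not from the article or from Motherboard’s reporting) that parses a constructed, simplified CSV rendering of flow records and builds the “who talks to whom” view described above; the field layout and the sample addresses are assumptions, and real exports are binary and richer.

```python
# Added example, not from the article: what a NetFlow-style record
# exposes even though it carries no packet payload.  The CSV layout is a
# constructed, simplified rendering of the usual flow fields; real
# exports (NetFlow v5/v9, IPFIX) are binary and carry more fields.
from collections import defaultdict

# Constructed sample. 10.0.0.0/8 stands in for subscriber addresses;
# 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges.
# fields: start,proto,src,sport,dst,dport,packets,bytes
SAMPLE_FLOWS = """\
2021-08-24T09:00:01Z,6,10.1.2.3,52344,203.0.113.10,443,12,4800
2021-08-24T09:00:05Z,6,10.1.2.3,52350,203.0.113.10,443,40,61000
2021-08-24T09:01:10Z,17,10.1.2.9,41000,198.51.100.7,1194,900,1300000
2021-08-24T09:01:30Z,17,10.1.2.9,41000,198.51.100.7,1194,650,910000
2021-08-24T09:02:00Z,6,10.1.2.3,52360,203.0.113.22,443,8,2100
not a flow record
"""

def parse_flows(text):
    """One dict per well-formed line; malformed lines are skipped."""
    keys = ("start", "proto", "src", "sport", "dst", "dport", "packets", "bytes")
    flows = []
    for line in text.splitlines():
        parts = line.strip().split(",")
        if len(parts) != len(keys):
            continue
        rec = dict(zip(keys, parts))
        for k in ("proto", "sport", "dport", "packets", "bytes"):
            rec[k] = int(rec[k])
        flows.append(rec)
    return flows

def peers_by_source(flows):
    """Per subscriber address: which (server, port) it talked to and how
    many bytes went there.  This 'who talks to whom' view is exactly what
    the article says the data reveals, and no payload is needed for it."""
    out = defaultdict(lambda: defaultdict(int))
    for f in flows:
        out[f["src"]][(f["dst"], f["dport"])] += f["bytes"]
    return {s: dict(d) for s, d in out.items()}

def single_endpoint_sources(flows):
    """Sources whose every flow goes to one (server, port).  From the ISP
    side a VPN tunnel looks like this: it hides the final destinations,
    not the fact, timing or volume of the tunnel's use."""
    return sorted(s for s, d in peers_by_source(flows).items() if len(d) == 1)
```

The second subscriber’s flows all land on one endpoint, which is the shape a tunnel presents to anyone holding the flow records, even though nothing inside the tunnel is visible.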

“I’m concerned that netflow data being offered for commercial purposes is a path to a dark fucking place,” one source familiar with the data told Motherboard. Motherboard granted multiple sources anonymity to speak more candidly about industry issues.

Recall that modest FCC broadband privacy rules designed to give users a little more transparency into this stuff were killed by the GOP in 2017 (using the Congressional Review Act at telecom industry behest) before they could even take effect. And recall that, thanks to a cross-industry coalition of lobbyists, the United States still doesn’t have even a basic privacy law for the internet era. As a result, any shred of data that can be collected and sold is, securing that data is often an afterthought, and consumers more often than not have absolutely no transparency into anything.

The data provides comprehensive insight into not just what’s happening on the originating ISP’s network, but everybody’s network, including what data is being pushed through VPNs. ISPs offload this data to security vendors in exchange for security threat analysis work. Those vendors then turn around and act as data brokers, selling access to this data to a wide variety of third parties… without consumer awareness or consent. ISPs can then tell reporters “we don’t sell access to user data” because, technically, they aren’t directly “selling” it:

“The continued sale of sensitive data could present its own privacy and security concerns, and the news highlights that ISPs are providing this data at scale to third parties likely without the informed consent of their own users.

“The users almost certainly don’t [know]” their data is being provided to Team Cymru, who then sells access to it, the source familiar with the data said.

Again, there’s always a lot of hand-wringing about the supposed impossibility of privacy legislation given the potential for harm. But it remains entirely possible to craft comprehensive, basic federal rules that, at the very least, mandate absolute transparency with the end user. Instead, what we’ve created is a wild-west-like ecosystem of app makers, phone makers, software giants, telecoms and others selling every shred of data they can find, often failing to adequately secure it, with consumer protection (or even awareness) a distant, belated afterthought.


Comments on “ISPs Give 'Netflow Data' To Third Parties, Who Sell It Without User Awareness Or Consent”

Sok Puppette says:

Re: Pay for some privacy

Against somebody with a broad enough view of Netflow, VPNs don’t do anything. The article is talking about Cymru, and if I wanted to name anybody outside of government spies who might have that kind of broad view, it would be them. They’ve been doing deals to get data for ages. In fact the article specifically mentions deanonymizing VPN traffic.

I’ve seen people at least claim to have deanonymized even Tor flows, although they were relatively big, conspicuous flows.

Plus, of course, you’re putting total trust in the VPN.

ECA (profile) says:

For all the ways

That these corps make money off of us. It gets real silly, on their side, that most of the corps have our data anyway. Including overseas.
We know our gov. is monitoring us, which is a bit silly, but from what location? Is the ISP the one doing all this work? Because then they would be getting very good money, and all this should be a lot cheaper, as we are paying with our taxes. If the gov. has enough people and programs to monitor even 1/2 of the chats and forums, that is even more money we are paying in taxes. And then we can consider all the grants given to the corps to get things done, and still not done over the past 20 years. Still it is our taxes. And I still wonder about the backbone, and if it has been fully upgraded.

That One Guy (profile) says:

... right?

No worries, I’m sure that with the political pressure that has been aimed at the likes of Facebook and Google relating to user privacy, those same politicians will be falling over themselves to give similar treatment to ISPs, dragging them over the coals for excessive data gathering and misuse of that data and threatening them with regulation if they don’t toe the line and respect user privacy.

Any day now…

Anonymous Coward says:

It may sound cynical, but this feels entirely intended.

If anyone feels "hurt", or "insulted", or "defamed", all they would need to do is find a broker who could sell them sufficient access to combine a twitter timestamp (over a broad period and number of tweets, granted) to pinpoint a source.

Looking at you Devin!

Even with whitenoise apps that attempt to blanket out frame sizes or timings, it could very plausibly be used to find who tweeted, who visited, who uploaded whatever content you wish to obliviate, and then never have to publicly announce how you came to your determination.

A simple law would prevent that (obviously, with various caveats for national security, but it would need to be heavily caveated to prevent governmental abuse). But they’re not interested in such things.

Why cut off your nose when you can sniff out a mean person who insults your delicate sensibilities.

Anonymous Coward says:

What’s to stop a bad imposter from accessing this data to find backup repositories, or cross-cloud databases, or to discover hidden servers, ones not directly addressable via public DNS, in order to attack something that may not be as well defended as publicly known servers?

At my firm, we use proxies to hide our infrastructure addresses, and we continually rotate IPs, yet we still get attempts to access our servers, sometimes minutes after a rotation.

This has shown a potential route that is being used to find them.

Lostinlodos (profile) says:

What are they actually getting from this stuff that can be directly privacy related?
Is it that someone visits a porn site, or that a specific person did?

While I generally don’t care some do. Is this any different than cookie data I supply when I allow cross site tracking for relevant advertising?
Or is this an actual case of personal privacy!

I can’t get from this (and hundreds of other) article what data these profiles contain that is related to an individual.
