No, You Can't Buy Congress's Internet Data, Or Anyone Else's

from the this-won't-fix-piracy dept

In the wake of yesterday's unfortunate Congressional vote to kill broadband privacy protections (which had only just been put in place a few months ago, and hadn't yet taken effect) we've been seeing a lot of... bad ideas. People are rightfully angry and upset about this. The privacy protections were fairly simple, and would have been helpful in stopping truly egregious behavior by some dominant ISPs who have few competitors, and thus little reason to treat people right. But misleading and misinforming people isn't helpful either.

The story that's getting the most attention and seems to be going viral (or at least on the verge) is this GoFundMe campaign set up by Misha Collins to buy and release Congress's internet data:

Congress recently voted to strip Americans of their privacy rights by voting for SJR34, a resolution that allows Internet Service Providers to collect, and sell your sensitive data without your consent or knowledge. Since Congress has made our privacy a commodity, let’s band together to buy THEIR privacy.

This GoFundMe will pay to purchase the data of every Congressperson who voted for SJR34 and to make it publicly available.

PS: No, we won't "doxx" people. We will not share information that will impact the safety & security of their families (such as personal addresses). However, all other details are fair game. It says so right in the resolution that they voted to approve.

Game on, Congress.

As I type this, the campaign is rapidly approaching $30,000 raised (though it claims it has a $500 million goal). The campaign also promises that any leftover money will go to the ACLU — and I love the ACLU, but I'd argue that other organizations were much more involved in this particular fight than they were, so that's an odd choice). Update: Turns out this isn't the only such campaign. There's another one here that has raised even more and doesn't say what it will do with the money if it can't buy the data.

But here's the real problem: you can't buy Congress' internet data. You can't buy my internet data. You can't buy your internet data. That's not how this works. It's a common misconception. We even saw this in Congress four years ago, where Rep. Louis Gohmert went on a smug but totally ignorant rant, asking why Google won't sell the government all the data it has on people. As we explained at the time, that's not how it works*. Advertisers aren't buying your browsing data, and ISPs and other internet companies aren't selling your data in a neat little package. It doesn't help anyone to blatantly misrepresent what's going on.

When ISPs or online services have your data and "sell" it, it doesn't mean that you can go to, say, AT&T and offer to buy "all of Louis Gohmert's browsing history." Instead, what happens is that these companies collect that data for themselves and then sell targeting. That is, when Gohmert goes to visit his favorite publication, that website will cast out to various marketplaces for bids on what ads to show. Thanks to information tracking, it may throw up some demographic and interest data to the marketplace. So, it may say that it has a page being viewed by a male from Texas, who was recently visiting webpages about boardgames and cow farming (to randomly choose some items). Then, from that marketplace, some advertisers' computerized algorithms will more or less say "well, I'm selling boardgames about cows in Texas, and therefore, this person's attention is worth 1/10th of a penny more to me than some other company that's selling boardgames about moose." And then the webpage will display the ad about cow boardgames. All this happens in a split second, before the page has fully loaded.

At no point does the ad exchange or any of the advertisers know that this is "Louis Gohmert, Congressional Rep." Nor do they get any other info. They just know that if they are willing to spend the required amount to get the ad shown via the marketplace bidding mechanism, it will show up in front of someone who is somewhat more likely to be interested in the content.

That's it.

* Amusingly, Rep. Gohmert voted to repeal the privacy protections, which makes no sense if he actually believed what he was saying in that hearing a few years ago...

Now, what is true is that it's still a bad thing to have companies holding this much data about our private internet usage. And there are real privacy risks of data leaking, and potentially then being tied back to individuals, because it's basically impossible to anonymize that kind of data entirely. But no one is out there "selling your browsing history" in a way that someone else can go buy it.

I know that some people don't care about this distinction, and even some people I know and trust are cheering on this crowdfunding campaign, at the very least to try to make a point about how Congress is voting against their own privacy in favor of some of their largest campaign donors. And that point is not wrong. But if we continue to push this myth that companies are selling direct dossiers on each individual surfer, people will start believing other wrong and misleading stuff, and that makes it more difficult to tackle the actual problems here.

And that's not the only kind of myth we've seen. We've already talked about people now falsely believing that VPNs are a solution here (they are not, and at best might solve some small problems while creating others). But then you have MSNBC, with a TV news correspondent (who you'd think would know better) tweeting out complete nonsense, telling people to "delete" their browsing history hourly:

That's just... embarrassingly uninformed, to the same level as the people insisting you can walk up to Comcast or AT&T and buy Louis Gohmert's browsing history (or, for that matter, Louis Gohmert's belief that the government can just buy advertising data to find terrorists).

We don't solve problems by misrepresenting what the real scenario is. It's true that ISPs have way too much power over these markets, and they can see and collect a ton of information on you which can absolutely be misused in privacy-damaging ways. But let's at least be honest about how it's happening and what it means. That's the only way we're going to see real solutions to these issues.


Reader Comments

Subscribe: RSS

View by: Time | Thread


  • icon
    TechDescartes (profile), 29 Mar 2017 @ 1:47pm

    Oddly Specific

    So, it may say that it has a page being viewed by a male from Texas, who was recently visiting webpages about boardgames and cow farming (to randomly choose some items).

    Since you don't specify, we just will assume that you randomly chose these items from your browser history. Using a Tor exit node in Texas.

    reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Fool, 29 Mar 2017 @ 1:54pm

    I donated

    Yea, I know they can't actually buy the info ... Legally.
    I gave $10 just because.

    I'll probably give some to the EFF asking to target this issue.
    Congresskritters are scum.

    reply to this | link to this | view in chronology ]

    • identicon
      Anonymous Coward, 29 Mar 2017 @ 6:33pm

      Re: I donated

      Yea, I know they can't actually buy the info ... Legally.

      Really? What law would make that illegal?

      reply to this | link to this | view in chronology ]

      • identicon
        Anonymous Coward, 30 Mar 2017 @ 12:51am

        Re: Re: I donated

        Terrorism laws. Because apparently, if you use laws against politicians, you're a terrorist.

        reply to this | link to this | view in chronology ]

      • icon
        JackL (profile), 30 Mar 2017 @ 12:02pm

        Re: Re: I donated

        An inability to buy 'the info' does not necessarily mean that it is illegal to buy/sell such information. That information is simply not available on the open market. ISPs do not provide raw-data to the general public. Even if I want my browsing information in a marketable, commercial-ready format, the big ISPs will not ordinarily gather and deliver it. If I did somehow get it, it would have to be in an accessible and usable format.

        A marketable format would probably be a readable format. That readable format then becomes content based information, rather than code-based-metadata.

        'Content' enjoys a number of protections, including the IV Amendment. Federal law prohibits many forms of content acquisition, e.g.: wire-tapping, electronic eavesdropping, surreptitious recording, and digital interception. You can’t gather the content of someone’s private communications without consent or a warrant based on probable cause.

        'Metadata' protections are more ambiguous, as the term is more vague. Regardless of how it is may be defined, it is not 'content'. If metadata is gotten by an unauthorized access, that would violate the Stored Communications Act (SCA) (18 U.S.C. § 2701 et seq.).

        So who owns 'my' metadata and browsing-patterns?
        Better read the Terms & Conditions of Use (for EVERY website you visit and EVERY App you apply), to see what you've waived.

        reply to this | link to this | view in chronology ]

      • identicon
        Barry L Melton, 31 Mar 2017 @ 5:56am

        Re: Re: I donated

        What law would make that illegal?

        47 U.S. Code § 551, which houses the Protection of subscriber privacy provisions as enacted in The Cable Communications Policy Act of 1984.

        https://www.law.cornell.edu/uscode/text/47/551

        reply to this | link to this | view in chronology ]

        • identicon
          Lisha Sterling, 1 Apr 2017 @ 12:22am

          Re: Re: Re: I donated

          I just read that and didn't see anywhere in there where it said that information couldn't be sold. I only saw where it said that the personally identifiable information had to be disclosed to subscribers. Also, this only covers cable companies, and not all ISPs are cable companies.

          reply to this | link to this | view in chronology ]

    • icon
      Bergman (profile), 29 Mar 2017 @ 6:33pm

      Re: I donated

      So instead of paying off an ISP executive, you pay off a hacker. Either way, the information gets into the public view.

      reply to this | link to this | view in chronology ]

      • identicon
        andy, 29 Mar 2017 @ 10:09pm

        Re: Re: I donated

        The most fun will be when someone manages to get data on the browsing habits of those in the capitol in specific areas, namely where the government is situated.

        I am sure that somewhere along the line people are going to find ways to embarrass the people who have been bribed to let this bill pass.

        And there is always the hacking that be used to get browsing data as it is not illegal yet.

        reply to this | link to this | view in chronology ]

    • identicon
      anonymous, 30 Mar 2017 @ 5:52am

      Re: I donated

      ...or the slant put into news articles has become abhorrently misleading. It may not be "fake" news, but it seems to me that Google is on the front line of distributing misconceptions. I'm fairly sure that is by design.

      reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 29 Mar 2017 @ 2:02pm

    Oh, it's all okay. Because power-mad politicians, rabid "law enforcement", greedy corporations, malicious nerds, or the evil ??AAs, won't ever go further.

    Whew. I was worried before this assurance from someone who sells every scrap of information that site visitors provide.

    reply to this | link to this | view in chronology ]

  • This comment has been flagged by the community. Click here to show it
    identicon
    Anonymous Coward, 29 Mar 2017 @ 2:02pm

    Oh, it's all okay. Because power-mad politicians, rabid "law enforcement", greedy corporations, malicious nerds, or the evil ??AAs, won't ever go further.

    Whew. I was worried before this assurance from someone who sells every scrap of information that site visitors provide.

    reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 29 Mar 2017 @ 2:02pm

    Here's Masnick yet again as ever assuring us that THIS step is minor, ignoring that all lead to complete lack of privacy.

    Undercutting his own prior story. Despite some handwringing, always ends up downplaying the surveillance state, especially its commercial front: Google.

    reply to this | link to this | view in chronology ]

    • identicon
      Anonymous Coward, 30 Mar 2017 @ 9:58pm

      Re: Here's Masnick yet again as ever assuring us that THIS step is minor, ignoring that all lead to complete lack of privacy.

      Don't worry. Your loving boyfriends at the NSA have you covered. Specifically your ass, with copious amounts of surveillance sperm. Yeah, fuck that, piracy!

      reply to this | link to this | view in chronology ]

  • identicon
    SpaceLifeForm, 29 Mar 2017 @ 2:11pm

    You can't buy it

    But they can give it away.
    Qrid pro quo.

    reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 29 Mar 2017 @ 2:13pm

    How do they plan on sending me those targeted ads when I routinely surf sans javascript ?

    I laugh at their feeble attempts.

    reply to this | link to this | view in chronology ]

  • icon
    Uriel-238 (profile), 29 Mar 2017 @ 2:27pm

    Why not?

    We can't purchase anything from an ISP unless it is willing to sell it, but what's to stop the ISP from acting as a man-in-the-middle and scooping up all communications from a given IP addy?

    What is to prevent the ISP from, then, compiling a dossier on its location, and the users that connect to and from that ISP, including reading anything that it can decrypt,much the way the NSA uses only metadata?

    Google has everything about me in its database. Google's policy stops it from using that data to dox me or stalk me. According to Google's policy, they'll defend my from government access except as required by a warrant or due process. And they sell analyses of data that includes my data, without ever mentioning me specifically.

    But without the limitations of this policy, a Google agent could determine what I read on the potty and what I think about when I masturbate.

    Comcast (a monopoly in my town) doesn't have these policies. What stops them from selling an extensive dossier of me to whoever wants it?

    reply to this | link to this | view in chronology ]

    • identicon
      stine, 29 Mar 2017 @ 10:40pm

      Re: Why not?

      Unfortunately, the only thing stopping them is ... nothing.

      reply to this | link to this | view in chronology ]

    • identicon
      Bruce C., 30 Mar 2017 @ 3:59am

      Re: Why not?

      My thoughts exactly. Just because the current business model involves selling advertising targets, there's nothing to stop them from selling your name, address and browsing history to insurance companies, credit reporting bureaus, LexisNexis and other information aggregators and consumers.

      OTOH, there's nothing to stop Google from doing it either with your search history. They might not have your name and address, but they'll have your (generally identifiable) hardware/browser configuration.

      reply to this | link to this | view in chronology ]

      • icon
        Uriel-238 (profile), 30 Mar 2017 @ 6:29am

        Why Google won't

        The difference is that I can personally stop using Google and there are competitors to the services Google provides. That way, they have a strong motivation to play nice with the data of mine they sell (e.g. not even anonymizing my profile, but actually only selling analyses of bulk data that includes my profile.)

        But I (now) live in a Comcast monopoly zone. If I don't use Comcast, I don't use the internet.

        So they have zero motivations to be nice regarding my personal and private date.

        reply to this | link to this | view in chronology ]

        • identicon
          Anonymous Coward, 30 Mar 2017 @ 10:23am

          Re: Why Google won't

          The difference is that I can personally stop using Google

          It's not easy though. You won't be able to post on some web sites, because they use Recaptcha which is a Google service. You'd have to block all Google-owned ad servers—you'd probably want to do anyway, but it would be easy to miss one. Google Analytics, of course, needs to be blocked; I think disabling JS will do it. You have to be careful when using a search box on a web site, because many of them redirect these site-local searches to Google. The people you communicate with might be using Gmail, with or without a gmail.com address. You'd have to avoid anything running on Google's cloud service, and I don't know how to even check that...

          Avoiding Google is about as practical as using satellite internet, which is an option for you. Some terrible (capped) cellular service might be available too. Dialup still exists; an unlimited services would give you about 15 GB a month for $25 plus the cost of a landline.

          reply to this | link to this | view in chronology ]

          • icon
            Uriel-238 (profile), 30 Mar 2017 @ 2:15pm

            Leaving Google isn't easy.

            Well, I was referring to Google's direct services, such as search, email, calendar, contacts, etc. al.

            As for evading their advertising tags, I started using NoScript a few years ago after a Chinese phisher got me and shanghaied my browser. After that debacle, I've become careful to the point of paranoid what kind of scripts I let the system run, sometimes to the point of just not using websites if its resources are too complex to untangle.

            That said, few websites require googletagservices or the other auxiliary Google-related sites, so for they degree Google does track me, it works for it.

            Not that this helps anyone else. I don't really recommend going as paranoid as I have. But also my web-browsing sometimes takes me to some pretty exotic places.

            reply to this | link to this | view in chronology ]

        • identicon
          Rana, 30 Mar 2017 @ 11:29am

          Re: Why Google won't

          But I (now) live in a Comcast monopoly zone. If I don't use Comcast, I don't use the internet.

          Oh boo-hoo. If you don't like your ISP, move somewhere else! Don't be such a cry-baby!

          /s

          reply to this | link to this | view in chronology ]

  • identicon
    Scote, 29 Mar 2017 @ 2:32pm

    "That's just... embarrassingly uninformed, to the same level as the people insisting you can walk up to Comcast or AT&T and buy Louis Gohmert's browsing history "

    We actually don't know what the ISPs will do. They may sell targeted ads using their own delivery network to inject HTML. Or they may connect with existing ad trackers. They may sell data that can be de-anonymized to data companies (eg, one email from someone may give you their IP which may allow you to pick out their data from an "anonymous" collection). Or they may actually sell people's browsing history *by name* to data agregators.

    So, if you want to dispel misinformation about this don't add more of your own to the mix.

    reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 29 Mar 2017 @ 2:36pm

    What of profiling firms such as LexisNexis? Wouldn't they be a potential customer for Internet histories with names attached?

    reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 29 Mar 2017 @ 2:37pm

    Why?

    But no one is out there "selling your browsing history" in a way that someone else can go buy it.

    Is that because there's a privacy law stopping them, or just because they've chosen not to--maybe because they think it's less profitable or that users would revolt. If it's a choice, they can always change their mind, maybe given the right price.

    Anyway, it's only been a day or two since the rules changed. So of course they're not doing it right now.

    reply to this | link to this | view in chronology ]

    • identicon
      Anonymous Coward, 30 Mar 2017 @ 9:39am

      Re: Why?

      The point is that no rules were changed. They were GOING to change (for the better) and now they aren't. What the bill in question did is preserve the status quo, a point that most people seem to be missing.

      reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 29 Mar 2017 @ 3:16pm

    I understand the main point of this article.. However it does need correcting to point out how the campaigns could reap real world data.. For example Russia could purchase targeted advertising to Congress figure out what websites when people are eating lunch etc..

    reply to this | link to this | view in chronology ]

  • identicon
    Thad, 29 Mar 2017 @ 3:20pm

    We've already talked about people now falsely believing that VPNs are a solution here (they are not, and at best might solve some small problems while creating others).

    Using a VPN absolutely creates new problems, and merely kicks others down the road (you're now trusting your VPN not to sell the same data that you don't trust your ISP not to sell). But I disagree with the argument that they "at best might solve some small problems".

    The specific problem we're talking about here is my ISP retaining data on my Internet usage, and, potentially, selling that data to advertisers. A decent VPN vastly decreases the amount of information my ISP is able to retain on me. At best, the VPN does not retain my browsing history either. That sounds like more than a small problem solved to me.

    reply to this | link to this | view in chronology ]

    • icon
      Dismembered3po (profile), 29 Mar 2017 @ 5:55pm

      Response to: Thad on Mar 29th, 2017 @ 3:20pm

      Exactly!

      There is ample competition in the VPN marketplace, there are reputable organizations vetting how they work, and you can, in fact, vote with you wallet.

      With a properly functional VPN, the only thing your ISP would be able to see is THAT you connected to the VPN. They wouldn't be able to see what you did over it. And even in the case of a tagging technique like Verizon was using, that tag would be outside the SSL/IPSEC protected channel (it would break the packet authentication, otherwise), so it would not survive into the plaintext traffic exiting the VPN node on the other end.

      Obviously,a leaky VPN doesn't do anyone any good.

      The big deal with ISPs is that to them, you aren't simply a demographic. The ISP has the goods to bridge the gap between you as a demographic, and you as a specific human (OK, account holder) with a social security number and a functional bank account, a physical address, a telephone number and a name.

      Just because the WEB advertising market isn't currently trading in these details (that we know of), it does not mean that there ISN'T a market for them. Or that the web ad business wouldn't jump at the chance to be able to send you physical marketing (like, you know... Postal SPAM).

      ...Or that the people wanting to buy these details are even as legitimate as the shadiest purveyor of online ads. We know, for certain, that the big ISPs already go out of their way to help third parties screw over their phone customers (what with the AT&T cramming debacle and all) if there's money to be made.

      reply to this | link to this | view in chronology ]

      • identicon
        Thad, 30 Mar 2017 @ 10:27am

        Re: Response to: Thad on Mar 29th, 2017 @ 3:20pm

        With a properly functional VPN, the only thing your ISP would be able to see is THAT you connected to the VPN.

        It also sees when you connect to the VPN, and how much data you send and receive. Those details are enough to make certain assumptions about when you're home and awake (you could mitigate that by adding noise -- say, seed a bunch of popular Linux distro torrents -- but they're still probably going to notice things like, say, your connection always using heavy bandwidth at 6 PM when you get home from work and turn on Netflix. Unless you saturate your connection all the time, in which case you're probably going to get a stern warning about your bandwidth use). Plus, the mere fact that you're using a VPN suggests certain things about you (you're technically inclined and politically informed).

        Still, while they can do certain things to build a profile on you if you use a VPN, it'll be a much less detailed profile than if they could actually monitor what sites you were visiting.

        reply to this | link to this | view in chronology ]

      • identicon
        John, 31 Mar 2017 @ 12:08am

        Re: Response to: Thad on Mar 29th, 2017 @ 3:20pm

        Google merged their Gmail adverising with the DoubleClick ad neteork last year.

        reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 29 Mar 2017 @ 3:25pm

    Yes, you can buy Internet (browsing or other) data

    You just can't do it above board. There are many -- MANY -- marketplaces on the darknet where databases of all descriptions are available, some rather cheaply. Coverage isn't complete, of course, but it's quite extensive and the level of detail is often superb: timestamps, full URLs, DNS queries, SMTP/POP/IMAP transactions, FTP/SSH transactions, and so on.

    Where's it coming from? How's it being acquired? Sellers are invariably silent but in some cases it's not hard to figure out. The more interesting question is whether this is being done officially by ISPs (and then sold under the table by employees who know a cash cow when they see one) or whether the instrumentation necessary to collect it has been installed by rogue engineers without the knowledge of company management. (The average CEO with a McDegree like an MBA couldn't possibly find this stuff: it's way beyond their pitiful technical skills.)

    So don't make the mistake of presuming that just because YOU don't know where to buy this data that it can't be bought. There is always someone willing to pay.

    reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 29 Mar 2017 @ 3:26pm

    But we could buy ads targeted at congress

    Maybe the Kick-Starter could buy an ad targeted at specific reps. For instance you could purchase an ad targeting people over the age of 70 living in KY, employed as a US senator. Maybe seeing an ad that says "Mr. Mitch McConnell, why did you vote to eliminate our privacy? - signed the internet", might creep him out.

    reply to this | link to this | view in chronology ]

    • identicon
      Anonymous Coward, 29 Mar 2017 @ 3:34pm

      Re: But we could buy ads targeted at congress

      If the targeting of your ad was further narrowed to include only those who recently visited certain embarrassing websites , you could make the message even creepier ("Senator, I know you went to website XXXX yesterday").
      And assuming the ISP gave the ad-purchaser feedback on if the ad got any views, you could very well track what websites they visited.

      reply to this | link to this | view in chronology ]

  • icon
    PrattleOnBoyo (profile), 29 Mar 2017 @ 4:00pm

    Get a Clue, Masnick

    I can't discern whether Masnick is being disingenuous or just plain dense. ISPs have just been given carte blanche by Congress to do whatever the hell they want with user data. Data privacy? Poof! Gone. Permanently. Data rights? What data rights? Poof! Gone away also. Historically, when there isn't a law prohibiting any given thing, the sky is the limit. Whose to do say definitively that the bobbleheaded executive boards of big ISPs that stand to gain from S.J.Res.34 won't decide to start selling piecemeal individual internet histories? You don't know, Masnick, and neither does anyone else. It doesn't help that you're spreading FUD and speculation as fact rather than opinion.

    reply to this | link to this | view in chronology ]

    • identicon
      Wendy Cockcroft, 4 Apr 2017 @ 7:29am

      Re: Get a Clue, Masnick

      Erm... try thinking about how they'd go about the business of doing that as a business without requiring ever-increasing numbers of human eyeballs to check that the data has value.

      Think about the amount of posting you do. Think about the reasons people may have more than one email account (even if they don't use them). What about prolific posters? If you're going to sell stuff you need a buyer. Who is going to pay for Wendy Cockcroft's internet history? Is there enough data in there to even get your money back?

      This is why they use trends rather than individual bits of data — there's too much info to sift through.

      reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 29 Mar 2017 @ 4:07pm

    I can't tell if people are this stupid, or these claims were deliberately planted to weaken opposition.

    reply to this | link to this | view in chronology ]

  • identicon
    Shmerl, 29 Mar 2017 @ 4:12pm

    The way it works

    Just because it used to work a certain way, doesn't mean ISPs can't go ahead and do something else now. Since legal situation is now different, can't they decide to re-interpret what they can do?

    reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 29 Mar 2017 @ 4:24pm

    While you can't buy a person's internet traffic metadata, you can bid on a location's internet traffic metadata. I'd assume some smart person will dredge up the public IP of whatever shared network congress members use at work and buy the data from that location (precision to be negotiated).

    reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 29 Mar 2017 @ 4:42pm

    I am going to write a program that deletes browsing history of the website you just visited just before you visit it. Well, I will do that after I add that secure back door to encryption.

    reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 29 Mar 2017 @ 5:47pm

    I hate to say this, but it doesn't matter one bit whether the ISP is selling customer data directly, or keeping it for themselves ala Google for targeted ad injection schemes. Why? BECAUSE THEY SHOULDN'T BE SNOOPING ON YOUR TRAFFIC TO BEGIN WITH! The average American would be rightly pissed off if someone could pay to snoop on their snail mail post to give them targeted circulars and that's a federal offense to tamper with the mail! Our web traffic shouldn't be any different as it's basically the same thing: letters (e'mail), commerce (paying bills), research (library access), real time communications (telephone), etc. None of these things can normally be intercepted and read by third parties (except the government with a for-cause warrant). People SHOULD be pissed off about ISPs snooping on the contents of traffic, and they SHOULD be on the verge of mutiny over this "let the market decide", "cuz capitalism", and other bullshit excuses. This article is essentially correct in that most companies may not sell customer data directly, but they still engage in regular trust violations that should never have been allowed to begin with, and those databases are rarely secure. Most of this data can be bought on the black market for a pittance, so while the ISPs may not be selling this information directly, don't believe it's not for sale at all!

    reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 29 Mar 2017 @ 6:40pm

    But could they?

    Mike says that ISP's don't sell customer data. Okay, but with no laws against it, how do we know that they won't do so in the future?

    reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 29 Mar 2017 @ 6:40pm

    meta-data

    All it takes is a few pieces of meta-data to identify who the information belongs to. The 20 plus apps that most have installed on their phones, with permissions to access contacts, wireless connections, call history, etc., are one of many ways to get that meta-data. Users of those 20 plus apps, have given explicit permissions for that data to be sold.

    reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 29 Mar 2017 @ 7:19pm

    That's right nobody is buying the data. The feds are getting it for free. No money necessary. For example, Google is flat giving you data to the feds. When they get caught doing it they deny it, but they are nevertheless doing it. The information that was released by Snowden wasn't a lie - there is an absolute direct connection between the feds and that data. Mike, and other Google cronies are paid top-dollar to distract and deceive people about this truth, but it's not working - not then - not now - not ever.

    reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 29 Mar 2017 @ 7:20pm

    "I know that some people don't care about this distinction..."

    You Sir, are correct.

    ...and the reason we don't care is that the distinction between 'what they currently do' and 'what they could do if they ever decide to', is so technically infinitesimally small, it becomes irrelevant to the conversation surrounding the serious potential for abuse that is almost guaranteed to eventually occur.

    It's distinctions like yours that are the real distraction from the crux of the issue. That crux being, if we allow this sort of data to be collected in the first place (esp., with near zero protection under the law and never any meaningful consequences to the data rapists), it will eventually result in ever increasing, massive/systemic abuses of the public good. And when you make such distinctions, you only serve to move the conversation further away from the point.

    reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 29 Mar 2017 @ 11:10pm

    Targeting

    Mike, maybe you are right. Maybe it isn't possible to buy a particular person's information yet, but I will tell you a story which will illustrate how an advertiser can indeed uniquely target a specific person, or a tiny group of specifically chosen people; and further, that such targeting requires a very detailed knowledge of targets' media consumption. This is knowledge that an ISP would be in an especially privileged position to collect.

    Two years ago, my son was one of the most sought after high-school students in the country by a number of elite academic institutions. He received so-called "likely letters", phone calls and free plane tickets from Ivy League and other top-tier schools who were hoping he would choose their university.
    As you might expect, my son generally has not had much time to watch TV, but he did have a couple of TV shows that he would catch up on when he had the time -- usually at late hours on a weekend evening. About 3-4 days after he received a likely letter from Duke University, he and I happened to watch an episode of Grimm. During a commercial break at 12:30AM on a Friday night, lo and behold-- a television ad for Duke University. I'm sorry, but Duke just is not a normal sponsor of Grimm, and I guarantee that our neighbors were not getting Duke University advertisements on TV. Even within our family, other family members did not see a single Duke ad when they were watching TV. That ad was targeted directly at him. It implied that Duke was able to determine who our ISP was (Comcast), and then Comcast could offer them the ability to display an ad during the specific show that he would most probably watch. Note that they were able to do this even though we do not have a smart-TV that would have helped them determine which family member was in the room when the TV was on. Perhaps they are able to correlate precision cell-phone location data with their cable-box data.
    I have to say, that ad felt just a little bit creepy and uncomfortable. We didn't like it.

    So you say that ISP's don't sell specific individual's media consumption information, and to that I would say:
    1) What is your evidence to back that statement up? For all we know, given the right price, ISP's may indeed do exactly that and;
    2) Even if they don't sell that information, but just keep it to themselves and use it to act as consultants for would-be advertisers, what is the practical difference? In our case it felt invasive, regardless of how it was accomplished.

    reply to this | link to this | view in chronology ]

    • identicon
      Wendy Cockcroft, 4 Apr 2017 @ 7:32am

      Re: Targeting

      Reminds me of that time Target targeted a pregnant woman with ads for nappies following an online search. As a former web designer who continues to be interested in web design I'm forever getting ads about web hosting and developer courses.

      This is down to their algorithms picking up on keywords as Mike describe.

      reply to this | link to this | view in chronology ]

  • icon
    David (profile), 30 Mar 2017 @ 12:44am

    But my ISP is Comcast.

    Those lying bottom dwelling scum will actually do the other version. The one that lists EVERYTHING that has ever happened via my connection to them. Then they will offer bundles (they do love dem some bundles) to advertisers of Area Man's traffic and how many others follow a similar trend.

    Considering how hamfisted they are, and how miserably they run their network stack just so they can charge customers for DDoS traffic, they will screw this up. Initially, then someone will fix that and Comcast customers will be fucked.

    Of course, it is so much easier to do this if there are laws that *force* them to. Which is exactly how Comcast will read this.

    reply to this | link to this | view in chronology ]

  • icon
    Stan (profile), 30 Mar 2017 @ 2:10am

    Shhhhhh ! ! !

    Mike wrote: "No, You Can't Buy Congress's Internet Data..."

    Correct, but does Congress know that? Not likely! And the thought of THEIR browser histories being sold might have caused them to reverse themselves.

    Too late now, I suppose...

    reply to this | link to this | view in chronology ]

    • identicon
      Anonymous Coward, 30 Mar 2017 @ 8:24am

      Re: Shhhhhh ! ! !

      Exactly what I was thinking. Yes, probably too late, but most Congress-critters are too brain-dead technologically to understand the folly of the idea. And it would be highly entertaining to watch them squirm/vote themselves an exemption when people started making up stories about the data they have purchased.

      Let's face it, all we have to do is fool some Congressional representatives. Pretty low bar, right there.

      reply to this | link to this | view in chronology ]

  • icon
    bosson (profile), 30 Mar 2017 @ 3:03am

    Tracking on swedish government offices and browsing

    Well, tracking can be a lot more personal.

    Look at Creeper, it was created in the wake of the EU Data retention directive. It tracks IP's of Swedish government offices using images for tracking on several sites as to remind government about the effects of data-retention. This could of course be combined with cookies to gather several locations of government employees and target groups specifically. Any US projects like this?

    http://www.gnuheter.com/creeper/senaste

    There are several data hoarders that work in a similar fashion to source tracking and they profile employees combined with home, airport, and library IPs or other stops as daily routines. Telcos would do well here in tracking companies for direct marketing.

    Google masks the last byte of the client IP in its Ad-exchange but others don't. Even without exact IPs, the Ad-tech cookie can be bound to the ad-exchange-cookie to get direct hits by way of redirecting the tracking-image one more step once a new targeting pixel is triggered and source-matched.

    Senators must be seeing this already.

    reply to this | link to this | view in chronology ]

  • identicon
    Jim, 30 Mar 2017 @ 5:37am

    But!

    Data collected, is a profile. It is stored somewhere, like the new had to expand their storage several years ago. It needs to be accessable for an immediate use. I remember, early advertising for ATM services...Safe, secure, immediate access. It proved to be hackable. And the information found an open market. Or, how about the cookies they will be using. How long till the company supplying the cookie, decides, it needs your credit card data, or your pin number? After all it is on your phone from your last purchase. How long before they make a purchase? Or track you out of the house in real time and feed the information to someone who better deserves your TV. Interesting concepts? No, those are old court cases.
    Oh, and VPN, private? When did I read it was the after, 2012 or earlier?

    reply to this | link to this | view in chronology ]

  • icon
    Teamchaos (profile), 30 Mar 2017 @ 5:48am

    More please

    The rule, which as you point out hadn't even taken effect yet, is just one example of the massive bureaucratic over reach that was the Obama administration. Instead of making laws, they made rules and executive orders which are much easier to nullify. We need to reel in the power of the deep state and get back to making laws that have some teeth and will stick. Of course, in order to do that the laws need mainstream support beyond some left wing, nanny state, big government types. I look forward to more reversals of Obama era overreach and the return of government for the people by the people.

    reply to this | link to this | view in chronology ]

  • identicon
    Jake, 30 Mar 2017 @ 9:47am

    What You CAN Do Is Set By the Law

    This post seems pretty much entirely focused on past and likely future business practices, and from that assumes that you CAN'T do something (in this case, buy a specific person or IP adddress' web browsing history).

    But what you can do is set by law and technical limitations, and now there is neither limit in tech or law to stop ISP's from personally selling web browsing history. Maybe they'll be reluctant to do so and it would be more expensive, maybe you'd have to request the IP address of someone's home rather than their name, but it can happen. ISP's are not bound by how this data has been used by browsers and websites using cookies in the past, they're bound by law, and the law preventing sale of browsing history just went out the window

    reply to this | link to this | view in chronology ]

  • icon
    John85851 (profile), 30 Mar 2017 @ 10:03am

    I think there's a larger problem

    And the problem is that people are ignorant and have short attention spans.
    Which version will most people read?
    A) "Congress will allow ISP's to sell your data".
    B) "But here's the real problem: you can't buy Congress' internet data. You can't buy my internet data. You can't buy your internet data.
    [Three paragraphs of explanation about the inner workings of Google AdWords.]
    That's it."

    Or, more importantly, which version will the local news station broadcast? I guarantee it's some form of "Congress wants to sell your data. Tonight at 11:00".

    reply to this | link to this | view in chronology ]

  • identicon
    Sualocin, 30 Mar 2017 @ 5:08pm

    It might not be cheap (yet)...

    but with enough money I'm pretty sure you can get almost anyone's data, if it's being collected.

    reply to this | link to this | view in chronology ]

  • icon
    SoreGums (profile), 2 Apr 2017 @ 5:48am

    Been happening in Australia for ages...

    There is a company in Australia that has been doing exactly this probably ever since the internet became a thing back in the 90s...

    They purchase all the data from all the main datacentres in Australia then put it all into a giant database and as a customer you bbuy access to categories.

    Then what you can do is figure out how well your sites does compared to others based on criteria. Mostly useful for figuring out where to spend ad dollars or how you are doing with keywords etc. Obviously not restricted to jsut your site - however that is usually why you subscribe to the data feed to use the information to make more money for your company as it is pretty expensive.

    Too bad I have forgotten the name of the company, people here probably know what I'm talking about though...

    reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 3 Apr 2017 @ 8:03pm

    Kinda like "According to the new report, though, Hemisphere isn’t a partnership at all—it’s a product."? https://www.technologyreview.com/s/602728/att-is-selling-law-enforcement-access-to-its-customers-dat a/

    reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 4 Apr 2017 @ 1:29am

    We do know AT&T is actually selling our data to the NSA and other law enforcement agencies, though.

    Although it may not mean that they're selling data on "John Doe" to other companies, but they're still selling his data...they just don't put a name on it. So it's not as bad, but still pretty bad.

    Plus, ISPs alreayd get paid. They shouldn't be allowed to mine your data, unless they plan to offer their services for free.

    reply to this | link to this | view in chronology ]

  • identicon
    Boyd F., 5 Apr 2017 @ 8:52pm

    Privacy law

    While your art isle is basically at the moment. Th law undoes all privacy protections with isp.

    So now an isp could sell your internet usage data if they want and it would be legal.

    They may and probably will get sued, hopefully out of business, if they do that but it's allowed.

    We need to create a gofundme site to fund the lawsuit to block the law. Tie it up in the courts for years and it won't take affect until a democratic pres/congress can undo it.

    reply to this | link to this | view in chronology ]


Add Your Comment

Have a Techdirt Account? Sign in now. Want one? Register here
Get Techdirt’s Daily Email
Use markdown for basic formatting. HTML is no longer supported.
  Save me a cookie
Follow Techdirt
Special Affiliate Offer
Anonymous number for texting and calling from Hushed. $25 lifetime membership, use code TECHDIRT25
Report this ad  |  Hide Techdirt ads
Advertisement
Report this ad  |  Hide Techdirt ads
Essential Reading
Techdirt Deals
Report this ad  |  Hide Techdirt ads
Techdirt Insider Chat
Advertisement
Report this ad  |  Hide Techdirt ads
Recent Stories
Advertisement
Report this ad  |  Hide Techdirt ads

Close

Email This

This feature is only available to registered users. Register or sign in to use it.