Broadband Industry 'Studies' Claim Users Don't Need Privacy Protections Because ISPs Are Just Harmless, Innovative Sweethearts
from the watching-the-watchers dept
With few protections in play, broadband ISPs have spent most of the last decade collecting any and every shred of data about their customers' online behavior. It began with clickstream data, which ISPs sold to third parties, then either refused to comment on or outright lied about. Since then, more intelligent network hardware has let ISPs use deep packet inspection to track and monetize user online behavior down to the second. In wireless, carriers like AT&T and Verizon not only collect and sell user online behavior and location data, but now embed stealth packet headers to track and profile users across the entire Internet.
It was that last decision that raised eyebrows at the FCC, prompting the agency recently to consider whether it should use its new Title II authority to build at least some basic rules of the road regarding broadband user privacy. This has, of course, made the broadband industry rather nervous. After all, the telecom industry has grown very comfortable with the fact that nobody has bothered to give half a damn about broadband privacy for the better part of a generation.
Enter the telecom-industry-funded Information Technology and Innovation Foundation, which has released a new "study" (pdf) that argues no privacy protections are necessary because you can trust broadband providers to do the right thing. The report starts off on a highly scientific note, insulting those who'd like some basic broadband privacy protections as "broadband populists" that are pushing an agenda that will -- you guessed it -- hurt puppies, innovation, broadband deployment, and tear giant holes in the time-space continuum.
Amusingly, the report claims that basic privacy protections would prevent ISPs from providing "numerous benefits" to consumers. The report also tries to claim that basic privacy protections will somehow stop ISPs from properly managing their networks:
"Limiting the use of broadband data...would constrain broadband providers’ ability to provide numerous benefits to consumers. Analyzing data is essential for ISPs to understand patterns and trends in Internet traffic and allows for informed adjustments to network functions and capacity, both in the long and the short term. Customer data is also important to help diagnose problems within the network and facilitate responses to customer requests for assistance with various issues."
The report goes on to claim consumers really don't need privacy protections because they have the option of using VPNs and encryption to hide their traffic from ISPs. But Nick Feamster over at Freedom to Tinker does a nice job explaining why it's not really that simple. ISPs can still observe user online behavior based on overall traffic pattern and volume, unencrypted portions of communication, and the growing volume of unencrypted Internet of Things traffic. And a VPN is no guaranteed blockade to ISP snooping either, since again IoT devices won't use the VPN, and ISPs can often still monitor user behavior via DNS anyway.
To be clear, what the FCC is proposing isn't particularly heavy-handed, nor would it stop ISPs from managing their networks or even profiting from snoopvertising. With the FCC's recent Title II move, ISPs are now subject to Title II’s Section 222 privacy protections regarding "customer proprietary network information" (CPNI). But since those rules were crafted for older phone companies, the FCC's looking to update them for the modern era. We're talking about relatively basic protections, such as requirements that you inform customers if you're tracking them and selling their data, and give them opt-out tools that actually work.
Given the billions everyone is happily making hoovering up user data from Silicon Valley to K Street, there's really no serious political motivation to go beyond that, "populist" outcry or not. But the report argues that broadband users don't need privacy protections at all because hey, ISPs don't actually know much about you and industry "self regulation" works exceptionally well to thwart bad behavior:
"The privacy policies of operating systems like Apple’s OS X and Google Android are also subject to FTC enforcement if they misrepresent how they use their users’ personally-identifiable information. This is the model for a well-functioning, self-regulatory environment that maintains the flexibility needed for rapid innovation and experimentation with welfare-enhancing business models. Broadband providers should not face steeper burdens for implementing advertising than already exist."
Except not. One, broadband is notably different from Apple and Google because telecom operators hold a monopoly over the last mile. Whereas an Apple smartphone customer annoyed at Apple's privacy policies can migrate to Android, or a Google search customer can pick a new engine, most broadband customers don't have a real choice of providers. Meanwhile, the FTC has proven all but useless in telecom privacy enforcement, and the self-regulatory approach has worked about as well in telecom as it has in the banking industry thanks to generations of cronyism and dysfunction.
For years, Verizon repeatedly stated that more meaningful privacy protections weren't necessary for broadband providers because "public shame" would keep the company honest. Verizon-owned AOL recently parroted that idea when it insisted "the market" would keep companies on their best behavior. How does that actually work in practice? As we've seen with Verizon's "zombie cookies," not at all.
In fact, it took months for security researchers to even realize that Verizon was embedding user wireless packets with stealth tracking technology. It took another six months of public pressure before Verizon even gave users the option to opt out. The self-regulatory approach just doesn't work in telecom. What we get in reality are companies like AT&T that are now charging broadband users a $60 premium if they want to opt out of invasive snoopvertising, then calling that innovation.
Alongside the ITIF report, the industry is pushing a second report this week (pdf), funded by telecom-industry lobbying group "Broadband for America." While most people familiar with sockpuppetry and astroturf will disregard these reports as the conflicted proxy musings of the telecom industry, the press usually isn't so savvy. In fact, ReCode ran an article on the study with a headline informing readers that ISPs know "less than you might think" about them, and an opening paragraph claiming ISPs "have limited access to consumer data." Only in a later update at the bottom of the story did ReCode disclose the study was funded by AT&T, Comcast and Verizon.
It's clear the broadband industry is now engaged in a full court press to derail rules that might take a small bite out of billions in user-tracking revenues. And in typical telecom-industry fashion, that involves creating a sound wall of fauxcademics, fake consumer advocates, third-party consultants and other mouthpieces who will be spending the next six months informing you that ISPs are utter angels when it comes to respecting and protecting consumer privacy, and that the status quo (read: no real privacy protections whatsoever) is good enough.
Filed Under: broadband, fcc, privacy, studies
Companies: itif
Reader Comments
Just as with advertising, I want them to have as little data as possible because once it is on the net, you can't claw it back. No one asked me if I wanted to be part of this, instead I find various groups doing everything they can to protect their extra income streams by making false claims about how it doesn't matter or apply. Anything but actually taking up the topic and addressing it in a reasonable manner on the issues. Misdirection being the theme of the day.
[ link to this | view in chronology ]
Re:
The problem is the company executives and politicians only give a damn about maximising their incomes or campaign donations.
[ link to this | view in chronology ]
Re:
Context is everything ... do you mean no one in a position to do something about it? - or do you mean absolutely no one anywhere? Because the latter is obviously incorrect.
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
users don't need things
[ link to this | view in chronology ]
Re: users don't need things
[ link to this | view in chronology ]
My bank's security is a joke, the saving grace is that I am known by face. Every brokerage is a laughingstock that depends upon ignorance rather than safety.
[ link to this | view in chronology ]
An interesting aside
[ link to this | view in chronology ]
Re: An interesting aside
[ link to this | view in chronology ]
Re:
As in...*I* will not misuse or sell your data to third party advertisers. Yes the guy at the door won't but AT&T will sell every fucking thing you do, including bank access/passwords/security info to whoever wants it.
AT&T has for YEARS sold all sorts of info to China, Russia and basically any shady asshole that wants to get into the scamming business.
[ link to this | view in chronology ]
Benefits
[ link to this | view in chronology ]
Re: Benefits
The benefit to you is - the enjoyment you get from giving them all your hard earned money is seeing how much they enjoy the opulence they have become accustomed to. This coupled with the disdain they have for their "customers" is really all you need in life, they know how to spend your money better than you do.
[ link to this | view in chronology ]
I read the section in the linked article as well, and this is not accurate. You are generally stuck with whatever is configured for a resolver address at the VPN server.
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
Re: Re:
I've seen a lot of this, people complaining that they are not using such and such resolver (especially OpenDNS if they use the domain filtering and suddenly it isn't working) and why is this happening? Turns out they are using a VPN if it isn't the ISP hijacking their requests or they seriously didn't configure things correctly.
[ link to this | view in chronology ]
Let's Encrypt
* the less my ISP knows about what I'm doing
* the less they can deeply inspect my packets
* the less they can inject zombie super cookies
* the less they can inject unwanted ads
* the less they can inject unwanted javascript (aka malware)
Encrypting web traffic is probably as much about protecting oneself from their own ISP as it is from the NSA.
[ link to this | view in chronology ]
Re: Let's Encrypt
The proper security mindset is to assume that anything that you don't have direct physical control over is actively malicious in nature (and the things you do have physical control over are viewed with a suspicious eye).
[ link to this | view in chronology ]
Re: Let's Encrypt
Because using encryption = you are a terrorist, ergo you HAVE murdered people via explosives, therefore you must die.
case proven. the defence rests (and seals everything under National Security)
[ link to this | view in chronology ]
This is a layer 3 or layer 4 problem.
IMHO:
The fix is re-engineering something like DNS to run at layer 3, with some native cryptographic signature features, adding at least one bit to the layer 4 header to allow end users to designate that they "reserve all rights without prejudice" on every single datagram, and to implement those features in an open source replacement for Berkeley Sockets, or whatever has since replaced it in the kernel.
What is happening instead, is the cable cabal is aligning with their neighbors over at the wintel alliance, and building networks around an end-node distribution model using teredo. Effectively this forks the whole Internet. The move towards "competitive markets for cable boxes" is nothing more than a marketing move. If the Internet is a "box" in the consumer's mind, it isn't a community, speech or a civil right. They don't want you to interface with your computer, they want you to interface with a box, because they can CONTROL the box.
What about TOR? TOR is not a solution. It is a symptom of the larger problem: TCP is deprecated. Which is also a smaller problem, considering that protocol code is TINY compared to application code.
So what fixes this? Again, a drop in replacement for the system protocol stack that's what. What doesn't fix this? Anything currently being flogged by any of the big players.
Network engineers need to start looking at the law as a loadable module. It is no different than calling into C from python, perl or ruby. But YOU DO have to read the code, and implement references to the respective methods.
In a nutshell the software license for the new protocols has to say something like: "If you run this code you agree that if bit position N is true during transmission, it designates that the transmitting party reserves all of their rights without prejudice. This convention must cascade to all derived works, or any technology using this protocol."
That simple phrase, or something like it, is all that is needed to facilitate the 1st, and 4th amendments across the Internet in a way the cabal can do nothing about. It is a nail on which to hang litigation.
After 20 years of Internet, we still haven't standardized a simple mechanism for citizens to DECLARE a reservation of their civil rights. This can be attributed to ignorance or arrogance on the part of Internet architects, and to bad civics teachers everywhere. "certain unalienable rights" was not law, it was a part of a hate mail letter.
Internet is layer 3. A consumer SHOULD be able to pass ANY conforming datagram over it. If this is still the case, then really ANYONE could do this. If my C was good enough I'd have done it years ago.
[ link to this | view in chronology ]
Re: This is a layer 3 or layer 4 problem.
IMHO, the essential problem is that security was not a design goal for TCP/IP in the first place (survivability was the focus instead). All security mechanisms available are effectively "aftermarket add-ons" a/k/a "bags on the side" a/k/a "elegant hacks".
In an ideal world, the entire system would be redesigned with security as one of the goals. But, unfortunately, we don't live in an ideal world.
[ link to this | view in chronology ]