No, You Can't Buy Congress's Internet Data, Or Anyone Else's
from the this-won't-fix-piracy dept
In the wake of yesterday's unfortunate Congressional vote to kill broadband privacy protections (which had only just been put in place a few months ago, and hadn't yet taken effect) we've been seeing a lot of... bad ideas. People are rightfully angry and upset about this. The privacy protections were fairly simple, and would have been helpful in stopping truly egregious behavior by some dominant ISPs who have few competitors, and thus little reason to treat people right. But misleading and misinforming people isn't helpful either.
The story that's getting the most attention and seems to be going viral (or at least on the verge) is this GoFundMe campaign set up by Misha Collins to buy and release Congress's internet data:
Congress recently voted to strip Americans of their privacy rights by voting for SJR34, a resolution that allows Internet Service Providers to collect, and sell your sensitive data without your consent or knowledge. Since Congress has made our privacy a commodity, let’s band together to buy THEIR privacy.
This GoFundMe will pay to purchase the data of every Congressperson who voted for SJR34 and to make it publicly available.
PS: No, we won't "doxx" people. We will not share information that will impact the safety & security of their families (such as personal addresses). However, all other details are fair game. It says so right in the resolution that they voted to approve.
Game on, Congress.
As I type this, the campaign is rapidly approaching $30,000 raised (though it claims it has a $500 million goal). The campaign also promises that any leftover money will go to the ACLU — and I love the ACLU, but I'd argue that other organizations were much more involved in this particular fight than they were, so that's an odd choice). Update: Turns out this isn't the only such campaign. There's another one here that has raised even more and doesn't say what it will do with the money if it can't buy the data.
But here's the real problem: you can't buy Congress' internet data. You can't buy my internet data. You can't buy your internet data. That's not how this works. It's a common misconception. We even saw this in Congress four years ago, where Rep. Louis Gohmert went on a smug but totally ignorant rant, asking why Google won't sell the government all the data it has on people. As we explained at the time, that's not how it works*. Advertisers aren't buying your browsing data, and ISPs and other internet companies aren't selling your data in a neat little package. It doesn't help anyone to blatantly misrepresent what's going on.
When ISPs or online services have your data and "sell" it, it doesn't mean that you can go to, say, AT&T and offer to buy "all of Louis Gohmert's browsing history." Instead, what happens is that these companies collect that data for themselves and then sell targeting. That is, when Gohmert goes to visit his favorite publication, that website will cast out to various marketplaces for bids on what ads to show. Thanks to information tracking, it may throw up some demographic and interest data to the marketplace. So, it may say that it has a page being viewed by a male from Texas, who was recently visiting webpages about boardgames and cow farming (to randomly choose some items). Then, from that marketplace, some advertisers' computerized algorithms will more or less say "well, I'm selling boardgames about cows in Texas, and therefore, this person's attention is worth 1/10th of a penny more to me than some other company that's selling boardgames about moose." And then the webpage will display the ad about cow boardgames. All this happens in a split second, before the page has fully loaded.
At no point does the ad exchange or any of the advertisers know that this is "Louis Gohmert, Congressional Rep." Nor do they get any other info. They just know that if they are willing to spend the required amount to get the ad shown via the marketplace bidding mechanism, it will show up in front of someone who is somewhat more likely to be interested in the content.
That's it.
* Amusingly, Rep. Gohmert voted to repeal the privacy protections, which makes no sense if he actually believed what he was saying in that hearing a few years ago...
Now, what is true is that it's still a bad thing to have companies holding this much data about our private internet usage. And there are real privacy risks of data leaking, and potentially then being tied back to individuals, because it's basically impossible to anonymize that kind of data entirely. But no one is out there "selling your browsing history" in a way that someone else can go buy it.
I know that some people don't care about this distinction, and even some people I know and trust are cheering on this crowdfunding campaign, at the very least to try to make a point about how Congress is voting against their own privacy in favor of some of their largest campaign donors. And that point is not wrong. But if we continue to push this myth that companies are selling direct dossiers on each individual surfer, people will start believing other wrong and misleading stuff, and that makes it more difficult to tackle the actual problems here.
And that's not the only kind of myth we've seen. We've already talked about people now falsely believing that VPNs are a solution here (they are not, and at best might solve some small problems while creating others). But then you have MSNBC, with a TV news correspondent (who you'd think would know better) tweeting out complete nonsense, telling people to "delete" their browsing history hourly:
That's just... embarrassingly uninformed, to the same level as the people insisting you can walk up to Comcast or AT&T and buy Louis Gohmert's browsing history (or, for that matter, Louis Gohmert's belief that the government can just buy advertising data to find terrorists).
We don't solve problems by misrepresenting what the real scenario is. It's true that ISPs have way too much power over these markets, and they can see and collect a ton of information on you which can absolutely be misused in privacy-damaging ways. But let's at least be honest about how it's happening and what it means. That's the only way we're going to see real solutions to these issues.
Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.
Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.
While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.
–The Techdirt Team
Filed Under: ad exchanges, congress, internet ads, marketplaces, privacy, real time buying
Reader Comments
Subscribe: RSS
View by: Time | Thread
Oddly Specific
Since you don't specify, we just will assume that you randomly chose these items from your browser history. Using a Tor exit node in Texas.
[ link to this | view in chronology ]
I donated
I gave $10 just because.
I'll probably give some to the EFF asking to target this issue.
Congresskritters are scum.
[ link to this | view in chronology ]
Re: I donated
Really? What law would make that illegal?
[ link to this | view in chronology ]
Re: Re: I donated
[ link to this | view in chronology ]
Re: Re: I donated
A marketable format would probably be a readable format. That readable format then becomes content based information, rather than code-based-metadata.
'Content' enjoys a number of protections, including the IV Amendment. Federal law prohibits many forms of content acquisition, e.g.: wire-tapping, electronic eavesdropping, surreptitious recording, and digital interception. You can’t gather the content of someone’s private communications without consent or a warrant based on probable cause.
'Metadata' protections are more ambiguous, as the term is more vague. Regardless of how it is may be defined, it is not 'content'. If metadata is gotten by an unauthorized access, that would violate the Stored Communications Act (SCA) (18 U.S.C. § 2701 et seq.).
So who owns 'my' metadata and browsing-patterns?
Better read the Terms & Conditions of Use (for EVERY website you visit and EVERY App you apply), to see what you've waived.
[ link to this | view in chronology ]
Re: Re: I donated
47 U.S. Code § 551, which houses the Protection of subscriber privacy provisions as enacted in The Cable Communications Policy Act of 1984.
https://www.law.cornell.edu/uscode/text/47/551
[ link to this | view in chronology ]
Re: Re: Re: I donated
[ link to this | view in chronology ]
Re: I donated
[ link to this | view in chronology ]
Re: Re: I donated
I am sure that somewhere along the line people are going to find ways to embarrass the people who have been bribed to let this bill pass.
And there is always the hacking that be used to get browsing data as it is not illegal yet.
[ link to this | view in chronology ]
Re: I donated
[ link to this | view in chronology ]
Oh, it's all okay. Because power-mad politicians, rabid "law enforcement", greedy corporations, malicious nerds, or the evil ??AAs, won't ever go further.
[ link to this | view in chronology ]
Oh, it's all okay. Because power-mad politicians, rabid "law enforcement", greedy corporations, malicious nerds, or the evil ??AAs, won't ever go further.
[ link to this | view in chronology ]
Here's Masnick yet again as ever assuring us that THIS step is minor, ignoring that all lead to complete lack of privacy.
[ link to this | view in chronology ]
Re: Here's Masnick yet again as ever assuring us that THIS step is minor, ignoring that all lead to complete lack of privacy.
[ link to this | view in chronology ]
You can't buy it
Qrid pro quo.
[ link to this | view in chronology ]
I laugh at their feeble attempts.
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
Re: Re:
[ link to this | view in chronology ]
Re: Javascript
[ link to this | view in chronology ]
Why not?
We can't purchase anything from an ISP unless it is willing to sell it, but what's to stop the ISP from acting as a man-in-the-middle and scooping up all communications from a given IP addy?
What is to prevent the ISP from, then, compiling a dossier on its location, and the users that connect to and from that ISP, including reading anything that it can decrypt,much the way the NSA uses only metadata?
Google has everything about me in its database. Google's policy stops it from using that data to dox me or stalk me. According to Google's policy, they'll defend my from government access except as required by a warrant or due process. And they sell analyses of data that includes my data, without ever mentioning me specifically.
But without the limitations of this policy, a Google agent could determine what I read on the potty and what I think about when I masturbate.
Comcast (a monopoly in my town) doesn't have these policies. What stops them from selling an extensive dossier of me to whoever wants it?
[ link to this | view in chronology ]
Re: Why not?
[ link to this | view in chronology ]
Re: Why not?
OTOH, there's nothing to stop Google from doing it either with your search history. They might not have your name and address, but they'll have your (generally identifiable) hardware/browser configuration.
[ link to this | view in chronology ]
Why Google won't
The difference is that I can personally stop using Google and there are competitors to the services Google provides. That way, they have a strong motivation to play nice with the data of mine they sell (e.g. not even anonymizing my profile, but actually only selling analyses of bulk data that includes my profile.)
But I (now) live in a Comcast monopoly zone. If I don't use Comcast, I don't use the internet.
So they have zero motivations to be nice regarding my personal and private date.
[ link to this | view in chronology ]
Re: Why Google won't
It's not easy though. You won't be able to post on some web sites, because they use Recaptcha which is a Google service. You'd have to block all Google-owned ad servers—you'd probably want to do anyway, but it would be easy to miss one. Google Analytics, of course, needs to be blocked; I think disabling JS will do it. You have to be careful when using a search box on a web site, because many of them redirect these site-local searches to Google. The people you communicate with might be using Gmail, with or without a gmail.com address. You'd have to avoid anything running on Google's cloud service, and I don't know how to even check that...
Avoiding Google is about as practical as using satellite internet, which is an option for you. Some terrible (capped) cellular service might be available too. Dialup still exists; an unlimited services would give you about 15 GB a month for $25 plus the cost of a landline.
[ link to this | view in chronology ]
Leaving Google isn't easy.
Well, I was referring to Google's direct services, such as search, email, calendar, contacts, etc. al.
As for evading their advertising tags, I started using NoScript a few years ago after a Chinese phisher got me and shanghaied my browser. After that debacle, I've become careful to the point of paranoid what kind of scripts I let the system run, sometimes to the point of just not using websites if its resources are too complex to untangle.
That said, few websites require googletagservices or the other auxiliary Google-related sites, so for they degree Google does track me, it works for it.
Not that this helps anyone else. I don't really recommend going as paranoid as I have. But also my web-browsing sometimes takes me to some pretty exotic places.
[ link to this | view in chronology ]
Re: Leaving Google isn't easy.
[ link to this | view in chronology ]
Re: Why Google won't
Oh boo-hoo. If you don't like your ISP, move somewhere else! Don't be such a cry-baby!
/s
[ link to this | view in chronology ]
We actually don't know what the ISPs will do. They may sell targeted ads using their own delivery network to inject HTML. Or they may connect with existing ad trackers. They may sell data that can be de-anonymized to data companies (eg, one email from someone may give you their IP which may allow you to pick out their data from an "anonymous" collection). Or they may actually sell people's browsing history *by name* to data agregators.
So, if you want to dispel misinformation about this don't add more of your own to the mix.
[ link to this | view in chronology ]
[ link to this | view in chronology ]
Why?
Is that because there's a privacy law stopping them, or just because they've chosen not to--maybe because they think it's less profitable or that users would revolt. If it's a choice, they can always change their mind, maybe given the right price.
Anyway, it's only been a day or two since the rules changed. So of course they're not doing it right now.
[ link to this | view in chronology ]
Re: Why?
[ link to this | view in chronology ]
Re: Re: Why?
[ link to this | view in chronology ]
[ link to this | view in chronology ]
Using a VPN absolutely creates new problems, and merely kicks others down the road (you're now trusting your VPN not to sell the same data that you don't trust your ISP not to sell). But I disagree with the argument that they "at best might solve some small problems".
The specific problem we're talking about here is my ISP retaining data on my Internet usage, and, potentially, selling that data to advertisers. A decent VPN vastly decreases the amount of information my ISP is able to retain on me. At best, the VPN does not retain my browsing history either. That sounds like more than a small problem solved to me.
[ link to this | view in chronology ]
Response to: Thad on Mar 29th, 2017 @ 3:20pm
There is ample competition in the VPN marketplace, there are reputable organizations vetting how they work, and you can, in fact, vote with you wallet.
With a properly functional VPN, the only thing your ISP would be able to see is THAT you connected to the VPN. They wouldn't be able to see what you did over it. And even in the case of a tagging technique like Verizon was using, that tag would be outside the SSL/IPSEC protected channel (it would break the packet authentication, otherwise), so it would not survive into the plaintext traffic exiting the VPN node on the other end.
Obviously,a leaky VPN doesn't do anyone any good.
The big deal with ISPs is that to them, you aren't simply a demographic. The ISP has the goods to bridge the gap between you as a demographic, and you as a specific human (OK, account holder) with a social security number and a functional bank account, a physical address, a telephone number and a name.
Just because the WEB advertising market isn't currently trading in these details (that we know of), it does not mean that there ISN'T a market for them. Or that the web ad business wouldn't jump at the chance to be able to send you physical marketing (like, you know... Postal SPAM).
...Or that the people wanting to buy these details are even as legitimate as the shadiest purveyor of online ads. We know, for certain, that the big ISPs already go out of their way to help third parties screw over their phone customers (what with the AT&T cramming debacle and all) if there's money to be made.
[ link to this | view in chronology ]
Re: Response to: Thad on Mar 29th, 2017 @ 3:20pm
It also sees when you connect to the VPN, and how much data you send and receive. Those details are enough to make certain assumptions about when you're home and awake (you could mitigate that by adding noise -- say, seed a bunch of popular Linux distro torrents -- but they're still probably going to notice things like, say, your connection always using heavy bandwidth at 6 PM when you get home from work and turn on Netflix. Unless you saturate your connection all the time, in which case you're probably going to get a stern warning about your bandwidth use). Plus, the mere fact that you're using a VPN suggests certain things about you (you're technically inclined and politically informed).
Still, while they can do certain things to build a profile on you if you use a VPN, it'll be a much less detailed profile than if they could actually monitor what sites you were visiting.
[ link to this | view in chronology ]
Re: Response to: Thad on Mar 29th, 2017 @ 3:20pm
[ link to this | view in chronology ]
Yes, you can buy Internet (browsing or other) data
Where's it coming from? How's it being acquired? Sellers are invariably silent but in some cases it's not hard to figure out. The more interesting question is whether this is being done officially by ISPs (and then sold under the table by employees who know a cash cow when they see one) or whether the instrumentation necessary to collect it has been installed by rogue engineers without the knowledge of company management. (The average CEO with a McDegree like an MBA couldn't possibly find this stuff: it's way beyond their pitiful technical skills.)
So don't make the mistake of presuming that just because YOU don't know where to buy this data that it can't be bought. There is always someone willing to pay.
[ link to this | view in chronology ]
But we could buy ads targeted at congress
[ link to this | view in chronology ]
Re: But we could buy ads targeted at congress
And assuming the ISP gave the ad-purchaser feedback on if the ad got any views, you could very well track what websites they visited.
[ link to this | view in chronology ]
Get a Clue, Masnick
[ link to this | view in chronology ]
Re: Get a Clue, Masnick
Think about the amount of posting you do. Think about the reasons people may have more than one email account (even if they don't use them). What about prolific posters? If you're going to sell stuff you need a buyer. Who is going to pay for Wendy Cockcroft's internet history? Is there enough data in there to even get your money back?
This is why they use trends rather than individual bits of data — there's too much info to sift through.
[ link to this | view in chronology ]
[ link to this | view in chronology ]
The way it works
[ link to this | view in chronology ]
[ link to this | view in chronology ]
[ link to this | view in chronology ]
[ link to this | view in chronology ]
But could they?
[ link to this | view in chronology ]
meta-data
[ link to this | view in chronology ]
[ link to this | view in chronology ]
"I know that some people don't care about this distinction..."
You Sir, are correct.
...and the reason we don't care is that the distinction between 'what they currently do' and 'what they could do if they ever decide to', is so technically infinitesimally small, it becomes irrelevant to the conversation surrounding the serious potential for abuse that is almost guaranteed to eventually occur.
It's distinctions like yours that are the real distraction from the crux of the issue. That crux being, if we allow this sort of data to be collected in the first place (esp., with near zero protection under the law and never any meaningful consequences to the data rapists), it will eventually result in ever increasing, massive/systemic abuses of the public good. And when you make such distinctions, you only serve to move the conversation further away from the point.
[ link to this | view in chronology ]
Targeting
Two years ago, my son was one of the most sought after high-school students in the country by a number of elite academic institutions. He received so-called "likely letters", phone calls and free plane tickets from Ivy League and other top-tier schools who were hoping he would choose their university.
As you might expect, my son generally has not had much time to watch TV, but he did have a couple of TV shows that he would catch up on when he had the time -- usually at late hours on a weekend evening. About 3-4 days after he received a likely letter from Duke University, he and I happened to watch an episode of Grimm. During a commercial break at 12:30AM on a Friday night, lo and behold-- a television ad for Duke University. I'm sorry, but Duke just is not a normal sponsor of Grimm, and I guarantee that our neighbors were not getting Duke University advertisements on TV. Even within our family, other family members did not see a single Duke ad when they were watching TV. That ad was targeted directly at him. It implied that Duke was able to determine who our ISP was (Comcast), and then Comcast could offer them the ability to display an ad during the specific show that he would most probably watch. Note that they were able to do this even though we do not have a smart-TV that would have helped them determine which family member was in the room when the TV was on. Perhaps they are able to correlate precision cell-phone location data with their cable-box data.
I have to say, that ad felt just a little bit creepy and uncomfortable. We didn't like it.
So you say that ISP's don't sell specific individual's media consumption information, and to that I would say:
1) What is your evidence to back that statement up? For all we know, given the right price, ISP's may indeed do exactly that and;
2) Even if they don't sell that information, but just keep it to themselves and use it to act as consultants for would-be advertisers, what is the practical difference? In our case it felt invasive, regardless of how it was accomplished.
[ link to this | view in chronology ]
Re: Targeting
This is down to their algorithms picking up on keywords as Mike describe.
[ link to this | view in chronology ]
But my ISP is Comcast.
Considering how hamfisted they are, and how miserably they run their network stack just so they can charge customers for DDoS traffic, they will screw this up. Initially, then someone will fix that and Comcast customers will be fucked.
Of course, it is so much easier to do this if there are laws that *force* them to. Which is exactly how Comcast will read this.
[ link to this | view in chronology ]
Shhhhhh ! ! !
Correct, but does Congress know that? Not likely! And the thought of THEIR browser histories being sold might have caused them to reverse themselves.
Too late now, I suppose...
[ link to this | view in chronology ]
Re: Shhhhhh ! ! !
Let's face it, all we have to do is fool some Congressional representatives. Pretty low bar, right there.
[ link to this | view in chronology ]
Tracking on swedish government offices and browsing
Look at Creeper, it was created in the wake of the EU Data retention directive. It tracks IP's of Swedish government offices using images for tracking on several sites as to remind government about the effects of data-retention. This could of course be combined with cookies to gather several locations of government employees and target groups specifically. Any US projects like this?
http://www.gnuheter.com/creeper/senaste
There are several data hoarders that work in a similar fashion to source tracking and they profile employees combined with home, airport, and library IPs or other stops as daily routines. Telcos would do well here in tracking companies for direct marketing.
Google masks the last byte of the client IP in its Ad-exchange but others don't. Even without exact IPs, the Ad-tech cookie can be bound to the ad-exchange-cookie to get direct hits by way of redirecting the tracking-image one more step once a new targeting pixel is triggered and source-matched.
Senators must be seeing this already.
[ link to this | view in chronology ]
But!
Oh, and VPN, private? When did I read it was the after, 2012 or earlier?
[ link to this | view in chronology ]
More please
[ link to this | view in chronology ]
What You CAN Do Is Set By the Law
But what you can do is set by law and technical limitations, and now there is neither limit in tech or law to stop ISP's from personally selling web browsing history. Maybe they'll be reluctant to do so and it would be more expensive, maybe you'd have to request the IP address of someone's home rather than their name, but it can happen. ISP's are not bound by how this data has been used by browsers and websites using cookies in the past, they're bound by law, and the law preventing sale of browsing history just went out the window
[ link to this | view in chronology ]
I think there's a larger problem
Which version will most people read?
A) "Congress will allow ISP's to sell your data".
B) "But here's the real problem: you can't buy Congress' internet data. You can't buy my internet data. You can't buy your internet data.
[Three paragraphs of explanation about the inner workings of Google AdWords.]
That's it."
Or, more importantly, which version will the local news station broadcast? I guarantee it's some form of "Congress wants to sell your data. Tonight at 11:00".
[ link to this | view in chronology ]
It might not be cheap (yet)...
[ link to this | view in chronology ]
Been happening in Australia for ages...
They purchase all the data from all the main datacentres in Australia then put it all into a giant database and as a customer you bbuy access to categories.
Then what you can do is figure out how well your sites does compared to others based on criteria. Mostly useful for figuring out where to spend ad dollars or how you are doing with keywords etc. Obviously not restricted to jsut your site - however that is usually why you subscribe to the data feed to use the information to make more money for your company as it is pretty expensive.
Too bad I have forgotten the name of the company, people here probably know what I'm talking about though...
[ link to this | view in chronology ]
[ link to this | view in chronology ]
Although it may not mean that they're selling data on "John Doe" to other companies, but they're still selling his data...they just don't put a name on it. So it's not as bad, but still pretty bad.
Plus, ISPs alreayd get paid. They shouldn't be allowed to mine your data, unless they plan to offer their services for free.
[ link to this | view in chronology ]
Privacy law
So now an isp could sell your internet usage data if they want and it would be legal.
They may and probably will get sued, hopefully out of business, if they do that but it's allowed.
We need to create a gofundme site to fund the lawsuit to block the law. Tie it up in the courts for years and it won't take affect until a democratic pres/congress can undo it.
[ link to this | view in chronology ]