AT&T Charging Customers to Not Spy on Them

AT&T is charging a premium for gigabit Internet service without surveillance:

The tracking and ad targeting associated with the gigabit service cannot be avoided using browser privacy settings: as AT&T explained, the program "works independently of your browser's privacy settings regarding cookies, do-not-track and private browsing." In other words, AT&T is performing deep packet inspection, a controversial practice through which internet service providers, by virtue of their privileged position, monitor all the internet traffic of their subscribers and collect data on the content of those communications.

What if customers do not want to be spied on by their internet service providers? AT&T allows gigabit service subscribers to opt out -- for a $29 fee per month.

I have mixed feelings about this. On one hand, AT&T is forgoing revenue by not spying on its customers, and it's reasonable to charge them for that lost revenue. On the other hand, this sort of thing means that privacy becomes a luxury good. In general, I prefer to conceptualize privacy as a right to be respected and not a commodity to be bought and sold.

EDITED TO ADD: It's actually even more expensive.

Posted on February 24, 2015 at 6:33 AM • 90 Comments

Comments

Bob S.February 24, 2015 7:23 AM

It would seem the major telecommunications corporations are acting as subordinate government agencies, doing their bidding, (or vice versa). It any case it seems the corporate-military coalition has coalesced to dominate and control not only the individual citizens of the USA, but the entire world.

And, we get to pay for the privilege of having our basic human rights denied, or in this case having to buy them back. (But, are they really NOT monitoring your every key stroke? We'll never know.)

Bruce, no offense, but when you say, "I have mixed feelings about this" it scares me. I am hoping you will take a side, the right side, without reserve.

MikeFebruary 24, 2015 7:36 AM

Does the privacy fee mean that they won't use the data collected? (Not very private) That they won't collect it? (a little more private, but it could still get inspected) Or that they will disable inspection? The last one would be worth the price.

DrfFebruary 24, 2015 7:37 AM

To be honest as much as I would like to have privacy as a right as opposed to commodity/privilege, the realist in me thinks this is most likely the best we can hope for. The fact that they promise not to do it also seems to imply they might possibly have processes in places that ensure they don't do it, which might make it harder for all kinds of third parties to access that data (NSA, FBI, BSI, GCHQ, your local Target or your next door neighbor). Probably not much harder but somewhat harder. It's much easier to say "We can't give you this data because he opted out so we make sure not to collect it, see pg. XYZ of our internal ISMS policies and the corresponding technical documentation explaining the implementation."

This might be too optimistic, but I doubt it's more optimistic then hoping that regulation will develop and then ensure that our privacy is protected.

markFebruary 24, 2015 7:40 AM

Hopefully, HTTP 2 will put an end to this thanks to required encryption. We no longer want a web of middle-men.

jay bFebruary 24, 2015 7:45 AM

And still, don't you have to just trust them? Feels like I'm paying $29/mo for a rock that keeps tigers away.

Snarki, child of LokiFebruary 24, 2015 7:48 AM

In the current political/economic environment, privacy is likely to be better protected as a "property right" than a "civil right".

So the next question is: who owns the data? If it is things like "what websites you visit, what phone#s you call", it seems clear that the CUSTOMER has an ownership interest...perhaps not 100%, but certainly not less than 50%. Not unlike an author's rights to their creations.

So what AT&T is doing is STEALING from their customers, and having the gall to charge them for not stealing (as much). There are plenty of people that would gladly sign away their privacy for a paltry sum, so what? That doesn't make the theft acceptable.

keinerFebruary 24, 2015 7:51 AM

@jay b

Exactly the reason why this product is BS and should be prohibited by law. They sell you an expensive bottle of air, without any lock...

Capitalism and its monetization of everything will come to an end soon, hopefully...

SoWhatDidYouExpectFebruary 24, 2015 7:56 AM

"In general, I prefer to conceptualize privacy as a right to be respected and not a commodity to be bought and sold."

Replace "prefer to conceptualize" with "DEMAND".

My take...

"I DEMAND privacy as a right to be respected and not a commodity to be bought and sold."

David MFebruary 24, 2015 7:59 AM

Problem with the promise of "no tracking" is the definition that they will use for no tracking.

In my mind, no tracking means absolutely zero tracking. I visit a web page, 5 seconds after I finish the visit AT&T erases anything and everything about my visit, even the fact that I visited at all.

I'm sure AT&T doesn't look at it this way. So unless the user can define what "no tracking" means, there's probably no real difference than what it currently is. So we end up paying for what AT&T already does. The only difference would be that you don't see an ad.

In my mind, that is not "no tracking".

LeeFebruary 24, 2015 8:13 AM

Sure, opt out of your agreement with Edward Teach. Just don't turn your back, and stay away from the gunwales. Really folks, can you all suspend your disbelief in this case? Where's twinkle?

JohnFebruary 24, 2015 8:22 AM

Did you take crazy pills, Bruce? "Forgoing revenue"? AT&T is ALREADY CHARGING customers for their internet service. Stop by my gas station on your way home. I charge $2.25/gallon for gas that is not flammable, $9/gallon for gas that is pretty flammable, and $17/gallon for "Premium Combustible" gas.

HermanFebruary 24, 2015 8:26 AM

And why would one trust AT&T to actually do anything after taking your $29 bribe?

I think the only solution is a user level anonymizer/scrambler/obfuscater/faker/steganographer that makes your data stream useless for analysis.

Tim GFebruary 24, 2015 8:27 AM

It comes down to a lot more than $29/mo if you bundle TV with your Internet service.

$120 (TV and Internet opting in for AT&T Internet preferences)

$149 (TV and Internet w/o AT&T Internet prefereces)
+$7/mo equipment fee
+$10/mo HD service
+$16/mo HBO and HBO Go
+$49 activation fee

= $29 + $7 + $10 + $16 = $62/mo

LeeFebruary 24, 2015 8:38 AM

@Herman "I think the only solution is a user level anon..../scrambler.../..."

That's probably true. But, the only person I could trade steganography with is my mum. The guys at giigle, mywebmail, and the dullynews don't have the time to look at my perty pitchers.

Dr. I. Needtob AtheFebruary 24, 2015 8:42 AM

The Guardian article ends with "AT&T should be ashamed of itself for putting profit over privacy."

That bizarre statement illustrates a basic problem that we have with corporations: We've all bought into the Mitt Romney philosophy that "Corporations are people, my friend." To say a corporation should be ashamed of itself for its profit-oriented policies makes about as much sense as saying a shark ought to be ashamed of itself for eating all those fishes. That's who it is and that's what it does.

brandonFebruary 24, 2015 8:44 AM

I'm sorry but they are not "forgoing revenue" by not spying on me. That's about the craziest thing I've seen in a while. I pay for a service. I shouldn't have to pay more for that service to not watch, track and sell every move I make. I pay for the service - That IS THE REVENUE. There is not an secondary source of revenue from my account which I have to pay for the privilege of them not selling, monitoring or tracking.

"AT&T is forgoing revenue by not spying on its customers, and it's reasonable to charge them for that lost revenue" ... The more I read that the more it pisses me off. I am a customer. And clearly you've lost sight of the relationship one should have with their customer.

LeeFebruary 24, 2015 8:51 AM

If I bribe them, will they stop throttling my bitcoin? Actually, I don't know for certain that they're throttling it, any more than I know their proxies aren't run by Edward Teach's brother in law. BUT - the netgraphs sure look suspicious.

DaveFebruary 24, 2015 8:57 AM

@jay b

Not only do you have to trust AT&T to actually follow through on their agreement to not spy on you, I would expect this to have the exact opposite effect. I'd be very surprised if no FBI agent came to the conclusion that being on the customer list for that $29.99 do-not-spy service meant that someone was more likely to be involved in illegal activity compared to the millions posting cat pictures.

Yes, I know that refusing a search is not probable cause legally speaking, but at this point I doubt that would stop anyone in law enforcement from doing exactly this.

aikimarkFebruary 24, 2015 9:01 AM

AT&T are already being compensated for their services. They sacrificed their customers' privacy to earn a bonus on their regular/expected income.

FranciscoFebruary 24, 2015 9:04 AM

I don't understand how can one have mixed feelings about this.

On one hand, some dude is forgoing revenue by not making his wife become a prostitute. So maybe she should be more lenient towards his totally creepy yet completely legal peanut butter fetish as to compensate for the virtual loss. On the other hand, perhaps his wife does have a word to say about that line of work and his jerk future ex-husband.

Bruce Schneier is a Board member of the EFF. Can I still trust Privacy Badger now? Or is it having weird peanut butter dreams?

LeeFebruary 24, 2015 9:05 AM

@aikimark:

Reminds me of the banks in the third world that apply negative interest rates to your account.

JD BertronFebruary 24, 2015 9:21 AM

Obviously Bruce didn't see this line of reasoning:
His comment, that with this system, privacy becomes a luxury good is mistaken. It doesn't 'become' a luxury good, it already is and has always been. What is different this time is that a company is actively charging for it. In a free Market, I could start my own Telecom and offer it for free, or I would offer you to preserve your political privacy over your religious privacy, but the FCC and other 3 letter government entities would make sure I can't.

BoppingAroundFebruary 24, 2015 9:22 AM

> On one hand, AT&T is forgoing revenue by not spying on its customers, and it's reasonable to charge them for that lost revenue.

I am forgoing revenue each day by not mugging people and not performing burglaries.
That's a dangerous line of thought. What it really means is that our rights are no more if they are treated like that.

mark,
> Hopefully, HTTP 2 will put an end to this thanks to required encryption. We no longer want a web of middle-men.
I am not sure about that. There was a controversial 'feature' introduced, called Explicit Trusted Proxy. It is essentially MitM.

That and what other posters have written about trust.

Scott L.February 24, 2015 9:44 AM

Schneier is right about AT&T forgoing lost revenue, but I think he's wrong to have mixed feelings about it. The data that AT&T collects is sold to advertising firms, and the proceeds of that sale effectively subsidize the costs of an AT&T cellphone plan. Advertisers generate the funds necessary for purchasing AT&T's information by building those costs into the prices of consumer goods, effectively diverting some of the cost of cellphone service to other areas of consumption. (So, for example, you'll pay more for your Gap jeans but less for your cellphone.) Subscribers opting out of data collection are paying for unsubsidized plans, so the higher costs make sense in that regard.

But this is no reason to have "mixed feelings" about the AT&T model. If AT&T did not sell any data, the real costs of cellphone service would be spread out evenly among all of AT&T's subscribers. I cannot say how much more each user would pay per month, but it would certainly not be $30. The issue isn't privacy becoming a luxury, it is about the role of advertising in redistributing the costs of consumption and driving the development of increasingly invasive data-collection techniques. If you're concerned about privacy, the system in which AT&T is operating and creating its pricing policies is the problem and something about which you cannot have mixed feelings.

LeeFebruary 24, 2015 9:46 AM

Bopping "What it really means is that our rights are no more..."

That would have been remarkable thirty years ago.

HTTP2 will be hijacked. Of course it will. One very popular radio talk show host is known for a brave fight for libertarian issues and for adherance to constitutional strictures. Only, this talk show host is soft on the telcom institutional spying infrastructure. The rationale given for this aberation relates to the idea that nobody is trustworthy and the network is hopelessly broken and insecure. "So," the talk show host asserts, "someone" HAS to look at every single thing deeply - including the good, the bad, and the ugly - to keep the nefarious ones at bay. Most security experts would doubt that. Wouldn't they?

This line of thinking puts the TSA in your bedroom. Francisco?

name.withheld.for.obvious.reasonsFebruary 24, 2015 9:52 AM

I assume that this is the type of technological development and innovation that would be quashed by regulating broadband under common carrier (Title II of the telecommunications act)?

bpowricFebruary 24, 2015 10:28 AM

How is this different from phone companies charging you for an unlisted number? You have to pay them to not do something...

GarrettFebruary 24, 2015 10:33 AM

I've got mixed feelings on this. The internet is public. If you went outside into a public forum and decided to speak and someone overheard you, this is not spying. If someone decided to yell louder than the person you were talking to and all you could hear was their yelling, they are effectively doing what ATT is doing. It is a dick move. I don't know if it is illegal or really considered spying. The internet is very much a public space.

Don't like ATT 'spying'? Encrypt your traffic. This will simply push us in the direction of encryption. This is likely a good thing.

LeeFebruary 24, 2015 10:34 AM

@name.withheld "...title II of the telecommunications act..."

The takeover by the FCC is an interesting event. Self governance on the internet has been akin to that of some republics whose main ag export is long yellow fruit. Yet, the FCC has the nasty habit of completely outlawing encryption use in some of the services it governs. It could mandate specific types of encryption. The PFS (DHE) suite that I'm using to connect to this site could be outlawed, or replaced by mandate with something more LEO friendly.

It's a wait and see situation. It probably has the effect of getting the telcos off the hook for ongoing interventions, as one poster said. I won't be surprised, no matter what transpires.

Robert.WalterFebruary 24, 2015 10:58 AM

I don't think any company's right to generate profits trumps my right to privacy.

The whole discussion is upside down when I have to pay for my privacy to be returned after already paying for a service.

The correct scenario is for the company to offer to pay me to let them intrude into my personal sphere.

That we actually discuss anything else is disgusting and shows how far we have, and even Bruce has, been swallowed into the rabbits hole.

Bob S.February 24, 2015 11:03 AM

The powers that be agree with Z.: Privacy is dead (as far as they are concerned.)

A logical response is: Encryption. They anticipated that, too.

There is a world wide ASSAULT on encryption being waged by the military-police arms of world governments to KILL IT DEAD, DEAD, DEAD!!!!!

Supposedly, NSA is in "negotiations" with major US players right now to make encryption transparent for the government....and somehow....only them....and the corporations of course.

Is this the beginning of...THE END?

TelcomDisgustFebruary 24, 2015 11:13 AM

Too bad there isn't a full-speed personal OpenSSL VPN out there - you could pay them and tell AT&T to stick it.

Unfortunately, all those services seem to cap out around 15-20 mpbs (I've tried).

LeeFebruary 24, 2015 11:26 AM

@Bob S. "Privacy is dead"

Only Mr. Schneier and a few others know if encryption is the answer. Probably very few others. All I know is that for three years I had my https encrypted emails read back to me by baristas in coffee shops. It really irritated me. Yes, they were usually trivial emails (Hi Mom, Hi Sis) etc. But nevermind the trivial or non trivial, I cannot subscribe to that abridgement of privacy. So, I started using DHE (non elliptical curve) cipher suites. Baristas have since been quiet. Nice.....

Clive RobinsonFebruary 24, 2015 11:36 AM

@ Dr. I. Needtob Athe,

Remember aside from it's very dodgy ownership that does major tax avoidence, the Guardian is a "European" company.

Under EU legislation you have the cute little expression of "Any person legal or natural", which gives equinimity under EU legislation for just about any registerd company, partnership, or limited liability partnership (the latter brought into law as requested by the "big four bean counters" and is now used for rather more criminal and imoral activity than honest and moral...).

albertFebruary 24, 2015 11:42 AM

AT&T is desperately trying to monetize every aspect of the Internet, just like everyone else: corporations, users, providers, TLAs, and "private" criminals.

They absolutely hate having to support their very expensive land-line infrastructure, and would drop it in a second if they could. Hence their lame attempt at increasing income.

As for their latest offering, the term 'snake oil' comes to mind, if one can imagine virtual snake oil that doesn't really exist. ESnakeOil?

The internet wasn't designed to be secure, and based on what I read here, cannot be made secure. There is no political will to change it, so it's not gonna happen. Maybe the corporatocracy might finally do something about it. They have the power, they just need to grow a pair.

Stop whining about advertising! Shut up! I shouldn't have to point this out, but I will anyway: Advertising exists to sell product, and a 'product' can be anything or anyone, or even an idea. What if the JBlowCo new widget doesn't sell, in spite of a massive ad campaign? Will they cut their losses and drop it? You can bet on it.

Vote with your wallet! It can be done. Gear your purchases away from the ones that are promoted through saturation ads. Don't buy anything advertised on search engines, or directed email.

Avoid MSM for 'news'. It's propaganda, and it's just a vehicle for advertising. What I'd really like to see is single-digit Congressional approval ratings, and a below 10% voter turnout in the next general election. Let the world know what we really think about this system. We're already a laughingstock on the world stage (even among the populations of our lap-dog cheerleader-politicos). Military power creates 'fear', not 'respect'. It's easy to make enemies, difficult to make friends.

Today, folks are literally addicted to social-media and texting (one of the most brilliant tele-scams ever). Psychologists and sociologists a are having a field day with this.

Everyone has a hand in my pocket...It's crowded in there....Where's my wallet?

...

Clive RobinsonFebruary 24, 2015 11:52 AM

@ Scott L.,

ds, effectively diverting some of the cost of cellphone service to other areas of consumption. (So, for example, you'll pay more for your Gap jeans but less for your cellphone.) Subscribers opting out of data collection are paying for unsubsidized plans so the higher costs make sense in that regard.

So when are AT&T giving the "paid for opt out" customers discount vouchers to purchase their GAP jeans?

The problem with the argument you present is that the paid for opt out customers are paying twice, once to opt out, and the second the advertising premium on the goods they buy.

In most places people would look on this as "extortion" or a "protection racket", thus AT&T are giving you the choice of "Pay us to not abuse you more" or "be abused" with the threat of "not get service" as the opt out.

KarstenFebruary 24, 2015 12:02 PM

"... lost revenue"?

This notion is plainly wrong. How can they loose something to which they never have been entitled to?

If this kind of "logic" comes into wide-spread use, then the mafia can sue $random_police_department for lost revenue due to the detention of some high ranking guy.

Note: "lost revenue" is only lost if it a) existed in the first place and b) was legally created.

AnuraFebruary 24, 2015 12:04 PM

@TelcomDisgust

Get something like Amazon AWS and install a VPN. You don't need a very powerful server for that. Hell, they even have a 12 month free trial. I wouldn't use it for stuff like Netflix/Hulu/other video services, just because it's a waste of bandwidth, but you can use it for your PC and phone data connection.

OFebruary 24, 2015 12:27 PM

I think you're wrong. This isn't about AT&T trying to meet expenses. This is about AT&T trying to gouge the customer for every last cent they can get. It's all about raking in as much additional profit as they can.

Plus wasn't this little plan floated for high-speed internet to compete with Google Fiber, with the pricing choice intended to insinuate that unlike with Google Fiber, you could opt out of spying with AT&T. From what I've heard, that's backfiring bigtime. People trust Google a lot more than they trust AT&T, and most believe AT&T will still spy via weasel contracts even after collecting their thirty pieces of silver. Anyone remember when these guys (AT&T) throttled their "unlimited" service in favor of customers who paid by the byte? How about when they paused wired internet rollout supposedly because of pending FCC rules changes, but in actuality it seems to have more to do with cellphone plans being so much more profitable. The list goes on and on.

These folks, after signing a deal with them, you want to count your fingers. And then your toes. And then your relatives.

http://yro.slashdot.org/story/15/02/17/0025237/att-to-match-google-fiber-in-kansas-city-charge-more-if-you-want-privacy

http://yro.slashdot.org/story/14/10/28/1759235/ftc-sues-att-for-throttling-unlimited-data-plan-customers-up-to-90

http://tech.slashdot.org/story/14/11/12/2150201/att-to-pause-gigabit-internet-rollout-until-net-neutrality-is-settled

http://tech.slashdot.org/story/14/04/22/1741241/atts-gigabit-smokescreen

http://yro.slashdot.org/story/14/10/08/1933201/att-to-repay-80-million-in-shady-phone-bill-charges

http://yro.slashdot.org/story/14/03/24/1847254/att-exec-calls-netflix-arrogant-for-expecting-net-neutrality

http://it-beta.slashdot.org/story/07/10/30/1415224/att-invents-surveillance-programming-language

Try searching google. There's a lot more stories out there.

LessThanObviousFebruary 24, 2015 12:41 PM

Good to know AT&T can be added to the list of companies I'd rather not do business with. Wasn't it AT&T that let the NSA secretly set up shop in San Francisco? Oh, yes it was https://en.wikipedia.org/wiki/Room_641A.

I'd say $29 per month now becomes the going rate for commercial high speed anonymizing web proxy and non-logging DNS services. I will never bribe any company to keep their nose out of my data. I'd rather give it to someone who is providing me a service, not a corporation engaging in extortion.

If they want to grant privacy and offer it as a service then I want something in writing stating that due to the nature of our contract I maintain a reasonable expectation of privacy and third party doctrine is expected not to apply. I would want that agreement to apply to both hosted email and DNS services and I would want them to provide an anonymous proxy service over an encrypted channel. If they did all that, it would be an actual service and not simply a digital protection racket.

A Nonny BunnyFebruary 24, 2015 12:59 PM

@Robert.Walter

I don't think any company's right to generate profits trumps my right to privacy.
It does if you use that company and you signed onto those terms of service.
Use another company.

The correct scenario is for the company to offer to pay me to let them intrude into my personal sphere.
That's just a cognitive illusion at work. You have the same choice between two service plans -- a cheap one where you get spied on, and an expensive one where you might not. Which one is considered "baseline" does not change the choices.


@Clive Robinson

The problem with the argument you present is that the paid for opt out customers are paying twice, once to opt out, and the second the advertising premium on the goods they buy.
That sounds to me more a problem with reality than with the argument.
You get to pay for the advertising costs regardless of whether the advertising reaches/targets you (and wouldn't you rather it didn't, anyway? Heck, just consider all the services where we get to pay to not see or hear advertising. And we still get to pay for that advertising as well.)

In most places people would look on this as "extortion" or a "protection racket"
I don't understand, are people in America forced to use AT&T? Are there no other providers servicing those areas? Otherwise I don't see how it can qualify as "extortion" or a "protection racket". It's not extortion if you can just tell them to sod off and take your business elsewhere without suffering any consequences.

AnuraFebruary 24, 2015 1:04 PM

@A Nonny Bunny

"Use another company."

Luckily, we don't have an oligopoly between ISPs in the US. I mean, I have a choice between many different companies, such as AT&T and umm... Time Warner...and... Umm...

dbCooperFebruary 24, 2015 1:26 PM

Troubling that we live in a society where one is instructed to pay a ransom for not divulging personal information.

Seems to me, in times past, an entity would be required to pay a person to use their personal information.

CallMeLateForSupperFebruary 24, 2015 1:32 PM

@Bruce
"this sort of thing means that privacy becomes a luxury good."

Very good point. Just so we maintain perspective, let us also agree that 1-Gbit internet is a luxary good.

I am posting this via a 1-MEGAbit pipe.

LeeFebruary 24, 2015 1:46 PM

Is AT&T in dire financial straits or something? This pay-to-opt-out deal strikes me as desparate. Anyway, here in the U.S. we pay to opt out now (apparently). In Germany, it's considered illegal to ask anybody to do anything other than opt in.

AnuraFebruary 24, 2015 2:05 PM

@Lee

The goal is always to profit more. When you have an oligopoly (in some areas they have a pure monopoly) then you can pretty much get away with anything without worrying about your customers leaving, and packet inspection is something that's done by all the major ISPs.

scpFebruary 24, 2015 2:31 PM

I prefer to look at as AT&T offering a discount to permit personalized advertising. This is equivalent to AT&T paying for their customers' data. The Internet service costs X, the discounted service is X - D. D is what AT&T pays for the data. If I own the data, then I have a right to sell it, if I find D to be large enough to entice me.

Competitive pricing might eventually drive the value of D to be larger than X, at which time AT&T will be paying us to use their Internet service. AT&T will also, eventually, want exclusive access to our data. At that point, they will begin creating tools to prevent other apps, businesses and governments from accessing it.

Long term, I see this as a good thing.

CallMeLateForSupperFebruary 24, 2015 2:33 PM

The stated premium, USD 29, looks suspiciously arbitrary to me. Are we to believe that AT&T loses about thirty advertising bucks each month? I don't. Also, the 9 on the right... it's definitely meant to fly under our mind's radar; we're supposed to register just the 2 (on the left). Result (no surprise): "Ah! Only twenty bucks." Wily folks will see the figure for what it is (kissin'-close to thirty), but that has been anticipated too. Just like in software prices iback in ancient times, there is a sweet spot, and as long as that's not exceed, the lovely impulse purchases will roll in.

Anyone who anticipates signing up for this should solemly acknowledge to him/herself - both aloud and in writing - that it will becoma a item on the bill. Once there, it will be subject to periodic increases, just like the internet service. What? You thought that coughing up thirty bucks would end the nightmare?

Although I am tempted to hope that this program fails miserably, I have this niggling thought, that some statistics wonk would attribute failure as proof that Joe Sixpack doesn't care about his being tracked on the internet.

xd0sFebruary 24, 2015 3:00 PM

@Snarki

IANAL, so take the following observations as my recollection / opinion while I try to dig up the links.

Current US Privacy law I believe is established on the back of property law. The initial idea being that the act of creation leads to a "thing" that is owned by the creator. So if I build a chair I own it. I build a data entry in a data base, I own it too in that line of thinking. The initial basis is about the act of creation and ownership established on that, independent of the fact that data can be in more places than one at a time and can be about someone or collected in an invasive or even illegal way. The "act of creation" area is where there was early (IMO poorly thought out) ideas of how ownership would be asserted on data.

If my recollection of all of that history is correct, then AT&T under US Privacy Law owns the data by the fact it creates the "thing" the holds the data, and is supported by in that by the fact they gain the data through "experience" providing the customer service.

I'm sure my understanding is flawed to some degree by both faulty memory and the fact that IANAL and laws change over time, but the premise that ownership is established for data by who it is about vs who creates the data or Database entry is not (or wasn't a few years back) the way the law was being interpreted.

vas pupFebruary 24, 2015 3:28 PM

@Bruce:" have mixed feelings about this. On one hand, AT&T is forgoing revenue by not spying on its customers, and it's reasonable to charge them for that lost revenue. On the other hand, this sort of thing means that privacy becomes a luxury good. In general, I prefer to conceptualize privacy as a right to be respected and not a commodity to be bought and sold."
AT&T NEVER respected privacy of the customers even in pure phone service era. They charged you NOT be entered into their paper phone book of the customers (person, not business), but they should charged you to be entered in the phone book as soon as you want it. Conclusion: default privacy settings for ANY AT&T service (past/current and I guess future - just extrapolation) never protect customer privacy. Period. Another example, when somebody from Europe (e.g.Germany) is calling you to your land line phone in US with caller ID from AT&T you do NOT have neither phone number nor source information (like 'International call'). What you have is 'Unavailable' for both lines on your caller id, BUT when you call to Europe they always see your phone number on caller Id even when you dial *67 before calling there. Make you own conclusion about AT&T practice.

When Sly CallsFebruary 24, 2015 3:44 PM

The essential issue in so far as individual rights are concerned is whether two people have the freedom to form a contract for the exchange of goods or services.

You may not like the terms being offered for a particular product, but that does not give you the right to use the machinery of government to abridge the freedom of others to form contracts.

In the present context, there are many complications. AT&T has already been victimized by many regulations which restrict how it is allowed to do business, and there is such a long history of cooperation between telecoms and the NSA that AT&T should probably be regarded as a fascist entity rather than as a free corporation. In that case the whole conception of individual rights is submerged by the totalitarian notion of an organic state.

What we have is a very mixed situation which presents itself with the appearance of two parties freely entering into an agreement, but this seems to be a vestigial illusion.

In actuality, AT&T's offering may be just a new phase of an elaborate fraud. In a situation such as that, where the government is pulling all the strings, no one should take the contractual terms of AT&T at face value and act accordingly.

LIFebruary 24, 2015 4:54 PM

@Garrett:
Fully agreed.

AT&T's actions (that I actually support) are the result of hysteria about privacy spread by this and similar blogs. Indeed, why not rip off idiots who think that they can delegate their privacy to anyone, and pay the fee?

I'd be the first to support a law requiring all telecom companies to store all customer data forever. Maybe then people stop being dillusional and learn some basic crypto...

BlueLightMemoryFebruary 24, 2015 6:17 PM

I wouldn't trust AT&T for any price.

If anyone wants their privacy while online, just boot from a live tails CD, using Tor, with no-scripts set. AT&T won't know where you're going if you do this. Neither will the Feds for that matter. But with the Feds you have to be a little more discerning, careful, and flexable. But that's another story for perhaps another day.

BuckFebruary 24, 2015 7:52 PM

Anyone remember The Future of Privacy 'expert' canvassing report from a few months ago? If you mentally swap the words: civil society for internet, freedom for privacy, and slavery for surveillance; well, let's just say that some of the responses are incredibly disturbing...

Universal freedom will be the new taboo and will not be appreciated or understood by upcoming generations.
Big slavery equals big business. Those special interests will continue to block any effective public policy work to ensure security, liberty, and freedom in civil society.
The politics of slavery and freedom are so broken, particularly when it comes to industry and government interests, that it is unlikely there will be any positive change.
There will be a subset of the public rebelling against this slavery and slave-driven society through either withdrawal from the civilized world or acts of 'civil disobedience' against the powerful.
Freedom will be managed by market solutions, with the affluent able to maintain better control of their freewill. Like luxury cars and summer homes, control over one's own life will be the privilege of winning financially.
Optimistically, people are better informed about how their skin-color can be used to discriminate against them and demand greater security, freedom, and access to due process. Pessimistically, people may want those things,but they have no real power to get them.
I fear the coming of walled societies, where there is security but also pay walls - and the security is partial. The relationship of freedom, security, and openness is not resolved, and I fear it will not be done in a way that allows for openness in the future.
It's really not too hard to imagine quite similar arguments having been made in the past several centuries... :-\

Dirk PraetFebruary 24, 2015 8:01 PM

A number of solutions come to mind:

1) If the option is available, dump AT&T in favour of an ISP that doesn't indulge in this kind of racketeering. That is of course if they aren't doing DPI as well and unlike AT&T are not even giving you the possibility to opt out. For those who have still not caught up: AT&T has a long history of being a bunch of r*t b*st*rds and they don't deserve your business.

2) As @Anura already suggested, get an Amazon AWS or VPS with a version of OpenVPN capable of traffic obfuscation and which will defeat most forms of DPI. You already have one for less than $5 a year. Check http://lowendstock.com for locations and prices. Downside: you need to be familiar with OpenVPN or know someone who can do the setup for you.

3) Check if you can flash your home router with the latest DD-WRT releases, set up the on-board OpenVPN server with traffic obfuscation and install compatible OpenVPN clients on your home devices (computers, tablets, smart phones). Alternatively, set up a Raspberry Pi to do the same.

Ole JuulFebruary 24, 2015 9:13 PM

I can't get AT&T here and my only available ISP is a small local company who doesn't play the big boy games.

Still, as a matter of principle I mostly browse through a VPN. In this day and age I think everybody should. You can get very good service for $40 or so per year and it has many additional advantages. One is that I now get Google searches that are more international and less censured. Seriously, if somebody is not using a VPN, they should be.

Robert.WalterFebruary 24, 2015 10:13 PM

I would like to report @mix for trolling with off topic posts.

Either can't wait for Friday, just nuts or an AT&T threadjacker.

Nick PFebruary 24, 2015 11:10 PM

@ Moderator

I agree with Robert.Walter. The constant stream of random posts makes new comments page unusable and threads cluttered.

Nick PFebruary 24, 2015 11:18 PM

@ Dirk Praet

Thank you for that VPS link! The ones I kept finding were way more. Well, to be fair, I was wanting to be able to customize the OS. Might not be realistic given how cash-strapped I am. Check out this one. The retro graphics are great and remind me of Cryptocat.

TonyFebruary 25, 2015 12:19 AM

The Internet is full of services that are "free" to users where the provider makes money from advertising, and pushes up the value of those adverts by targeting based on analysis of the user. Google, Yahoo, Twitter, Facebook, etc.
This just seems like the same thing where you get a cheaper rate with advertising, and a pricier rate without.
Interesting that the value is $29/month. If that rate holds for lower speed connections, AT&T could presumably offer a 5-10 Mbit/s connection for free with advertising.

.February 25, 2015 2:59 AM

" it's reasonable to charge them for that lost revenue."

Why? It's not. They provide a service (Internet connection) that you pay for, making money by tracking you is not simply unethical, but should be made illegal. When you fill your car with gas in a station they don't put a GPS bug in it then sell your location data, why this case should be different?

Not an AT&T customer, fortunatelyFebruary 25, 2015 4:04 AM

I'm surprised this is even legal. Do you also have to pay, say, USPS to not open and read your letters? Whatever happened to the right of the people to be secure in their papers and effects?

Dirk PraetFebruary 25, 2015 5:04 AM

@ Moderator, @ Nick P, @ Robert.Walter

Re. MIX posts

I concur with Robert.Walter and Nick P. This is either a bot or the rantings of someone who's gone off the deep end.

Peter A.February 25, 2015 6:06 AM

I just wonder if AT&T (or any other ISP) modifies *all* traffic (e.g. by injecting a HTTP header/cookie into all your requests) or does it only for traffic destined for specific paying "partners". In other words, would anyone be able to verify that the ransom works, by setting up some web service and generating some requests towards it before and after paying the ransom to see if there's a difference.

Of course, even if you see on your web service that the header/cookie disappears after you pay, you still have to believe them, that they have stopped injecting it into connections to other web services...

ModeratorFebruary 25, 2015 8:20 AM

Y'all are right. I've just deleted all but one of the posts made by MIX in the last 24 hours. MIX, either stay on or reasonably near topic or vamoose.

HJohnFebruary 25, 2015 10:27 AM

Someone beat me to the "discount" angle, but I think any carrier would be wise to frame it differently.

Make the privacy default plan, and give users the option of waiving some privacy in exchange for discounts. It would be a legitimate value for value deal.

It may be the same end, but framing it as an additional cost instead of a value for value discount just seems wrong.

LeeFebruary 25, 2015 10:44 AM

@Buck: Yes sir, the dystopian future is here.

@Ole Juul: Relative to VPNs, just be like Don Henly and don't call it paradise.

@BlueLightMemory: Relative to TOR, isn't there a reason the Navy designed it and then threw it away? (OK, the TOR people did some fixups, which I'm sure are VERY good. And -they're very nice people. I wouldn't wish the pressure they're under on anybody tho...)

@NoteToSelf: If I ever want to sidestep AT&T's packet mining and opt-out agreements, I'll do it by war driving. (KIDDING REALLY JUST KIDDING !!!!)

vas pupFebruary 25, 2015 10:45 AM

@kazoonga • February 25, 2015 8:45 AM
Is the mailman also allowed to read your mail or offer a surcharge not to?
NO, but USPS makes snapshot image and store it (as they claim just for better delivery) of the face surface of you envelope (sender address/recipient address).
Just be aware of that. That is exact mapping of metadata and content.

LeeFebruary 25, 2015 11:20 AM

Back when AT&T technology was limited to the last letter in their acronym, things were good, really good. Ah - those were the days. Or WERE they? Hmmmmmmm.

BuckFebruary 25, 2015 11:33 AM

@HJohn

Added value? Discounts?? Would be wise to frame it differently..?

Stop trying to rationalize this price discrimination! Either way you put it, the poor are bound to bear the brunt of the burden. When the acquired data is used to effect employment opportunities, financial deals, and incarceration terms, then 'luxury privacy' is literally modern slavery. There's no 2-ways around it...

HJohnFebruary 25, 2015 1:01 PM

@Buck
Stop trying to rationalize this price discrimination! Either way you put it, the poor are bound to bear the brunt of the burden.
_____________

You're ascribing motives to me that I don't have. I'm not rationalizing anything.

Let's frame it this way: A company has a product it wants to sell, and the straightforward cost is $50. However, they will give it to me half price if I share some of my demographic information for advertising purposes.

That's value for value, and some people may make the trade off. Yes, the poor may be more likely to take the deal, but if it is a choice between having something or not having something, isn't that their decision to make?

It' s not price discrimination. Their charging different amounts for different types of products/services.

Please don't attribute motives to me that I don't have. I don't want people to forgoe privacy, but in their decision to chose a provider, it really isn't my decision to make with their money.

LessThanObviousFebruary 25, 2015 5:24 PM

@scp You certainly have the right to offer up your own data for a price. I this case the price difference being $29 I'd have to say it's pretty clear the cost difference is not actually the market value of your marketing data. That makes it more a digital protection racket where AT&T says pay us this fee that is in excess of the value of the item they claim to be offering or we'll do something harmful to you. It's no different than a mobster walking into a deli and saying "Give us 5% of your till every month and we'll make sure something bad doesn't happen to your business." The business might think 5% sounds like a better deal than having a couple guys show up to break your windows, steal your cash and give you a beating so they might choose to pay. If the cost difference was $3 a month or less I might be willing to believe the value of the data to advertisers was at least in the same ballpark after expenses. I don't think you have to be a marketing expert to see that the online ads you see from your home in a month are not going to net $29 per month on average in changes in purchasing behavior. They are not offering an incentive to those who participate in data sharing. They are offering an incentive to participate and a penalty not to participate, the later is unethical.

AnuraFebruary 25, 2015 6:04 PM

I should also add that they didn't even give you the option before, and that the vast majority of people probably are unaware they were doing it in the first place. Outside of the tech community, it's not very well known. The default should be to do no deep packet inspection, to not care where your data goes to or comes from, and they should offer the advertising as a discount to your plan.

Ole JuulFebruary 25, 2015 7:15 PM

I agree with @Lee that a VPN is not pardise. Security and privacy issues don't have a single solution and the user will always be part of the mix. I certainly have no delusions about the minimal level of privacy that I get from using a VPN, but do think that it generally keeps my ISP out of the picture, and if anybody needs to know where I live, they should ask me. In case anybody wants to know, the commercial VPN that I use is proxy.sh which is only $40 for the year, and so far has been very fast for me when used with servers in other countries. For actual security, one is of course still working on trust.

ThothFebruary 26, 2015 12:14 AM

State Of Cryptography and Security
- Closed Source Software
* Easily coerced and corrupted.
* Attempts to follow standards that are usually corrupted.
* Central authority of projects as single point of failures.
* Funding and reputation of corporate image and products can be used to subjugate corporations (Hagelin cipher machine case).

- Open Source Software
* Coercion is possible.
* Code forks and Code inspections can root out problem.
* Difficult to completely coerce.
* Widely deployed and generally very little central authority to coerce.
* Corrupted standards are usually frowned upon and not applied. Few uses EES encryption in open source. (EES - Escrow Encryption Standard)
* Open source crypto techniques not found in stanrdards (Serpent, Twofish, BCRYPT, SCRYPT, DJB's crypto algos ...etc...) giving higher chances of protection against coercion and corruption.
* Wide variety of differing qualities of work.
* Authors of open source software may not be interested in work easily due to funding and real life problems (lack of incentive to work).
* Huge body of open source works but not all are verified or verifiable with ease due to lack of documentation or communication channels to work's author(s).

- Closed Source/Design Hardware
* Easily coerced and corrupted.
* Most hardware are closed source. Cannot be verified independently.
* Use profitability, trade secrets, corrupted standards to control.

- Open Source/Design Hardware
* Very rare.
* Harder to coerce or corrupt the design but the manufacturing stage is usually closed door process and can be disrupted/corrupted.
* Easily disrupted by strangling fundings and raising bogus legal cases as distraction, disruption and destruction (3D scenarios).
* Hard to verify correctness of any open source/design hardware due to lack of proven and well-researched algorithms to test correctness of wires and pins of chips against published designs.

FigureitoutFebruary 26, 2015 12:48 AM

Thoth
lack of proven and well-researched algorithms to test correctness of wires and pins of chips against published designs.
--On chips that still have pins exposed to the human being (SoC's...don't) you can "Ohm it out". Old school EE's will give you sh*t if you don't know this. This is basically just for ensuring a pin from a chip is the same one thru a PCB to another point on the board. Doesn't address connections w/in the chip though. If *even* that can be falsified then that's another issue that I throw my hands up (means connections on PCB's can be falsified too...which would be incredible).

Sivasubramanian MFebruary 26, 2015 3:38 AM

It is sad that Telecom firms and large Cloud Networking firms have managed to make commercial surveillance ( or even surveillance for States) as the default setting for the services that they provide. Where it is appropriate to enable surveillance features by consent of the users, it has become the inevitable reality that users now requires the consent of these firms as also a premium fee in order to turn off surveillance features. It is just not right.

MarkFebruary 26, 2015 4:07 AM

This is where we unfortunately see the influence of American's "capitalism at all costs" approach. In the EU, data privacy is seen as a right, something that is enshrined in law. However, in the USA, it's not; privacy laws are driven by industry needs (HIPPA, etc.).

This would never fly in [most of] Europe. This brazen approach of selling privacy as a commodity disgusts me. The only good thing about this is that at least they're being transparent (well, much more than most companies...) about what they're doing. In the UK a few years ago, they tried something similar with Phorm.

Unfortunately when you drill down to it, America's capitalism at all costs approach from the tech industry -- which dominates the world -- ends up hurting us all. Google, Uber, Amazon, Airbnb, LinkedIn... all American companies with pathetic privacy records. (Don't be fooled by the "sharing economy"; it's capitalism in sheep's clothing.)

Granted, governments are another topic altogether. But it's clear to me America's tech industry drives a lack of digital privacy because American's privacy laws are weak.

We all lose because of it.

BuckFebruary 26, 2015 6:45 PM

What you describe is almost the exact definition of price discrimination.

What you are rationalizing is something along the lines of: "the price discrimination of privacy is OK, but I'd rather it be done this way instead of that."
Don't feel bad about that. It seems there are many here among us who feel the same way...

However, few seem to realize that lurking beneath the surface of this petty distinction lies a deeper and far more disturbing rationalization. It is: "Enslavement is OK, because people like us have the prerequisite knowledge and necessary financial resources in order to choose to not be a slave."

Coyne TibbetsFebruary 28, 2015 2:54 PM

I have serious doubts that AT&T would stop spying for any amount.

Their program must have the usual series of steps when snooping into your messages: (1) Collect your data, (2) analyze it, (3) apply the results of the analysis.

The third part is where you get targeted advertising. But there's literally no reason to for AT&T to stop parts 1 and 2 just because you want privacy. Just turn off the targeted advertising in part 3 and..."What they don't know won't hurt them."

AT&T wouldn't even have to stop all of part 3; they could still sell your information to marketing companies; pump it into further analysis for marketing or social research programs; or even hand it over to the government. How would you know?

You might get freedom from advertising being targeted at you, but how would you confirm the rest?

I predict that, in due course, we will find out that all that $29 or $44 or $66 or whatever-per-month did is turn off those annoying targeted ads.

Anon CowherdMarch 21, 2015 8:56 AM


Do you think paying ATT a fee for not spying on you somehow makes the US government happy to settle for not collecting all the information on you they possibly can?

Of course not. They will be spying on you either way. The fee is a disgusting scam.

Leave a comment

Allowed HTML: <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre>

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of IBM Resilient.