Congress Removes FCC Privacy Protections on Your Internet Usage

Think about all of the websites you visit every day. Now imagine if the likes of Time Warner, AT&T, and Verizon collected all of your browsing history and sold it on to the highest bidder. That's what will probably happen if Congress has its way.

This week, lawmakers voted to allow Internet service providers to violate your privacy for their own profit. Not only have they voted to repeal a rule that protects your privacy, they are also trying to make it illegal for the Federal Communications Commission to enact other rules to protect your privacy online.

That this is not provoking greater outcry illustrates how much we've ceded any willingness to shape our technological future to for-profit companies and are allowing them to do it for us.

There are a lot of reasons to be worried about this. Because your Internet service provider controls your connection to the Internet, it is in a position to see everything you do on the Internet. Unlike a search engine or social networking platform or news site, you can't easily switch to a competitor. And there's not a lot of competition in the market, either. If you have a choice between two high-speed providers in the US, consider yourself lucky.

What can telecom companies do with this newly granted power to spy on everything you're doing? Of course they can sell your data to marketers -- and the inevitable criminals and foreign governments who also line up to buy it. But they can do more creepy things as well.

They can snoop through your traffic and insert their own ads. They can deploy systems that remove encryption so they can better eavesdrop. They can redirect your searches to other sites. They can install surveillance software on your computers and phones. None of these are hypothetical.

They're all things Internet service providers have done before, and they are some of the reasons the FCC tried to protect your privacy in the first place. And now they'll be able to do all of these things in secret, without your knowledge or consent. And, of course, governments worldwide will have access to these powers. And all of that data will be at risk of hacking, whether by criminals or by other governments.

Telecom companies have argued that other Internet players already have these creepy powers -- although they didn't use the word "creepy" -- so why should they not have them as well? It's a valid point.

Surveillance is already the business model of the Internet, and literally hundreds of companies spy on your Internet activity against your interests and for their own profit.

Your e-mail provider already knows everything you write to your family, friends, and colleagues. Google already knows our hopes, fears, and interests, because that's what we search for.

Your cellular provider already tracks your physical location at all times: it knows where you live, where you work, when you go to sleep at night, when you wake up in the morning, and -- because everyone has a smartphone -- who you spend time with and who you sleep with.

And some of the things these companies do with that power are no less creepy. Facebook has run experiments in manipulating your mood by changing what you see on your news feed. Uber used its ride data to identify one-night stands. Even Sony once installed spyware on customers' computers to try to detect whether they copied music files.

Aside from spying for profit, companies can spy for other purposes. Uber has already considered using data it collects to intimidate a journalist. Imagine what an Internet service provider can do with the data it collects: against politicians, against the media, against rivals.

Of course the telecom companies want a piece of the surveillance capitalism pie. Despite dwindling revenues, increasing use of ad blockers, and increases in click fraud, violating our privacy is still a profitable business -- especially if it's done in secret.

The bigger question is: why do we allow for-profit corporations to create our technological future in ways that are optimized for their profits and anathema to our own interests?

When markets work well, different companies compete on price and features, and society collectively rewards better products by purchasing them. This mechanism fails if there is no competition, or if rival companies choose not to compete on a particular feature. It fails when customers are unable to switch to competitors. And it fails when what companies do remains secret.

Unlike service providers like Google and Facebook, telecom companies are infrastructure that requires government involvement and regulation. The practical impossibility of consumers learning the extent of surveillance by their Internet service providers, combined with the difficulty of switching them, means that the decision about whether to be spied on should be with the consumer and not a telecom giant. That this new bill reverses that is both wrong and harmful.

Today, technology is changing the fabric of our society faster than at any other time in history. We have big questions that we need to tackle: not just privacy, but questions of freedom, fairness, and liberty. Algorithms are making decisions about policing and healthcare. Driverless vehicles are making decisions about traffic and safety. Warfare is increasingly being fought remotely and autonomously. Censorship is on the rise globally. Propaganda is being promulgated more efficiently than ever. These problems won't go away. If anything, the Internet of things and the computerization of every aspect of our lives will make it worse.

In today's political climate, it seems impossible that Congress would legislate these things to our benefit. Right now, regulatory agencies such as the FTC and FCC are our best hope to protect our privacy and security against rampant corporate power. That Congress has decided to reduce that power leaves us at enormous risk.

It's too late to do anything about this bill -- Trump will certainly sign it -- but we need to be alert to future bills that reduce our privacy and security.

This post previously appeared on the Guardian.

EDITED TO ADD: Former FCC Commissioner Tom Wheeler wrote a good op-ed on the subject. And here's an essay laying out what this all means to the average Internet user.

EDITED TO ADD (4/12): States are stepping in.

Posted on March 31, 2017 at 12:07 PM • 103 Comments

Comments

Just a Product • March 31, 2017 12:32 PM

How come internet access still costs anything?

Since we're the product now instead of the customer, how come we still have to pay?

Vesselin Bontchev • March 31, 2017 12:39 PM

While Bruce makes many valid points, he, like many other writers on this particular subject, glosses over a simple fact that will most probably mislead many of the readers.

It is not as if the users already had protection of their privacy from this kind of snooping on the part of their ISPs. The rules that have been repealed had not been enforced yet. That is, your ISP was already snooping on you and selling the results to the advertisers, if they felt like doing it.

Many people, including Bruce, are presenting the repealing of the rules as "the ISPs lobbied for a change that eliminated your privacy and won". That is not the case. They lobbied against a change that would have given you new privacy protections and won.

Bill • March 31, 2017 12:45 PM

A lot of articles this week on using VPN services to bypass ISP surveillance, but none of the ones I've seen have presented any argument or evidence that the VPN service providers are any more trustworthy.

Alain • March 31, 2017 12:55 PM

I think it's time to start using automatic page scrubbers at a large scale.

Are there examples that are done right, aka difficult to detect and that can generate much more than user traffic every month?

If more than 90% of requests are resulting from smart software that emulates users, it will be less useful to make profiles from the traffic or single some more normal requests out.

For example: I've read that health insurers are using the browse history to adapt the individual policy if people are searching diseases. If almost everyone seems to be searching on diseases this becomes useless.

BTW. The ISP will feel the burden for the increased traffic, but that's very nice damage ;-) The ISPs asked for it.

ACORN • March 31, 2017 1:00 PM

Somebody needs to write an app that causes your phone or computer to periodically perform random searches and browse random sites and potentially make calls to random numbers. Your true searches and visited sites would be hidden in this large volume of bogus metadata. Even a small increase in bogus metadata vastly complicates the job of determining who you are and what you really are interested in. Once a large percentage of the population is running this app, the internet snooping industry would become worthless. This concept scares the wits out of the internet parasites.

Maybe So • March 31, 2017 1:11 PM

> The bigger question is: why do we allow for-profit corporations to create our technological future in ways that are optimized for their profits and anathema to our own interests?

It's funny. When I was in graduate school back in the late 1980s I took a course in technology and society; assigned readings included Langdon Winner and Jacques Ellul.

https://en.wikipedia.org/wiki/Langdon_Winner
https://en.wikipedia.org/wiki/Jacques_Ellul

It was an interesting class and it caused me to ponder technology in a new way. But I had no idea what the next three decades would become. To be blunt, when I was 22 I thought Ellul liked to exaggerate and was unduly pessimistic, but now in my 50s I think he was correct and I was woefully naive when I was 22. I now recommend The Technological Society to anyone willing to listen. I consider it to be one of the most prophetic books ever written. Yes, the book is long, exhaustive to the point of tediousness, but I don't think one can begin to answer the question @Bruce raises without understanding Ellul's thesis of technology as a form of religious worship. Why do we let for-profit companies bolster their profits at our expense? Well, why do billions of people every day tithe? Who are we to resist a god's demand for a pound of flesh?

S. Arpasand • March 31, 2017 1:17 PM

If I, as a customer, send a written notice to Comcast demanding that they are not to collect, market or sell any of my internet usage data, would they be obliged to honor that, or can they simply ignore it?

Matthew Finnigan • March 31, 2017 1:18 PM

What I've been wondering about is why there hasn't been any outcry (that I've seen) from the business community. Businesses should want as much privacy for their browsing history as individuals. If the Amalgamated Chemicals office in Coeur d'Alene, their R&D office, is spending a lot of time researching 'x', wouldn't they want that kept secret from their competitors?

tz • March 31, 2017 1:28 PM

If you were around during the Robert Bork hearings: I forget who went to the video store (Blockbuster) to get the list of videos he rented. They found nothing scandalous, but passed a bill banning video rental places from sharing that info.
I wonder if it covers streaming like Amazon Prime Video and Netflix and Hulu.

Obama had 8 years to do something about the NSA surveillance; they had 60 votes in the Senate and a majority in the House. Everything just got worse, and part of the provision in Obamacare violates medical privacy. You have to store data digitally. Doctor-patient confidentiality doesn't exist (what if lawyers were forced to keep their notes in the cloud? Or pastors forced to record confessions?).

Just before Obama, Congress passed immunity for Verizon and AT&T's cooperation in surveillance in turning over data illegally without a warrant. The "your phone calls are protected" is nonsense. All you have is a thin legal veneer which you probably can't act on individually (see the mandatory arbitration clauses in all agreements preventing class actions; it was AT&T that established you lose your rights to a jury in a click-through).

No one really cares about their liberties; it is all left vs. right, and neither want to protect it. Rand Paul and earlier Ron Paul are big on liberty, but they aren't Democrats.

Maybe Democrats will get serious, but I doubt it. They wanted to ensure Obama could find right-wing racists, but now Trump can find illegal aliens. There is sufficient support for a small-government party, but everyone wants a big government to mercilessly crack down on what they don't like but want total freedom and privacy for what they like. The end of that will be civil war, which is starting to smolder.

Even worse, is a sense of entitlement. Would you pay $5 or $10 per month to avoid all tracking? No?

Real security products can't sell in a land of snake-oil (http://tomwoods.com/keep-the-spooks-from-snooping/ - Swiss law doesn't stop keyloggers, but you can feel secure), and real privacy products can't sell at all because no one will even spend a few dollars to buy them.

Let's say Sprint says "we won't track you, with auditable guarantees". Will ANYONE switch to Sprint, or one of the resellers? No.

People take the "discount cards" from grocers that track what you buy to save a few dollars.

People simply don't value it.

MM59 • March 31, 2017 1:30 PM

I don't believe that regulatory agencies are our only hope.
Most of them, including the FCC, are "captive agencies", run by industry.

Our only hope is that citizens wake up and say no.
If Comcast, Verizon, Time Warner won't commit to keep your browsing history private - would you disconnect?

Imagine if all citizens disagreeing with their policies to sell your personal data called up tomorrow and said "agree to my terms of privacy or I will disconnect my service" - what would happen?

We are all Dorothy - nothing in Oz's bag for us but always having the power to go home at anytime - but we fail to use that power. Why?

Would disconnecting for about 6 months be a bad thing? Would it allow us to get to really know our friends and family better? Get re-connected with nature and community? Clean out those old files and closets? Read a few good hard cover books without damaging your eyes with blue light?

They can't build and operate this electronic fence if we don't participate.

Patrick • March 31, 2017 1:41 PM

@Vesselin

Thanks for bringing that up because it's something I've seen debated recently. I don't claim to be an expert, but the response I've seen to your point goes something like this:

Up until last year, the FTC was responsible for regulating ISPs. In a lawsuit between the FTC and AT&T, the FTC lost the ability to regulate ISPs because they are now classified as common carriers. Regulatory control then shifted to the FCC. So while it's true that the FCC rules were not yet in effect, it's disingenuous to suggest that there were never privacy controls while under FTC regulation. What Congress did is still a fundamental shift in terms of consumer privacy: up until now, ISPs were not allowed to collect and sell customer data (like browsing history) without their consent.

I'd appreciate it if anyone more knowledgeable has any insight on this.

ACORN • March 31, 2017 1:57 PM

The only hope is citizens taking their privacy and security into their own hands. Look at what end-to-end encryption has done to secure texting and messaging services. Way to go Signal! If you aren't using Signal (or an app based on Open Whisper Systems), you need to switch over and tell all your acquaintances to switch over too.

As for browsing, we have to hope that Tor can speed up or that VPN can become inexpensive or that an app that obfuscates searches can become available (as Winston Churchill said, "In war, truth must be accompanied by a bodyguard of lies").

Looking to government to solve problems is a waste of time.

Winter • March 31, 2017 2:05 PM

States are stepping in:

https://arstechnica.com/tech-policy/2017/03/isp-privacy-rules-could-be-resurrected-by-states-starting-in-minnesota/

One aspect of the current administration and law makers is their hostility to the federal state, leading to the federal level neglecting their duties and responsibilities. We might see the states distancing themselves from federal impotence and start taking up the responsibilities.

What I do not understand is why the USA and Europe have taken opposite paths wrt privacy. Europe has a law on the books that strengthens privacy law from 2018 on.

https://en.wikipedia.org/wiki/General_Data_Protection_Regulation

Jeremy • March 31, 2017 2:37 PM

@S. Arpasand: if i as a customer send a written notice to comcast, demanding that they are not to collect, market or sell any of my internet usage data, would they be obliged to honor that or can they simply ignore it ?

Even if they were obliged, it wouldn't help you. They would probably just disconnect your service, and tell you that they will only turn it back on if you agree to their standard contract terms (whatever those happen to be).

Even if they weren't snooping anyway, they will probably not want the hassle and the risk of having a weird one-off contract with each individual user. The minimum charge for the lawyer to look at your letter and tell them whether or not it contains a hidden trap is probably more than you pay them in a year. It's virtually impossible to get companies to fix OBVIOUS ERRORS in their own form contracts, let alone agree to new terms.

Our system of contracts has some pretty serious issues.

Clive Robinson • March 31, 2017 5:13 PM

The real problem with this is not the selling of your information.

The real problem is "the collection into business records", because the FBI --who should be your main worry-- can get at these with not much more than press a button to print out a letter and post it to your ISP's registered address...

The point to note is that if your ISP collects some of its customers' activities it will in fact collect ALL its customers' activities, because it's just cheaper to do so.

Thus whilst you might have a contract with your ISP where it "Does not sell your activity record", it will not just keep them, it will also still sell them, but as part of an aggregate or vaguely anonymised data set.

So you would need to find an ISP that does not sell any user data to third parties, as it is less likely to collect anything more than the bare minimum. But you could still get fingered by the FBI if the ISP collects data for internal test/engineering/billing reasons as these are all "Business Records" no ifs, no buts, no maybes...

Whilst other US Gov agencies could get at the records, it's the ones with prosecution / sequestration abilities like LEAs and Revenue you need to worry about. Because they can put you and your loved ones in purgatory or on the streets.

One thing I would be wary of is "legislation to follow". I suspect that in about a year, once the majority of ISPs have set this up, you will see "IP Rights" lobbyists pushing for unfettered access to the data for free... Then you will find out what purgatory means, because they will not use it for marketing, but for direct revenue raising by threat of litigation. As we already know, they do not care if their records are wrong; they will just push at you unless you hit them with expensive civil action.

So now is a very good time to either get rid of your WiFi or keep your own evidence quality records...

Oh and as you can assume with a very high degree of certainty records will be kept, you need to take defensive action.

As others have noted, you will find it difficult to find a VPN service that does not keep its own records. One way around this is to have a VPN to an "Out of US jurisdiction point" in, say, the EU and use it to tunnel a second VPN to, say, a Swiss VPN service that then drops your traffic out to the sites you want to visit. This has the advantage of also removing any "Packet Tagging" your ISP may have attached.

Alternatively, have a look at @Dirk Praet's advice on last week's Friday Squid thread,

https://www.schneier.com/blog/archives/2017/03/friday_squid_bl_570.html#c6749406

Jesse Thompson • March 31, 2017 5:37 PM

I run a small ISP.

I guess what I would like to see at this point is some sort of grass roots labeling campaign for self-enforcement (just because nothing better seems to be on offer) so that we can advertise some kind of "privacy respected" logo on all of our adverts that any company could be sued by the logo holder if it were ever found that they were breaking the agreed upon rules. :o

Marjorie • March 31, 2017 6:43 PM

> How come internet access still costs anything?

With zero-rating, the various interconnection fights, usage-based billing, etc., we've seen that major ISPs have limitless greed. They'll charge you, then they'll charge you a few more times (taxes, fees, usage, the cable-TV charge or the larger not-having-TV charge), then they'll charge everyone you're talking to (Netflix, Akamai), and then they'll use all this money to prevent competition (banning municipal networks, buying smaller ISPs, bribing/lobbying politicians).

In other words, because they know that people will pay it no matter how much they're abused in return.

> Since we're the product now instead of the customer, how come we still have to pay?

There's a long history of free internet access actually. Netzero being the commercial end, and there were lots of local community Freenets (still are...). Freenets could exist because the phone network was common-carrier, and the wire providers couldn't stop them like DSL/cable/wireless providers can.

Google did offer "free" access until last year (5mbit down/1 up but there was a one-time $300 construction fee):
https://arstechnica.com/business/2016/04/google-fiber-ends-free-5mbps-internet-offer-in-kansas-city/

Marjorie • March 31, 2017 6:49 PM

Jesse,
> "I run a small ISP. I guess what I would like to see at this point is some sort of grass roots labeling campaign for self-enforcement"

You could pledge to follow the draft rules that were proposed. Probably worth talking with groups like the EFF, EPIC, and anyone else who opposed removing these protections—I don't know about logos or endorsement but I'm sure they'd be interested to chat about ideas.

DerpQuake • March 31, 2017 6:50 PM

Somewhere along the line our society missed the chance to say "of course federal wiretapping statutes should apply to internet communication". Now we are all doomed, because money.

All paid communication services should at least offer a true and permanent opt-out of all communication inspection or collection and I don't mean some cookie based BS. I mean a box I check on the account that stays put and always applies to all communication from all devices.

NOYB • March 31, 2017 9:12 PM

I find myself becoming increasingly hostile to the federal government, and feel it’s time for states to FORCEFULLY take back *ALL* authority.

Now laws really don’t protect anyone excepting from ”those who get caught”, but in Texas - laws might actually have a deterrent effect. Texas could simply enact the most airtight requirement that all peepers face truly gruesome public execution. Perhaps fan it into a frenzy with lotteries and prize money for the individual who gets to plant an axe in the perp’s skull.

Now there would always be illegal wiretaps (just as I’ve witnessed over decades at telephone company facilities)...but you’d sure need to trust that person who spotted you :) “Axe in the skull” would tend to focus your attention.

There’s no loss for Texas here. We already have a reputation for barbarism. Why not put it to use?

Would be mighty fine to scare all the peepers out of this state.

Still, even with this, it makes sense to hide your activity as best you can. Because there always will be perps who escape that axe. You can’t watch them at all times. The axe is only your first layer.

WhatsEff • March 31, 2017 10:35 PM

(Originally posted on current squid)
https://www.schneier.com/blog/archives/2017/03/friday_squid_bl_570.html#c6749409

What's Eff up to?

president trump ran as a populist after all. What is he now? Surely he could support the little guy once, at least, and with single-payer health care, and earn a capital letter, or two.

Is Eff planning a campaign to petition or call the white house, with or without interested partners or others, regarding things like:
https://www.eff.org/deeplinks/2017/03/congress-sides-cable-and-telephone-industry
https://www.eff.org/deeplinks/2017/03/first-horseman-privacy-apocalypse-has-already-arrived-verizon-announces-plans

for a presidential veto if it's not too late.

No Eff, I don't expect you to take on single-payer healthcare, but maybe some powerful players somewhere might.

Let us hope that trump is not a chump.

Anonymous Coward • March 31, 2017 11:51 PM

@DQ

> Somewhere along the line our society missed the chance to say "of course federal wiretapping statutes should apply to internet communication". Now we are all doomed, because money.

IANAL but this sentiment seems near enough to target, though it needs [and terrorists and pedophiles and disruptive business ideas] added to the end.

This FCC play seemed like an Orwellian 'chocolate rations are going up' move. I really feel like in some 9/11-related move the NSA and CIA somehow got the nation to believe in a new normal. I think if in 2000 you surveyed the top execs at the top internet companies in a publishable way, they all would have stated unequivocally that they believed that existing laws ALREADY prevented ISPs from selling that data in the same way that phone companies were never allowed to sell your metadata to the highest-bidding (magnum) private investigator. But then 9/11 and torture and the gubernment is gonna do just whatever it damn well feels like with its blanket fear-of-terrorists-and-pedophiles-based authority. And the public can't do much because without Snowden, we have to take them at their word that they would be powerless against the bad guys without their vast secret powers ruled over by secret courts and executed by secret police.

Memo to moderator: I read the recent post about comments. This may well fall into the drive-by ideologue category. Feel free to exercise your liberty deleting it. The core of my crusade has perhaps been centered around the need to 'root hack' the U.S. internet policy into one that has a hard core value of pure, well-defined mechanisms of free speech furthering traditional models of democracy. Wheeler at the FCC wrote some words indicating perhaps value of that aspect, but his actions at the FCC clearly involved preventing that foundation from being laid. Servers Matter. Mandated extra middleboxes are ceding too much from what could have been a beautiful machine of Free Speech.

The cause is definitely lost. It's a jungle out there. End of story. Same as it ever was. Ruled ostensibly by a 70 year old horny hound dog with a billion dollars and jewel encrusted penthouse doors shown off on reality T.V.

I could never understand the cultural phenomenon of Survivor, MTV's Real World, and CBS's Big Brother, and NBC's The Apprentice. Until now. My favorite Hillary quote is the one about developing a thick skin.

Clive Robinson • April 1, 2017 4:47 AM

@ Anonymous Coward,

> I could never understand the cultural phenomenon of Survivor, MTV's Real World, and CBS's Big Brother, and NBC's The Apprentice.

If I told you that the ideas behind those programmes originated from the European world view, would it help?

Also, they are a bit like Edison's ideas, based on European ideas then presented as "All American"...

mutley dastardly • April 1, 2017 5:04 AM

I had to let go today one of my US-providers due to FCC and Trump-gov.-privacy-canceling regulations.

What's going to happen to the EU-US-agreement on the Privacy Shield - i'm afraid it won't have a long life.

It's sad we have to put this in here - i learned the Snowden-lesson very well.

The only weapon that's left in my closet is my spending. I'm gonna use that weapon - and innocent people will get hurt. If we don't do it right now - even more innocent people will get hurt. I'll continue to use it - until things get back to the way it used to be - before election-day.

Huh? • April 1, 2017 5:14 AM

I agree these are alarming developments. Part of a larger suppression plan that will take tremendous, coordinated resistance to combat.

Just a quick question here. In the 6th paragraph @Bruce wrote "They can deploy systems that remove encryption..."

If strong encryption is employed from browser to server, how can an intermediary ISP remove it? Can you provide link(s) to more specifics please?

Perhaps you meant they can deploy systems that simply remove weak encryption, which is not really "encryption" in the first place if it's been proven to be insecure.

Thanks!

Clive Robinson • April 1, 2017 5:58 AM

@ Huh?,

> If strong encryption is employed from browser to server, how can an intermediary ISP remove it?

By forcing your traffic through their TLS proxy that in effect does a "Man in the Middle" attack.

It's what a lot of less reputable nation states have done to spy on web traffic of their citizens to major search and social media sites for quite a few years now. You can buy a box for your office etc. to ensure you can comply with SarbOx and SEC requirements to audit for insider trading etc.

That said, apparently WhatsApp and similar are causing problems (I posted a Bloomberg story on the use of new apps by "masters of the Universe" on the previous squid page).
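The exchange above describes the mechanism but not how a client can notice it. The following is an added example, not code from the original post or any commenter: it mints two certificates for the same hostname, one standing in for the genuine server and one for the certificate an interception proxy would forge, and shows that hostname matching accepts both while a public-key pin (the HPKP-style SHA-256 of the SubjectPublicKeyInfo) accepts only the genuine one. The certificates, the hostname `www.example.com` and the pin list are all constructed here; in practice the pin would be obtained out of band, for instance shipped inside the application. The check only matters when ordinary chain validation has already passed, which is exactly the situation Clive describes: the proxy's CA is trusted by the client, so the forged chain validates.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// MakeCert mints a self-signed certificate for host. It stands in both for
// the genuine server certificate and for the one an interception proxy
// would forge; both are constructed for this example, not taken from a real site.
func MakeCert(host string) *x509.Certificate {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: host},
		DNSNames:              []string{host},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert
}

// SPKIPin is the HPKP-style pin: base64(SHA-256(SubjectPublicKeyInfo DER)).
// Hashing the public key rather than the whole certificate lets the site
// renew its certificate without invalidating the pin.
func SPKIPin(cert *x509.Certificate) string {
	sum := sha256.Sum256(cert.RawSubjectPublicKeyInfo)
	return base64.StdEncoding.EncodeToString(sum[:])
}

// CheckPins accepts the presented chain only if at least one certificate
// in it carries a pinned public key. Run it after ordinary chain and
// hostname validation; it catches the case where validation passed only
// because the client (knowingly or not) trusts the proxy's CA.
func CheckPins(chain []*x509.Certificate, pins []string) error {
	for _, cert := range chain {
		pin := SPKIPin(cert)
		for _, p := range pins {
			if pin == p {
				return nil
			}
		}
	}
	return errors.New("no pinned public key in presented chain: possible TLS interception")
}

func main() {
	const host = "www.example.com"      // hypothetical hostname
	genuine := MakeCert(host)           // what the real site serves
	forged := MakeCert(host)            // what an ISP proxy would present
	pins := []string{SPKIPin(genuine)}  // obtained out of band, e.g. shipped with the app

	// Name matching cannot tell them apart: both certificates are for host.
	fmt.Println("genuine hostname ok:", genuine.VerifyHostname(host) == nil)
	fmt.Println("forged  hostname ok:", forged.VerifyHostname(host) == nil)

	// The pin can.
	fmt.Println("genuine pin check:", CheckPins([]*x509.Certificate{genuine}, pins))
	fmt.Println("forged  pin check:", CheckPins([]*x509.Certificate{forged}, pins))
}
```

The design point is the order of checks: `CheckPins` is a second gate after the usual `x509.Certificate.Verify` and hostname match, not a replacement for them, and it pins the key rather than the leaf certificate so routine renewals do not break the client.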

AL • April 1, 2017 5:32 PM

It seems to me that the certificate approach to encrypting email has failed. I'd like to see plugins for the popular email software, where a shared password operates as a key to encrypting email between two correspondents. It could be stored in the address book. The password could be conveyed using secure messaging, such as WhatsApp or Signal.

I find the double standard infuriating • April 1, 2017 7:46 PM

"Think about all of the websites you visit every day. Now imagine if the likes of Time Warner, AT&T, and Verizon collected all of your browsing history and sold it on to the highest bidder. That's what will probably happen if Congress has its way."

I think that this paragraph is a perfect illustration of what I call "ISP-phobia". At the same time, Bruce says,

"Unlike a search engine or social networking platform or news site, you can't easily switch to a competitor. And there's not a lot of competition in the market, either. If you have a choice between two high-speed providers in the US, consider yourself lucky."

Really? That choice is more theoretical than practical. Google is a de-facto monopoly in internet search in ways that neither Verizon, Sprint or ATT are when accessing the internet via wireless (the argument holds a bit more merit with cable/DSL access).

Still. Google has built a business that generates tens of billions of dollars a year collecting everybody's "browsing history" and selling "it on to the highest bidder" and I saw no outrage from the likes of Bruce. In fact, I saw the opposite: exhortations to put one's soul at the hands of Google, because you know, "Google is good" but those evil old telecom operators are well, "evil".

I am sorry but I am not buying this. Very few people disable the cookie technology that Google uses to spy on internet users because it is very labor intensive. For starters gmail is the most popular email service. Nobody that I know enables cookies to log into gmail, only to disable them after logging out. Not to mention that even if users were to follow that practice, Google also collects the IP address. So in practice, people would need to stop using gmail altogether, disable Google cookies and change their IP address regularly to be able to fool Google effectively. How many people do this?

The old rules served only one purpose: to solidify Google's monopoly in online advertising, which is what you would expect from the Obama administration given its revolving door with Google. The new rules open the pie of data-mining-driven advertising to telecom operators.

The real remedy to this kind of unwarranted spying (by both ISPs and Google) is to hope people will massively adopt VPN technology, stop using gmail and permanently disable all Google related cookies (like youtube's and doubleclick's). Only then will we be safe from the most vicious predator to our internet privacy: Google.

I find the double standard infuriating • April 2, 2017 12:45 AM

As to what revolving door I was talking about, here it is,

http://watchdog.org/265844/google-obama-revolving-door/

So let's be serious. If we are going to be outraged -and I am- that large American companies have no respect for privacy when it comes to people's digital lives, the real outrage is that Google and Facebook have been doing for years what ISPs will be able to do now and nobody in the high tech intelligentsia -certainly not Bruce- complained about it.

In fact, here is Bruce enjoying his celebrity status with the Google crowd,

https://www.youtube.com/watch?v=GhWJTWUvc7E

Grauhut • April 2, 2017 4:03 AM

Be your own vpn provider, use Tor.

And it's not a real problem if your provider sells you to advertisers, wake up.

The real problems begin if they sell you to your bosses and three letter agencies...

Clive Robinson • April 2, 2017 7:09 AM

@ I find...,

Nobody that I know enables cookies to log into gmail, only to disable them after logging out. Not to mention that even if users were to follow that practice, Google also collects the IP address. So in practice, people would need to stop using gmail altogether, disable Google cookies and change their IP address regularly to be able to fool Google effectively. How many people do this?

Well people do and IP tracking is not as effective as you might think.

I turned off cookies and javascript years ago, and I regularly encourage others to do the same. Client side code execution is a major no no and should be discouraged, we've more or less got rid of Flash and Java, so JavaScript should likewise be culled for both the sanitary and sanity of the internet and its users. When people talk about NoScript and similar they are breaking one of the fundamental rules of security which is more commonly known as the KISS Principle. For security you should be reducing your code surface, not exponentially increasing its complexity with extra code that should have been built into the base browser in the first place.

As for changing your IP address, there is more than one way of skinning the track the user cat. Back before the 1990's there was rarely a single user per host address, as we were still in the multi-user system era when it came to Internet Connectivity. During the 1990's as the Internet transitioned from academic/military to personal/commercial early ISPs in effect limited usability by charging not for bandwidth connectivity but host connectivity, which helped push the development of NAT/PAT technology thus multiple desktops could be hidden behind a single host --IP-- Address, thus moving back to multi-user per host address. This would have carried on if the client-server model had been the only game in town. ISPs tried to enforce this by trying various tricks to stop the use of home not commercial servers, this worked fairly well as can be seen from the relative types and pricing of DSL modems with ADSL predominating by a very large amount. In effect the telco ISPs had two markets a price conscious home market and a premium rate commercial market. The cable companies by and large only had the home market, but in the UK certainly quickly decimated the telco premium market breaking up the cosy monopoly that had exorbitant pricing and also entering into the infrastructure market further decimating the telco markets. In many cases they also broke the smaller ISP model of charging by host address and just charged by bandwidth. It was at this point linking users to IP addresses became viable. Shortly after that the "user peer to peer" market started taking off with the likes of VoIP further eating away at the telco markets. Then at the turn of the century was the start of the Smart Mobile market which has grown year on year ever since. However there was a problem, the mobile service providers had a very limited IP address range and thus there could be between a hundred to three hundred unrelated in meatspace customers connecting from a single IP address.
Further business users likewise had IP address space issues thus for the likes of large organisations infrastructure NAT/PAT became the norm, one of the largest was the UK NHS with NHSnet back in the 2000's that in effect ran with several layers of NAT from the organisational, through local regional, to major regional, finally exiting into the Internet by one or two national NAT gateways. This worked fine for many IP address independent services like traditional web browsing but was a real disaster for many premium services like academic and medical journal servers that had used IP addresses as "identifiers".

But the world of mobile was really starting to hurt, many services had the same IP address issues, but a couple of new problems were getting in, BYOD and Mobile WiFi, where IP addresses of devices changed not just between Internet access but as an internet service was in use, some Internet telephony services got really whacked by this.

By and large the use of IP address to identify users is becoming less and less relevant as mobile usage increases and multiple levels of NAT/PAT get implemented with virtual networks running over the top in ways that quite effectively emulate early mix-nets. As mobile usage on virtual networks is set to increase with time the Internet will slowly migrate to a simple anonymity network if IPv4 continues to be the preeminent host identification method. Which will be messy, and why the life of some of the Tor breaking techniques that use client side code to find user device IP addresses have quite a short shelf life in the main.

Oh and I can't off the top of my head remember who first calculated that the number of active connections would exceed half the number of usable unique IPv4 addresses by 2020, but it's beginning to look like it actually happened a year or so ago if you include the number of active connections that happen behind NAT and on virtual networks as well. It's time we seriously rethought the way we do routing and dumped IPv4 and IPv6 --which most dislike-- and went for a radically different approach where the fact end user devices are fully mobile and peer2peer as standard, not the now well out of date static clients and server model. But first you have to kill off the "vested interests" and "legacy equipment" issues...

I find the double standard infuriating • April 2, 2017 9:03 AM

@Clive Robinson,

Not sure anything you said has anything to do with what I say. I repeat: both Facebook and Google have perfected the art of tracking people online with a combination of IP tracking and, especially, cookie tracking.

3 years ago, the PBS show Frontline released a two part special on NSA spying following the Snowden revelations. The second part, that you can watch here https://www.youtube.com/watch?v=t17BYedTz7U , was entirely dedicated to the ways the NSA leverages for its own purposes the tracking infrastructure built by Google and Facebook. Again, no outrage from Bruce then that it's Google and Facebook that have made the NSA job very easy.

I think that this entry is 100% hypocritical. When it comes to violating people's digital privacy, Google and Facebook are by far worse offenders than traditional ISPs. Not only do they track people's activity, but they data mine their stored content in ways that an ISP will never be able to do because https has been the norm to connect to both Google and Facebook -and in fact the most prominent websites- for many years now.

Google dropped recently its "end to end" encryption effort that was mentioned in the aforementioned talk by Bruce, more info here https://www.wired.com/2017/02/3-years-gmails-end-end-encryption-still-vapor/ .

The regulations congress repealed sought to ensure Google and Facebook's monopoly when it comes to abusing people's digital privacy. I see a silver lining here: I hope people realize that neither Google nor Facebook are their friends and begin to treat both companies with the same disdain and contempt some are treating now traditional ISPs. We have the technology to minimize their abuse and I hope it is massively adopted now that spying by private companies is back to the news.

Leon • April 2, 2017 10:46 AM

Why is it that -on almost all privacy issues- US and Europe take completely opposite directions?

John Galt • April 2, 2017 10:49 AM

@ SCHNEIER

[[[ What can telecom companies do with this newly granted power to spy on everything you're doing? Of course they can sell your data to marketers -- and the inevitable criminals and foreign governments who also line up to buy it. But they can do more creepy things as well. ]]]

That's the purpose. Sell it to government(s) and criminal enterprises. That's what Google does.

But, more importantly, it lets you share it with your friends for free, too.

Why would Trump sign off on it? I don't think he would if he really understood it. Face fact: Trump doesn't even use email. The extent of his computer skills is text messages (including Twitter).

I find the double standard infuriating • April 2, 2017 12:43 PM

@Leon,

Why is it that -on almost all privacy issues- US and Europe take completely opposite directions?

Simple answer: history. I read somewhere what I am about to say, so it is by no means an original argument, but I fully agree with it.

Those of us who have traveled to many places cannot fail to notice that on the surface, Europe and the United States look very similar (especially when both civilizations are compared to say a Muslim country or a country like China or India). Both Europe and the United States share a common, for lack of a better word, Judeo-Christian-Greco-Roman heritage. You can argue all day long about Protestantism vs Anglicanism vs Roman Catholicism, but at the end of the day, these have more in common among them than with say Islam or Confucianism. The Enlightenment mindset that is common among the intelligentsia of both sides of the Atlantic was born in France and England during the XVII-th and XVIII-th centuries -one of the many consequences of the Protestant Reformation.

But that's where the similarities end. The people who left Europe for the New World were the troublemakers. They were those who found the institutions of their time -ecclesiastical or government- oppressive. At the same time, those who stayed in Europe were those who liked these institutions, be it because they had faith in them -say those who are pro monarchy-, be it because they liked the protection that these big institutions brought. What eventually became the American people were the ones running away from the feudal lord whereas those that stayed in Europe were the ones happy with the feudal contract: full obedience to the feudal lord, in exchange for security and protection. In the XXI-st century, government plays the role of the feudal lord, so it is not surprising that current Europeans have faith in government whereas current Americans deplore it while at the same time having no problem sharing their data with big corporations in exchange for what they perceive as "free stuff" (free email, search engine, social network, etc).

This dynamic is not going to change anytime soon. What I find deplorable are attempts to defend particular predators (such as Google or Facebook) while bashing others (such as Verizon and ATT), when in fact my opposition to intrusion is based on principle. I don't care what government interest there is to spy on me or other Americans. Similarly, I'd be happy to pay more to avoid the spying by Google and its Double Click tracking technology, but because I am surrounded by morons, it is not possible -the overwhelming majority of Americans are happy to surrender their privacy in exchange for "free stuff".

So the only solution that I see to the problem of spying is to stop pretending that there are good predators (Google, Facebook, government in case of Europeans) and bad predators (ISPs, government in case of Americans). We have to acknowledge the problem and promote the widespread adoption of anonymous browsing technology (such as VPNs) and end to end encryption. The technology already exists. Agreeing to the notion that there are good predators and bad predators is agreeing to the game these predators want us to play. I refuse to.

I find the double standard infuriating • April 2, 2017 1:20 PM

BTW, it goes without saying that those considering a VPN service to protect their privacy should make sure they choose it in a smart way: pick a VPN service that keeps its customer data outside American jurisdiction -so it cannot be bought by American companies- and particularly outside the 5 eyes countries (i.e., picking a VPN service headquartered in the USA, the UK, Canada, Australia or New Zealand is a really bad idea). There are many VPN services that are headquartered outside these countries but that have access servers in the USA.

Then of course, use TOR for your most sensitive browsing activity.

A massive adoption of these tactics would be even good in the long run for law enforcement. It would force them to be smart and deploy human intelligence on the bad guys, instead of collecting and storing everybody's information.

Dirk Praet • April 2, 2017 2:35 PM

@ I find the double standard infuriating, @ Leon

Why is it that -on almost all privacy issues- US and Europe take completely opposite directions?

In the EU, privacy is a human right as guaranteed both by the UDHR and ECHR, enshrined in EU Data Protection Directive 95/46/EC that last year was superseded by the General Data Protection Regulation. In the US, it's more like a marketable commodity.

The historic background is that Europeans generally distrust corporations, whereas Americans distrust government and regulation.

I find the double standard infuriating • April 2, 2017 3:44 PM

"The historic background is that Europeans generally distrust corporations, whereas Americans distrust government and regulation."

This is a circular statement that explains nothing.

The historical reason for that fact is that the Europeans of today are the descendants of those who liked the deal that successive governments offered to the people who decided to stay in Europe. On the other hand, today's Americans are the descendants of the Europeans who didn't like the deal these successive governments offered and left for the US looking for a better future away from oppressive European institutions.

When the original 13 American colonies won their war of independence against the United Kingdom, they set up a system of government that codified this mistrust of government because the last thing these colonies wanted -particularly their elites- was to substitute one form of oppressive government for another. That healthy mistrust of government is embedded in the American character and has been assimilated by successive waves of immigrants that came to the US after 1776.

On the other hand, the Europeans who remained in Europe have traditionally seen in government the instrument for their material and spiritual salvation. It didn't matter whether it was feudal lords, kings, presidents or prime ministers. They just love other people telling them what to do and how to live their lives in exchange for being babysat. That's why they have faith in government.

This is the reason for the different approach towards who is perceived as the greatest threat for online privacy. The typical European government already knows more about the average citizen than Google ever will from spying on them. What triggers these Europeans is not somebody knowing about their private lives, rather, somebody other than daddy government knowing the same.

Clive Robinson • April 2, 2017 3:46 PM

@ I find the double...,

I repeat: both Facebook and Google have perfected the art of tracking people online with a combination of IP tracking and, especially, cookie tracking.

They are very far from having "perfected the art of tracking people online", there is one heck of a lot worse to come if we allow it.

As I've already pointed out tracking by Host / IP address is nowhere near perfect and is worsening over time.

As for cookie tracking that likewise is getting less reliable.

What ISPs can do, and in the cases of the larger ISPs have done, is add extra tags to a user's datagrams. You have absolutely no control over this and you can not stop it. I would expect more of this type of tagging in the future.

The only way you currently have to limit it is to use an encrypting or secure tunnel. As your real traffic is encrypted as it goes into the secure tunnel, any tags that are attached to the encrypted packets of the secure tunnel get stripped off at the other end by the decryption process.

Tor or a VPN you have some actual control over should do this. Tor for instance has its multiply layered secure tunnels which should in theory eliminate the tags.

There is however a fly in the ointment. Even if you control the hardware at both ends of a secure tunnel you don't control the next nodes upstream of the hardware. Often this upstream node is controlled by an ISP or it could be under the influence of financial or IC interests. If they have reason to believe the hardware is running the end of a secure tunnel they may be able to use simple timing on the inbound and outbound packets to read the tag of the end of the inbound secure tunnel packet, and thus use it to tag the outbound packet. This is especially true for low latency secure tunnels. Such an attack would work against all secure tunnels where a correlation by length or time could be achieved.

There are various ways around this such as the encryption process of the secure tunnel deliberately fracturing the unencrypted packets down into different sized blocks prior to encryption that get reassembled at decryption. If used with fixed rate or packet insertion this will help stop timing and size correlation of inbound to outbound packets. I'm unaware of any secure tunnel systems that do this sort of correlation prevention.

One reason for this is if inbound secure tunnel packets come from one source only, time and size correlation are not necessary for an attacker. Currently most secure tunnels are --assumed to be-- from fixed point to fixed point, thus anti-correlation measures would appear to be superfluous.

This notion of providing a solution designed for a minimal security requirement is in the long term problematical, however short term it allows product to be brought to market.

For instance the use of Tor within a "sphere of influence" such as totally within Australia, Canada, New Zealand, the UK, the US or some combination of them would be susceptible to such an attack.

Thus out of "sphere of influence" jurisdictions should be used as the distant end point of a secure tunnel. Further the use of a jurisdiction that is antagonistic to the jurisdiction you are in or has sufficient privacy legislation is recommended.

But there is an assumption there that could prove disastrous against an IC that is known to use zero days and other methods to take control of routers not in their jurisdictions.

Further there is also a probability that a sufficiently large global corp could control infrastructure in other jurisdictions as we see with third world etc jurisdictions. Or the likes of Alphabet etc could form commercial relationships with infrastructure controllers.

This sort of tagging attack has been well within our technical capabilities for a number of years now, so it is possible it is already in use. Unfortunately if it is not yet being used it is this sort of future we should be looking at either to prevent it or mitigate it.

As Shakespeare said in Henry V, "The game is afoot"...

ab praeceptis • April 2, 2017 3:58 PM

Clive Robinson

JavaScript should likewise be culled for both the sanitary and sanity of the internet and its users.

Won't happen anytime soon. javascript is the foundation for the holy web 2.0 cow that is milked for many, many billions each and every year.

Not that I wouldn't largely agree with you but: Since when do profit interests listen to the voice of reason? Unless *they* are about to be culled, that is.

There is a very clear pattern, namely that it was *always* profit greed that won while "security" was "solved" by some brochure bla bla with funny images.
Hell, they did even avoid minimal precautions like using a strictly typed language; nope that would have frightened and kept away too many web-"developers" (read: braindead lala coloursplash zombies for whom Visual Basic was too hard a challenge in high school).

I'm waiting for symerski to sell "secure sandbox protection". With fully automatic (and uncontrolled) updates, of course.

After all, the business model to first crap in everybody's living room and to then sell cleaning services has shown to be perversely successful.

I find the double standard infuriating • April 2, 2017 4:12 PM

@Clive Robinson

I have to say this: I find your Orwellian contortions and semantics avoiding criticizing Google or Facebook or what they already do bizarre.

Here is the reality: Google and Facebook make, combined, more than 100 billion dollars a year almost exclusively out of spying on people. I don't know how much money AT&T and Verizon make out of selling people's internet habits, but I bet it is not even 10% of that. And yet, you and Bruce want us to believe that the ISPs are satanic whereas Google and Facebook are angels who have nothing but their users' well-being in mind.

I haven't read a clear articulation as to why I should fear Verizon more than Google and this set of posts doesn't clarify anything. No ISP can do anything against a VPN that leverages OpenVPN (as most do). The discussion about datagrams is a red herring to avoid talking about Google and Facebook spying.

Martin • April 2, 2017 4:44 PM

@ I find the double standard infuriating

"What triggers these Europeans is not somebody knowing about their private lives, rather, somebody other than daddy government knowing the same."

Yes, just get it off your chest!

Tell it in your own words.

Clive Robinson • April 2, 2017 6:25 PM

@ I find the double...

And yet, you and Bruce want us to believe that the ISPs are satanic whereas Google and Facebook are angels who have nothing but their users' well-being in mind

I've said nothing of the sort and you well know it.

The fact I chose not to be dragged into endorsing your pet peeve appears to be causing you issues. I am well aware of the failings of many entities, and have discussed them in threads where they are within the context of the thread.

This thread is about the effects of the recent actions of the US congress with regards ISPs and what effects that may lead to.

Whilst both Alphabet and Facebook have talked about developing connectivity solutions it has been --as far as my memory serves-- about non US jurisdictions. Thus within the confines of what the US congress has done it is not relevant.

But if you read back to my previous post I did indicate that large corporations could well develop future relationships with various service providers. So you might want to think further on that and how it might relate to your pet peeve.

As for,

The discussion about datagrams is a red herring to avoid talking about Google and Facebook spying.

The point about ISPs "tagging datagrams" is a very real issue as has been noted in the past in this blog and elsewhere. It's something that all ISPs can do with relative ease, but neither Google nor Facebook can do unless they become an ISP, thus they are not relevant to the discussion on this thread.

So please just go scratch your itch in a more relevant place...

I find the double standard infuriating • April 2, 2017 6:49 PM

@Clive Robinson

Well, I think we will have to agree to disagree. The outrage at the passage of S.J.Res.34 is misplaced.

For starters, all the passage does is to preserve the status quo because the new rules had not taken effect yet.

Second these rules had only one objective in mind: to preserve Google's and Facebook's ability to spy on us all while making it difficult for ISPs to do the same.

If you add the revolving door between Google and the Obama White House to the analysis, it is not very difficult to see in said rules a last favor of the Obama administration to his Google and Facebook friends. And if you think that I am exaggerating with the "friends" statement, just read this, courtesy of Mr Assange,

- https://wikileaks.org/podesta-emails/emailid/19070#efmACIAD6 Sheryl Sandberg, Facebook COO says to John Podesta, Hillary Clinton's campaign chief : And I still want HRC to win badly. I am still here to help as I can.

- Here is Google/Alphabet's chairman Eric Schmidt offering Hillary Clinton help in planning her campaign https://wikileaks.org/podesta-emails/emailid/37262 .

My apologies if I don't see any sort of "altruist motives" in the Obama administration's attempt at ensuring that both Google and Facebook be given a free pass when it comes to spying on people.

In the era of Fake News, this is as close to "Fake Outrage" as you can get from both Bruce and the EFF.

Anselm • April 3, 2017 1:48 AM

The main difference between the likes of Google and Facebook on the one hand and the ISPs on the other is that the former only get to see the traffic that you send to them. It is very easy to avoid being spied upon by Google and Facebook; all you need to do is not use their services. Avoiding being spied upon by your ISP is a lot more hassle.

Clive Robinson • April 3, 2017 4:09 AM

@ Anselm,

It is very easy to avoid being spied upon by Google and Facebook; all you need to do is not use their services.

Oh that it were that easy, if you visit a web page that has various buttons installed in the "easy way" then they get you...

As for "Avoiding being spied upon by your ISP is a lot more hassle." for most people it will be beyond their abilities currently, and with the likes of "tagging" it will get to the point where you really have to know what you are doing, which is probably less than 1 in several tens of thousands of Internet connected people.

Clive Robinson • April 3, 2017 5:28 AM

ISP Tagging of Users' datagrams

Whilst people say that the FCC rules were not implemented, thus implying there is no change, that is not the case.

The FTC had previously placed rules on ISPs etc, which were still in effect. The reason the FCC brought in their own rules was that the FTC rules were challenged and in the process the FCC gave ISPs "common carrier status" which negates the FTC rules. All of which means that "there were rules" and now "there will be no rules" in this area.

Which brings us around to what caused concern with ISPs in the past. Part of it was three to four years ago with ISPs modifying and tagging people's data [see first part of 1] without their permission and beyond their control as it happened at the node upstream of them the ISP controlled. This abuse included adding fields to HTTP traffic and flipping protocol flags such as STARTTLS to turn off encryption, so they could read your email headers and content etc.

Because this "tagging" was above the TCP level in the network protocol stack a sort of workaround at the time was to use an encrypted secure tunnel as used by VPNs, Tor and other anonymity systems.

However this would not stop the VPN provider or service provider of an upstream node of them tagging the data again once decrypted. Even though such re-tagging would not directly provide such fine grained information a tag that gave the VPN identifier and packet network time would be sufficient to rebuild the data.

It's also possible to tag data at and below the TCP layer and a secure tunnel obviously can not stop this, thus it can give rise to tracking issues.

To see why let's assume that you and your VPN provider use the same service provider or group of suppliers that have an agreement hidden from their customers. Because they control the upstream node to you and the upstream node to the VPN, they can tag your encrypted packet of the secure tunnel the VPN uses at your upstream node. They will also see this tag on the inbound traffic at the upstream node of the VPN provider's systems. If the VPN provider tunes for low latency and maximal throughput the odds are good that the unencrypted packets outbound from your VPN provider's systems can be cross correlated with the tagged encrypted secure tunnel packets that were inbound, thus the outbound packets can be retagged.

This is of particular concern with the likes of Onion routing running in a "sphere of influence" be it commercial or IC. It's become apparent that various national SigInt agencies either "have relationships" with ISPs or have backdoors into ISP systems and routers. Because this would enable them to pass the tag around each onion router without the router even being aware the tag exists. Thus they could tag from end to end irrespective of the link based secure tunnels between the Onion routers.

With the current way IP works this problem is NOT going to go away, thus you need to use other techniques to render it of no use.

[1] http://www.makeuseof.com/tag/two-ways-your-isp-is-spying-on-you-and-how-to-be-safe/
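As an added illustration of the inbound/outbound correlation described in Clive Robinson's two comments above (the earlier one on timing and size correlation, and this one on re-tagging at the VPN provider's upstream node), the following model is new here and is not code from the post or from any real tunnel product. It compares a plain low-latency tunnel with a constructed cover-traffic tunnel (fixed-size cells at a fixed rate, dummy cells when idle); the overhead, cell size, slot period, latency and observer window are all assumed values, and the traffic is constructed.

```python
"""Model of the inbound/outbound correlation ("re-tagging") on a low-latency
tunnel and of a cover-traffic countermeasure. All traffic is constructed."""
import random

TUNNEL_OVERHEAD = 40   # assumption: bytes the tunnel adds to each encrypted packet
CELL = 1500            # assumption: fixed cell size of the mitigated tunnel
SLOT = 0.010           # assumption: one cell per client per SLOT seconds
VPN_LATENCY = 0.001    # assumption: decrypt-and-forward delay at the VPN end


def client_traffic(n_per_client, seed=7):
    """Constructed plaintext packets (time, size, client) for clients A and B
    that share one VPN provider."""
    rng = random.Random(seed)
    pkts = []
    for client, start in (("A", 0.0), ("B", 0.004)):
        t = start
        for _ in range(n_per_client):
            t += rng.uniform(0.005, 0.050)
            pkts.append((t, rng.choice([64, 120, 300, 576, 1024, 1400]), client))
    return sorted(pkts)


def tunnel_plain(pkts):
    """Ordinary tunnel: one encrypted packet per plaintext packet, sent at once.
    Inbound records are (time, wire size, tag, payload); 'tag' is what the node
    upstream of the client attached, payload is what the VPN will decrypt."""
    return [(t, size + TUNNEL_OVERHEAD, client, (size, client))
            for t, size, client in pkts]


def tunnel_cover(pkts):
    """Mitigated tunnel: each client emits one CELL-sized cell every SLOT,
    carrying the oldest queued packet or a dummy (payload None). On the wire
    the two are indistinguishable, so the tag is attached to every cell."""
    queues = {c: [p for p in pkts if p[2] == c] for c in ("A", "B")}
    horizon = pkts[-1][0] + SLOT
    cells, t = [], 0.0
    while t <= horizon or any(queues.values()):
        for client, queue in queues.items():
            payload = None
            if queue and queue[0][0] <= t:
                _, size, _ = queue.pop(0)
                payload = (size, client)
            cells.append((t, CELL, client, payload))
        t += SLOT
    return cells


def vpn_forward(inbound):
    """Low-latency, max-throughput VPN end: decrypt, drop dummies, forward at
    once. The true client is kept only so the observer can be scored."""
    return [(t + VPN_LATENCY, payload[0], payload[1])
            for t, _, _, payload in inbound if payload is not None]


def observer_link(inbound, outbound, window=0.015):
    """A node that sees both the tagged inbound and the plaintext outbound of
    the VPN. For each outbound packet it keeps inbound packets that arrived
    within `window` before it and, when sizes are informative, whose wire size
    matches; it re-tags the packet only if exactly one tag remains.
    Returns the fraction of outbound packets correctly re-tagged."""
    correct = 0
    for t_out, size_out, true_client in outbound:
        timed = [(s, tag) for t_in, s, tag, _ in inbound
                 if t_out - window <= t_in <= t_out]
        sized = [tag for s, tag in timed if s == size_out + TUNNEL_OVERHEAD]
        tags = set(sized) if sized else {tag for _, tag in timed}
        if tags == {true_client}:
            correct += 1
    return correct / len(outbound)


def compare(n_per_client=200):
    """Linkability of the plain and the cover-traffic tunnel on the same input."""
    pkts = client_traffic(n_per_client)
    plain = tunnel_plain(pkts)
    cover = tunnel_cover(pkts)
    return (observer_link(plain, vpn_forward(plain)),
            observer_link(cover, vpn_forward(cover)))


if __name__ == "__main__":
    plain_rate, cover_rate = compare()
    print(f"plain tunnel: {plain_rate:.0%} of outbound packets re-tagged")
    print(f"cover tunnel: {cover_rate:.0%} of outbound packets re-tagged")
```

The plain tunnel lets most outbound packets be re-tagged from size and timing alone, while with both clients emitting indistinguishable cells every slot the observer always has two candidate tags and can re-tag nothing; the cost is the constant cover bandwidth, which is why, as the comment notes, products tuned for throughput do not do this.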

Slime Mold with Mustard • April 3, 2017 7:22 AM

'Comcast has said they will not...' That applies until one mid-sized or large ISP does start selling their customers, at which point the board will bludgeon the chairman half or more to death for leaving revenue on the floor. Very poor corporate form.

To elaborate:
An American corn farmer might own 2000 acres, lease an additional 2000 acres and net $150k per year. A corporation would mortgage the owned land to either purchase more land or purchase more equipment and lease more. The idea of leaving capital (the land) idle is contrary to principle. That is why 2007 - 2008 found so much of Wall Street so leveraged. The corporate farm would work - until a severe drought or a nationwide bumper crop crashed prices.

@ I find the double standard...

Google and Facebook have been pilloried by Bruce, @Clive Robinson, me, and pretty much all the regulars. People aren't responding because the ground is so well trampled it is a rift valley.

Please understand: I have been here a dozen years, and @Clive, @Dirk, @Nick P, @Wael and others were here when I got here.

TM • April 3, 2017 7:34 AM

"It's too late to do anything about this bill but we need to be alert to future bills that reduce our privacy and security"

Rather lame for a call to the barricades. This is no time for resignation. The resistance against Trump's corporate fascism is growing. Surely there is something you can do if you care about internet freedom.

Dirk Praet • April 3, 2017 8:58 AM

@ I find the double standard infuriating

What triggers these Europeans is not somebody knowing about their private lives, rather, somebody other than daddy government knowing the same.

It would appear that you have a rather limited understanding of how society in Europe works. We have come to distrust both governments and corporations. And that's why privacy over here is a human right enshrined in comprehensive legislation and regulation limiting both corporate and governmental overreach, whereas in the US it's more of a legislative patchwork around a concept that doesn't even feature as such in your Constitution and has been declared dead by corporate execs and corporate controlled politicians alike.

And yet, you and Bruce want us to believe that the ISPs are satanic whereas Google and Facebook are angels who have nothing but their users' well-being in mind

Allow me to chime in with @Slime Mold with Mustard in saying that you are really barking up the wrong tree.

Just a Product • April 3, 2017 9:23 AM

@Anselm @Clive Robinson

It may not be as easy as "Just don't use Google and Facebook", but it's still completely possible and relatively easy, and free, to avoid them tracking you.

By just not using them, you deny them any extra information from a user profile. They could still track general stuff, but they will not have all the extra information that using them creates in a profile. With your ISP this isn't even possible.

Beyond that, it's completely possible to block all traffic to those sites. Perhaps a game of cat and mouse as they change names, but still very possible and free. Things will break on other sites that leverage services from them. Comment section logins, external site logins, like and share buttons, sometimes javascript. But, all of those things are really subtle versions of "using them" beyond just "using the main site".

That's what makes the ISP different. It's completely possible to "not use" Google or Facebook, even if "completely" takes a little more effort than just not creating profiles with them. They do not have a monopoly on anything. Even Google search is not a monopoly, you can use other search engines. They may not work the same, but they are available. And, this "not using" doesn't cost anything.

With your ISP, you cannot have no profile, they have to bill you after all. Any work around requires you buy a product from someone else to hide you from the product you already bought. Likely with little to no options to buy ISP service from someone else. Even 2 choices are not a choice if they both do it.

It's not that one group tracking you is better than another group. That distinction has no impact on this conversation. It's that your ISP tracking you is something you have no ability to avoid. The loss of that ability makes you no longer the customer, you're just the product now. The Netzero example was spot on. There was no question there, you were the product not the customer and got free access in exchange for being that product. With the current ISP, this allows them to change you into the product while still pretending you're the customer and charging you for that right. If they want to change what they're providing, and provide a free access option where the tracking is done, they should go for it. They might even get lots of people to sign up, people are cheap after all. But, that's not what the local utility commissions gave them exclusive access to provide.

I find the double standard infuriating • April 3, 2017 10:00 AM

To all,

Pardon me if I am not impressed by the minutiae. Take for example

"let's assume that you and your VPN provider use the same service provider or group of suppliers that have a hidden from their customers agreement"

Sure, and let's assume you are God and can read minds, then there is no hiding away from tracking, not even TOR. Is this supposed to be a serious argument, really?

The basic principle in computer security is that you defend against your adversary's assumed capabilities. When it comes to omnipresence in websites, nobody is as omnipresent in the web as Google and Facebook (in this order).

I get that Google has done a fantastic job brainwashing the computer intelligentsia (people like Bruce) to have said intelligentsia push Google's talking points. I truly do get it. It's like when Hal Varian was making the rounds that we should trust Google with our data because otherwise Google's services wouldn't be as good or when Vint Cerf was going around promoting net neutrality. Nobody in this community seriously challenged that both Varian and Cerf's talking points were mysteriously aligned with Google's bottom line.

I am sorry, but I am not buying any of this. Google is a phenomenal business story from any metric imaginable: market share, market value, revenue, profit, etc. But this notion that they are not motivated in everything they do by their own interests requires suspending one's critical thinking.

For some reason, when the NSA pushes for certain standards and crypto primitives, nobody has a problem second guessing them that there is probably some nefarious intent behind their proposals. Everybody understands that the NSA mission is to spy on people and that all of their proposals are subordinated to that mission.

And yet, people here and other forums have a very hard problem understanding that every proposal Google makes is subordinated to their mission of making profit out of tracking people's online activity.

It's a sad thing to see so many otherwise smart people suspend their critical thinking when the name "Google" is thrown around.

Dirk Praet • April 3, 2017 10:46 AM

@ Clive

I suppose in the first part of your post you were referring to the AT&T X-ACR and Verizon X-UIDH super cookies?

It's also possible to tag data at and below the TCP layer and a secure tunnel obviously can not stop this, thus it can give rise to tracking issues.

Yes it is, but that would mean a full MITM of all TCP traffic, which might be - at least IMO - rather cumbersome and quite expensive. It would also be detectable by anyone with some basic Wireshark knowledge. Last but not least, it's one thing to passively sweep up a user's data, it's another to actively interfere with or subvert his communications, and which - again IMO - would constitute "unjust or unreasonable business practices".

If we consider TCP packets as the envelope our data payload is encapsulated in, they are ultimately the same thing as the envelope that holds our paper letter. No postal office would have the right to open that envelope to put an ad or tracking device in it, unless directed to do so by some LEA with the proper authority. At least in the EU, such practices would never fly. US mileage, as usual, may vary significantly.

@ I find the double standard infuriating

It's a sad thing to see so many otherwise smart people suspend their critical thinking when the name "Google" is thrown around.

Please cut it out. Your soapboxing is irritating, especially because you'll hardly find any Google fan here. May I suggest taking it here instead? This guy is a great Google fan.
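The X-UIDH / X-ACR "super cookies" mentioned above are headers a carrier adds to a subscriber's plain-HTTP requests in transit, and the simplest way to confirm you are affected is to compare what your client sent against what a server you control actually received. The following is an added example, not code from the thread or from any carrier or vendor: it diffs the two header sets, separates ordinary proxy bookkeeping (`Via`) from unexplained additions, and flags injected values that stay constant across requests, which is the property that makes them trackable. All endpoint names, header values and sample requests are constructed.

```python
"""Detect identifiers injected into plain-HTTP requests by an upstream carrier.

Method (added example, not from the thread): the client records exactly which
headers it sent to an echo endpoint it controls; the endpoint reports which
headers actually arrived. Anything present on arrival but absent from the
client's record was added in transit, the way the X-UIDH and X-ACR super
cookies were. An identifier that keeps the same value across repeated requests
is the super cookie signature; a value that changes each time is more likely a
per-request id. All sample data below is constructed.
"""
from dataclasses import dataclass, field

# Header names the thread cites as carrier-injected identifiers (lower-cased).
KNOWN_TRACKING_HEADERS = {"x-uidh", "x-acr"}

# Headers an ordinary transparent proxy may add; reported separately as noise.
BENIGN_PROXY_HEADERS = {"via", "forwarded", "x-forwarded-for", "x-forwarded-proto"}


@dataclass
class Report:
    injected: dict = field(default_factory=dict)   # name -> value added in transit
    benign: dict = field(default_factory=dict)     # proxy bookkeeping, not tracking
    modified: dict = field(default_factory=dict)   # name -> (sent, received)
    removed: list = field(default_factory=list)    # names stripped in transit
    known_trackers: list = field(default_factory=list)

    @property
    def tampered(self) -> bool:
        """True if anything beyond benign proxy bookkeeping changed in transit."""
        return bool(self.injected or self.modified or self.removed)


def parse_headers(raw: str) -> dict:
    """Parse the header block of an HTTP/1.1 request as the echo endpoint saw it.

    Returns {lower-cased name: value}. Repeated names are joined with ", ",
    which is how RFC 7230 allows list-valued fields to be combined.
    """
    headers: dict = {}
    for line in raw.replace("\r\n", "\n").split("\n")[1:]:  # skip request line
        if not line.strip():
            break                                           # end of header block
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed header line: {line!r}")
        name, value = name.strip().lower(), value.strip()
        headers[name] = f"{headers[name]}, {value}" if name in headers else value
    return headers


def compare(sent: dict, received_raw: str) -> Report:
    """Diff the headers the client sent against those the endpoint received."""
    sent_lc = {k.lower(): v for k, v in sent.items()}
    received = parse_headers(received_raw)
    report = Report()
    for name, value in received.items():
        if name not in sent_lc:
            target = report.benign if name in BENIGN_PROXY_HEADERS else report.injected
            target[name] = value
        elif sent_lc[name] != value:
            report.modified[name] = (sent_lc[name], value)
    report.removed = sorted(n for n in sent_lc if n not in received)
    report.known_trackers = sorted(n for n in report.injected if n in KNOWN_TRACKING_HEADERS)
    return report


def persistent_identifiers(reports: list) -> list:
    """Injected headers whose value is identical in every sample.

    A stable value across requests is what turns an injected header into a
    super cookie: every site that sees it can correlate the same subscriber.
    """
    if not reports:
        return []
    common = set.intersection(*(set(r.injected) for r in reports))
    return sorted(n for n in common if len({r.injected[n] for r in reports}) == 1)


# Constructed sample: headers the client sent to its own echo endpoint ...
CLIENT_HEADERS = {
    "Host": "echo.example.invalid",
    "User-Agent": "injection-check/1.0",
    "Accept": "*/*",
    "Cookie": "session=abc123",
}

# ... and what the endpoint actually received, for two requests a minute apart.
RECEIVED_SAMPLES = [
    "GET /echo HTTP/1.1\r\n"
    "Host: echo.example.invalid\r\n"
    "User-Agent: injection-check/1.0\r\n"
    "Accept: */*\r\n"
    "Cookie: session=abc123\r\n"
    "Via: 1.1 carrier-proxy\r\n"
    "X-UIDH: CONSTRUCTED-SUBSCRIBER-ID-0001\r\n"
    "X-Request-Id: 7f3a\r\n"
    "\r\n",
    "GET /echo HTTP/1.1\r\n"
    "Host: echo.example.invalid\r\n"
    "User-Agent: injection-check/1.0\r\n"
    "Accept: */*\r\n"
    "Cookie: session=abc123\r\n"
    "Via: 1.1 carrier-proxy\r\n"
    "X-UIDH: CONSTRUCTED-SUBSCRIBER-ID-0001\r\n"
    "X-Request-Id: 9c21\r\n"
    "\r\n",
]

if __name__ == "__main__":
    reports = [compare(CLIENT_HEADERS, s) for s in RECEIVED_SAMPLES]
    for i, r in enumerate(reports, 1):
        print(f"sample {i}: injected={r.injected} modified={r.modified} removed={r.removed}")
    print("super cookie candidates:", persistent_identifiers(reports))
```

The check only works over plain HTTP, since a TLS tunnel keeps the carrier out of the header block; that is also why the thread's point about tagging below the TCP layer needs a different kind of check.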

I find the double standard infuriating • April 3, 2017 10:56 AM

@Dirk Praet,

"Your soapboxing is irritating, especially because you'll hardly find any Google fan here".

Sure, like that thing about "let's assume that you and your VPN provider use the same service provider or group of suppliers that have a hidden from their customers agreement".

Dude, recap. This whole thread was started with a fake outrage about what ISPs "might do" now that the status quo has been preserved, but it gives a total free pass to those who are currently preying on our digital lives. Bruce is a regular speaker at Google and makes sure to show them his love at every occasion. I showed an example of one of his talks above. You can find more of them on YouTube.

I think that you guys are Manchurian Google fans, the worst kind of Google fan there is.

VPNs • April 3, 2017 11:36 AM

VPN everywhere. Torrent Freak publishes a yearly "top privacy VPNs" that's really good at finding the ones that don't log and don't keep identifying data, and there's new ones cropping up every year with better and better services. I use Private Internet Access on my home rig and phone and have been happy with it for a few years, but there are others that are just as good.

Of course, there are some services that are hostile to VPN traffic. Netflix won't let you watch content if it looks like you're coming from a country outside the US. Pandora won't stream unless you're in (or look like you're in) the US. At my workplace, our edge gear drops certain traffic if it sees that it's encrypted (though I get around that with a different VPN setup using the same provider). Point being that maybe in the near future ISPs will start dropping or be otherwise hostile to encrypted traffic, as well. In which case people like Bruce should start working on the next weapon in that arms race.

And, look on the bright side. Government or industry being hostile to privacy/freedom tends to foster innovation in better privacy tools and techniques. So there's that.

Whats_Eff • April 3, 2017 12:42 PM

@I find the double standard infuriating
"In fact, here is Bruce enjoying his celebrity status with the Google crowd,
https://www.youtube.com/watch?v=GhWJTWUvc7E"

Yawn

Since you appear to be a video fan, last night's 60 Minutes had a video of a white cop who shot and killed an unarmed black man in Tulsa (OK; USA), on film, and is accused of manslaughter. Presumably against her lawyers' advice she has talked to the media pre-trial, and feels like she is being pursued by a lynch mob. Her trial may start in May.

I find the double standard infuriating • April 3, 2017 1:32 PM

@Whats_Eff

I don't get what you are trying to say here. The reality is that there is plenty of evidence in the public domain of Bruce being intellectually (and spiritually) servant to Google. The video I pointed out above being just one of the many instances in which he has done so.

Me pointing this out is only to cause this crowd of Manchurian Google fans to think as to whether their outrage is actually "fake outrage".

Google's entire business is built on the most sophisticated online spying techniques available in the universe. It's not easy to replicate what they have accomplished. Microsoft has spent billions of dollars trying to catch up to no avail.

This notion that preserving the status quo will endanger our online privacy is baloney. It is already endangered and letting ISPs get a little bit of the pie is not going to change much.

In fact, as counter intuitive as it might be, I see a silver lining here. Faced by competition in the advertising world, perhaps Google will have to attract customers in a different way like offering end to end encryption to paying customers.

I find the double standard infuriating • April 3, 2017 1:58 PM

@Bruce,

Will you be similarly "outraged" now that we know who is responsible for unmasking Trump (and his associates) names collected by the NSA while it was doing other things?

https://www.bloomberg.com/view/articles/2017-04-03/top-obama-adviser-sought-names-of-trump-associates-in-intel

"White House lawyers last month learned that the former national security adviser Susan Rice requested the identities of U.S. persons in raw intelligence reports on dozens of occasions that connect to the Donald Trump transition and campaign, according to U.S. officials familiar with the matter."

Or will your "allegiance" to Obama - http://docquery.fec.gov/cgi-bin/fecimg/?11972680681 - cloud your judgement the same way Google is clouding your judgement when it comes to the FCC rules?

Come clean!!!

Adam • April 3, 2017 3:37 PM

My main concern is how long until VPN and other encryption services are illegal.

I've been surfing the web via VPN for almost a decade now, not with the intent to hide as that IMO is futile but to deprive my ISP of anything other than the dumb pipe they should be.

I find the double standard infuriating • April 3, 2017 3:53 PM

@Adam,

The beauty of software is that VPN or VPN-like solutions are near to impossible to make illegal. There is a lot of futility in those efforts. To be fair, both Democrats and Republicans are guilty of a "national security paranoia trumps everything else" mindset.

Banning software-enabled encryption is akin to trying to ban guns. Both efforts only ensure that only the bad guys have access to the banned stuff (encryption or guns).

I hope that both government and corporate interests understand that the smart thing at this juncture is not to fight people's interest in protecting their privacy but to embrace those efforts.

Take Google and Facebook for example. It is well known that they make a particular amount of revenue per user http://www.digitalstrategyconsulting.com/intelligence/2014/06/ad_revenue_per_user_google_facebook_twitter.php . If both were to come with a revenue model that says, for those privacy minded people we will let you pay us that amount -plus a premium- to ensure that certain services -say email or messaging- are encrypted and impossible for anybody to access the content except for the intended users. Some people would continue to be gladly spied upon in exchange for the free stuff, but I am sure there would be a market for premium users that would become profitable quickly.

Who would object to that? People paying the premium would have to provide credit card information, so it would be possible to track things like metadata (who messages to whom), but the content would still be protected.

Still, the groupthink mindset that pervades Google, Facebook and government Manchurian advocates makes the above next to impossible.

Freezing • April 3, 2017 5:10 PM

The cause is definitely lost. It's a jungle out there. End of story. Same as it ever was. Ruled ostensibly by a 70 year old horny hound dog with a billion dollars and jewel encrusted penthouse doors shown off on reality T.V

Interestingly, he's been complaining about surveillance himself. Now that he feels the heat maybe he could become an ally to the cause. [wink]

Nah. Not gonna happen.

John Galt • April 3, 2017 10:49 PM


[[[ Here is the reality: Google and Facebook make, combined, more than 100 billion dollars a year almost exclusively out of spying people. ]]]

Simple fact: Cloud Computing is for Airheads. Even Google knows it.

VERY FEW in the private sector are really buying into it. The only people who ARE buying are those who are psychopathic peeping toms.

Spies are the lowest form of life on the planet.

That's why, during war, when you are a spy, you can be executed on the spot. Geneva Convention doesn't protect spies.

So... Google and their ilk are, like a wartime spy, the lowest form of life on the planet.

I've used computers my whole life to solve REAL business and engineering problems -- the problems that computers were really designed for.

Google and ilk can't even do a good name and address program. Cloud Computing is for Spies.

I find the double standard infuriating • April 3, 2017 11:58 PM

Spies are the lowest form of life on the planet

I generally agree with this sentiment. In high tech in particular, the aforementioned spies have had a devastating effect.

20 years ago, being a high tech company (think Cisco, Oracle, even Microsoft) meant that you used your employees' talent to build products that customers were willing to pay a premium for. The product these companies sold was technology and the profit was essentially a measure of the value added by the organization: the difference between how much it cost a company to build the product and how much customers were willing to pay for the product.

Today's high tech companies, at least the companies the media and people like Bruce idolize, do not make money out of building products that are marketed to customers at a profit, but rather, they make money out of spying on people. Their product is these users' digital lives in the form of a Stasi-like dossier that is sold to the highest bidder. East Germans were allowed to see their Stasi dossiers after the fall of the Berlin Wall. I hope that when these companies go bankrupt, they give the same rights to anybody who has ever used their services.

When it comes to Bruce's fake outrage, the current FCC president Ajit Pai put it best,

"President Trump and Congress have appropriately invalidated one part of the Obama-era plan for regulating the Internet. Those flawed privacy rules, which never went into effect, were designed to benefit one group of favored companies, not online consumers. American consumers' privacy deserves to be protected regardless of who handles their personal information"

As far as I am concerned, the real outrage is the brainwashing we have been subjected to by Bruce and the like that Google is good but Comcast is evil.

Dirk Praet • April 4, 2017 3:04 AM

@ double standard thingie

Google is good but Comcast is evil.

Only in some weird parallel universe is it a victory for the 4th Amendment rights of the American people that their corporate-owned representatives in their infinite greed have decided to put up for grabs their privacy to yet another corporate wolf pack.

Who's paying you to write this nonsense and baseless accusations of our host?

Clive Robinson • April 4, 2017 4:59 AM

@ Adam,

Sorry, your thought,

My main concern is how long until VPN and other encryption services are illegal.

is getting lost in the interference...

I do not think they will become illegal or treated as "weapons of war" again for a whole heap of reasons. Not least of which is they are far too useful to LEAs as an excuse to the politicians for not acting but getting more appropriations money, as the IC has repeatedly demonstrated.

No there is another trick in the legal minefield that is "going equipped". It's an old not much used law --which should ring alarm bells-- much like the one used on Apple.

Put simply "going equipped" goes back to the days of "grabbing ruffians" and turning them into criminals, and is based on the opinion of a police officer not fact or even evidence of a crime. Essentially you are charged if an officer finds you carrying something that he considers "you might be" going to use to "commit a crime". You get taken to the lockup and a magistrate decides the following day if the arresting officer had good suspicion. If the magistrate does you get anything up to a further six months in lockup or you get sent for criminal trial which could mean a lot lot longer in a distant prison, such as Australia.

Criminals quickly adapted to turn "innocent every day items" such as newspapers into weapons (roll it up very tight and hold it like a stick an inch or two from one end and use the short end to stab with like a hammer).

Thus you now find people are subject not to the usual standard of "innocent until proven guilty" but "guilty unless they can beat the might of the state" by doing the impossible of proving their innocence. Thus all pretence of "equity at arms" at trial is gone. It's one of many "stripping of rights" tricks the authorities have in their arsenal of weapons of oppression against what "authority" sees as undesirables.

In the UK we had with the introduction of the "Regulation of Investigatory Powers Act" (RIPA) the crime of not handing over encryption keys on demand --by voice or letter no warrant required-- with a "secret" trial that you could get several years in jail for.

Thus ask yourself the question of how you would produce the key of a symmetrically encrypted message where the application you used negotiated it by Diffie-Hellman?

If you try you get into the Catch22 problem, if you succeed at that by showing the application hides it from you, you will then stand accused of deliberately selecting the application because you knew you had something to hide. Which is what the likes of UK Home Office Minister Amber Rudd is starting with WhatsApp. The more noise she and her ilk make in the national press about WhatsApp being a "hiding place from justice" the more difficult it is for you to say you did not use it for exactly that reason...

The smarter level criminal or terrorist who wants to continue their chosen career path will use other methods such as Codes not Ciphers and via channels that are so standard everybody uses them without thought, including all the potential members of a jury at trial.

I know it sounds mad but we are effectively "sleep walking into a situation" where the only way to avoid being made a criminal --when your number comes up-- is to think and behave like a very clever criminal, which by far the majority of people have no clue or desire to do. Which is ideal for the Authorities as it makes their job oh so much simpler...

Who? • April 4, 2017 5:57 AM

@ Anselm

The main difference between the likes of Google and Facebook on the one hand and the ISPs on the other is that the former only get to see the traffic that you send to them. It is very easy to avoid being spied upon by Google and Facebook; all you need to do is not use their services. Avoiding being spied upon by your ISP is a lot more hassle.

What about visiting sites that use Google Analytics?

What about replying to someone that writes you from a @google.com email account?

What about visiting web pages that use these evil corporations to insert announcements? Are you sure they are not tracking you?

What about being phoned from a device that runs Android or iOS?

What about information about you provided for free to these corporations by "loyal customers" (a.k.a. your friends, if you have any)?

Right now I would not say avoiding espionage by these giant corporations is not easier than avoiding espionage by ISPs.

Are you sure accepting a service agreement from these big corporations is required to allow them build a profile of your activities?

In some way I prefer the NSA to Google or Facebook. At least the profiles they make from your activities are available to a small set of authorized government employees only. Google violates the privacy of billions of citizens and sells that data to anyone willing to pay (sometimes they even give it for free, let us say from Google's search engine).

Who? • April 4, 2017 6:00 AM

Right now I would not say avoiding espionage by these giant corporations is not easier than avoiding espionage by ISPs.

Obviously it should read: Right now I would not say avoiding espionage by these giant corporations is easier than avoiding espionage by ISPs.

Who? • April 4, 2017 6:13 AM

@ I find the double standard infuriating

Today's high tech companies, at least the companies the media and people like Bruce idolize, do not make money out of building products that are marketed to customers at a profit, but rather, they make money out of spying on people. Their product is these users digital lives in the form of a Stasi-like dossier that is sold to the highest bidder. East Germans were allowed to see their Stasi dossiers after the fall of the Berlin Wall. I hope that when these companies go bankrupt, they give the same rights to anybody who has ever used their services.

I only wish these high tech corporations will go bankrupt and the profiles they built about us be destroyed. We need a global communication network, but we need to be the owners of our own information. I cannot understand how the Internet went so wrong so quickly.

Clive Robinson • April 4, 2017 8:05 AM

@ Dirk Praet,

Yes it is, but that would mean a full MITM of all TCP traffic, which might be - at least IMO - rather cumbersome and quite expensive. It would also be detectable by anyone with some basic Wireshark knowledge.

Yes it would mean a MITM but that is what ISPs are anyway at both ends, but not as cumbersome as you might think. As for Wireshark no, it can not see what the ISP adds to your outbound stream on the cloud side of the ISP, nor can it see what the ISP removes from the inbound stream on the cloud side. All Wireshark can see is what the ISP wants it to see, that is the power of controlling the upstream node...

The ISP is "the gateway" between your little network and the Internet, with few --wealthy-- exceptions your little network connects to the Internet through a single point which is the ISP.

This gives the ISP in effect unimaginable power, simply because people do not even realise they should think about it. The reality is from your network they are the equivalent of the entire mess you as a person see only the tip of at the airport when you fly abroad. They can and they have done pretty much whatever they want, and you have no way to stop them, because they can cut you off whenever they feel like it and if you read your service agreement they reserve the right to do whatever they like for "technical" reasons. Further in many places you do not have an option of moving to another service provider... It's not just a monopoly it's a tyranny and this is the first ordinary people are seeing of it.

Along with not thinking about the power an ISP has, people further don't realise just what an ISP knows about what goes on in their private little network if they chose to look.

After all you don't need to be told there is a school down the road when you see all the uniformed kids and "Chelsea Tractors" and other "school run" vehicles turning into the road and coming back again. You can also make a guess at the quality and type of school from the cars, footwear and uniform badges.

It's the same for an ISP even if you try to hide Tor traffic in another common secure tunnel like HTTPS, they will still have a very good idea of what you are doing from the IP address and port numbers on the outer IP packet. There are too few Tor gateway or routing nodes for them not to know, the same with VPNs: the traffic, just like that on the school road, is different enough to notice without actually looking.

Which means they don't have to devote effort to every customer just some. Thus the effort is not really cumbersome "yet".

And trust me, the ISPs, if they see their share of the profit pie diminish more than a fraction, will act; they are legally obliged to if they have shareholders. Thus trying to hide traffic will be in breach of their TOCs and as "computers" are involved in the US at least that's not just a civil court matter but a criminal court matter. The only way around it is if there is sufficiently existing "custom and practice" which there is probably not...

I find the double standard infuriating • April 4, 2017 9:14 AM

@Dirk Praet

"Who's paying you to write this nonsense and baseless accusations of our host?"

WOW! Let's recap:

- I point out the obvious: that when it comes to spying on people online, the most sophisticated machinery is that currently deployed by Google and Facebook. In fact, that Microsoft hasn't been able to catch up with this and it is not for lack of trying.

- I point out that there is plenty of evidence of Bruce behaving as a sellout to Google.

- I point out that Bruce donated money to the Obama presidential campaign.

- I point out that there was a revolving door between the Obama administration and Google as well as a cozy relationship between key executives of Google and Facebook and the Hillary Clinton campaign.

- I point out that the repealed rules would have created a two tier situation: allowing Google and Facebook to continue to do what they are doing all while preemptively denying ISPs the possibility of doing the same -something that they were not doing in the first place https://www.recode.net/2017/3/31/15138154/att-comcast-not-invading-privacy-fcc-vote-protections .

Importantly, I make all the above points based on publicly available information -in the case of Sheryl Sandberg and Eric Schmidt thanks to wikileaks.

And the end result in your mind is that I am a paid troll. Perhaps, only perhaps, you should ask yourself if the only person who has a clear agenda is Bruce when he defends his political and technological allies that have been violating our privacy online for longer than we can remember all while he is unreasonable with what ISPs might do. Think about it!

I find the double standard infuriating • April 4, 2017 9:25 AM

@Who?

Be careful or you risk being labelled a paid troll for pointing out the obvious!

I fundamentally agree with you. As to why the internet went wrong, a while back I read an essay on this very topic https://www.theatlantic.com/technology/archive/2014/08/advertising-is-the-internets-original-sin/376041/ .

It's interesting, but it doesn't fix anything. As I said, the only hope that I see is that with the increased public awareness, corporations like Google, Facebook and Microsoft become more like the ISPs that Bruce is maligning here, offering their customers a paid deal to avoid spying completely and leave under spying only those minions who don't mind having their lives spied upon in exchange for "free stuff". Probably this was not possible when the first web services were born, but currently, all these companies have reached critical mass such that offering paid services in exchange for not spying makes sense from an economic point of view.

Who? • April 4, 2017 9:50 AM

@ I find the double standard infuriating

As I said, the only hope that I see is that with the increased public awareness, corporations like Google, Facebook and Microsoft become more like the ISPs that Bruce is maligning here, offering their customers a paid deal to avoid spying completely and leave under spying only those minions who don't mind to have their lives spied upon in exchange of "free stuff".

Some years ago I suggested to a friend that works at Google that I was wishing to pay to recover my personal data. He said that Google's profit for selling personal information was about $10 USD per user. I said, well I will be glad to pay $30 USD for all my data BEING DESTROYED RIGHT NOW. They can hardly say "no," I am ready to pay three times the amount of money they will earn violating my privacy!

On a different matter, I cannot really share your point of view about our host. I think Bruce cares about privacy, at least it is the way I see it.

I find the double standard infuriating • April 4, 2017 10:06 AM

@Who?

"I cannot really share your point of view about our host. I think Bruce cares about privacy, at least it is the way I see it."

The only person any of us will agree with 100% on everything is the person we see when we look at the mirror in the mornings.

I started as a Bruce fan as well, but quickly realized that his vision of what constitutes online privacy and mine are divergent. The election of Trump accelerated this perception, but in all honesty I had begun to question his motives well before that.

Take for example his coziness with Google. I can understand that he likes that Google has a higher regard for technology at large than other companies and that it has made an effort to hire outstanding technologists. However, it is also not possible to see Google -from an online privacy point of view- as anything other than a predator.

We are left with the question that matters most in computer security: whom you trust. I don't trust Google for the same reason I wouldn't trust any profit making corporation with my privacy. Nobody can serve two masters and neither does Google. When Google has to choose between profits or protecting our online privacy, profits will always come first. Period. This choice manifests itself in numerous ways. The most obvious, and explicit, is the spying and selling of our information to the highest bidder. There are other less subtle ways, such as complying with abusive laws, both in the US and abroad, or the way Google treats those who don't follow the company talking points. Here is a 2005 article on how it tried to shut down adverse reporting by CNET http://money.cnn.com/2005/08/05/technology/google_cnet/ .

For all these reasons, I believe Google is an evil corporation that pretends not to be one. If you know anything about Jewish or Christian theology, you know that the devil is the master of deception. It lies, lies and lies. I see Google as a satanic corporation given its past history and I see it very difficult that it will ever change given all the money it makes out of preying on us.

a hint of the future • April 4, 2017 11:48 AM

Please note that the redactions mentioned below (withdrawing this post) did not survive cut and paste.

https://www.eff.org/deeplinks/2017/03/first-horseman-privacy-apocalypse-has-already-arrived-verizon-announces-plans

MARCH 30, 2017 | BY BILL BUDINGTON AND JEREMY GILLULA
UPDATE: Verizon Software on Android Phones

UPDATE: We have received additional information from Verizon and based on that information we are withdrawing this post while we investigate further. Here is the statement from Kelly Crummey, Director of Corporate Communications of Verizon: "As we said earlier this week, we are testing AppFlash to make app discovery better for consumers. The test is on a single phone – LG K20 V – and you have to opt-in to use the app. Or, you can easily disable the app. Nobody is required to use it. Verizon is committed to your privacy. Visit www.verizon.com/about/privacy to view our Privacy Policy."

UPDATE #2, April 3, 2017: We have published a revised version of this post here.
Within days of Congress repealing online privacy protections, Verizon has announced new plans to install software on customers’ devices to track what apps customers have downloaded. With this spyware, Verizon will be able to sell ads to you across the Internet based on things like which bank you use and whether you’ve downloaded a fertility app.

Verizon’s use of “AppFlash”—an app launcher and web search utility that Verizon will be rolling out to their subscribers’ Android devices “in the coming weeks”—is just the latest display of wireless carriers’ stunning willingness to compromise the security and privacy of their customers by installing spyware on end devices.

The AppFlash Privacy Policy published by Verizon states that the app can be used to

“collect information about your device and your use of the AppFlash services. This information includes your mobile number, device identifiers, device type and operating system, and information about the AppFlash features and services you use and your interactions with them. We also access information about the list of apps you have on your device.”

Troubling as it may be to collect intimate details about what apps you have installed, the policy also illustrates Verizon’s intent to gather location and contact information:

“AppFlash also collects information about your device’s precise location from your device operating system as well as contact information you store on your device.”

And what will Verizon use all of this information for? Why, targeted advertising on third-party websites, of course:

“AppFlash information may be shared within the Verizon family of companies, including companies like AOL who may use it to help provide more relevant advertising within the AppFlash experiences and in other places, including non-Verizon sites, services and devices.”

In other words, our prediction that mobile Internet providers would start installing spyware on their customers’ phones has come true, less than 48 hours after Congress sold out your personal data to companies like Comcast and AT&T. With the announcement of AppFlash, Verizon has made clear that it intends to start monetizing its customers’ private data as soon as possible.

What are the ramifications? For one thing, this is yet another entity that will be collecting sensitive information about your mobile activity on your Android phone. It’s bad enough that Google collects much of this information already and blocks privacy-enhancing tools from being distributed through the Play Store. Adding another company that automatically tracks its customers doesn’t help matters any.

But our bigger concern is the increased attack surface an app like AppFlash creates. You can bet that with Verizon rolling this app out to such a large number of devices, hackers will be probing it for vulnerabilities, to see if they can use it as a backdoor they can break into. We sincerely hope Verizon has invested significant resources in ensuring that AppFlash is secure, because if it’s not, the damage to Americans’ cybersecurity could be disastrous.

Verizon should immediately abandon its plans to monitor its customers’ behaviors, and do what it’s paid to do: deliver quality Internet service without spying on users.

I find the double standard infuriating • April 4, 2017 11:55 AM

@a legal opinion

From the article

"Don’t believe anyone who suggests that the law merely returns us to the state of the world before the FCC finalized its landmark privacy rules in October. The obvious reason Internet service providers burned through time, money, political capital and customer goodwill to push for this law was to ask for a green light to engage in significantly more user surveillance than they had ever before had the audacity to try."

Sure, and yet we are asked to believe that Google and Facebook, the current abusers of our online privacy, are not engaging in a collaborative effort with the US government. Does the word PRISM ring any bells around here?

In one thing I agree with the above fellow, and by extension Bruce: the current debate is about whom people should trust. Bruce is saying that we shouldn't trust ISPs but that we should trust Google, the "don't be evil" company. My point is that we should trust neither ISPs nor Google and that the terms of the current debate are fake terms.

The real question here is that all these privacy advocates are failing to take the only side that matters: the people's side. We are being asked to decide who is more evil, Google or Comcast, when in fact I see both corporations as equally motivated by profit.

The technology exists for massive adoption of countermeasures, such as VPNs and Tor, as well as abandoning gmail for other email providers that do not have something like DoubleClick in their spying arsenal. That's what I would like Bruce to propose: get rid of gmail, period.

I find the double standard infuriating • April 4, 2017 12:01 PM

@a hint of the future

Up until 2010, Google did not scan emails at rest for advertising purposes. Emails were only scanned for said purposes when read at the client. With the massive adoption of smartphones, it realized that it couldn't do this as effectively, from a revenue point of view, for smartphones, so it decided to scan emails when they were received by its servers as opposed to when they were read by clients.

Google has been scanning our most intimate details for 7 years (and counting), including those of people who are not gmail users but who send emails to gmail users (meaning, almost anyone who uses email).

Where was the outrage then and now about this?

I am sorry; this is fake outrage.

Dirk Praet • April 4, 2017 12:24 PM

@ Clive

Wireshark ... can not see what the ISP adds to your outbound stream on the cloud side of the ISP, nor can it see what the ISP removes from the inbound stream on the cloud side.

In the case of the AT&T/Verizon X-headers, it was kinda trivial for a user to hose them with a local proxy or even firewall.

It's an entirely different ballgame when working below the TCP level. Anything the ISP adds to the egress package has to be removed back from the (returning) ingress package, or Wireshark will pick it up. Which in itself is not that hard to accomplish, unless we're talking encrypted sessions. Unless the ISP is somehow able to hijack an SSL/TLS session through a Superfish-like MITM, the options are rather limited there, and it would require a proxy with a valid certificate the user would not be asking questions about.

Tagging (equally) encrypted VPN traffic might identify where someone is going but would still not reveal what he is doing there. Which would make that information pretty much worthless to them, so why would they bother unless working on behalf of LEAs? Same goes for Tor traffic, especially over https or combined with a VPN. In essence, they wouldn't have any relevant information to sell with the exception of metadata for LE use, so they will most probably just focus on new spyware apps at the application layer level. Much simpler, less prone to legal challenges and in all likelihood completely overseen by a majority of non-suspecting punters using carrier-issued mobile devices preferably running some highly insecure and outdated Android OS.

Not to say that all of this is not a valid concern, quite to the contrary, and especially for those who still haven't understood why they should encrypt everything. I'm just not convinced active tampering with user traffic would not get ISPs into legal problems, especially in the EU.

@ Who

I cannot understand how the Internet went so wrong so quickly.

The internet is an American invention predominantly run on and controlled by US technology and entities. However much the Founding Fathers enshrined in the US Constitution a series of safeguards against government overreach, they never foresaw similar dangers from corporations. That is, for example, why the 4th Amendment only applies to unreasonable search and seizure by the government, not by corporations.

The concept of privacy as such also doesn't feature anywhere in the US Constitution. It is just derived from the 4th Amendment, and with similar limitations, resulting in a patchwork that doesn't come anywhere near the EU standard where privacy is a human right. This different attitude originates in Europe's 19th and early 20th century working class struggles against capitalist aberrations and which laid the foundation for current social democracies.

In the US, it was just a matter of time before a number of US technology behemoths and advertising parasites realised that internet PID could be turned into big business and that existing legislation essentially allowed them to do so. And which, unfortunately, was recently again upheld by a fully corporate-controlled Congress.

@ double standard thingie

I point out the obvious

No. What you are doing is setting up a straw man argument to justify yet another private data grab by US corporations, the entire thing not even thinly disguised as an ad hominem attack on our host. Most people on this forum are better informed and definitely less retarded than you seem to think. Now get back to your corporate-issued cointel manual and try again at Breitbart's.
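
The point made above about Wireshark, that a capture taken on your own machine cannot show what an ISP injects into or strips from your traffic on the far side of its network, suggests the standard way to check for it: send a request with a known set of headers to a server you control and compare what that server actually received. The following is an added example, not code from this thread, from the EFF post or from any carrier; the request heads it compares are constructed sample data, and the header name `X-Example-Subscriber-Id` is a placeholder standing in for the kind of per-subscriber tracking header the comments refer to.

```python
"""Detect in-path HTTP header injection by diffing what a client sent
against what an echo server under the client's control received.

Added example for illustration: the request heads below are constructed,
and the echo server is assumed to return the raw request head verbatim.
"""
from typing import Dict, List, Tuple

# Headers that any proxy may legitimately rewrite (RFC 7230 hop-by-hop);
# changes to these are not evidence of tracking.
HOP_BY_HOP = {"connection", "keep-alive", "proxy-connection", "te",
              "trailer", "transfer-encoding", "upgrade"}


def parse_request_head(raw: str) -> Tuple[str, Dict[str, str]]:
    """Parse an HTTP/1.1 request head into (request line, headers).

    Header names are lower-cased so the comparison is case-insensitive;
    repeated headers are joined with ', ' as RFC 7230 allows.
    """
    lines = raw.replace("\r\n", "\n").strip("\n").split("\n")
    request_line = lines[0]
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        if not line.strip():
            break  # blank line ends the head
        name, _, value = line.partition(":")
        name, value = name.strip().lower(), value.strip()
        headers[name] = f"{headers[name]}, {value}" if name in headers else value
    return request_line, headers


def diff_headers(sent: Dict[str, str], received: Dict[str, str]) -> Dict[str, list]:
    """Return injected, removed and altered header names (hop-by-hop excluded)."""
    injected = sorted(n for n in received if n not in sent and n not in HOP_BY_HOP)
    removed = sorted(n for n in sent if n not in received and n not in HOP_BY_HOP)
    altered = sorted((n, sent[n], received[n]) for n in sent
                     if n in received and sent[n] != received[n]
                     and n not in HOP_BY_HOP)
    return {"injected": injected, "removed": removed, "altered": altered}


def tampering_report(sent_raw: str, received_raw: str) -> Dict[str, object]:
    """Compare the head the client sent with the head the echo server saw."""
    _, sent = parse_request_head(sent_raw)
    _, received = parse_request_head(received_raw)
    report: Dict[str, object] = diff_headers(sent, received)
    report["tampered"] = bool(report["injected"] or report["removed"]
                              or report["altered"])
    return report


# Constructed sample: what the client sent ...
SENT_HEAD = (
    "GET /canary HTTP/1.1\r\n"
    "Host: echo.example.test\r\n"
    "User-Agent: canary-check/1.0\r\n"
    "Accept: */*\r\n"
    "DNT: 1\r\n"
    "Connection: keep-alive\r\n\r\n"
)

# ... and what the echo server reports it received: a per-subscriber
# tracking header (placeholder name) and a Via header were added, the
# DNT header was dropped, and Connection was rewritten by the proxy.
RECEIVED_HEAD = (
    "GET /canary HTTP/1.1\r\n"
    "Host: echo.example.test\r\n"
    "User-Agent: canary-check/1.0\r\n"
    "Accept: */*\r\n"
    "X-Example-Subscriber-Id: Q2xpZW50MTIz\r\n"
    "Via: 1.1 isp-proxy.example.test\r\n"
    "Connection: close\r\n\r\n"
)

if __name__ == "__main__":
    for key, value in tampering_report(SENT_HEAD, RECEIVED_HEAD).items():
        print(f"{key}: {value}")
```

The check only works over plain HTTP, which is exactly the point the comment makes: over TLS an in-path device cannot add or strip headers without a MITM certificate the client accepts, so a clean result for an https canary and a tampered result for the same request over http is itself informative. Note that the `Connection` rewrite is deliberately ignored, since any honest proxy does that, while the unexpected `Via` and the added subscriber header are reported.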

I find the double standard infuriating • April 4, 2017 12:36 PM

@Dirk Praet,

"No. what you are doing is setting up a straw man argument to justify yet another private data grab by US corporations"

And then

"Most people on this forum are better informed and definitely less retarded than you seem to think"

I challenge you to find where I am defending ISPs' ability to spy on us. Nowhere. However, you, and Bruce, are defending the Obama rules that essentially preserved Google and Facebook's ability to spy on people while denying the same to ISPs.

Here is some reporting, circa 2010, of Google spying on everybody's emails: http://www.cbsnews.com/news/google-will-scan-your-email-not-read-it-what-hypocrisy/

Have you heard about a psychological mechanism known as projection (https://en.wikipedia.org/wiki/Psychological_projection)? That's what you are doing here.

Sorry if I haven't lost my critical thinking the way you and Bruce have. Spying on people is wrong. I couldn't care less whether it's Google or Comcast who does it; however, you do give a pass to Google.

Dirk Praet • April 4, 2017 2:29 PM

@ double standards thingie

I challenge you to find where I am defending ISPs ability to spy on us. Nowhere.

This here is the key piece of your message: It is already endangered and letting ISPs get a little bit of the pie is not going to change much things.

Well it does, and I don't think I'm the only person here to have caught this little subliminal message around which your entire Google smoke and curtains rant and baseless @Bruce accusations are built. There are no corporate spying fans here. Our host is no Google agent. Both of which have been pointed out to you. Yet you keep on rambling. So you're either delusional or a paid troll.

I find the double standard infuriating • April 4, 2017 2:51 PM

@Dirk Praet

Sorry dude, when you have to resort to "subliminal" implications my only answer is that perhaps a course on American English will help you with your discernment. I stand by what I said: I have never advocated for ISPs (or Google) to spy on us. Bruce is fine with Google spying on us but not with ISPs doing the same.

For those of you non-Americans who take Bruce as if he were some sort of Messiah: he isn't. He is subject to the same human pressures as the rest of us.

He knows that the day he targets Google with the same viciousness he is targeting ISPs, that will be the end of his speaking invitations at Google campuses or other Google sponsored activities.

Humans cannot have two masters. It is clear to me Bruce is a Google puppet and all op-eds he writes on the issue of online privacy confirm this assessment. I am not saying he is a "paid Google puppet", I am saying he is a Google puppet. Why he is so intellectually and spiritually subservient to Google and its agenda is something that only Bruce can answer. All I am saying is that I am not falling for the scam of his fake outrage.

I find the double standard infuriating • April 4, 2017 2:58 PM

@Dirk Praet

And I forgot, there is a money trail as well:

https://www.theregister.co.uk/2014/10/14/assange_bollocks_google_eff/

I don't know if Bruce is personally compensated by Google, but as they say, money is fungible. The fact that Google funds the EFF creates a conflict of interest that is impossible to ignore and makes all statements by Bruce and the EFF regarding online privacy that avoid criticizing Google suspect.

Just a Product • April 4, 2017 4:00 PM

@I find the double standard infuriating

The only one with a double standard here is you. Right from the start. You started, in your first message with:

"The old rules served only one purpose: to solidify Google's monopoly in online advertising, which is what you would expect from the Obama administration given its revolving door with Google. The new rules open the pie of data-mining driven advertising to telecom operators."

You rant and rave in post after post about the evils of Google and Facebook. Two services that you can completely avoid. It's more involved than just not logging in, but you can eliminate all traffic from you to them. Yes, doing so means using different content providers, and other sites that leverage them for support will not work the same. But that's all a choice left to the individual. It may not be an easy choice, but it's a choice. The ISP option is no choice; it's not possible to avoid.

Your entire argument is that you don't like Google and Facebook and this change allows the ISP to be just as bad as them. Repeated loudly and often.

On its face, that's incorrect. It allows an ISP to be much worse than Google and Facebook. Plus Google and Facebook are completely avoidable. Stuff breaks if you avoid them, but if you don't like their tracking, that's the price of not using what they provide.

Two wrongs do not make a right.

It's like seeing a few kids playing with matches. You don't like it and you want nobody else to like it. Your solution is to give large numbers of kids matches and gasoline and see if they can start a fire big enough that everyone will be outraged enough to do something about the first few too.

Everyone else is discussing that the others should not be given the matches and gasoline and not worrying about the first few in this discussion because this isn't a discussion about general privacy, it's about if we should hand out the matches and gasoline.

Being loud and obnoxious and posting often doesn't make your argument any more valid. It's still wrong, and you STILL started with, and continue with, the idea that it's OK to create additional bad actors just because nobody is talking about existing bad actors in this context. Creating more wrong is never the right direction.

There's an entire series of other blog posts about whether it's a good deal trading privacy for function when using Google and Facebook. Those are all great places to discuss if the value is worth the privacy tradeoff.

Ratio • April 4, 2017 5:21 PM

Twenty-two of the ninety-four comments above (i.e., a quarter) are from one infuriated individual?

@I find the double standard infuriating,

Maybe it's time for a new hobby?

Whats_Eff • April 4, 2017 5:59 PM

@I find the double standard infuriating

"I don't get what you are trying to say here. The reality is that there is plenty of evidence in the public domain of Bruce being intellectually (and spiritually) servant to Google. The video I pointed out above being just one of the many instances in which he has done so."

1) I didn't look at your video; JavaScript is turned off. Care to quote something specific, preferably current, with footnotes, and preferably from a reliable source?

2) I thought potential white-on-black crime vs. white-on-white crime, in a law enforcement context, might appeal to the 'I find the double standard infuriating' in you.

3) These may be apples and oranges, obviously, with nuanced complexities in discussing them (ISPs vs. Google or Facebook), and under different legal authorities, different lobbying budgets, etc. For example:
https://www.eff.org/who-has-your-back-government-data-requests-2015

updated link:
https://www.eff.org/deeplinks/2017/04/update-verizons-appflash-pre-installed-spyware-still-spyware

From @a legal opinion, above, citing a law professor:

... "If signed, it could result in the greatest legislative expansion of the FBI’s surveillance power since 2001’s Patriot Act." ...

Moderator • April 4, 2017 6:14 PM

@I find the double standard infuriating, please take your fury elsewhere.

Bob • April 5, 2017 11:25 AM

"It's too late to do anything about this bill -- Trump will certainly sign it -- but we need to be alert to future bills that reduce our privacy and security." We were alert, very alert, and it didn't do anything. Maybe the reason PIPA and SOPA went the way they went is not how much attention was paid to them, but, as Bruce said, "In today's political climate, it seems impossible that Congress would legislate these things to our benefit."

anonymous • April 6, 2017 9:37 AM

@I find the double standard infuriating

It's always your choice whether or not to use certain search providers. Not so much with Internet providers, on the other hand.

if we give it away to the gov't (not sell it) it's ok? • April 8, 2017 12:23 PM

https://www.emptywheel.net/2017/04/06/the-ispectr-workaround-the-new-broadband-rules-may-be-not-so-much-what-theyll-sell-but-what-they-give-away/

"Remember, on several occasions last year, Republicans tried to change the rules of National Security Letters so as to permit the FBI to demand providers to turn over “electronic communications transactional records” (ECTRs) with just a National Security Letter."
...
"So in effect, this question (whether or not it comes from Wyden) would reflect a concern that that would become available if these providers were willing to respond to FBI’s requests for ECTRs, and may remain widely available because of the change in the broadband rules. It also reminds me of Wyden’s neverending quest to liberate an OLC memo John Yoo wrote as part of Stellar Wind, but which purportedly pertains to cybersecurity.

In wake of the broadband rule change, AT&T, Verizon, and Comcast (but not, for example, CenturyLink) have assured customers they won’t change their practices and won’t be selling individual customers’ data.

But I’m not seeing any of the providers making assurances about what they’ll be giving away to the government."

BiscuitsNGravy • April 11, 2017 1:28 PM

Is anyone aware of an ISP that is currently admitting to violating their customers' privacy rights by collecting browsing history while charging market rate for service? I feel it's important we publicly shame any provider that crosses that line.

It continues to disturb me that the debate in the press didn't immediately go from the ability of providers to sell your data to the providers' ability to collect, store or analyze your data in the first place. It is completely unreasonable for an ISP to ever collect info from customers' communications in the first place. The Internet is a public network, but an ISP collecting browsing data is akin to putting a recording device inside my car just because I drive on a public roadway. Even on a public roadway I can have a reasonable expectation of privacy for conversation going on inside my car.

I know Comcast has at least in the past (2014) stated that not only do they not sell your browsing history, but they don't collect it in the first place. http://corporate.comcast.com/comcast-voices/setting-the-record-straight-on-tor

The moment I find out Comcast changes that policy is the day I close my account and tell the ACLU I'm happy to join a class action.

I knew a Trump administration would be pro-business, I kinda forgot that usually implies a complete disregard for the interests and rights of the individual.

Danny • April 14, 2017 9:42 AM

Just curious why this site tried to deliver 32 unsolicited ads (which my ad blocker dutifully blocked)? I'm sure none of these ads tried to deliver malicious content...

Albert Trotter • April 16, 2017 8:58 AM

The FTC historically did privacy for ISPs.
The FTC has no Section 5 authority (i.e., to make those kinds of rules) for common carriers. It's specifically exempted by the FTC Act, and has been for 90 years. This has been upheld in court. See https://iapp.org/news/a/the-att-v-ftc-common-carrier-ruling-...
In June 2015, the FCC reclassified the ISPs as common carriers.
Tada, the FTC rules no longer apply.
So the FCC regulated them with roughly the same set of rules.
Now they've undone this.
Now the claim is "well, the FTC should be doing it, it was just a power grab by the FCC". But that's not really accurate. The power grab, if any, was reclassifying them as common carriers. Once that was done, they pretty much had to regulate them because the FTC can't.
Because the FTC still doesn't have authority to regulate them, and they are still classed as common carriers, there is a void.

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of IBM Resilient.