54 comments

[ 2.6 ms ] story [ 111 ms ] thread
Just because you can buy it doesn't mean you can't be sued if you use the information to harm or embarrass someone... right?
Harm, yes, but embarrass - what would be the grounds for suit? (Not a lawyer, just can't fathom any legal grounds for action here...)
Well, embarrassing someone or otherwise harming them with speech is not illegal, and the truth is an absolute defense against libel lawsuits in the US. Also, even if it weren't, public figures have less protection under these laws.
Well, you can sue anyone for most anything - the question is whether you have a case. If the information is true, anyone who published it would most likely be protected on first amendment grounds, especially since there is clear public value and a policy reason for publishing the information.
He can only buy it if someone's willing to sell it. ISPs won't sell information this granularly - not directly.
> ISPs won't sell information this granularly - not directly.

That's not for certain. And anyway, what stops a purchaser of bulk data from reselling individual records as a value-add?

As amusing as it would be, the ISPs are only permitted to sell aggregate anonymized data, not anything personally-identifiable (as per the 1984 Cable Act).

They wouldn't get actual Google or Bing searches as neither company would sell those on - I imagine at most they'd get top-lists of DNS resolutions in a given geographical area, possibly with some demographic data thrown in - still valuable data for some marketers though, but unlikely to be anything juicy.

I wonder if any ISPs would sell that data for any price, given the risk of backlash.

Top DNS resolutions of white men 50 and older from the Capitol Hill region of DC would probably still be an interesting read.
It would still just be ANY queries for cpsc.gov.
You're right, it's never going to be that you PayPal your ISP $25 and get someone's network history (though I may regret those words in a decade).

But, "Sell" is different than "Act" on though, right?

If I'm an ISP, my number one job tomorrow is going to be setting up some sort of software bridge that interacts with current real time bidding ad tech software to better target ads.

Expect the number of "ads that follow you around the Internet" to spike considerably, and be utterly resistant to things like clearing out your local browser cookies, PrivacyBadger, etc.

Not resistant to uBlock Origin
As /u/fjdlwlv said, uBlock Origin will make sure work of that, plus if you're serious about blocking this stuff, pi-hole (https://pi-hole.net) will again add an extra layer of loveliness to your ad-network blocking capabilities.

Now throw a VPN on top of all this (and THEN work on the problems with policy, people)...

EDIT: missing words EDIT 2: URL

Even if they were permitted to sell individual data, just because an act may allow them to doesn't mean it compels them to.

ISPs and advertising agencies have invested heavily into lobbing for this. The amount of money they'd make off of it is going to be more than this campaign could possible raise.

Wait, what? This one?

(2) A cable operator may disclose such information if the disclosure is— (A) necessary to render, or conduct a legitimate business activity related to, a cable service or other service provided by the cable operator to the subscriber;

If the cable service has another service that delivers ads, why wouldn't that be acceptable?

That isn't how the data sales work at all.
It's highly unlikely that the ISPs are going to piecemeal out private customer data & browsing history by name.

And why bother when they can follow Google & Facebook's insanely profitable profiling / targeting ad playbook?

Considering that almost 60% of us use Chrome which is owned / designed by the world's biggest advertising company (1) and that leaks privacy even in "incognito" mode (2) I feel like the narrative around the FCC order is not intellectually honest.

EG - Google - in fact - came out AGAINST the original framework that was repealed this week! (3)

The new FCC Chairman - Ajit Pai - has stated he endorsed this act to re-level the playing field for ISPs vs Facebook / Google / and the less visible ad tracking / ad profiling agencies.

And he's further stated that he's going to use this opportunity, of resetting the playing field, to create a framework that applies for EVERYTHING digital.

I am not going to pretend that I am optimistic that the FCC is going to build a consumer framework that we can all live with, but I am confused how Google / FB / etc are getting away with murder on the privacy / profiling side.

Let's use this opportunity to push for the "opt in" framework that makes the most sense.

(1) https://www.netmarketshare.com/browser-market-share.aspx?qpr...

(2) https://www.quora.com/Does-Google-track-what-happens-in-the-...

(3) https://ecfsapi.fcc.gov/file/100319291940/2016-10-03%20Googl...

I don't use Google or Facebook. I do use the internet.

I don't pay Google or Facebook. I do pay my ISP.

That is why Google/Facebook get away with so much. Their users opted-in and gave consent for their information to be used in advertising. If people weren't happy they could choose to not use the website. I don't necessarily have that choice with my ISP especially since in many areas there is no competition.

Google and Facebook are everywhere, it's practically impossible not to touch their ad networks without filtering, and since many sites aggressively punish ad-blocking, "not using Facebook or Google" is looking increasingly like not using the internet.
In way I am getting so annoyed by the ad blocker blocker that I am almost motivated to create a ad blocker blocker blocker.
Even though you don't use Facebook or Google they ABSOLUTELY are using you.

Both operate global advertising networks, even if you never log into Facebook or set up an account they are tracking you.(1)

And Google owns the largest mobile OS which is RIPE with tracking / profiling features.

MacOS and Windows 10 also track you, Apple seems a little better - theoretically - about leaking your privacy rights - but MSFT is humming right along not only building a massive data business, but also buying up companies like LinkedIn to improve their ability to target you based on how you're using their OS.

So I disagree on the "we have a choice" part.

You've got me on the "I pay my ISP" but that argument died when Cable started showing ads.

(1) http://bgr.com/2016/05/27/facebook-ads-tracking-non-users-pr...

I can use AdBlock on my phone and computer and not be subjected to anything from Google or Facebook. And Apple absolutely does not track you if you don't allow them to. So please explain to me how I am being tracked. It's technically not possible.

ISPs are completely different in that they can track me (a) without my consent and (b) with no technical means for me to stop them.

I said "Let's use this opportunity to push for the "opt in" framework that makes the most sense."

Are you saying that it's ok for FB / Google / Ad Networks to track everything we do and create profiles without opting in SO LONG as I can find some way to block them?

If so I guess I'm not sure what I'm arguing with.

Just use VPN. Or VPN and Tor. Or VPN, Tor, and VPN. Or ...
Using a VPN to another country slows down browsing a lot – in my experience, enough to make the web unusable from a bad hotel WiFi connection. It's annoying enough that I usually just accept the loss of privacy.
Quality paid VPNs don't reduce speed enough to be problematic in that context. Free VPNs are sometimes throttled. And some ISPs may throttle VPN traffic. If you have problems, you can see if port 443 is better. Or TCP vs UDP.
Then you have the issue of anonymous payment, and trusting your VPN. Many paid services are honeypots, because, the assumption is why pay if you are innocent.
Well, but then ISPs are honeypots too ;)
I understood that the benefit of this to ISPs was to offer targeted, individual marketing. So I doubt they are selling by bloc/demographic, I suspect it's something more like Adwords. User data may be anonymized by name but it doesn't take that many data points of e.g. someone's search history to identify them. It's unclear to me what, exactly, you will be able to purchase, but it wouldn't surprise me if they can narrow a larger data buy down to a few individuals with high probability. About a decade ago now there was a leak of anonymized google search history and some researchers successfully tracked down several individuals.

Google/FB/etc get away with it because you don't have to use their services, although things like the supercookie are highly specious. If you want to use any online resources you are going through an ISP.

I, too, think the opt-in model is not unreasonable, but you know it will be buried in the most obtuse, double-negative-filled language their lawyers can contrive.

Don't repeat Pai's lies. ISPs are natural oligopolies and in some cases legally chartered monopolies. There is no level playing field.

He's not trying to increase privacy. He is reducing it.

"Cards Against Humanity" is known for their crazy publicity stunts. They raised $100k this winter to dig an enormous "holiday hole" for self-described pointless reasons. (http://www.npr.org/sections/thetwo-way/2016/11/27/503502142/...)

I'm not really sure how I feel about this one, though. The reason we're in this mess in the first place is that too few Americans really understand what's at stake re: online privacy.

I remember the Holiday Hole. We had it up on a screen at work. On the website, one of the frequently asked questions was "Where is this hole?" to which the answer was, "In American, and in our hearts."
I'm not coming out in favor of, or against this, but how do you think it would impact lawmakers understanding of what's at stake re: online privacy if this were to happen?
Wonder how fine-grained you'll be able to purchase data. Say you can buy data in a 2km circle minimum from a given point, and results with anonymized/aggregate.

Then you buy 2 more circles, find out where they all intersect - bam, got yourself data for a given point.

Same as the old Tinder tracking exploit.

(comment deleted)
There actually is a totally separate debate to be had on the topic of public records and communications by elected officials.

Under federal law, all communications to which a federal employee is a party constitute public records. Obviously, that doesn't mean they are all publically available; white house emails, for example, have traditionally been released several decades following the end of the administration. (With redactions, of course.)

Today, congressional staffers and politicians at every level use private email accounts and cell phones to subvert public disclosure, and by extension, public accountability. Even when the political or security sensitivity of such records is long gone, historians will likely never be able to track them down or study them.

EDIT: Congress is specifically granted an exemption to most of the public records laws that apply to the executive branch, including FOIA.

Citation?
Watch the #archemail symposium videos from the library of congress.[1] For FOIA a lot of the emails actually do eventually go on the web. But with private individuals, when they donate their email correspondence you can almost always only read them on one computer in one specific university library.

But yeah, even when documents are supposed to go on the web there are often gaps. E.g. Hillary Clinton basically hired folks to steal documents about her legislative record from the library of congress.

[1] http://www.digitalpreservation.gov/meetings/archivingemailsy...

With all the hubbub surrounding Russia and DNC's leaked emails, and who talked to who when over the last year, I wonder if we'll start to see all political players incentivized to embrace encrypted communications. While messages will still inevitably leak (compromised endpoints, human factors), perhaps we will never see the like of '16-'17 again (doubly so if Russia proves to be 45's undoing).
I've seen a few things pop up about ISPs and selling user data. Some of this is a bit worrying (especially since I seen at least one seeming-scam purporting to "buy congress's browser history"):

As far as I know, nobody is looking to make browser history available for purchase. It's unlikely that anybody aside from the NSA or some other state-actor, with very significant resources available to them, is even capable of storing that data.

Ask yourself this question: can you currently buy all of, for instance, Jeff Session's private facebook data? Every message he's ever sent, like he's made, etc.?

Of course not.

What you can do, and what ISPs are very possibly looking to do, is make general demographic information available to advertisers.

For instance: if a person has shown a recent interest in camping, show them ads for camping equipment.

Now, I absolutely do not think that this is acceptable (ISPs sharing data, however I do think that facebook giving me targeted advertisements is a perfectly reasonable exchange).

I just think that it's important to know what is being talked about. Especially when it comes to people trying to scam others for money.

There are two different questions there. Can I personally buy the info? No.

Is that information currently for sale? I have no idea.

Just because it isn't being sold publicly doesn't mean it isn't being sold at all.

Furthermore, comparing Facebook to ISPs is ridiculous. If Facebook pisses me off, I stop using it and I'm slightly inconvenienced. On the flip side, if my ISP pisses me off, I have literally no other choice in ISPs. I would go without internet beyond tethering to my phone, which means pretty much just basic email (IE: no internet). So your comparison is... bad.

Furthermore, for you to suggest the cards against humanity guys are running a scam shows complete ignorance of the company and the group of people behind it. Literally 0 chance they're trying to scam people.

This is HN, not a cocktail party.

We've seen post after post about using the "demographic targeting" capabilities of facebook and google to target individuals, about the more general problem of de-anonymizing data, and about how damn hard this type of "abuse" is to prevent even if companies were interested in spending serious resources to prevent it.

We further understand that while this type of loophole exploitation is beyond the interest of the vast majority of people, there is an entire swamp of gray-market software developers willing to package the loopholes into nice user-friendly tools in exchange for a handful of bitcoin.

The cards against humanity stunt may well be a scam, but it's not nearly so damaging as the scam of pretending that ISP sales of user data will preserve privacy.

Really this is a jab at net neutrality, the open selling of data by ISPs is a power grab away from the FCC that helped to make net neutrality a thing by labeling broadband/ISPs as common carriers.

Republicans (this was a party line vote) say it is unfair that Google and Facebook have your personal information and use it for ads but why can't ISPs have that and also sell it? One big fucking reason is people sign up to Google and Facebook for the purpose of sharing and agree to their ads in exchange for a service. Google built the most powerful search engine and Facebook built the social graph. Google/Facebook built value and they only use your info to target ads to you, they don't sell it because others would do the same. They sell ads and people use them because they have info on you, not necessarily to sell off to others.

If you ask me it is unfair for republicans to legally allow ISPs to do the same because we expect privacy from ISPs in ways we do not from Google and Facebook. You can choose not to use Google or Facebook but you cannot choose your ISP/broadband provider. In my opinion this is like letting someone view your mail, read it and then sell information about you. It is also an unfair competitive advantage for ISPs because they can place ads on any website if they want or track you across all sites not just like Google/Facebook which are huge but only see a portion of what you do. ISPs built no value product like a search engine or social graph for this purpose, they should do that if they want access like Google and Facebook. It seems almost like the GOP are harming innovative companies and rewarding/catching up non-innovators. I bet broadband companies/ISPs won't even use the profits to improve broadband and rollout gigabit service for real. It is a rewarding of lazy semi-monopolies over innovative companies and products.

Republicans also control the FTC not the FCC so they want all control to fall to the FTC instead. It is both a power grab and a bending over of all their constituents.

Most of all, it is also another step in dismantling net neutrality as FCC protected that by categorizing the broadband/ISPs as a common carriers and they want to sap the FCCs power in that regard.

Good man. I work at Bluehost and I spoke to him on the phone once, his website was/is hosted by Bluehost. :)
Would be nice to have a TLS encrypted DNS. I know that wouldn't hide everything from aggregate reporting but it would help I would think.
I'm feeling really manipulated by the media here. So if I am understanding this correctly, this is what ISPs have already been doing forever, and it will continue. There was a new rule put in place to increase privacy protections, but it wasn't in effect yet, and that rule is what is being rescinded.

So the status quo is being maintained, Telecommunications Act already makes it illegal to sell personally identifiable information, and there is no browser history apocalypse coming.