287 comments

[ 4.7 ms ] story [ 144 ms ] thread
I've always wondered why people are so hard on Facebook, but give At&t and the other ISPs a free pass to do whatever they want. If you ask me, the ISP cartels are orders of magnitude more evil than FB.

At least FB is making changes to address the issues, unlike At&t who keeps screwing people over more and more every year.

Facebook is mildly transparent about it so it's easy to criticize, the ISPs are black boxes.
Good question... Maybe:

1. I don't think people have thought about it enough. I know I haven't. I think part of the reason is AT&T et. al. seem "inevitable" whereas Facebook is conveniently "quittable".

2. FB's lack of privacy has been discussed in the open and in the news recently, making it stand out.

3. (One of) FB's goals is to sell you to advertisers...

Don't ISPs like Comcast have access to orders of magnitude fewer users? I think it has to do with scale and the fact the Cambridge Analytica used Facebook data and not, it seems, Comcast data. Overall Facebook is just the focal point of the ire. The ire though is really not Facebook as such but rather unregulated data collection by private companies.
Yes. Google and Facebook both have global reach and billions of users, but they also spend millions of dollars on PR to convince you the ISPs are the real privacy threat.

The author's LinkedIn includes recently working for a law firm, Fenwick & West, which proudly brags about Google being one of their clients on their career page.

If an article is doing "whataboutism" that minimizes the danger of big tech, check their resume, it's probably their job.

Yes, they have far less users, but they also have a much longer history when it comes to user tracking and measurement in the name of ad targeting. Although I think the big difference is they can't do network analysis.

This said, Comcast (which owns NBC universal), has been able to use cable boxes to improve ad targeting for decades, trace that back to internet usage, and apply it to models already built for NBC usage. A

n even more powerful one though is Verizon, where with their now acquisition of yahoo can use that data as well, which is combined with both all of the home data collection comcast has, but with 80+ million mobile users as well.

> Don't ISPs like Comcast have access to orders of magnitude fewer users?

Yes, but because it's your ISP and your data it's snooping, it suddenly becomes important.

As they say, one death is a tragedy. A thousand deaths is a statistic.

People should also include credit card companies as they've been tracking purchases and inferring data long before Facebook has existed.
Whenever you think "why don't users care about this privacy issue" stop and ask yourself "wait, do people actually know about this privacy issue and do they understand the implications, though?"

Do you think most people have actually thought about how their ISPs must track their every interaction with the web and read all of their unencrypted chats and traffic?

I think that what's needed is more awareness about what the ISPs are doing, but I really don't like headlines and articles like this one that try to minimize what Facebook and Google are doing.

The ISPs tracking may be more all-encompassing, but a large portion of the web, especially popular websites are becoming "dark" to them, as major sites adopt HTTPS encryption. Their next most valuable tracking tool besides HTTP is probably the DNS server. And to get people to change that you'll need raise a lot of awareness about it.

I guess Microsoft, Google, and Apple enabling their own DNS resolvers by default on their operating system would be a small improvement, but you're kind of moving the problem instead of solving it. And Google already does that with recent versions of Android, I believe.

> I've always wondered why people are so hard on Facebook, but give At&t and the other ISPs a free pass to do whatever they want.

Because we choose to use AT&T and other ISPs. Facebook has enough beacons spread across millions of websites that even if you choose not to have a Facebook account, it's still monitoring you.

Majority of people in the USA don't choose their ISP, their city zones IPSs per neighborhood.
Because Facebook is in the business of monetising data about people and ISPs aren't.

It's not obvious to me that ISPs would bother (except where required to do so by law). They could just route traffic and not inspect anything.

"It's not obvious to me that ISPs would bother"

The issue is mainly that ISPs are also, by and large, the Cable Companies. Cable is dying. It's dying quickly. Cable companies are seeing dwindling revenue streams from their cable packages and are going to be looking for ways to bolster their shareholder's profits despite the inevitable death of traditional cable programming schemes.

How do they do that?

They do it by selling anything and everything they can to advertisers, exactly like what they've been doing with cable. Coincidentally that's also exactly the reason that cable is dying.

ISPs also are in the business of selling your data.
Largely because FB is mining your data today and has built a half-trillion dollar business doing it. For ISPs it's mostly theoretical and attempts here and there. (That's why this article uses the phrase "pose a greater surveillance risk").
(comment deleted)
Spoiler Alert: ISPs also already sell your data to advertisers and data middle-men. They also have built a business selling your data.
I agree, though I'd say that this is because of general ISP incompetence, not because the ISPs don't want to do this.
FB (and other data collection businesses) pose a greater threat because they have direct access to your content rather than passive streams of increasingly encrypted data. And web trackers get access to your browsing behavior even if you aren't a user in a way that gives them more oversight on TLS connections since they're embedded (somewhat unwittingly) by webpages throughout the internet.

TLS limits what your ISP can see. So until they block encrypted traffic it doesn't scare me too much.

> Many – though by no means all – of us are privileged enough to #DeleteFacebook, or at least reduce the time we spend there.

What privilege is being referenced here?

There are countries where Facebook is a primary means of communication.
I wasn't aware of that. I know of places where it is popular and a reflex for quick communication but I didn't think it would be a/the primary tool.
The article doesn't address strategies for avoiding such surveillance. How well does it work? Does it prevent you from doing anything you might need to do? How hard is it? How much slower? Can it be done on a mobile device?
You can setup your own VPN on a provider with generous transfer allocations. You can buy an off the shelf vpn. You could also use DNSCurve and exclusive https.
I recommend installing a VPN right on your router. Flash your router with something like dd-wrt
Whining about Comcast might be actually valid, but for most people of this world it's largely irrelevant. People from every place have Facebook access. Comcast customers are minority - Americans are minority. That's why Facebook has a lot harder time (also, ditching Facebook is more achievable).
I recently received a "terms of service" update from Comcast, with the notification that they can now "monitor and record anything going through the network. Including, but not limited to: audio recording, video recording, ..."

I don't even have an alternative in my area.

Yikes. I'd be sure to lodge a complaint here, note about the local monopoly: https://consumercomplaints.fcc.gov/hc/en-us

I'm curious where you are located [if you don't mind sharing]?

Lodge a complaint with Pai’s FCC!

Thanks, I needed a good laugh this morning.

So many comments to the FCC ignored. Complaints won't go anywhere, either.
Comments were collected. No obligation existed to treat them as a vote. Very few contained new information to the FCC, so they weren't valuable. The entire "millions of comments" nonsense is wholesale irrelevant, because the process doesn't exist for the purpose of voting or conveying public opinion.

Comments are collected in case there are scenarios the regulatory agency didn't consider. They considered them, and decided a way you didn't like.

You have to get this stuff on record in real-time so the adminstration after Pai's will have timestamped evidence to act on. Stop being so short-sighted and defeatist about this stuff, think strategically.
I’m not one for violence - but I challenge Pai to a public duel.
Well, yeah. But on the other hand, the complaint records aren't going to be deleted even under Pai.

The complaints likely won't go anywhere anytime soon. But when Pai's successor is working to repair the damage, there's a decent chance that one of the things they'll have to do is go through the agency's records to figure out what was ignored. Having a record of the complaint will at least give them options in the future.

So file the complaint, even if it's unlikely to matter in the short-term. :)

Why wouldn't they be deleted? They were stuffed with bot complaints, FCC could remove any and say it was a bot.
Federal record-keeping rules are pretty stringent. Generally speaking, you can't delete stuff. Especially important records. And public comments are a required part of federal rulemaking procedures--see 5 U.S. Code § 553(c) [0]--so they'd definitely fall into the "important" category.

In fact, the FCC's response to the bot activity was to point out that they aren't permitted to delete the comments, though a former FCC special counsel was quoted as suggesting that the FCC "might have an obligation under the Administrative Procedure Act to remove fake comments from its consideration."[1] But "removing fake comments from its consideration" isn't the same as actually deleting them, so I'd imagine that just means labeling them as "likely fake" and ignoring them in their deliberations. The same would apply to official FCC complaints. The FCC might ignore them, but they can't outright delete them without violating the law.

0. https://www.law.cornell.edu/uscode/text/5/553

1. https://www.wired.com/story/fccs-broken-comments-system-coul...

Time to shell out for a VPN service.
Are VPN Routers a good option, or do you recommend VPN on each device?
Depends on the traffic from devices. If you don't have crazy high traffic, flash your router with openwrt and install wireguard. If the flash is too small, you can compile your own image with wireguard selected which doesn't need as much flash space.

Next you can choose a cloud provider, which is metered (GCE, AWS, etc), or non-metered like OVH, or Digital Ocean(they don't charge you if you go over the 1TB for now).

Or you can choose a VPN service provider like Mullvad who have wireguard option (PIA should be getting it soon), if you trust them.

Be careful in choosing your provider since you might be annoyed with the latency over time, or just get used to it.

There are tutorials for all this.

Netflix and other video sites will be blocked from a lot of VPS providers. You may be better off going with a professional service that can keep their ips clean
True, but it can be mitigated by setting the routing table for Netflix IPs to avoid the tunnel. There's no standard way this can be done, but it's not impossible.
I did this for a while, and it was a decent headache to maintain. I had pfSense running at the Comcast edge and configured it to route all but specifically whitelisted traffic through a VPN I controlled. Speed was slower than max but acceptable due to choosing a VPS provider close to me, but the maintenance on the whitelist was cumbersome.
You can mitigate the speed issue by adding your own DNS local caches and then start blocking ads, trackers and malware sites and whomever you want (FB is added to the spyware list) using publicly available lists. All of this speeds browsing considerably.

A personalized router is very powerful.

> your own DNS local caches

Doesn't that mean your ISP will now see what domains you are looking up?

Not if you use DNS-over-HTTPS with cloudflare or google.

https://github.com/aarond10/https_dns_proxy

Just clarifying your comment for others: Your ISP would still see the IPs of the sites your packets visit unless you are using an encrypted VPN connection. The DNS-over-HTTPS is a great addition to a VPN.

(the VPN comment was several levels up so some might miss it)

Openwrt by default caches using dnsmasq, but the blocklist is a good idea. The problem is, even the blocklist is sometimes too big for the tiny flashes of some routers.
I use a Qotom mini pc as a router. I configure it with NixOS. It's amazing.
As another poster said, go with a mini-pc like Qotom. Uses little power, configure however you want (memory, SSD). Most web pages load instantly, and it handles a massive blocklist (Bind9). I'm slowly adding a list of always on packages like sync tools. Also, you can use an AP instead of router attached wifi. Move the Power-over Ethernet AP where you want. Ubiquiti Unifi is far better coverage than my previous consumer grade wifi. Do it all in your favorite Linux flavor.
The average user doesn't want to buy more hardware, and flashing an existing router can be done in an evening.

Also, why Bind9? I don't see what's wrong with dnsmasq, and changing hosts file for blocklist. Also, I often advise against network wide blocklists unless you're the only one using the network, since subtle things break.

Here's what I do: https://news.ycombinator.com/item?id=14780738

The only thing different is that I use wireguard and dnsmasq now.

I find having one piece of low-power hardware that is always on a handy tool. A homeserver+router, basically. I can decloud a lot of things. Having a beefier piece of hardware makes it a non-issue. I try to run things in Docker for modularity. Total hardware cost is competitive with a high-end router, but I think I get more.

Bind9 seems to be better for blocking. RPZ is made for it. I don't think dnsmasq supports RPZ though projects like Pi-Hole use dnsmasq. I'm not positive, but I think RPZ is more flexible. Bind9 seems to do anything you like. I may want to resolve DNS myself and not just forward.

I'm starting to look into configuring Bind9 to have different blocking per user using "views." Some want Facebook, some don't, so I can block accordingly. I'm not sure you can do that in dnsmasq. I did discover subtle things break, like you can't block Facebook and still access Instagram, thus the "views" approach. I don't want to change hosts file on every device, especially mobiles, and can even provide some protection for guests this way. I might do a captive page for a blocked domain and let people bypass in their view if they like, then I can have a "block-first" approach.

I do like network-wide blocking for the malware lists - if anyone acquires malware, it can't phone home (if it's on the list) and I can detect via logs. DNS as firewall seems to be a trend. I'm looking into blocking IPs via iptables as well using public lists. Maybe I'll even setup Snort or Bro. The possibilities are endless.

I'm interested in the implementation of this, but do not have the technical background to begin. Would you have any go to resources for a beginner?
careful because I already see this coming:

"In order to server our customers better and provide the best possible experience, VPN services will be blocked and will require a Business Tier service. We feel that unless you have a legitimate business reason to anonymize your network traffic we will provide this service in order to protect our subscribers and network integrity. Click Here to Speak to our Sales Representative"

One of the problems I've run into with using a vpn service is that many services block IPs from common vpn services. While this may be due to abuse originating from those IPs this still seems like a lazy approach to abuse prevention.

One approach that could work around this in many cases is to run a VPS with a private VPN server on a cloud provider. This is beyond the technical ability of the average user though and costs more than most VPN services.

In practice this isn't much of a problem, and I get it with Netflix. I turn off my VPN if I am watching Netflix on my computer and I don't think my privacy suffers too much for it. It feels bad not to have 100% coverage but I honestly don't care who knows what I watch / how often I watch Netflix.
It is more of a problem if you want to run the VPN on your router upstream of your devices, which simplifies management and ensures all devices are protected from ISP snooping, including devices where I don't control the software like a Chromecast.

I had to disable router-level vpn for exactly this reason, which is frustrating.

Amusingly enough, when I did have it on, my Chromecast showed weather data for the vpn endpoint so it's using IP-based geolocation for weather. It could be smarter.

> my Chromecast showed weather data for the vpn endpoint

That is pretty awesome. I feel your pain and that is why I haven't gone and flashed my router even though I finally bought one that will let me.

I run a private VPN server on Digital Ocean and still get blocked by some sites. Zillow.com comes to mind as one I was unable to access recently.
Same -- Netflix, craigslist as well
FYI NordVPN works on Netflix. At least it does at the current time. Though I've been blocked on Amazon even just while shopping.
Why would Amazon care? I think I've went to Amazon over Tor and had no problem. I never tried to log in, but they let me browse just fine.
If you can't access Zillow, nothing of value was lost.
That can potentially be a HIPAA violation unless medical providers/platforms get a Business Associates Agreement with the ISP. This could be a nightmare.
The HIPAA violation would be on the care provider by transmitting in cleartext over the internet.

If they're transmitting properly over TLS then no patient info would be divulged.

What you can do is use a third party DNS resolver like 1.1.1.1, ideally over HTTPS or TLS, and use HTTPS for all your web traffic. That dramatically reduces what they can inspect.

If that isn’t enough, your next option is a VPN or Tor.

Third party DNS is at best a very minor hiccup in the ease of an ISP monitoring where you're going, though in combination with things like HTTPS Everywhere it's a start - mostly if you're going to good-sized sites where most of your traffic actually goes to CDN providers.

Hm, thinking about it as I write, I could see how encrypted DNS plus everything being encrypted and served via CDN could actually cut down a lot on what carriers can see. Still far from perfect, but not quite as bad as I was originally thinking.

Edit: I wasn't familiar with Server Name Indication (destination hostname is unencrypted even though the rest of the URL and session are encrypted).

Without encryption, they can see who you talk to, what you are saying, the rate, the frequency, from where and when.

With encryption (https), they can see who you talk to, the rate, the frequency, from where and when. They can't see the actual URL (just the hostname) or data (encrypted).

With VPN, they see you are talking to a VPN, the rate, the frequency, from where and when. VPNs cut down on knowing who you are talking to (assuming they aren't logging or being monitored which they could easily do).

Other services could be added to obfuscate rate, frequency and when I would assume, but even then those services would only be additive obfuscation (unless you cache packets for a short term... just thinking as I type).

Someone check me if i'm off on this these points...

You're close. There's actually well understood technology for obfuscating the rate and frequency - the field for manipulating these variables is called "traffic analysis".

One simple technique is to always transmit X packets/sec where Y packets/sec are real and the other packets are dummy packets (Y < X). If the channel is encrypted, it's impossible to distinguish the dummy traffic from the real traffic, and if you're over a VPN, it's difficult to identify the destination.

A slightly more sophisticated approach is to vary X over time, to make it shaped like streaming video, for example, to obfuscate the fact that you're using traffic analysis countermeasures.

If you are repeatedly going to sites A,B,C, then over time even if you are sending bogus packets, the sites you do go to will rise to the top.

It’s similar to differential privacy where even with a bunch of bogus data patterns in aggregate can be determined.

It's not one of encryption or tunneling or packet shaping that does the work, but rather all of these techniques together work to reduce an adversary's traffic analysis capability.
(comment deleted)
I'm not familiar with how to set this up. Do you have a link to a guide to use such a service for me and others?
I recently signed up for a promo from DirectTV Now where the promo was cheaper than the free AppleTV that came with it.

Don't worry, I'm not promoting DirectTV Now because it sucks balls. I have ad blocking at the router level at home and DirectTV basically won't work because of it. Even when it does work the picture quality is awful, you can't easily skip commercials, changing channels is painfully slow. And there are ads everywhere.

But, my main point is that a few weeks after getting it, I get a mailer from Charter asking me why would I want to pay for channel bundles (I get only internet from Charter)... the only way that mailer makes sense is if they were watching my traffic and seeing that I'm a subscriber to a channel package from their competitor. (I've never gotten a similar mailing and it doesn't make sense absent spying, otherwise they're kind of arguing against their own main cable service.)

It really made me want to get VPN setup whole-house.

I just received a similar mailer from Time Warner, and we use Sling. However, I think they are just trying to capture a market segment that they entirely missed the boat on, and that it is coincidental. I guess I could ask my neighbors if they received the same mailer.
I think in your case its more likely they mass mailed a neighborhood minus their cable subscribers.
for anyone interested I pulled up the Terms and found what I believe the OP is referencing:

`Monitoring and Recording. You agree that Comcast and its agents may monitor and record any telephone calls or other voice, data or image communications that are transmitted between: (1) Comcast and its agents and (2) you, your agents, any user of your Service(s) or Equipment, or any user of any phone numbers associated with your account.`

WTF?
It's Comcast, they are a terrible company. They manage to somehow rank worse than haliburton and BP after that oil spill
Well doesn't that just mean they're allowed to record the conversations between me and their tech support? How is that worrisome? I assumed the person you were replying to was asserting that Comcast had proclaimed its right to record all communications I had over the internet.
(comment deleted)
I don't know. I'm reading it differently. I'm reading it in a way that almost any other entity with the power to execute on a term like that probably would - liberally and with deference to their own interpretation of lawful. Not too mention the 100% murky scope of requests and behests of government.

I read that the wire is owned by Comcast. Its agents roam free and everything traversing that wire is monitored. 100%.

If you're going to read the language non-sensically, why even bother to point to the text? Why not just make up whatever you want?

The numbering and the "and" clearly mean that one of the two endpoints must be "Comcast and its agents." The language is there to allow them to record customer service calls because otherwise in some states that would be a violation of wiretap consent laws.

I think this language could allow for Comcast to monitor any traffic passing through their proxies?

I agree that it seems to be worded to imply that it's just CS monitoring but I don't believe that `transmitted between` would necessitate that the party be the intended endpoint.

(comment deleted)
(comment deleted)
What's so weird about that? Every company seems to record communication between itself and its customers; Comcast is saying it can do the same.
This is far broader. No where in the Subscription Agreement[0] is the scope or the uses defined or limited. From what's written here, any form of information sent to Comcast in any way will can be stored and monitored for any purposes.

IANAL, but this seems like clever lawyering to make consumers think they're only referring to customer service calls.

[0]: https://www.xfinity.com/corporate/customers/policies/subscri...

Here's mine in New Zealand (Slingshot), which sounds a bit more fair

"We do not proactively monitor what content you download or access, however, we must act on lawful requests for information and/or interception as well as infringement notices which we receive under the Copyright (Infringing File Sharing) Amendment Act 2011. This action may include sending you an infringement notice"

Add an always-on VPN tunnel to your router with the tunnel exit on someone else's (not Comcast) network.
Aren't all ISPs required to comply with lawful intercept regulation that includes data retention?
They can't read the contents of conversations masked by TLS, but Facebook can. This is incredibly relevant to modern services and technology.

Telephone is an audio stream, so speech-to-text is a bit more wobbly. SMS, on the other hand... well, at least their price gouging was cost prohibitive for a few decades.

Comcast, AT&T and Verizon don't have a single bit of data on me, I'm not a customer. As opposed to Facebook and Google being present on just about every webpage and gobbling up data about all the people on the planet that have internet access.

The article has this bit in it:

"Your internet provider doesn’t just know what you do on Facebook – it sees all the sites you visit and how much time you spend there. Your provider can see where you shop, what you watch on TV, where you choose to eat dinner, what medical symptoms you search, where you apply for work, school, a mortgage. Everything that is unencrypted is fair game. "

The last part is the important part: hardly anything is unencrypted these days (and if it isn't it really should get with the times). So if that part of the article would have been adjusted to the present day situation that only thing that remains is that if these parties are your provider then they can indeed see which IP addresses you connect to (if you don't use a VPN).

They can't see what you watch on TV unless you configure your TV to tell them (or use a set-top box to choose your channels for you), they do not know where you choose to eat your dinner unless your smartphone leaks GPS coordinates to them (regular triangulation is too coarse for this) and they do not know where you apply for work and school or a mortgage.

In general this is a whole bunch of alarmist hoopla, yes, providers see too much data, no it's nothing compared to Facebook and Google.

What should worry you is AT&T and other cellular services providers access to your call records (which they are required by law to keep for a long time in most places) and SMS data as well as the possibility of them recording all your voice calls without your consent.

For the vast majority of customers, Comcast, AT&T, and Verizon know what sites you visit, what types of data you pass to them, every single DNS lookup you make, etc. Sorry, but this is FAR more intrusive than Facebook, which you CLAIM has lots of data on you even if you don't use their service. It's harder to avoid Google than it is to avoid Facebook, but again, it's doable.
> For the vast majority of customers, Comcast, AT&T, and Verizon know what sites you visit

They know which IP addresses you connect to. Many of those host large numbers of websites.

> what types of data you pass to them

What do you mean with 'what types of data'? They can't access the headers of encrypted traffic.

> every single DNS lookup you make

Yes, that's true. And you can cache those locally.

> etc. Sorry, but this is FAR more intrusive than Facebook, which you CLAIM has lots of data on you even if you don't use their service.

Shadow profiles are a thing.

> It's harder to avoid Google than it is to avoid Facebook, but again, it's doable.

It's just about impossible. Every other email you send ends up in a gmail inbox. So even if you don't use their services at all your data still ends up with them. Even if you don't have a smartphone enough people around you will have them that your social graph will end up with Google anyway. And so on.

> They know which IP addresses you connect to. Many of those host large numbers of websites.

And SNI reveals which one of the Web sites you are accessing.

It's well known, not the poster's personal claim:

https://boingboing.net/2017/11/08/involuntary-profiling.html

FB goes so far as to buy your data from others, which is why I block all trackers. I'm sure I still leak data to FB, even though I never joined, and never will.

Interesting! Thanks for the informative reply. This feels like the kind of thing I probably read about at some point but subsequently forgot.
> The last part is the important part: hardly anything is unencrypted these days (and if it isn't it really should get with the times).

It's always nice to see

https://letsencrypt.org/stats/#percent-pageloads

Everyone can do something to help increase this!

(On the other hand, there's still an information leakage from the volume and timing of communications, like inferring that two people are communicating with one another in real time because their traffic flows are correlated, or figuring out what page someone's reading on a site from that total volume of encrypted traffic downloaded.)

It's pretty hard for ISPs to do that on a large scale: ISPs are only regional monopolies, in the areas they are monopolies at all. There's likely a relatively small percentage of your communications where both ends of the communication are using the same ISP.
On the other hand, most people communicate most often with people in their own geographic region, and in the U.S. the "two people on the same ISP" probably happens pretty frequently with Comcast and AT&T (as well as national mobile carriers in the case of mobile data service, where you might not immediately realize that the carrier could learn that information in the way that it would if you were making a phone call or sending a text message).
With calls and texts, certainly, but with Internet traffic? Bear in mind as well, ISPs tend to be monopolies in more rural areas, where the distance between people is higher to begin with. And most of your communications on the Internet will go to or from a server, which is likely not local.
In this case, the ISP can correlate the timing of the communications activity in order to confirm that it involves two particular customers.
Give me an example, what kind of communication?
Like a Skype call. If user A calls user B (of the same regional ISP), the communications don't go directly from A to B (rather they go from A to Skype and Skype to B, and vice versa), but the timing and volume of the traffic flows are extremely well correlated.
Alright, I can grant that is true, although if you assume an ISP like Comcast has thousands (or more) simultaneous Skype calls, and they come and go often enough that it's likely you'll be dealing with many starting at close to the same time... there's a lot to track there. Also, bear in mind, you have to weed this out from all the unidirectional calls: Comcast to [other ISP] and [other ISP to Comcast] calls, so you can't even make one-to-one matches reliably.

And of course, when you compare to the tech industry alternative: Microsoft knows who is talking to who straight up (and on a global scale), whereas the ISP can only guess. And while the ISP's understanding of who is calling who ends at the household, Microsoft knows which user accounts made the call, which is much more likely to correlate to individual people.

MS has access to the payload as well.
> On the other hand, there's still an information leakage from the volume and timing of communications, like inferring that two people are communicating with one another in real time because their traffic flows are correlated

Yes, this is a problem. But it is also totally inherent to the role of being a provider. And as long as the internet is roughly structured the way it is today that will continue.

> they can indeed see which IP addresses you connect to

They can see the hostname, actually, because DNS isn't encrypted. And even if you run DNS over TLS, it doesn't matter because of SNI (https://en.wikipedia.org/wiki/Server_Name_Indication).

Ah right you are, so yes, they can get to that. Even so, that's just a host, which is a far cry from the full URL which is typically what Facebook and Google have access to through 'like' buttons and analytics.
> Comcast, AT&T and Verizon don't have a single bit of data on me, I'm not a customer.

That's likely incorrect. You're traveling across their networks in routine use of the US Internet and its services/sites. In addition to consumer services, they all have substantial business services. They probably have less data on you than Facebook & Google.

I highly doubt there is a recognizable profile for me on Comcast, AT&T or Verizon servers, I'm 100% sure there is a recognizable profile of me on FB's servers. And I'm not a customer of any one of them.

The worst that I can think of that AT&T would have is some traffic stats, and they wouldn't know that it was me, just that some traffic from some random EU IP made it through one of their choke points. That entirely does not worry me.

> So if that part of the article would have been adjusted to the present day situation that only thing that remains is that if these parties are your provider then they can indeed see which IP addresses you connect to

You're saying that like it's nothing. Whatever happened to "metadata is often more revealing than data"?

> As opposed to Facebook and Google being present on just about every webpage and gobbling up data about all the people on the planet that have internet access.

You can trivially install Privacy Badger, Ghostery or any other number of tracker blockers that are available for free. Firefox comes built-in with a tracker blocker that's pretty good too. Every person on the planet has the option to opt out from FB and Google tracking.

Using a VPN costs money. Some websites (eg. retailers, Netflix) aggressively block connections from VPN IPs which means you have to turn off your VPN and sacrifice your privacy to access those sites. Whereas I've never seen a site block you because you have Privacy Badger installed.

> Whatever happened to "metadata is often more revealing than data"?

That's true, but the article claims that the actual data is accessible which it isn't in most cases.

And it's a bit in the nature of being an ISP, after all the only thing they are supposed to do is to take your packets and deliver them elsewhere, if they didn't do that then they wouldn't be in business at all. To the extent that this raises awareness of how the internet works under the hood I'm all for it but it is designed that way, it is not as if AT&T, Comcast and Verizon have gone out of their way to get this ability by injecting their content into each and every web page.

> You can trivially install Privacy Badger, Ghostery or any other number of tracker blockers that are available for free.

Yes, and I do. And most people do not.

> Every person on the planet has the option to opt out from FB and Google tracking.

Yes, but only a small percentage actually does so. And Google is present in so many market segments that in practice you will be interacting with it whether you want it or not even if you have a blocklist a mile long. Because that email you just sent to that innocent looking domain is actually gmail masquerading as some other domain.

> Whereas I've never seen a site block you because you have Privacy Badger installed.

I see this several times per week actually, usually related to some over-eager adblocker detector.

> Yes, but only a small percentage actually does so.

But they can and its free to do so. Opting out of ISP tracking costs money, when I'm already paying my ISP money.

> it is not as if AT&T, Comcast and Verizon have gone out of their way to get this ability by injecting their content into each and every web page.

Not for lack of trying[1]. Also Verizon now owns Yahoo and AOL which have some pretty large ad networks of their own.

1. https://arstechnica.com/tech-policy/2014/09/why-comcasts-jav...

> Opting out of ISP tracking costs money, when I'm already paying my ISP money.

All you will end up doing is giving someone else the same capability that your ISP has today. A VPN solves exactly nothing.

> Not for lack of trying

Yes, that's true they did try that. But then again, so did some registrars by hijacking domain names that were not in use. (And sometimes even when they were in use).

But end-to-end encryption took care of that in a pretty definitive manner.

> A VPN solves exactly nothing.

Maybe, maybe not. US ISPs operate as virtual monopolies in many markets - even if an ISP was tracking and monetizing online activity most customers don't have any recourse.

In contrast, the VPN market is extremely competitive; there are dozens, maybe hundreds of providers. Privacy is one of the differentiating factors between them. It would be extremely risky for a VPN provider to claim "no logs" but actually store logs - a single data breach, rogue employee, or whistleblower could end their business.

I'm not claiming VPNs are a desirable solution. The desirable solution is that ISPs don't track or otherwise monetize their customers' online activity.

You're a small minority, when you include both cell phone and broadband the vast majority of the country is a customer of one of at least one of them.

It would be good to see data on the relative monopoly market concentrations between the cable/telcos vs Facebook/Google.

I think you're encrypted argument is falling prey to the common fallacy of "it's only metadata". Knowing when you interact with which sites is more important than 90% of what you're doing on those sites, in terms of profiling you and monetizing you with data brokers.
Yes, but it is far harder for my ISP do monetize that data than it is for the two largest ad networks on the planet.

My ISP is welcome to know what sites I connect to because I pay them to do exactly that. Facebook and Google inserting their riders everywhere I go is not part of something I consent to.

And that's the root of the problem, if I send an envelope with my return address on the back the postal services have access to the meta-data and it is my decision to let them.

But it is not my decision to let a bunch of unrelated third parties use the contents of the letters to build up profiles on me and my counterparty.

The irony is that with more and more sites wanting to be "portals", more traffic is centralized within a single domain and none of the lateral movements are visible to the ISP.

Then: You go to foxnews.com, then you go to pornhub.com. Based on hostnames we can make some inferences about you and your behaviors.

Now: You go to reddit.com(/thedonald), then you go to reddit.com(/twerkinggifs). Thanks to HTTPS, the specific subs you're visiting aren't visible to the ISP; all they can see is you going to reddit a bunch of times.

No. AT&T has DPI on all packets that traverse its network and it cross licenses and shares financials with an extremely large number of network, credit, and transportation firms. This includes their cell network which tracks users at GPS accuracy.

For your statement to be true you would have to go without credit, a vehicle, a house, an internet connection, a cable TV, a connection to a cell tower.

It is more likely that you are not familiar of the size and complexity of their data collection and aggregation system.

I'm not as concerned about CA having data I've given to FB as I am about their admission of using it to spread false information. If cable and phone companies were politically weaponizing my data the same way I'd be just as concerned.

On the one hand, maybe worrying sooner prevents issues. On the other hand, I don't want to assume a slippery slope out of principle.

> admission of using it to spread false information . . . weaponizing my data

Can you link me to what Cambridge Analytica actually did with the data? I've been really curious about it but I can't find anything concrete.

Well the founder was recorded admitting to creating fake news for political purposes in an untraceable manner. The FB data would have let them target and personalize it.

And the 2016 election was flooded with targetted fake news from obscured foreign sources. I don't personally have access to CA's operations and communications. It's for investigators to prove if A and B are connected.

It's up to us to deploy Occam's razor.

>If cable and phone companies were politically weaponizing my data the same way I'd be just as concerned.

What makes you think they aren't? They have influencers in Washington, just like any political group does.

The only difference between what the ISPs did and CA did is that the ISPs sell the data, whereas CA stole it. Your data still gets transferred.

Of course they lobby, and for self-serving purposes. And that could use reform. But it's not related to the FB/CA story. They use our data to participate in the ad-tech ecosystem but that's separate from lobbying, which doesn't benefit from having my likes or social graph in any way I'm aware of.
We should implement browser extensions that randomly go to sites in the background, and create so much noise that the ISPs can't get any signal from us.
be more useful and run a tor node
Most tor nodes are government run anyway what’s the point.
a key difference here is the data structures behind the scenes, dont you think? FB built a state-of-the-art pipeline designed for graph analytics, and sold that as a revenue source. Meanwhile, the ISPs spent money on attorneys to secure favorable legal terms, and the "moron count" inside the company is likely quite high.. A zillion streams of sequential records are more like the 90s data warehouse situation, not FB graph search.
Oh cool, now it is the big ISPs. What is the Guardian coming up with next?

"The ISPs surveillance is nothing compared with the NSA"??

How are people waking up only now? Snowden happened in 2013!

> Your provider can see [...] what medical symptoms you search [...]. Everything that is unencrypted is fair game.

Which search engines are unencrypted these days?

Does that matter much when your next DNS lookup is erectiledysfunction.org and your next ip packets go to the ip address of that domain?
I don't think I've ever visited a website that had name of an illness in the domain name. But maybe it's just me.
When the article says "what medical symptoms you search"... Comcast can't see what you search if you're connected to a page using https, right? All of the major search engines and medical sites all use https... so, what are they talking about?
Indeed. They can know you're at WebMD, not that you looked up erectile dysfunction symptoms at WebMD. Only the ad companies get that kind of detail.

And beyond that, we're so centralized these days that most websites people spend time on are generic. For example, you have no idea what someone's interests are because they connect to Reddit, Google, Facebook, Twitter, and YouTube, nor who they might be communicating with over those domains.

You are right but they were not mentioned by Soros in Davos 2018 :)
Naive questions:

What has been the US legal/regulatory framework governing "privacy" that telecomunications operators have had to work within for the past thirty years?

Has Facebook had to operate within that same framework? As FB grew, has it been subject to the same restrictions?

Has Facebook, with the billions they have made through collecting and monetising user data, and with the competition they have given to the telecommunications providers, played any role in any "shrinking" of past privacy protections afforded telecom subscribers?

I have not lived very long but the big difference I see from past decades is that collecting user data and monetising it is viewed as a "core business".

While I was not yet born at the time, I am confident that the telegraph was not funded by reading peoples telegrams and trying to sell that information to merchants. As far as I know telephone service was not funded by recording peoples conversations and marketing the value of the collected information to advertisers. Even consumer internet service, first appearing in the 1990s, was not funded by collecting user data and trying to "monetise" it.

"Free" communication thanks to the internet has brought us a new type of company. It operates in a legal grey area, free from many of the restrictions that applied to its predecessors. Until proven otherwise, it appears that without collecting data on users and marketing it to third parties, this type of company cannot survive.

Yet, whether these new companies exist or not, as far as I can see communication over the internet is still "free". (The cost being the internet subscription fees.) Of course when a user chooses to utilise the "services" of these companies to "simplify" their internet use (or even their first introduction to the internet), that notion of "free" becomes rather complicated.

sites and isp were excempt of all common carrier laws. then fcc tried to add privacy considerations on isp similar to telcos, but that was shot down recently by republicans. granted, if the proposals also included sites/advertising, democrats would join in shutting it down.
Yet another reason Musk's new satellite internet will be awesome. I'd personally sacrifice some bandwidth for privacy.
what makes you feel that one will be "private"? Please don't tell me that you believe into the Musk PR. Google used to be the same way "Don't be evil...".

It is the great circle of life. The incumbents love to be privacy-centric, but as soon as they become big enough, they realize that they can make a shitload of money with data//metadata now that they got a captive set of customers

True, I have more faith in that guy though. Maybe he is just another money grubbing hackjob that will eventually morph his companies into evil enterprises but it just doesn't seem like thats his schtick atm.
No he just releases software that kills a customer, and then publicly releases the data from the car sensors to paint the now dead customer as an incompetent driver. Sounds like exactly the person to trust with my privacy.
That guy is a scam artist. Tesla accounting is very abnormal; it's probably why the CFO quit.
Yeah, sure, agreed, but why call the article that? Don't we want them all to stop sucking?
If you talk to a sales person from any third party ad service and ask questions about what you can do with data—you'll find there is an entire market of buying and selling data from every cell company, credit card company, banks, corporate rewards cards, voting records and donations, etc.
How about they all pose a serious threat to privacy?
The good news is, HTTPS is pretty common these days and Cloudflare just launched encrypted DNS (1.1.1.1). Those two things cover a large portion of exposed data.

If you're on Android, this is an excellent app that allows you to set a custom DNS server across all apps and connections, without root: https://f-droid.org/en/packages/org.jak_linux.dns66/. As a bonus it also lets you blacklist domains, though of course that's not relevant to concerns about your ISP.

Be wary of third-party VPNs, though (bottom section titled "VPNs could put you at risk"): https://arstechnica.com/information-technology/2016/06/aimin...