what you need to know is the rules were as green (aka new) as rules go, and this puts us right back into the landscape we were in circa 2015.
nothing has actually changed except the possibility of actual change. whatever information being culled, packaged, and sold two years ago will likely remain and (possibly) be expanded. for now.
Or two days ago. Which is the part that caught me. Yesterday I was reading headlines and all fired up to create a VPN before the dystopian apocalypse is upon us, but then I read a bit more that the proposed and now repealed rule was never in effect. I need a time machine to go with my VPN.
Potentially, we were better off with the “threat” of new rules coming into play.
These ISP’s are big companies, and like all big companies it takes them a long, long time to implement new initiatives. Just speculating, but some ISP’s may have canceled (or not started) projects that collected user data, because they assumed the new rules would be in place before their projects came online.
Well, the DNS queries and the IPs you’re connecting to. Equivalent information in the common case, but in theory you could use DNSCrypt to a nameserver other than your ISP’s (though almost nobody does) and in that case they’d not see your DNS queries, but still see what IPs your HTTPS connections are going to.
What I haven’t found is any kind of attempt at quantifying how significant that is. In some cases HTTPS ends up hiding basically all the relevant information. For example the information that you connected to Wikipedia or Google is nearly useless for building any kind of surveillance or marketing profile, since almost everyone does. So HTTPS hiding the actual Wikipedia articles you read or Google search queries you made accomplishes the goal nearly 100%. However, if you’re regularly connecting via HTTPS to a site with one clear type of content that isn’t co-located with a bunch of other popular sites using SNI, then the mere fact that you connected to that IP gives away a lot of information.
You’re right. For some reason I thought the SNI information was encrypted in recent versions of TLS, but I’m wrong, apparently that was proposed for TLS 1.3 but didn’t make it in.
I still haven’t found a good answer to “have ISP’s ever sold your browsing history to anyone?” and “how would they identify you if they did?”. Would they actually reach into your HTTP traffic and pull out cookies to serve as an identifier?
Like, if I open http://somesite.com/ and it has a tracking pixel from http://userdatadepot.com with cookie uid=123, will my ISP then use “userdatadepot.com:uid=123” as an identifier for my browsing history? Not sure why, but that seems like something which will not happen, and even if it did, could easily be blocked by tracker blocking extensions like Ghostery.
Maybe I’m misunderstanding your question, but for most people and businesses, they know who you are because you have an account for them. So when you click on somesite.com they directly record the http/s request to the site. They don’t need trackers because your network traffic passes through their system.
Yes, of course. The question is that when they have this nice bundle of all the news I’ve read and porn I’ve watched, and they go ahead and decide to sell it to the highest bidding data warehouse, how does the bidder resell that to someone who wants to target me with balloon and Trump ads?
I guess the best answer might be “where there is a profit, there is a way”. I’d bet an extension like Ghostery or uBlock can interrupt that chain of cookie syncing, though.
There’s a fairly large market of companies and organizations buying personal data that doesn’t need to be tied to a person online, only to their “RL” identity, so I’m not sure this even has to be solved to start making money. A lot of marketing is still offline, and with the growth in spending on U.S. election campaigns, there is also a huge amount of money being spent to amass personal profiles that are tied to physical addresses (which the ISP has, thanks to billing records).
There’s nothing to stop the ISP from selling bundles of data tagged with the name and address and phone number of the customer. Imagine Verizon collects all your browsing data from your cell and then markets phone number, name, browsing data, ip, as daily special. No cookies need apply. Now when you browse PDP11Porn.com the server can check your IP number against the database.
An ISP providing a way to look up browsing history by IP seems crazy to me, even without name / address. I don’t think there exists an ISP that could stay in business a year after creating such a service.
I just assume that if the ISP’s (and others) lobbied so hard for this law, they must have some reason to want the data. Just the fact that the ISP’s want to take it for free makes me not want to give it to them.
I can believe that Verizon puts a salted hash of your account_id into the header of each HTTP request unless you opt out. Then ad platforms can see that identifier and serve you ads based on the history they bought from Verizon. There’s probably a way to also link that to a https cookie id, but perhaps not on Safari defaults of no-third-party-cookies? And almost certainly not with Ghostery and uBlock installed. It seems like there would be a lot of limitations in comparison to Facebook or Google’s trackers, and very little advantage.
The other advantage for advertisers to use existing trackers is that they target individuals specifically, not everyone who uses your internet connection, which is often a whole family or dorm or housemates…
A friend posed this question to me: How effective is a VPN really in the face of this? Given that pretty much every bit of content we browse on the web uses cookies and other means to cross correlate with our online buying history anyway.
Dunno what to say to that. I’m setting one up anyway, whether or not I use it all the time depends on how hard it is :)
what you need to know is the rules were as green (aka new) as rules go, and this puts us right back into the landscape we were in circa 2015.
nothing has actually changed except the possibility of actual change. whatever information being culled, packaged, and sold two years ago will likely remain and (possibly) be expanded. for now.
Or two days ago. Which is the part that caught me. Yesterday I was reading headlines and all fired up to create a VPN before the dystopian apocalypse is upon us, but then I read a bit more that the proposed and now repealed rule was never in effect. I need a time machine to go with my VPN.
Potentially, we were better off with the “threat” of new rules coming into play.
These ISP’s are big companies, and like all big companies it takes them a long, long time to implement new initiatives. Just speculating, but some ISP’s may have canceled (or not started) projects that collected user data, because they assumed the new rules would be in place before their projects came online.
Doesn’t the HTTPS-Everywhere campaign’s success limit the damage here to DNS queries?
Well, the DNS queries and the IPs you’re connecting to. Equivalent information in the common case, but in theory you could use DNSCrypt to a nameserver other than your ISP’s (though almost nobody does) and in that case they’d not see your DNS queries, but still see what IPs your HTTPS connections are going to.
What I haven’t found is any kind of attempt at quantifying how significant that is. In some cases HTTPS ends up hiding basically all the relevant information. For example the information that you connected to Wikipedia or Google is nearly useless for building any kind of surveillance or marketing profile, since almost everyone does. So HTTPS hiding the actual Wikipedia articles you read or Google search queries you made accomplishes the goal nearly 100%. However, if you’re regularly connecting via HTTPS to a site with one clear type of content that isn’t co-located with a bunch of other popular sites using SNI, then the mere fact that you connected to that IP gives away a lot of information.
Is “not co-located” necessary? I think ISPs can collect SNI information just fine, although I don’t know whether they do.
You’re right. For some reason I thought the SNI information was encrypted in recent versions of TLS, but I’m wrong, apparently that was proposed for TLS 1.3 but didn’t make it in.
Only for sites that support HTTPs, right? Many do not.
I still haven’t found a good answer to “have ISP’s ever sold your browsing history to anyone?” and “how would they identify you if they did?”. Would they actually reach into your HTTP traffic and pull out cookies to serve as an identifier?
Like, if I open http://somesite.com/ and it has a tracking pixel from http://userdatadepot.com with cookie uid=123, will my ISP then use “userdatadepot.com:uid=123” as an identifier for my browsing history? Not sure why, but that seems like something which will not happen, and even if it did, could easily be blocked by tracker blocking extensions like Ghostery.
Yes. Likely not in general, but I used to work for a company that bought clickstream data from free dialup ISPs.
Maybe I’m misunderstanding your question, but for most people and businesses, they know who you are because you have an account for them. So when you click on somesite.com they directly record the http/s request to the site. They don’t need trackers because your network traffic passes through their system.
Yes, of course. The question is that when they have this nice bundle of all the news I’ve read and porn I’ve watched, and they go ahead and decide to sell it to the highest bidding data warehouse, how does the bidder resell that to someone who wants to target me with balloon and Trump ads?
I guess the best answer might be “where there is a profit, there is a way”. I’d bet an extension like Ghostery or uBlock can interrupt that chain of cookie syncing, though.
There’s a fairly large market of companies and organizations buying personal data that doesn’t need to be tied to a person online, only to their “RL” identity, so I’m not sure this even has to be solved to start making money. A lot of marketing is still offline, and with the growth in spending on U.S. election campaigns, there is also a huge amount of money being spent to amass personal profiles that are tied to physical addresses (which the ISP has, thanks to billing records).
There’s nothing to stop the ISP from selling bundles of data tagged with the name and address and phone number of the customer. Imagine Verizon collects all your browsing data from your cell and then markets phone number, name, browsing data, ip, as daily special. No cookies need apply. Now when you browse PDP11Porn.com the server can check your IP number against the database.
An ISP providing a way to look up browsing history by IP seems crazy to me, even without name / address. I don’t think there exists an ISP that could stay in business a year after creating such a service.
I just assume that if the ISP’s (and others) lobbied so hard for this law, they must have some reason to want the data. Just the fact that the ISP’s want to take it for free makes me not want to give it to them.
So there’s the EFF article on Verizon’s tracking header: https://www.eff.org/deeplinks/2014/11/verizon-x-uidh
There’s also the Verizon FAQ: https://www.verizonwireless.com/support/unique-identifier-header-faqs/
I guess it comes down to who you choose to believe. Or how you define things like “selling browser history”.
I can believe that Verizon puts a salted hash of your account_id into the header of each HTTP request unless you opt out. Then ad platforms can see that identifier and serve you ads based on the history they bought from Verizon. There’s probably a way to also link that to a https cookie id, but perhaps not on Safari defaults of no-third-party-cookies? And almost certainly not with Ghostery and uBlock installed. It seems like there would be a lot of limitations in comparison to Facebook or Google’s trackers, and very little advantage.
The other advantage for advertisers to use existing trackers is that they target individuals specifically, not everyone who uses your internet connection, which is often a whole family or dorm or housemates…
A friend posed this question to me: How effective is a VPN really in the face of this? Given that pretty much every bit of content we browse on the web uses cookies and other means to cross correlate with our online buying history anyway.
Dunno what to say to that. I’m setting one up anyway, whether or not I use it all the time depends on how hard it is :)