Slashdot Mirror


ISPs May Be Selling Your Web Clicks

Mozzarella writes "Could our ISPs be selling our click data without us even knowing it? It seems like the practice is happening a lot more than we realize, and can be tracked for each user. Complete Incorporated's CTO David Cancel told Ars Technica that his company (an internet research firm) licenses click information from ISPs for 'millions of dollars' to figure out how we use the web. From the article: 'He did not give a specific figure about what this broke down to in terms of dollars per ISP user, although someone in the audience estimated that it was in the range of 40 per user per month — this estimate was erroneously attributed to Cancel himself in some reports on the event. Cancel said that this clickstream data is 'much more comprehensive' than data that is normally gleaned through analyzing search queries.'"


  1. Your Internet soul was sold years ago by BristolCream · · Score: 5, Informative

    There is little new here. Companies such as http://www.hitwise.com/ have been purchasing raw traffic data for years. They place a box at switch level and monitor everything about everyone and then sell on the reports for profits. The last time I had a quote from them it was in the region of $28k to monitor footfall to a single site for a year. Access to the full data set can run into the hundreds of thousands.

    1. Re:Your Internet soul was sold years ago by cswiger · · Score: 3, Informative

      Well, you can get free tools like analog or webalyzer, or commercial things like Unison, which process a webserver logfile and generate all kinds of reports like search terms, OS & user-agent breakdowns, aggregated over various time-intervals, without installing an inline traffic sniffer.

      But there's a difference between a website analyzing the traffic sent to it, particularly if reasonable notice in the site's privacy policy is there, and reselling that data to third parties, or gathering data from all sites going by an MAE or ISP NAP without any permission or notification. The former is something which most people take for granted when they decide to browse to a site, but the latter is not something which most people assume is OK.

      Fortunately, using SSL is a pretty good defense against man-in-the-middle attacks, so long as the server keys have not been compromised-- trying to analyze HTTPS traffic only gives you source and dest IPs, but no info about the specific URLs being hit, cookies, search keywords, and so forth.

      --
      "The human race's favorite method for being in control of the facts is to ignore them." -Celia Green
    2. Re:Your Internet soul was sold years ago by BristolCream · · Score: 3, Informative

      I'm not talking about statistics collected at site level. Hitwise place a box at switch level with consumer ISPs, tracking everywhere they go and everything they do. Seriously. Read all about it here.

  2. Possible by HomelessInLaJolla · · Score: 3, Informative

    While a counterattack is possible there are two mitigating factors:

    First, philosophically, it is always the course of greater wisdom to explore extinguishing the problem using passive resistance (eg. avoiding offending services). Sadly, this is rarely effective against a determined aggressor but it does prevent unnecessary conflict by establishing a baseline of just how determined the aggressor is.

    Second, in terms of time, the information gathering industry is way ahead of us and the internet laws are written to be easily used against people who would interfere with their exploits.

    All in all, though, data pool pollution would be an effective approach if the aggressor has been determined to be resolute and the legal aspect weren't so grim.

    --
    the NPG electrode was replaced with carbon blac