ISPs May Be Selling Your Web Clicks

Mozzarella writes "Could our ISPs be selling our click data without us even knowing it? It seems like the practice is happening a lot more than we realize, and can be tracked for each user. Complete Incorporated's CTO David Cancel told Ars Technica that his company (an internet research firm) licenses click information from ISPs for 'millions of dollars' to figure out how we use the web. From the article: 'He did not give a specific figure about what this broke down to in terms of dollars per ISP user, although someone in the audience estimated that it was in the range of 40 per user per month — this estimate was erroneously attributed to Cancel himself in some reports on the event. Cancel said that this clickstream data is 'much more comprehensive' than data that is normally gleaned through analyzing search queries.'"

Re:Is this legal?

[Seumas]

This wouldn't matter to me if the data was anonymized so that it was impossible to correlate the data beyond "all of these are by the same individual", but no way to identify by IP address or anything else.

The problem, as we saw with the data AOL released last year, is that there is most certainly identifiable data in the clicks, such as phone numbers, credit card numbers, usernames, passwords, real names, social security numbers, medical information and other private data.

Re:bring it on

[Telanis+Blackwood]

More importantly, if it's my clicks, why don't I get paid for them? I should get compensation for the carpal tunnel generating all their clicks.

Re:Is this legal?

[drinkypoo]

The problem, as we saw with the data AOL released last year, is that there is most certainly identifiable data in the clicks, such as phone numbers, credit card numbers, usernames, passwords, real names, social security numbers, medical information and other private data.

That's not the only problem. Let's say for the sake of argument that you don't use adblock and you do load images from, say, doubleclick that have unique URLs. If that URL exists in your search data, then even if your IP has been cleared, and replaced with some other identifier that groups the clicks together (without grouping clicks the information is fairly useless) they can tie all of that activity to you, and your IP (from their logs.)

EULA doesn't always prevail

[Infonaut]

It is WITH user consent via the 99.9%-unread EULA.

If the EULA enforces things that a reasonable person wouldn't expect to find in a contract of this type, the unreasonable elements of the EULA may be found unenforceable by the courts.

Whether the right to sell data relating to your Internet use to third parties something a reasonable person would expect is debatable. Someone could challenge those portions of the EULA covering click info, on the basis that they are not to be reasonably expected in an end user license covering a contract for Internet access.

The challenge wouldn't necessarily prevail in court, but it could be made. The legal theory behind this is that when one party holds a substantial bargaining advantage over the other, and has employed contractual language that is dense and lengthy, it is unreasonable to expect that the disadvantaged party will be able to spot every element of the contractual language. After all, the company can employ a lawyer to put all sorts of bizarre language into a contract, and most consumers are not schooled in such language, nor do they necessarily have the time to go through the language of each and every EULA. Thus, if the party with an advantage employs tricky language in the EULA, that language can be considered unenforceable.