Slashdot Mirror


ISPs May Be Selling Your Web Clicks

Mozzarella writes "Could our ISPs be selling our click data without us even knowing it? It seems like the practice is happening a lot more than we realize, and can be tracked for each user. Complete Incorporated's CTO David Cancel told Ars Technica that his company (an internet research firm) licenses click information from ISPs for 'millions of dollars' to figure out how we use the web. From the article: 'He did not give a specific figure about what this broke down to in terms of dollars per ISP user, although someone in the audience estimated that it was in the range of 40 per user per month — this estimate was erroneously attributed to Cancel himself in some reports on the event. Cancel said that this clickstream data is 'much more comprehensive' than data that is normally gleaned through analyzing search queries.'"

28 of 110 comments

  1. Your Internet soul was sold years ago by BristolCream · · Score: 5, Informative

    There is little new here. Companies such as http://www.hitwise.com/ have been purchasing raw traffic data for years. They place a box at switch level and monitor everything about everyone and then sell on the reports for profits. The last time I had a quote from them it was in the region of $28k to monitor footfall to a single site for a year. Access to the full data set can run into the hundreds of thousands.

    1. Re:Your Internet soul was sold years ago by cswiger · · Score: 3, Informative

      Well, you can get free tools like analog or webalyzer, or commercial things like Unison, which process a webserver logfile and generate all kinds of reports like search terms, OS & user-agent breakdowns, aggregated over various time-intervals, without installing an inline traffic sniffer.

      But there's a difference between a website analyzing the traffic sent to it, particularly if reasonable notice in the site's privacy policy is there, and reselling that data to third parties, or gathering data from all sites going by an MAE or ISP NAP without any permission or notification. The former is something which most people take for granted when they decide to browse to a site, but the latter is not something which most people assume is OK.

      Fortunately, using SSL is a pretty good defense against man-in-the-middle attacks, so long as the server keys have not been compromised-- trying to analyze HTTPS traffic only gives you source and dest IPs, but no info about the specific URLs being hit, cookies, search keywords, and so forth.

      --
      "The human race's favorite method for being in control of the facts is to ignore them." -Celia Green
    2. Re:Your Internet soul was sold years ago by BristolCream · · Score: 3, Informative

      I'm not talking about statistics collected at site level. Hitwise place a box at switch level with consumer ISPs, tracking everywhere they go and everything they do. Seriously. Read all about it here.

    3. Re:Your Internet soul was sold years ago by Anonymous Coward · · Score: 2, Informative

      What is needed is an anonymous network beyond the government watched Tor and simple proxifiers. A new network is needed. A few people have created an anonymous, deniable, virtual Internet using OpenVPN and Quagga. anoNet has all the luxuries of the Internet (http, ftp, IM, IRC, p2p, search, etc.). They also have full DNS and IP/AS registration to keep things sane. Unlike the Internet all registration is anonymous and private. This network is not a warez network at all, merely a group of people who want a different network, founded on privacy.

      http://www.anonet.org/

  2. Is this legal? by Raul654 · · Score: 5, Insightful

    If this is being done without users' consent, then it strikes me as being dangerously close to wiretapping, which is illegal.

    --


    To make laws that man cannot, and will not obey, serves to bring all law into contempt.
    --E.C. Stanton
    1. Re:Is this legal? by Seumas · · Score: 2, Interesting

      This wouldn't matter to me if the data was anonymized so that it was impossible to correlate the data beyond "all of these are by the same individual", but no way to identify by IP address or anything else.

      The problem, as we saw with the data AOL released last year, is that there is most certainly identifiable data in the clicks, such as phone numbers, credit card numbers, usernames, passwords, real names, social security numbers, medical information and other private data.

    2. Re:Is this legal? by vandon · · Score: 2, Insightful

      If this is being done without users' consent, then it strikes me as being dangerously close to wiretapping, which is illegal.

      Remember that EULA you clicked 'I agree' on without reading?
    3. Re:Is this legal? by HomelessInLaJolla · · Score: 2, Insightful

      Even if the information isn't immediately personally identifiable it is fairly easy, through analysis of the cross-section of a few related databases, to make it so. It's just math and most cookies have some uniquely identifiable characteristic. Perhaps they can't tie information A with person B, but it isn't too difficult to tie information A to information C to information D and then cut the database down to people who have A, C, and D. Iterate if necessary.

      --
      the NPG electrode was replaced with carbon blac
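
The narrowing described in the comment above, as an added example that is not part of the original thread: a release audit that measures how fast the candidate set shrinks as attributes A, C and D are combined, and which pseudonyms end up unique. All records, field names and pseudonyms are constructed for illustration.

```python
from collections import Counter

# Constructed sample: attributes inferable from each pseudonym's clicks
# (weather lookups -> ZIP, webmail host -> employer, forum profile -> birth year).
RELEASED = [
    {"pid": "u01", "zip": "92037", "employer": "uni.example", "born": 1975},
    {"pid": "u02", "zip": "92037", "employer": "uni.example", "born": 1981},
    {"pid": "u03", "zip": "92037", "employer": "lab.example", "born": 1975},
    {"pid": "u04", "zip": "92101", "employer": "uni.example", "born": 1975},
    {"pid": "u05", "zip": "92101", "employer": "lab.example", "born": 1981},
    {"pid": "u06", "zip": "92101", "employer": "lab.example", "born": 1981},
]


def narrowing(records, target, attrs):
    """Candidate-set size after filtering on each attribute in turn."""
    candidates, sizes = list(records), []
    for attr in attrs:
        candidates = [r for r in candidates if r[attr] == target[attr]]
        sizes.append(len(candidates))
    return sizes


def _group_sizes(records, attrs):
    # Count how many records share each combination of attribute values.
    return Counter(tuple(r[a] for a in attrs) for r in records)


def k_anonymity(records, attrs):
    """Smallest group sharing the same values for attrs; 1 means someone is unique."""
    return min(_group_sizes(records, attrs).values())


def unique_pids(records, attrs):
    """Pseudonyms that are the only member of their attribute group."""
    groups = _group_sizes(records, attrs)
    return sorted(r["pid"] for r in records
                  if groups[tuple(r[a] for a in attrs)] == 1)


if __name__ == "__main__":
    attrs = ["zip", "employer", "born"]
    print(narrowing(RELEASED, RELEASED[0], attrs))
    print(k_anonymity(RELEASED, attrs), unique_pids(RELEASED, attrs))
```

A data set that looks safe on one attribute (k = 3 on ZIP alone) drops to k = 1 once a second attribute is added, which is the point at which an external database sharing those attributes can single a person out.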
    4. Re:Is this legal? by Harmonious Botch · · Score: 4, Funny

      Remember that EULA you clicked 'I agree' on without reading?

      I agree.
    5. Re:Is this legal? by scribblej · · Score: 2, Informative

      I use ComCast.

      When you sign up, they have a disk you are supposed to use to get started.

      It's a damn internet connection. I don't need a disk for that, nor will I use one. Plus, I'm on Linux, which they don't support.

      The practical upshot of this is, I've never seen a contract. I called them up to activate service over the phone. No EULAs, no clicking, no "I agree," nothing.

    6. Re:Is this legal? by TuballoyThunder · · Score: 2, Informative
      You probably agreed to quite a few things.

      By using this service you are agreeing to
      • Operator Acceptable Use Policy
      • Cable Modem Service Subscription Agreement
      • Time Warner Cable and Affiliated ISPs Subscriber Privacy Notice
      and, from the Operator Acceptable Use Policy

      e) In addition to the foregoing, Operator and ISP each shall have the right at any time to add to, modify or delete any aspect, feature or requirement of the ISP Service, including but not limited to content, equipment and system requirements. Operator shall have the right to add to, modify or delete any provision of this Agreement and/or any Terms of Use established by Operator and/or the Subscriber Privacy Notice at any time. An online version of this Agreement, the Terms of Use, and the Subscriber Privacy Notice, as so changed from time to time, will be accessible at http://help.twcable.com/ or another online location as designated by Operator. Operator will notify Subscriber of any significant change in this Agreement, the Terms of Use or the Subscriber Privacy Notice. Upon any such change, Subscriber's continued use of the ISP Service will constitute Subscriber's consent to such change. If Subscriber does not agree to any such change, Subscriber immediately shall stop using the ISP Service and notify Operator and ISP that he/she is terminating the subscription to the ISP Service.
    7. Re:Is this legal? by drinkypoo · · Score: 2, Interesting

      The problem, as we saw with the data AOL released last year, is that there is most certainly identifiable data in the clicks, such as phone numbers, credit card numbers, usernames, passwords, real names, social security numbers, medical information and other private data.

      That's not the only problem. Let's say for the sake of argument that you don't use adblock and you do load images from, say, doubleclick that have unique URLs. If that URL exists in your search data, then even if your IP has been cleared, and replaced with some other identifier that groups the clicks together (without grouping clicks the information is fairly useless) they can tie all of that activity to you, and your IP (from their logs.)

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
  3. Apologies to HAL 9000 by athloi · · Score: 2, Funny

    "Good lord, it's full of... porn"

  4. Yes by memeplex · · Score: 2, Insightful

    It is WITH user consent via the 99.9%-unread EULA. Compete could license data from say, NetZero, also funded by Charles River. Or maybe from Alexa toolbar-collected data, since the Alexa Research team all went to Compete around the year 2000. Read the EULA.

  5. Insert joke here by thib_gc · · Score: 2, Funny

    Insert joke about a click business represented by a guy named Cancel here.

    1. Re:Insert joke here by fbjon · · Score: 2, Funny

      I won't Allow that.

      --
      True confidence comes not from realising you are as good as your peers, but that your peers are as bad as you are.
    2. Re:Insert joke here by Joebert · · Score: 2, Funny

      It has Abbot & Costello written all over it.

      --
      Wanna fight ? Bend over, stick your head up your ass, and fight for air.
  6. So, who's going to be the first to... by msauve · · Score: 2, Funny

    write a randomizer (using wget?) to pollute their data?

    --
    "National Security is the chief cause of national insecurity." - Celine's First Law
    1. Re:So, who's going to be the first to... by Dunbal · · Score: 2, Insightful

      With all due respect, their business is not evil.

      If they're really not evil then where is the harm in obtaining my consent first? Well?

      --
      Seven puppies were harmed during the making of this post.
  7. Re:Who gives a rats ass? by spun · · Score: 5, Funny

    You all act so fuckin high and mighty - Privacy is a moot point to argue when you live in your parents basement.

    You know I'm right


    Son, your mother and I have said it before and we'll say it again: if you didn't have such a fixation on ostrich porn, we wouldn't have to monitor your net connection. When you're 18 and you have a place of your own then you can look at all the flightless bird porn you like, but not a moment sooner. Do you have any idea what it did to your little sister to come home and find you naked and covered in egg yolks with your head in a box of sand and feathers stuck up your ass?

    --
    - None can love freedom heartily, but good men; the rest love not freedom, but license. -- John Milton
  8. Possible by HomelessInLaJolla · · Score: 3, Informative

    While a counterattack is possible there are two mitigating factors:

    First, philosophically, it is always the course of greater wisdom to explore extinguishing the problem using passive resistance (eg. avoiding offending services). Sadly, this is rarely effective against a determined aggressor but it does prevent unnecessary conflict by establishing a baseline of just how determined the aggressor is.

    Second, in terms of time, the information gathering industry is way ahead of us and the internet laws are written to be easily used against people who would interfere with their exploits.

    All in all, though, data pool pollution would be an effective approach if the aggressor has been determined to be resolute and the legal aspect weren't so grim.

    --
    the NPG electrode was replaced with carbon blac
  9. Re:bring it on by Telanis Blackwood · · Score: 2, Interesting

    More importantly, if it's my clicks, why don't I get paid for them? I should get compensation for the carpal tunnel generating all their clicks.

    --
    See this? This is a comment. Learn from this.
  10. Seem reasonable. Almost by value_added · · Score: 3, Insightful

    For his part, David Cancel told Ars that he "strongly supports an increase in the methods and degree to which disclosure is communicated," not only for clickstream data but for any kind of data collected on users' personal surfing habits.

    Nicely put. I'd even go so far as to suggest it's even nicer than what we typically hear during White House press conferences.

    He stated that "all users should be informed explicitly when their data can be sold to a third party."

    The tricky part. A nice sounding pronouncement, but it sidesteps the issue of whether they are, and if so, to what extent, etc. And it overlooks what we should expect, which is typically a progression starting with a scandal, followed by a Mistakes Were Made apology, followed by calls to action and the scattered efforts of those affected but who otherwise have little say in the matter, and if we're lucky, a legislator giving a There Oughta Be a Law speech before some subcommittee.

    I've often wondered what the cable companies are doing with respect to TV watching. On the one hand, it seems perfectly reasonable that they could devise a system whereby they could collect statistics on my viewing habits and sell them to Nielsen's. On the other, I'm not aware of whether they can, have plans to, or already do. Maybe someone more knowledgeable can clue me in.

  11. EULA doesn't always prevail by Infonaut · · Score: 4, Interesting

    It is WITH user consent via the 99.9%-unread EULA.

    If the EULA enforces things that a reasonable person wouldn't expect to find in a contract of this type, the unreasonable elements of the EULA may be found unenforceable by the courts.

    Whether the right to sell data relating to your Internet use to third parties is something a reasonable person would expect is debatable. Someone could challenge those portions of the EULA covering click info, on the basis that they are not to be reasonably expected in an end user license covering a contract for Internet access.

    The challenge wouldn't necessarily prevail in court, but it could be made. The legal theory behind this is that when one party holds a substantial bargaining advantage over the other, and has employed contractual language that is dense and lengthy, it is unreasonable to expect that the disadvantaged party will be able to spot every element of the contractual language. After all, the company can employ a lawyer to put all sorts of bizarre language into a contract, and most consumers are not schooled in such language, nor do they necessarily have the time to go through the language of each and every EULA. Thus, if the party with an advantage employs tricky language in the EULA, that language can be considered unenforceable.

    --
    Read the EFF's Fair Use FAQ
    1. Re:EULA doesn't always prevail by DragonWriter · · Score: 2, Insightful

      If the EULA enforces things that a reasonable person wouldn't expect to find in a contract of this type, the unreasonable elements of the EULA may be found unenforceable by the courts.

      Whether the right to sell data relating to your Internet use to third parties is something a reasonable person would expect is debatable. Someone could challenge those portions of the EULA covering click info, on the basis that they are not to be reasonably expected in an end user license covering a contract for Internet access.


      Since most of the time there is a separate "privacy policy" containing such provisions, and you have to separately acknowledge the privacy policy, and since it would be very hard to make the case that a reasonable person would not expect to find agreements as to what information would be protected as private and what information would be shared in a "privacy policy", I don't expect that that's going to be effective against most agreements.

  12. Typo by merreborn · · Score: 2, Informative

    That's $0.40 dollars per user, not $40. The cents sign is missing from the summary.

  13. Re:Is this IANAL but...? by Sparr0 · · Score: 2, Informative

    One less than you have now told us. I have an implicit contract with all of my utility companies. They give me [something], I give them money in return. That's it, the bulk of our spoken and/or implicit agreement. If either of us want more out of the deal, it would need to be spelled out and signed.

  14. Re:Who gives a rats ass? by Jherek Carnelian · · Score: 2, Insightful

    It isn't just about your personal privacy. The way that society protects other people's privacy can affect your personal well-being.

    The simplest example is when a group attains political dominance and is able to breach the privacy of anyone who challenges the status quo. If they can cause sufficient embarrassment or publicly humiliate anyone enough to make them unelectable, they can still appear to run open and fully democratic elections without risk of losing their grip on power.

    Society as a whole will stagnate and suffer under such conditions, and even if you personally have nothing to hide, chances are that you'll end up suffering too. Although you may not realize it since most people tend to accept that life is the way it is, never wondering if a better life could ever have been an option.