Slashdot Mirror


ISP Embarq Monitors User Traffic

Deli Korkmaz writes "The Washington Post reports that Sprint-Nextel spin-off Embarq, currently the US's fourth largest DSL provider, monitored Internet activity on some 26,000 customers in Kansas using deep-packet inspection technology NebuAd in order to deliver targeted advertising to users' desktops. CNet provides coverage as well. The House of Representatives Committee on Energy and Commerce is investigating whether any privacy laws were broken. Users were informed of this test and invited to opt out only via Embarq's online Privacy Policy; a mere 15 subscribers did so."

106 comments

  1. wow by conteXXt · · Score: 4, Funny

    All up into a dude's business just to sell ads. Disgusting.

    --
    The truth about Led Zep should never be told on /. (Karma suicide ensues)
    1. Re:wow by Anonymous Coward · · Score: 0

      From the summary:

      The House of Representatives Committee on Energy and Commerce is investigating whether any privacy laws were broken.

      And the government is investigating the sleaziest way to secretly co-opt this shit to see what might be of use to government interests. This wouldn't be, by far, the first time they've gone to third party "aggregators" to purchase (or demand) information on citizens which they're forbidden by law from gathering themselves. Not that there's much left in that area after the congress recently tucked its collective ankles behind its ears to "revise" FISA.

      One example -- sometime back, the CIA, in an attempt to build a database containing facial images of most US citizens, purchased the driver's license images from three states. The plan blew up in their faces after South Carolina (IIRC) found out about the intended use and sued to get its images back. I'm confident their images were returned. But not the copies. Duh.

    2. Re:wow by squidguy · · Score: 3, Funny

      Nice...surf pr0n, Embarq dynamically sends you goatse ads.

    3. Re:wow by Anonymous Coward · · Score: 0

      What's the truth behind Led Zeppelin?

    4. Re:wow by Z00L00K · · Score: 2, Informative

      Opt-out should be replaced by opt-in, always!

      --
      If builders built buildings the way programmers wrote programs, then the first woodpecker would destroy civilization.
    5. Re:wow by tehcyder · · Score: 1

      Nice...surf pr0n, Embarq dynamically sends you goatse ads.

      Wouldn't that depend on what pr0n you were surfing in the first place?

      --
      To have a right to do a thing is not at all the same as to be right in doing it
  2. was it limited to inspection? by v1 · · Score: 4, Insightful

    Was this deep packet "inspection", or did they actually alter traffic? Like modifying web pages to insert ads, or change IP addresses of banners?

    Or something more hands-off like monitoring customer browsing and using it to deliver better targeted ads when the customer browsed their own web pages?

    --
    I work for the Department of Redundancy Department.
    1. Re:was it limited to inspection? by Ron_Fitzgerald · · Score: 4, Informative

      It is exactly like Phorm. They monitor your surfing habits to identify your likes and feed the info to a partner website that is displaying an ad based on your habits.

      --
      ~ Ron Fitzgerald
    2. Re:was it limited to inspection? by Anonymous Coward · · Score: 5, Informative

      Disclaimer: I am an Embarq employee.

      It was used to better target the advertisements on MyEmbarq.com and on the DNS redirection pages for server not found. If there was any more past that, then the general work force was not aware of it. No modifying of pages or redirecting others' advertisements.

      This system would only work if you used Embarq's DNS servers.

    3. Re:was it limited to inspection? by spinkham · · Score: 5, Interesting

      If they are using the NebuAd services, it IS both deep packet inspection and inserting javascript in all pages.
      The fact that it uses the information it gathers to give better targeted ads on your DNS redirection (a separate kind of internet breaking evil you should be ashamed of, BTW) is just gravy.
      You as an employee have only received half the story, and it makes it sound a whole lot better that way.
      Wikipedia's article on NebuAd will give you some of the real scoop, but it gets worse the more you find out about it..
      http://en.wikipedia.org/wiki/NebuAd

      --
      Blessed are the pessimists, for they have made backups.
    4. Re:was it limited to inspection? by mrsteveman1 · · Score: 1

      Out with those servers for my machines then....

    5. Re:was it limited to inspection? by Anonymous Coward · · Score: 2, Insightful

      From Wikipedia, a quote allegedly from NebuAd's privacy policy:

      The information we collect is stored and processed on NebuAd's servers in the United States. As a result, that information may be subject to access requests by governments, courts or law enforcement

      So, the gov't doesn't need to do wiretapping without permission... NebuAd does it for them, with my ISP's permission. All that's needed is a subpoena.

      NICE!

    6. Re:was it limited to inspection? by Anonymous Coward · · Score: 0

      Agreed, the crucial thing here is that a third party is allowed to modify your packet stream at all. This should be a no-no. If they couldn't do that they'd have no reason to snoop.

      Does this fact now mean that their subscribers are no longer legally accountable for the traffic that passes between them and the internet? It all becomes more and more circumstantial.

    7. Re:was it limited to inspection? by Anonymous Coward · · Score: 0

      It's passed not past. You're fired.

      Tom

    8. Re:was it limited to inspection? by Dan541 · · Score: 4, Interesting

      How is this legal?

      I thought warrantless wiretapping only covered law enforcement.

      --
      An SQL query goes to a bar, walks up to a table and asks, "Mind if I join you?"
    9. Re:was it limited to inspection? by AllIGotWasThisNick · · Score: 1

      Why would you assume a subpoena is required? By submitting to the policy, you clearly indicate that you have NO expectation of privacy, and thus would have no actual right to privacy within those communications. As always, IANAL. ;)

    10. Re:was it limited to inspection? by Anonymous Coward · · Score: 0

      An ISP injected JavaScript in all text/*ml HTTP requests made on port 80, which completely messed up all HTML, XML and XHTML, including my web 3.14 application's AJAX calls. Took me a while to figure what was going on and replacing the content type header on the server with text/plain fixed it.

      I still don't like the idea of writing *MY* own web application which *I* will use and getting all sorts of ads in it while still paying a monthly fee to my ISP. Websites pay for the traffic they serve me using money collected from ads. ISPs should pay for the traffic they serve me using the fee they're collecting from me every month.

      We've had an ISP poisoning the DNS with whatever they felt like. Someone registered a very simple domain name and pointed it to their services. Everyone got used to typing that domain (three letters) instead of the ISP's domain name (TWENTY-EIGHT letters). After they realized it, the three-letter domain resolved to 127.0.0.1 but only for the users of that ISP.

    11. Re:was it limited to inspection? by rtb61 · · Score: 3, Interesting

      Catch is on ADSL system it is an illegal monitoring of telephone activity. It is a telephone line and whether the communications are straight voice or digitised content it is still illegal. The ISP and the advertising agency should be prosecuted to the full extent of the law including imprisonment and government that lets this get by is criminally complicit.

      --
      Chaos - everything, everywhere, everywhen
    12. Re:was it limited to inspection? by Anonymous Coward · · Score: 0

      No it isn't. You're Fired.

      Frank

    13. Re:was it limited to inspection? by atraintocry · · Score: 1

      It's sort of the opposite situation. Law enforcement needs warrants because they're a third party, and specifically because they're law enforcement. If the wire starts and ends with ISP-owned equipment, they don't really have to tap it to know what's on it. I'm sure their argument is that you agreed to the terms when you signed up, and if you don't like the new "enhancements" to the service, you're free to drop it.

      It's not so simple, obviously. The fact that in any given spot in the US you only have 2 or 3 choices for broadband, and this the direct result of government-granted monopolies, tells me that they should not be so cavalier in how they treat their customers. Plus, say what you will about Americans, we do not take being spied upon lightly (unless someone brings up "sleeper cells", child porn, or record label IP, of course). But this has to do with ad delivery, and I hope Congress does the right thing here, even if it's only to emphasize the fact that the government has a monopoly on spying on citizens.

      They told Charter to cut it out until they investigated. Now they're actually investigating Embarq. Depending on their findings, this could be very good news. I just hope that they remember that the free market doesn't apply here, since there never really has been a free market for telecom services, and that was by Congress's own hand.

  3. Why aren't we encrypting everything already? by Anonymous Coward · · Score: 5, Interesting

    If we can get web servers to support TLS (for multi-domain encryption on a single IP vs. SSL), and create a non-identity framework for encryption, we should just start encrypting everything end to end. ISPs are asking for it with these behaviors.

    1. Re:Why aren't we encrypting everything already? by Cathoderoytube · · Score: 2, Insightful

      Not sure if that'll work. Some internet companies apparently block all encrypted traffic. I'm thinking of Rogers Cable as my example (feel free to correct me though). I mean really it's their own business if they want to shaft their customers. Unfortunately most people either don't care that this sort of stuff is going on, or don't know of any other ISPs they can go to as alternatives.

      --
      I have nothing compelling to say
    2. Re:Why aren't we encrypting everything already? by YrWrstNtmr · · Score: 2, Insightful

      If we can get web servers to support TLS (for multi-domain encryption on a single IP vs. SSL), and create a non-identity framework for encryption, we should just start encrypting everything end to end. ISPs are asking for it with these behaviors.

      You just lost 99.9% of the intarweb using population.

    3. Re:Why aren't we encrypting everything already? by maxume · · Score: 4, Insightful

      Just add a privacy light to browsers. "When that thing is on, your communications are between you and whoever you are communicating with, when it isn't on, anybody can see them". Then compare it to a postcard and a letter in an envelope.

      --
      Nerd rage is the funniest rage.
    4. Re:Why aren't we encrypting everything already? by Anonymous Coward · · Score: 0

      Somehow I doubt any ISP could get away with blocking all encrypted traffic. That'd mean no online banking, shopping, etc.

    5. Re:Why aren't we encrypting everything already? by Cathoderoytube · · Score: 0, Troll

      Worried about our precious Karma are we?

      --
      I have nothing compelling to say
    6. Re:Why aren't we encrypting everything already? by cheater512 · · Score: 1

      Any ISP who blocks SSL won't get very far.
      Everything from Internet banking to eBay uses SSL.

      Stuff that normal people notice.

    7. Re:Why aren't we encrypting everything already? by Anonymous Coward · · Score: 0

      if there was a -1 Tosser you would be it

    8. Re:Why aren't we encrypting everything already? by Anonymous Coward · · Score: 0

      Amusingly, this would become much easier if certain people (Apache, Firefox...) would just @#&@*&#@ implement SNI already. It's even RFC'd. However, neither side wants to until the other does.

      (GNUTLS, on the other hand, speaks it already.)

    9. Re:Why aren't we encrypting everything already? by Xtravar · · Score: 1

      OK, you made me look up http://en.wikipedia.org/wiki/Server_Name_Indication

      Now, it says Firefox and Apache have it implemented... what's the problem?

      --
      Buckle your ROFL belt, we're in for some LOLs.
    10. Re:Why aren't we encrypting everything already? by x_MeRLiN_x · · Score: 3, Informative

      You seem to be in favour of ISPs respecting their customer's privacy but then went on to mock an anonymous coward for opting to remain anonymous.

      That doesn't make much sense to me.

      Yes, you are wrong. Rogers Cable throttles encrypted traffic, but doesn't block it.

    11. Re:Why aren't we encrypting everything already? by TheRaven64 · · Score: 2, Interesting
      Creating a non-identity framework for encryption won't work. Your ISP is the one entity who is guaranteed to be able to stage a man-in-the-middle attack, and non-identity frameworks are vulnerable to this form of attack. What is needed is:
      • Every DNS SOA record comes with a public key signed by a key in the parent.
      • Every DNS A record is signed by the key associated with the SOA record.
      • Every A record comes with a public key signed by the key in the SOA record.
      • HTTP uses this public key.

      I believe this describes a subset of DNSSEC, but the DNSSEC RFCs are tangled up in the need to do everything, rather than just doing one useful thing. Having every DNS record come with a public key, with a chain of trust going back to the root DNS servers, would do a huge amount for Internet security. Then you would only need something like a Verisign certificate to prove that mycorp.com was actually owned by MyCorp and not by ScamsAreUs.

      --
      I am TheRaven on Soylent News
    12. Re:Why aren't we encrypting everything already? by Anonymous Coward · · Score: 0

      Rogers HAS effectively blocked all VPN traffic since last week with their new DNS policy of redirecting ALL non-public domains to their ad partner in the US.

      So yes, they are not 'blocking' all encrypted traffic, but it sure felt that way when all of a sudden ssh, ping, mstsc and most other work programs just stopped working.

      So VPNs will only work now if you use your own DNS server.....or a 3rd party. They refuse to provide normal DNS service and refuse to rebate us for having to use someone else's either :)

    13. Re:Why aren't we encrypting everything already? by Anonymous Coward · · Score: 0

      It's bloody expensive, that's why. Ever wondered why https://www.google.com/ redirects you to http://www.google.com/ ?

    14. Re:Why aren't we encrypting everything already? by spinkham · · Score: 1

      All versions of IE on XP do not support it. Nor does IE 6 on Vista.
      That's at least 50% of web surfers right there.

      --
      Blessed are the pessimists, for they have made backups.
    15. Re:Why aren't we encrypting everything already? by Anonymous Coward · · Score: 1, Informative

      IP addresses are not useful as global identifiers of services: (i) their scope of validity is limited in time (DHCP, renumbering); (ii) their scope of validity is topologically limited (NAT, anycast); (iii) they may be shared resources (NAT, multiple web servers sharing one address); (iv) an address:resource correspondence that is valid may insufficiently describe that resource's reachability (same service, multiple addresses).

      These are not theoretical problems; this is all stuff that is in the Internet now, in sufficient quantity that they cannot be ignored (no matter whether one thinks they are "evil" or not) without breaking presently working client<>connectivity.

      In modern DNS, the important RRs are SRVs and TXTs, not A RRs.

      SRVs allow the resolution of a "handle" to a given service; they do not stack especially well, but they do decouple the service from the network layer address, and especially from the well-known (static) port mapping.

      SRVs, like A RRs may be mutated along the way, since there is no guarantee that the address and port that the service thinks it has is a valid mapping far away, which also means that there is no guarantee that the client has the same idea as the server of what the server's address + port 2-tuple is.

      TXTs can encode public key authenticators, service-access information, and so forth, which should not mutate along the path, since it is information useful to identify and use the service no matter where the service appears to be network topology wise.

      A modern Wide Area Bonjour DNS zone is worth studying, particularly one that contains SASL keys (32hexdigits._apple-sasl._tcp.WAB.ZONE.NAME. TXT "f.q.d.n." is pretty commonplace, and one can look up the SRV for _apple-sasl._tcp.f.q.d.n. and the A RR for f.q.d.n. and when one connects, one does a crypto handshake using the 32hexdigits. NATs might munge the A RR and overloading closer to the server might munge the SRV RR, but that only relates to being able to initiate a connection to *something* that will either prove its identity or not).

      There are a variety of approaches to encoding X.509 style information into TXT RRs too, with similar reasoning: decoupling the identity of the server from the address/port tuple resolved at the client.

      Thus, while you are not "lost" with respect to the tree of auths, you are more likely to want to protect (via PK signing) the non-mutable information (service keys, TXT RRs)

      A RRs and SRV RRs cannot be put "back" into the non-mutable category without breaking a substantial amount of existing connectivity. Moreover, keeping them mutable and ephemeral offers an ability to scale network connectivity in the event IPv6 fails to see wide deployment (no comment on the possibility that). The technology is also useful in the event IPv6 does see wide deployment, fully supplanting the IPv4 Internet, since renumbering, mobility, provider change, and so forth will continue to be operational problems.

      An alternate approach would be to use a separate distributed identity database which one searches to find the binding between a server name (fqdn:servicename) and server credentials. This could use DNS software, it's just the servicename:identity mapping tree could benefit from having a different structure than the servicename:address mapping tree currently in the DNS.

      The DNS would continue to primarily act as a distributed address database that one searches to find the binding between an FQDN and a locally useful handle (IP Address, and where SRV RRs are in use, transport layer protocol and port).

      We already have several databases which find bindings between organizational identity and server name (google, for instance)...

  4. Only 15 people opted out... by Ron_Fitzgerald · · Score: 5, Insightful

    ...because the opt out was buried in a 5000 word privacy policy. If anything, this story should lead the house to realize that merely posting a privacy policy on your website doesn't mean the customers are bound by it especially in terms of rights, privacy and willingness to be subjected to monitoring merely for advertising sake.

    --
    ~ Ron Fitzgerald
    1. Re:Only 15 people opted out... by Vukovar · · Score: 0

      Nevertheless, it was disclosed by the ISP - at what point do you stop holding consumers responsible for not bothering to read and hold companies liable for burying the details? 5,000 words is going to be 9-10 pages.

    2. Re:Only 15 people opted out... by DigitAl56K · · Score: 5, Insightful

      Opt-out?

      How is this not wiretapping? You're intercepting and monitoring the exchange of information between two entities, possibly even "bugging" at least one of them if you're also introducing cookies or similar devices.

      Can the phone company introduce something into their privacy policy that all communications may be tapped without the request of law enforcement and have that be legally sound because I didn't "opt-out"?

      Furthermore, even if the subscriber had the opportunity to opt-out, did the second entity? No they didn't. Therefore the privacy of at least one party has been unquestionably violated.

      Opt-out... WTF?

    3. Re:Only 15 people opted out... by iminplaya · · Score: 2

      One reason that you can't hold consumers responsible is that you can hardly consider a "privacy policy" verifiable. They are all a sad joke foisted on the public so they feel secure. Nothing could be farther from the truth. Congress must prohibit all monitoring by the ISPs. But that's not going to happen, because we must think of the children, and protect the copyright monopolies from the taarrarists.

      --
      What?
    4. Re:Only 15 people opted out... by YrWrstNtmr · · Score: 4, Insightful

      5,000 words is going to be 9-10 pages.

      Or a really, really, really long scroll in a narrow, non resizeable window.

    5. Re:Only 15 people opted out... by jadin · · Score: 4, Funny

      It was apparently on display next to Arthur Dent's home demolition notice.

    6. Re:Only 15 people opted out... by noidentity · · Score: 1
      Yeah, I just scanned the agreement and didn't see any obvious "TO OPT OUT, GO TO ". I did notice this weaselly-worded bit near the beginning:

      EMBARQ does not disclose CPNI outside EMBARQ or its authorized agents without customer consent, except as required or permitted by law.

      So, in other words, EMBARQ will disclose CPNI to anyone it feels like, as long as it's legal?

    7. Re:Only 15 people opted out... by Arthur+Grumbine · · Score: 1

      Congress must prohibit all monitoring by the ISPs

      Yeah...more Gov't involvement, that's what we need! We can create a whole new bureaucracy to feed with 10's or 100's of millions of tax dollars! Which will bring more jobs!! Which is good, right!?!!

      ...or we can just let the free market sort it out. And if we personally care about it, then we can personally tell our friends who are using Embarq to complain, and threaten to discontinue their patronage, or we can even show them how to anonymize their browsing.

      --
      Now that I think about it, I'm pretty sure everything I just said is completely wrong.
    8. Re:Only 15 people opted out... by Anonymous Coward · · Score: 0

      Christ man, he's not asking for socialism. If we left everything to free market there would be a monopoly in the ISP business by now, and they would be more than happy to cut off any and all traffic they deem inappropriate. A ban wouldn't cost 10 million, especially if you impose ridiculous fines on rule-breaking ISPs.

    9. Re:Only 15 people opted out... by Anonymous Coward · · Score: 0

      All they have to do is say the gummit ordered the wiretaps and you have no recourse!

      Thanks Obama!

    10. Re:Only 15 people opted out... by iminplaya · · Score: 1

      Yeah...more Gov't involvement, that's what we need!

      I guess you haven't noticed the government is pushing for more monitoring, logging, and storage now. There's your bureaucracy at work. If they prohibit it, then we can take the ISPs to court. The government bureaucrats would actually lose their jobs. Of course they can't have that. Bureaucrats are more powerful than the president.

      --
      What?
    11. Re:Only 15 people opted out... by Dan541 · · Score: 1

      They are not disclosing it to all users, that is not possible. They have only notified the customer not the user.

      I don't pay for the Internet in this house so I won't be getting any notification that my privacy is being violated, and what if the bill payer is away? Since it's opt out, users on the home network would be violated until the bill payer returns and even then they may not get the letter or understand the ramifications involved.

      What the United States need are some privacy laws (you apparently have none) to protect people from these vultures.

      --
      An SQL query goes to a bar, walks up to a table and asks, "Mind if I join you?"
    12. Re:Only 15 people opted out... by Dan541 · · Score: 1

      Congress must prohibit all monitoring by the ISPs.

      But that would require them to act in the interests of the people!!!!

      --
      An SQL query goes to a bar, walks up to a table and asks, "Mind if I join you?"
    13. Re:Only 15 people opted out... by Anonymous Coward · · Score: 0

      here would be a monopoly in the ISP business by now

      You presume the "natural" monopoly is not actually caused by the regulations required within the municipalities. Removing municipal wiring monopolies (right of way leases, etc) would immediately open up the local ISP business to competition, and in turn, encourage both statewide and inter-state ISP collectives.

    14. Re:Only 15 people opted out... by base3 · · Score: 1

      Read the Gramm-Leach-Bliley "privacy" notices your banks and insurance companies send you every year. They use that same "permitted by law" wording. They assume (sadly, correctly) that most of their customers don't know the difference between the words "permitted" and "required" and/or don't care.

      --
      One CPU cycle wasted on digital restrictions management is ONE TOO MANY.
    15. Re:Only 15 people opted out... by tlhIngan · · Score: 1

      ...because the opt out was buried in a 5000 word privacy policy. If anything, this story should lead the house to realize that merely posting a privacy policy on your website doesn't mean the customers are bound by it especially in terms of rights, privacy and willingness to be subjected to monitoring merely for advertising sake.

      Not only that, but the privacy policy was posted on the ISP's home page, and said change to the privacy policy wasn't announced. I don't know many people who visit their ISP's privacy policy on a daily basis to see if there's any change. Most normal users probably haven't read it, and I'm sure the 15 people were probably new geek subscribers who actually decided to read the policy on subscription. Heck, I'm sure a number of people probably *don't* have their ISP home page as their browser's start page. More likely, it's pointed at the ISP's "portal" page, or some other portal page, or Google...

    16. Re:Only 15 people opted out... by FamineMonk · · Score: 1

      Or even worse a flash window that only scrolls at a set speed. Time it for like 5 mins and see how many make it through.

    17. Re:Only 15 people opted out... by Tesen · · Score: 1

      Yeah, long statement and in the last paragraph, second or third line the "opt-out" clause, where skim readers would probably miss it. I mean WTF, why is everything "opt-out" and not "opt-in"?

      WTF!

    18. Re:Only 15 people opted out... by Anonymous Coward · · Score: 0

      and we can't have that

    19. Re:Only 15 people opted out... by blackest_k · · Score: 1

      Douglas Adams put it this way

      "But Mr Dent, the plans have been available in the local planning office for the last nine months."

      "Oh yes, well as soon as I heard I went straight round to see them, yesterday afternoon. You hadn't exactly gone out of your way to call attention to them, had you? I mean, like actually telling anybody or anything."

      "But the plans were on display ..."

      "On display? I eventually had to go down to the cellar to find them."

      "That's the display department."

      "With a flashlight."

      "Ah, well the lights had probably gone."

      "So had the stairs."

      "But look, you found the notice didn't you?"

      "Yes," said Arthur, "yes I did. It was on display in the bottom of a locked filing cabinet stuck in a disused lavatory with a sign on the door saying 'Beware of the Leopard'."

    20. Re:Only 15 people opted out... by Z00L00K · · Score: 1

      about:blank is the best page ever to start with.

      --
      If builders built buildings the way programmers wrote programs, then the first woodpecker would destroy civilization.
    21. Re:Only 15 people opted out... by Anonymous Coward · · Score: 0

      Hey there!

      If you feel compelled to astroturf for your politics, maybe you should examine the merits of your ideology (that is, you should question why your political group needs you to sacrifice your honor).

      Just a thought.

    22. Re:Only 15 people opted out... by chunk08 · · Score: 1

      Because then only 15 people would opt in...

      --
      Do away with our corrupt tax code. Support the Fair Tax
    23. Re:Only 15 people opted out... by cobaltblue1975 · · Score: 1

      ROFLMAO! That damn galactic freeway!

    24. Re:Only 15 people opted out... by Anonymous Coward · · Score: 0

      Federal wiretapping laws require only one party consent to put the interception outside of the statute. Embarq got that consent from the user.

    25. Re:Only 15 people opted out... by Anonymous Coward · · Score: 0

      I live south of KC, and sadly use Embarq for internet because they've monopolized this area. I don't know about the 5000 page privacy policy, but I do know that if I want to use firefox's "i'm feeling lucky" google feature in the address bar, I get redirected to the Embarq site every few hours or every time I restart my browser and have to Opt-out repeatedly.

  5. Sigh - I hate to suggest this... by GuyverDH · · Score: 4, Insightful

    I think that very simply worded new legislation is required...

    "Opt Out" is the new default for any new program, feature, change of any kind for any kind of product or service provider.

    Any new programs or offerings will default the individuals to opt-out status, and require the user to notify the provider (without being hampered by phone calls, e-mails, etc) to opt-in.

    Any company failing to comply with this policy shall have all of their assets liquidated and deposited into the bank account of the person(s) they elected to opt-in by default.

    --
    Who is general failure, and why is he reading my hard drive?
    1. Re:Sigh - I hate to suggest this... by Anonymous Coward · · Score: 0

      That's called making it "opt-in"

      You're welcome.

    2. Re:Sigh - I hate to suggest this... by Dark_Gravity · · Score: 1

      I think that very simply worded new legislation is required...

      "Opt Out" is the new default for any new program, feature, change of any kind for any kind of product or service provider.

      Any new programs or offerings will default the individuals to opt-out status

      That is actually opt-in. Opt-out means that you are on the list (in the program, etc) unless you opt-out.

      Spam is opt-out. Opt-out is theft.

    3. Re:Sigh - I hate to suggest this... by GuyverDH · · Score: 1

      I was thinking along the lines of a radio button or toggle... two settings "Out" or "In" - with the label "Opt".

      Default being "Out"...

      Thanks for pointing out the definition of an "Opt-In" vs an "Opt-Out" - however, that wasn't quite what I was shooting for...

      Semantics... /sigh

      --
      Who is general failure, and why is he reading my hard drive?
  6. Deep packet inspection by Shaitan+Apistos · · Score: 4, Funny

    I find the phrase 'deep packet inspection' interesting because it simultaneously describes the technique used and a large subset of the results acquired.

  7. The majority of middle America is unaware by lambosv21 · · Score: 1, Insightful

    That's the brutal and unfortunate truth. It's not to say that everyone is unaware in areas where there is less exposure to different types of people, which you gain in major cities. For the most part, in large numbers, people will remain ignorant and complacent until there is some form or ability to organize and invoke change.

    1. Re:The majority of middle America is unaware by Shaitan+Apistos · · Score: 2, Insightful

      That's the brutal and unfortunate truth. It's not to say that everyone is unaware in areas where there is less exposure to different types of people, which you gain in major cities. For the most part, in large numbers, people will remain ignorant and complacent until there is some form or ability to organize and invoke change.

      I'm going to start randomly pasting this into comments on new stories, it's generic enough to work with almost every story and will probably soak up the insightful mod points.

    2. Re:The majority of middle America is unaware by Anonymous Coward · · Score: 0

      Man, that is disgusting! Where in hell do you live? This is America, man! We are the land of the almighty greenback! This is the way capitalism works, dude! And behavioral targeted web ads are a trend that has never picked up because of pathetic privacy advocates! They even offered a way to opt-out. If I was them (and that is what I do on the networks I deploy...) I would say "to sign up for the referred services defines an agreement with our behavioral analysis policy and an explicit authorization to us to perform website code alteration in order to display targeted ads. By signing up to the services you agree not to hold the ISP, the provider, the behavioral analysis company, or the ad delivering company responsible for any privacy violation".
      Welcome to capitalism! If you don't like it move to Cuba or North Korea...

    3. Re:The majority of middle America is unaware by lambosv21 · · Score: 1

      except that new slashdot deep packet inspection they haven't told anyone about which tracks down how long it takes you to come up with what you're typing ;) in that case you may want to let that post sit for a while before you paste =P

    4. Re:The majority of middle America is unaware by gujo-odori · · Score: 5, Insightful

      I might go along with the Insightful were it not for the gratuitous (and most likely inaccurate) use of "middle America." There are a number of things wrong with this:

      1) I can think of a lot of places in the world (having lived there) where people are at least as technologically clueless as the average American. There is nothing special about Americans - either positive or negative - in that regard;

      2) If you meant "middle" as in "middle class" you missed. The most technologically clueful income stratum in America is most likely the middle class. One of the things that keeps the poor in poverty is lack of clue combined with means to acquire it; rich people, on the other hand, have middle class people who are paid to do all that stuff for them, and thus don't acquire clue about computers unless they are very interested in them or were once middle class;

      3) If you meant "middle" as in "geographic center" it is still likely that you missed. Even in the Silicon Valley area, where I live, computer cluefulness remains largely the province of those who are in the industry or who are computer enthusiasts on their own. Everyone else is as clueless as they are everywhere else. Those who aren't clueless are, again, mostly in the middle class.

      If you'd written that the majority of people (everywhere) are unaware, I might have spent one of my remaining mod points to mod you up. As it is, I was tempted to use it to mod you troll, but decided to take the time to explain why I consider your post a troll instead.

    5. Re:The majority of middle America is unaware by atraintocry · · Score: 1

      If that was insightful, then this will be the post of the century.

      When people say "middle America", they are talking about the average American. Average in skill set, or income, or number of kids, or whatever statistic is relevant to the discussion. Imagine a bell curve, start at the mean and grab maybe one and a half sigmas. Again, this is for whatever variable is relevant to the discussion (in this one, maybe computer skills, or political activism).

      Yeah, it's a tortured term referring to imaginary people. But it's not like nobody's used it before. You'd have to be purposefully dense (that is, a pedant) to act like you don't know what it means.

    6. Re:The majority of middle America is unaware by gujo-odori · · Score: 1

      And that's exactly what's wrong with the post I replied to. There is nothing special about middle Americans WRT computers and clue, or the lack of it. Thus, the use of "middle American" was a troll. And yes, I was insightful. Not only do I think so, a lot of others did, too.

      You're a troll, too. HAND.

  8. EXACTLY by zoomshorts · · Score: 0, Flamebait

    OPT-OUT should be default by LAW, and if the company opts you in, they should pay
    1,000 dollars to YOU each time they divulge any of your information to ANY party.

    NO ONE wants these types of idiots knowing a single thing about them. NO ONE !!!

    1. Re:EXACTLY by Anonymous Coward · · Score: 5, Informative

      Please be careful with the terminology.

      Opt-out means that you're in and you have to opt-out to stop your membership/subscription/whatever.

      Opt-in is what you want: it's your choice to subscribe/join/whatever, and if you don't, there is no membership/subscription/whatever.

      For example: The do-not-call list is an opt-out scheme. Unless you take action and put your name on the list, they're allowed to call you. Most newsletters are opt-in: You only receive the newsletter if you subscribe. Spam is neither opt-in nor opt-out: You get spam without doing anything. If you try to opt-out, you get more spam.

  9. Redundant after the Capitulation by Anonymous Coward · · Score: 0

    The House of Representatives Committee on Energy and Commerce is investigating whether any privacy laws were broken.

    Obviously they couldn't have broken any laws- their just-passed FISA Capitulation Bill just made any privacy laws quaint and irrelevant.

    It's because of Obusha's lack of spine on the matter that he lost my vote. Obviously I'm not insane enough to vote against him, but I cannot in good conscience vote FOR him, not after that display of spinelessness.

    I don't understand how hard it could be to take a stand against the most corrupt and incompetent presidential administration in our nation's history, but it seems politics and backbone don't go together in today's America.

    1. Re:Redundant after the Capitulation by Anonymous Coward · · Score: 0

      It's because of Obusha's lack of spine on the matter that he lost my vote.

      Liar.

      You know something else that would be great in today's America? Having honor and not misrepresenting your political loyalties to game the system. It's lying.

  10. When did the world change? by Nymz · · Score: 1

    I remember that when you were 'invited' to do something, like receive a magazine subscription, you would have to sign up for it first.

    Now, they secretly 'invite' you to not do something, like selling off your privacy, unless you sign up... or sign out, down, whatever... what does 'opt out' even mean anyway. Get off my lawn!

    1. Re:When did the world change? by QuoteMstr · · Score: 1

      The world changed when Reagan gutted the education system and this country began a long, slow slide into ignorance.

    2. Re:When did the world change? by squidguy · · Score: 2, Informative

      That started long before Reagan.

    3. Re:When did the world change? by Annymouse+Cowherd · · Score: 3, Funny

      That started when the education system was introduced.

    4. Re:When did the world change? by ScrewMaster · · Score: 2, Interesting

      Sure, pick on a dead guy that can't defend himself from ridiculous charges. Looking at my property tax bill, I see that about 56% goes to "education". Fifty six percent! Education outweighs all other government expenditures in my county, roads, police & fire, medical, everything. I'd say they're getting plenty of money to do their jobs, and have always been getting plenty of money, but would rather build little local empires than teach students properly. None of that can be laid at Reagan's (or even George Bush's) feet.

      --
      The higher the technology, the sharper that two-edged sword.
    5. Re:When did the world change? by Adambomb · · Score: 1

      The current system is almost word for word exactly what Woodrow Wilson wanted the education system to become. I wouldn't blame Reagan for more than accelerating the process.

      "We want one class to have a liberal education. We want another class, a very much larger class of necessity, to forego the privilege of a liberal education and fit themselves to perform specific difficult manual tasks."
      -- Woodrow Wilson

      There we go...bringing class into it again... it makes life difficult for some when things aren't easily classified as "will be exploited" or "will exploit".

      Hell, we're almost at the centennial anniversary of this plan.

      --
      Ice Cream has no bones.
    6. Re:When did the world change? by blincoln · · Score: 1

      I would like to see the context from which that quote was taken. It seems to me like something he would have said as a lead-in to a criticism of that point of view.

      --
      "...always new atoms but always doing the same dance, remembering what the dance was yesterday." -Richard Feynman
    7. Re:When did the world change? by Adambomb · · Score: 1

      It is straight from an address of his to the New York City High School Teachers Association from January 9th, 1909 (when he was the principal at Princeton). I infuriated my AP US History teacher no end by harping on those points back in the day when we read the speech, but to be fair I cannot remember enough to absolutely be sure of the context nor can I seem to find a copy of it. If you manage to get access to the Princeton copies of the Papers of Woodrow Wilson prior to his inauguration, check the Jan 1909 box. That's the best pointer I got at the moment.

      I'm going by my memories of the impression I got, and the fact that my teacher at the time had no rebuttals. That's only correlation but whether he was misquoted or not, the system described is what America got. Have you looked in on the quality of education in an average General or even some College prep course loads recently? My experiences are over a decade ago at this point but I never had to do a damned thing until I hit AP courses. It's not like I'm the sharpest of marbles either.

      --
      Ice Cream has no bones.
  11. Tom Gerke by CauseWithoutARebel · · Score: 5, Informative

    tom.gerke@embarq.com was the contact for the CEO back in March. I assume it is still legitimate...

  12. Disclosure laws... by LostCluster · · Score: 4, Insightful

    We had this problem with the credit card industry before. People were signing up and had no clue what they were agreeing to because the most important terms weren't properly exposed. Then we got a law that made the current interest rate and the formula by which it is computed and how it may be changed appear in regulated-size type.

    Time for a format for privacy policies to match that...

  13. Actually a fairly high number of opt-outs by fuzzyfuzzyfungus · · Score: 4, Interesting

    Frankly, I'm surprised by the number of people who opted out. For something that was done to ~30 thousand people, disclosed only in the byzantine back layers of some policy somewhere (I'm guessing this is one of those policies that get to change without notice) and, so far as I know, not previously known to the geek news sources at large, 15 opt outs is pretty high.

    Obviously there is no good way to do this experiment; but I'd be quite interested to see an estimate of the "expected baseline opt-out rate" for various sorts of disclosure, calculated by disclosing a ludicrously and absolutely unacceptable term or condition and seeing how many people opt-out. From that, you could then more accurately gauge the real level of unhappiness that a given opt-out percentage implies. (For example, what percentage of people would opt-out if a term authorizing the CEO and the board to seize subscribers' assets at any time, for any reason, in any quantity appeared deep in the privacy policy? That value would, in effect, constitute the 100% opposition value.)

    Or, we could just do the easier thing and make opt-in absolutely mandatory, perhaps with brutal mob justice for violators. (A man can dream, can't he?)

    1. Re:Actually a fairly high number of opt-outs by Anonymous Coward · · Score: 0

      ludicrously and absolutely unacceptable term or condition

      "We own your soul and your first-born child"

    2. Re:Actually a fairly high number of opt-outs by Jupix · · Score: 1

      Have you ever read this? http://www.pcpitstop.com/spycheck/eula.asp

      I bet people read privacy policies even less than EULAs, but hey.

    3. Re:Actually a fairly high number of opt-outs by Anonymous Coward · · Score: 0

      Wasn't there someone who hid a prize in their eula and measured how long it took for someone to claim it? I believe it was months later.

  14. It's clear they are abusing their customers.. by esegura · · Score: 3, Informative

    ... in my opinion, because not only do they *know* that not many people out there even read the terms of service (or Privacy policy for that matter), but on top of that they are compulsively "opting" everyone in.
    To me, it looks like unilaterally changing the terms of a lease, after the fact, to allow me to go into your apartment and install cameras in every room.

    I'd be switching providers right about... now.

    1. Re:It's clear they are abusing their customers.. by kegon · · Score: 1

      I agree, I don't see any difference between this and spyware. There is nothing "experimental" about this test except to find bugs in their advertising software. They should run the same kind of targeted advertising test using almost identical wording but this time default to opting out.

      If it was a real experiment they would run it again using the same people, without modifying adverts, they would count the number of clicks on non-targeted adverts and targeted adverts and compare them.

      My expectations are that 0% would choose the targeted advertising options.

      Also, without targeted advertising I reckon 0.01% of users would click on an advert, with targeted advertising 0.02% would click on an advert. The remaining ~99.9% of users would be classified as "irritated by the advertising".

      We would find out just how worth it those adverts are. I don't think they will ever be able to run such tests because they would never be able to get a statistically significant number of people to agree to be spied on.

  15. Sell your own private data? Sure, why not! by Alwin+Henseler · · Score: 5, Insightful

    Whenever you have to search long and hard to find new 'features', this can only mean one of several things:

    • It's not really a feature that people want (because if it were, it would be announced loud & clear)
    • It's just ammo for lawyers to shoot with, or
    • They don't want you to see it (eg. what they're doing might be illegal)

    Even more on-topic are these quotes from the Wiki article (provided by spinkham above):

    According to Nebuad's sales pitch less than 1% of users opt-out. One ISP expects to earn at least $2.50 per month for each user (..) Generally, NebuAd provides an additional income stream to network operators, which may maintain or lower consumers' internet access bills.

    As we've all known for a long time, ordinary people's surfing habits are worth money. What if you asked people up front: "Do you want your surfing habits to remain private, or give up this privacy in exchange for a discount?"

    I'm afraid the vast majority of people would go for the discount. The anything-connected-to-everything world of today has gotten us so used to data breaches and 'unknown parties' snooping through our private info, that we just don't seem to care anymore. Which seems strange: the less (privacy) you have left, wouldn't you value those last remains more than you used to?

  16. https by Anonymous Coward · · Score: 0

    Let me elaborate: use https. HTTP over SSL if you don't want deep packet cavity inspection.

  17. long past time for encryption by default by aachrisg · · Score: 2, Insightful

    So, in this day and age, why the *&^#@!&* isn't all traffic encrypted between my browser and the destination server? We're long past the days where there should be anything but https: in front of urls. Are the big guys not really able to handle the encryption overhead?

    1. Re:long past time for encryption by default by Antique+Geekmeister · · Score: 4, Informative

      HTTPS presents a significant load on servers. It can easily demand 3 times the hardware and support to transfer a large, busy set of servers to HTTPS for all traffic. If it *didn't* present a noticeable load, it would be fairly useful as a normal encryption channel.

      It's also awkward to proxy and manage the encryption securely, because HTTPS is very careful about checking hostnames and IP addresses to avoid people forging your site. This makes it more awkward for users, as their browsers complain about untrusted keys or the server owners have to invest in registering keys.

  18. NebuAd's Website by DJLuc1d · · Score: 1

    Anyone notice how 'Privacy' oriented NebuAd's page is? I wonder how long it's been like that.

  19. NebuAd is quite nebulous by Deli+Korkmaz · · Score: 1

    Television programs are specifically designed to reach a particular demographic so that the ad time can be sold for the highest price possible, with the premise being something like, "this thirty seconds at this time slot will give you the eyeballs of 1,500,000 males between 15-24." Then the ratings, the collection of which is automatic for Tivo users and cable subscribers, confirm to what extent the advertiser got that. (If not, they have to run the ad extra times until it does earn all eyeballs promised, but that's another story.)

    If I understand the online analogy correctly, advertising networks like DoubleClick.net treat web sites sort of like TV programs--so DoubleClick sells ads for certain websites based on what the website says its demographics are. The advertisers pay, the advertising network and the website split the money.

    Cookies are traditionally used to try to correlate user behavior with certain groups of sites--for instance, do people who read tech articles on Washington Post also read the NY Times? So upon reading the NebuAd site, wading through the glop of deliberately vague marketspeak and earnest assurances of privacy, it seems to be sort of an ad delivery network--sort of like DoubleClick--but with the additional feature of having invented a better metric of user activity, via the ISP instead of cookies on the user's computer. Therefore they can have a complete picture of a user's behavior, and the user, if they even know what's going on, has to work a lot harder to do anything about it--deleting cookies or installing firewalls and anti-spyware doesn't cut it anymore. The ISP is now making money off the advertising, either directly or through NebuAd, so they have no incentive to encrypt traffic nor abet the user in doing so.

    Both NebuAd and Embarq doth protest too much about their privacy policies. The important thing is that they could be spying on anything they want to and the end user is completely in the dark. We only know about this because Embarq at least put it on the privacy policy, but were they even legally obliged to do so to begin with?

    At least that's what it looks like from out here...

  20. Is this you? by Anonymous Coward · · Score: 0

    "It looks like we're moving forward with the trial next month regardless of how I or any of my co-workers feel about it," says an employee at one ISP. "I've pretty much accepted that at this point, so it's not likely anything I'll walk out over."

    I was amused to hear the employee is going to ensure they aren't tracked.

    "We have two upstream links to the Internet and the NebuAd spybox will only be hooked up to one of them, so I know at least for my home connection I'll be setting a static route to use the non-poisoned link," they say. "I don't want to go anywhere near it." How's that for a candid vote of confidence?

    From here.

  21. Embar...? by wikinerd · · Score: 1

    I really wonder why a company would choose a name that reminds me of embargo, which is related to a boycott. Doesn't look like a good name to me.

    1. Re:Embar...? by caluml · · Score: 1

      Embarking on a journey is what I immediately thought of.
      Woosh?

  22. Is the opt-out worthless? by Anonymous Coward · · Score: 0

    A couple of issues with Nebuad's cookie-based opt-out...

    First off, they can't check if you've opted out without messing with your traffic, unless they wait for you to visit a site that accesses their cookie domain (faireagle.com).

    Secondly, what happens if a remote website tries to opt you in?

    Nebuad's opt-out page is here - http://www.nebuad.com/privacy/optout.php - and clicking on the opt-out link sets a couple of faireagle.com cookies (o=9 in a.faireagle.com and b.faireagle.com).

    However, if you search for Nebuad's opt-in URL in Google - http://www.google.co.uk/search?num=100&hl=en&q=site%3Anebuad.com+optin_done&btnG=Search&meta= - and click on Google's cache of "www.nebuad.com/privacy/optin_done.php", then check the faireagle cookies to see if you are still opted out!
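
The second issue raised in the comment above, modelled as an added example (not part of the original comment and not NebuAd's code): a preference that changes on a plain GET can be reversed by any page that makes the browser fetch the opt-in URL, while a handler that only accepts a POST carrying a session-bound token cannot. The endpoint paths, the opt-in cookie value, the `sid` cookie and the token scheme are assumptions; only the cookie `o=9` comes from the comment.

```python
import hashlib
import hmac
import secrets

OPT_OUT = "9"   # value the comment reports for an opted-out browser
OPT_IN = "0"    # assumed: the page does not say what the opt-in page sets


class Browser:
    """Cookie jar that, like a browser, attaches its cookies to every
    request for the domain, whichever site caused the request."""

    def __init__(self):
        self.jar = {}

    def request(self, server, method, path, form=None):
        set_cookies, body = server.handle(method, path, dict(self.jar), form or {})
        self.jar.update(set_cookies)
        return body

    def opted_out(self):
        return self.jar.get("o") == OPT_OUT


class WeakServer:
    """Hypothetical endpoints where any request to the URL changes state."""
    change_method = "GET"

    def handle(self, method, path, cookies, form):
        if path == "/optout":
            return {"o": OPT_OUT}, "opted out"
        if path == "/optin":
            return {"o": OPT_IN}, "opted in"
        return {}, ""


class HardenedServer:
    """State changes only on POST with a token bound to the session cookie.
    A third-party page cannot read that token (same-origin policy)."""
    change_method = "POST"

    def __init__(self):
        self.key = secrets.token_bytes(32)

    def _token(self, sid):
        return hmac.new(self.key, sid.encode(), hashlib.sha256).hexdigest()

    def handle(self, method, path, cookies, form):
        sid = cookies.get("sid")
        if method == "GET" and path == "/prefs":
            sid = sid or secrets.token_hex(16)
            return {"sid": sid}, self._token(sid)  # token rendered into the form
        if method == "POST" and path in ("/optout", "/optin") and sid:
            if hmac.compare_digest(form.get("token", ""), self._token(sid)):
                return {"o": OPT_OUT if path == "/optout" else OPT_IN}, "changed"
        return {}, "rejected"


def opt_out_survives(server):
    """Opt out through the site's own page, then replay what a remote page
    can trigger without the user's involvement. True if still opted out."""
    b = Browser()
    token = b.request(server, "GET", "/prefs")
    b.request(server, server.change_method, "/optout", {"token": token})
    if not b.opted_out():
        raise RuntimeError("opt-out did not take effect")
    b.request(server, "GET", "/optin")                       # e.g. an embedded image URL
    b.request(server, "POST", "/optin", {"token": "guess"})  # auto-submitted form
    return b.opted_out()


if __name__ == "__main__":
    print("weak endpoint keeps opt-out:    ", opt_out_survives(WeakServer()))
    print("hardened endpoint keeps opt-out:", opt_out_survives(HardenedServer()))
```
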

  23. Wiretapping violations = prison time by Anonymous Coward · · Score: 0

    All employees of nebuad and co-conspirator ISPs belong in prison for their felonious conduct. They want to see my traffic subjected to involuntary deep packet inspection, I want to see them subjected to involuntary deep beef injection.