Slashdot Mirror


ISP Embarq Monitors User Traffic

Deli Korkmaz writes "The Washington Post reports that Sprint-Nextel spin-off Embarq, currently the US's fourth largest DSL provider, monitored Internet activity on some 26,000 customers in Kansas using deep-packet inspection technology NebuAd in order to deliver targeted advertising to users' desktops. CNet provides coverage as well. The House of Representatives Committee on Energy and Commerce is investigating whether any privacy laws were broken. Users were informed of this test and invited to opt out only via Embarq's online Privacy Policy; a mere 15 subscribers did so."

7 of 106 comments

  1. Why aren't we encrypting everything already? by Anonymous Coward · · Score: 5, Interesting

    If we can get web servers to support TLS (for multi-domain encryption on a single IP vs. SSL), and create a non-identity framework for encryption, we should just start encrypting everything end to end. ISPs are asking for it with these behaviors.

    1. Re:Why aren't we encrypting everything already? by TheRaven64 · · Score: 2, Interesting
      Creating a non-identity framework for encryption won't work. Your ISP is the one entity who is guaranteed to be able to stage a man-in-the-middle attack, and non-identity frameworks are vulnerable to this form of attack. What is needed is:
      • Every DNS SOA record comes with a public key signed by a key in the parent.
      • Every DNS A record is signed by the key associated with the SOA record.
      • Every A record comes with a public key signed by the key in the SOA record.
      • HTTP uses this public key.

      I believe this describes a subset of DNSSEC, but the DNSSEC RFCs are tangled up in the need to do everything, rather than just doing one useful thing. Having every DNS record come with a public key, with a chain of trust going back to the root DNS servers, would do a huge amount for Internet security. Then you would only need something like a Verisign certificate to prove that mycorp.com was actually owned by MyCorp and not by ScamsAreUs.

      --
      I am TheRaven on Soylent News
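
Added example (not part of TheRaven64's comment and not taken from any DNSSEC implementation): a Go model of the chain listed in the comment above, where a parent key signs the zone key and the zone key signs both the A record and the host key that HTTP would use. The `Answer` layout, the `msg` encoding and the fixed seed keys are assumptions made for the demo.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"fmt"
)

// Answer models the proposal for one name; the field names are hypothetical.
type Answer struct {
	Name                      string
	Addr                      []byte            // A record data
	ZoneKey, HostKey          ed25519.PublicKey // served with the SOA / with the A record
	ZoneSig, AddrSig, HostSig []byte            // parent over ZoneKey; zone key over Addr, HostKey
}

// msg binds a signature to a record type and owner name so it cannot be replayed.
func msg(kind, name string, data []byte) []byte { return append([]byte(kind+"\x00"+name+"\x00"), data...) }

// key derives a fixed demo key from a constructed seed byte; pub returns its public half.
func key(b byte) ed25519.PrivateKey { return ed25519.NewKeyFromSeed(bytes.Repeat([]byte{b}, 32)) }
func pub(k ed25519.PrivateKey) ed25519.PublicKey { return k.Public().(ed25519.PublicKey) }

// Build signs an answer as the parent and zone operators would.
func Build(parent, zone, host ed25519.PrivateKey, name string, addr []byte) Answer {
	a := Answer{Name: name, Addr: addr, ZoneKey: pub(zone), HostKey: pub(host)}
	a.ZoneSig = ed25519.Sign(parent, msg("zone", name, a.ZoneKey))
	a.AddrSig = ed25519.Sign(zone, msg("A", name, addr))
	a.HostSig = ed25519.Sign(zone, msg("host", name, a.HostKey))
	return a
}

// Verify walks the chain from the trusted parent key down to the key HTTP would use.
func Verify(parent ed25519.PublicKey, a Answer) error {
	if len(a.ZoneKey) != ed25519.PublicKeySize || !ed25519.Verify(parent, msg("zone", a.Name, a.ZoneKey), a.ZoneSig) {
		return fmt.Errorf("%s: zone key is not signed by the parent", a.Name)
	}
	if !ed25519.Verify(a.ZoneKey, msg("A", a.Name, a.Addr), a.AddrSig) ||
		!ed25519.Verify(a.ZoneKey, msg("host", a.Name, a.HostKey), a.HostSig) {
		return fmt.Errorf("%s: A record or host key is not signed by the zone key", a.Name)
	}
	return nil
}

func main() {
	good := Build(key(1), key(2), key(3), "www.example.com", []byte{192, 0, 2, 10})
	swapped := good
	swapped.HostKey = pub(key(9)) // constructed on-path substitution of the host key
	fmt.Println(Verify(pub(key(1)), good), "|", Verify(pub(key(1)), swapped))
}
```

A client that holds only the parent's public key accepts the genuine answer and rejects one whose host key was replaced in transit, which is the property a non-identity scheme lacks.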
  2. Re:was it limited to inspection? by spinkham · · Score: 5, Interesting

    If they are using the NebuAd services, it IS both deep packet inspection and inserting javascript in all pages.
    The fact that it uses the information it gathers to give better targeted ads on your DNS redirection (a separate kind of internet-breaking evil you should be ashamed of, BTW) is just gravy.
    You as an employee have only received half the story, and it makes it sound a whole lot better that way.
    Wikipedia's article on NebuAd will give you some of the real scoop, but it gets worse the more you find out about it.
    http://en.wikipedia.org/wiki/NebuAd

    --
    Blessed are the pessimists, for they have made backups.
  3. Actually a fairly high number of opt-outs by fuzzyfuzzyfungus · · Score: 4, Interesting

    Frankly, I'm surprised by the number of people who opted out. For something that was done to ~30 thousand people, disclosed only in the byzantine back layers of some policy somewhere (I'm guessing this is one of those policies that get to change without notice) and, so far as I know, not previously known to the geek news sources at large, 15 opt-outs is pretty high.

    Obviously there is no good way to do this experiment; but I'd be quite interested to see an estimate of the "expected baseline opt-out rate" for various sorts of disclosure, calculated by disclosing a ludicrously and absolutely unacceptable term or condition and seeing how many people opt out. From that, you could then more accurately gauge the real level of unhappiness that a given opt-out percentage implies. (For example, what percentage of people would opt out if a term authorizing the CEO and the board to seize subscribers' assets at any time, for any reason, in any quantity appeared deep in the privacy policy? That value would, in effect, constitute the 100% opposition value.)

    Or, we could just do the easier thing and make opt-in absolutely mandatory, perhaps with brutal mob justice for violators. (A man can dream, can't he?)

  4. Re:When did the world change? by ScrewMaster · · Score: 2, Interesting

    Sure, pick on a dead guy that can't defend himself from ridiculous charges. Looking at my property tax bill, I see that about 56 percent goes to "education". Fifty-six percent! Education outweighs all other government expenditures in my county: roads, police & fire, medical, everything. I'd say they're getting plenty of money to do their jobs, and have always been getting plenty of money, but would rather build little local empires than teach students properly. None of that can be laid at Reagan's (or even George Bush's) feet.

    --
    The higher the technology, the sharper that two-edged sword.
  5. Re:was it limited to inspection? by Dan541 · · Score: 4, Interesting

    How is this legal?

    I thought warrantless wiretapping only covered law enforcement.

    --
    An SQL query goes to a bar, walks up to a table and asks, "Mind if I join you?"
  6. Re:was it limited to inspection? by rtb61 · · Score: 3, Interesting

    Catch is, on an ADSL system it is an illegal monitoring of telephone activity. It is a telephone line, and whether the communications are straight voice or digitised content, it is still illegal. The ISP and the advertising agency should be prosecuted to the full extent of the law, including imprisonment, and a government that lets this get by is criminally complicit.

    --
    Chaos - everything, everywhere, everywhen