Slashdot Mirror
ISP Embarq Monitors User Traffic
Deli Korkmaz writes "The Washington Post reports that Sprint-Nextel spin-off Embarq, currently the US's fourth largest DSL provider, monitored Internet activity on some 26,000 customers in Kansas using deep-packet inspection technology NebuAd in order to deliver targeted advertising to users' desktops. CNet provides coverage as well. The House of Representatives Committee on Energy and Commerce is investigating whether any privacy laws were broken. Users were informed of this test and invited to opt out only via Embarq's online Privacy Policy; a mere 15 subscribers did so."
All up into a dude's business just to sell ads. Disgusting.
The truth about Led Zep should never be told on
was this deep packet "inspection", or did they actually alter traffic? Like modifying web pages to insert ads, or change IP addresses of banners?
Or something more hands-off like monitoring customer browsing and using it to deliver better targeted ads when the customer browsed their own web pages?
I work for the Department of Redundancy Department.
If we can get web servers to support TLS (for multi-domain encryption on a single IP vs. SSL), and create a non-identity framework for encryption, we should just start encrypting everything end to end. ISPs are asking for it with these behaviors.
...because the opt out was buried in a 5000 word privacy policy. If anything, this story should lead the house to realize that merely posting a privacy policy on your website doesn't mean the customers are bound by it especially in terms of rights, privacy and willingness to be subjected to monitoring merely for advertising sake.
~ Ron Fitzgerald
I think that very simply worded new legislation is required...
"Opt Out" is the new default for any new program, feature, change of any kind for any kind of product or service provider.
Any new programs or offerings will default the individuals to opt-out status, and require the user to notify the provider (without being hampered by phone calls, e-mails, etc) to opt-in.
Any company failing to comply with this policy shall have all of their assets liquidated and deposited into the bank account of the person(s) they elected to opt-in by default.
Who is general failure, and why is he reading my hard drive?
I find the phrase 'deep packet inspection' interesting because it simultaneously describes the technique used and a large subset of the results acquired.
thats the brutal and unfortunate truth. Its not to say that everyone is unaware in areas where there is less exposure to different types of people, which you gain in major cities. For the most part, in large numbers, people will remain ingnorant and complacent until there is some form or ability to organize and invoke change.
I remember that when you were 'invited' to do something, like receive a magazine subscription, you would have to sign up for it first.
Now, they secretly 'invite' you to not do something, like selling off your privacy, unless you sign up... or sign out, down, whatever... what does 'opt out' even mean anyway. Get off my lawn!
tom.gerke@embarq.com was the contact for the CEO back in March. I assume it is still legitimate...
Weird slashbug #455
We had this problem with the credit card industry before. People were signing up and had no clue what they were agreeing to because the most important terms weren't properly exposed. Then we got a law that made the current interest rate and the formula by which it is computer and how it may be changed in regulated-size type.
Time for a format for privacy policies to match that...
Frankly, I'm surprised by the number of people who opted out. For something that was done to ~30 thousand people, disclosed only in the byzantine back layers of some policy somewhere(I'm guessing this is one of those policies that get to change without notice) and, so far as I know, not previously known to the geek news sources at large, 15 opt outs is pretty high.
Obviously there is no good way to do this experiment; but I'd be quite interested to see an estimate of the "expected baseline opt-out rate" for various sorts of disclosure, calculated by disclosing a ludicrously and absolutely unacceptable term or condition and seeing how many people opt-out. From that, you could then more accurately gauge the real level of unhappiness that a given opt-out percentage implies(For example, what percentage of people would opt-out if a term authorizing the CEO and the board to seize subscriber's assets at any time, for any reason, in any quantity appeared deep in the privacy policy? That value would, in effect, constitute the 100% opposition value.)
Or, we could just do the easier thing and make opt-in absolutely mandatory, perhaps with brutal mob justice for violators.(a man can dream, can't he?)
Please be careful with the terminology.
Opt-out means that you're in and you have to opt-out to stop your membership/subscription/whatever.
Opt-in is what you want: it's your choice to subscribe/join/whatever, and if you don't, there is no membership/subscription/whatever.
For example: The do-not-call list is an opt-out scheme. Unless you take action and put your name on the list, they're allowed to call you. Most newsletters are opt-in: You only receive the newsletter if you subscribe. Spam is neither opt-in nor opt-out: You get spam without doing anything. If you try to opt-out, you get more spam.
... in my opinion, because not only do they *know* that not many people out there even read the terms of service (or Privacy policy for that matter), but on top of that they are compulsively "opting" everyone in.
To me, it looks like unilaterally changing the terms of a lease, after the fact, to allow me to go into your apartment an install cameras on every room.
I'd be switching providers right about... now.
Whenever you have to search long and hard to find new 'features', this can only mean one of several things:
Even more on-topic are these quotes from the Wiki article (provided by spinkham above):
According to Nebuad's sales pitch less than 1% of users opt-out. One ISP expects to earn at least $2.50 per month for each user (..) Generally, NebuAd provides an additional income stream to network operators, which may maintain or lower consumers' internet access bills.
As we've all known for a long time, ordinary people's surfing habits are worth money. What when you'd ask people up front: "Do you want your surfing habits to remain private, or give up this privacy in exchange for a discount?"
I'm afraid the vast majority of people would go for the discount. The anything-connected-to-everything world of today has gotten us so used to data breaches and 'unknown parties' snooping through our private info, that we just don't seem to care anymore. Which seems strange: the less (privacy) you have left, wouldn't you value those last remains more than you used to?
So, in this day and age, why the *&^#@!&* isn't all traffic encrypted between my browser and the destination server? We're long past the days where there should be anything but https: in front of urls. Are the big guys not really able to handle the encryption overhead?
Anyone notice how 'Privacy' oriented NebuAd's Page is ? I wonder how long it's been like that.
Television programs are specifically designed to reach a particular demographic so that the ad time can be sold for the highest price possible, with the premise being something like, "this thirty seconds at this time slot will give you the eyeballs of 1,500,000 males between 15-24." Then the ratings, the collection of which is automatic for Tivo users and cable subscribers, confirm to what extent the advertiser got that. (If not, they have to run the ad extra times until it does earn all eyeballs promised, but that's another story.)
If I understand the online analogy correctly, advertising networks like DoubleClick.net treat web sites sort of like TV programs--so DoubleClick sells ads for certain websites based on what the website says its demographics are. The advertisers pay, the advertising network and the website split the money.
Cookies are traditionally used to try to correlate user behavior with certain groups of sites--for instance, do people who read tech articles on Washington Post also read the NY Times? So upon reading the NebuAd site, wading through the glop of deliberately vague marketspeak and earnest assurances of privacy, it seems to be sort of an ad delivery network--sort of like DoubleClick--but with the additional feature of having invented a better metric of user activity, via the ISP instead of cookies on the user's computer. Therefore they can have a complete picture of a user's behavior, and the user, if they even know what's going on, has to work a lot harder to do anything about it--deleting cookies or installing firewalls and anti-spyware doesn't cut it anymore. The ISP is now making money off the advertising, either directly or through NebuAd, so they have no incentive to encrypt traffic nor abet the user in doing so.
Both NebuAd and Embarq doth protest too much about their privacy policies. The important thing is that they could be spying on anything they want to and the end user is completely in the dark. We only know about this because Embarq at least put it on the privacy policy, but were they even legally obliged to do so to begin with?
At least that's what it looks like from out here...
I really wonder why a company would choose a name that reminds me of embargo, which is related to a boycott. Doesn't look like a good name to me.