Become a fan of Slashdot on Facebook

 



Forgot your password?
typodupeerror
×
Privacy Communications Networking The Internet

ISP Embarq Monitors User Traffic 106

Deli Korkmaz writes "The Washington Post reports that Sprint-Nextel spin-off Embarq, currently the US's fourth largest DSL provider, monitored Internet activity on some 26,000 customers in Kansas using deep-packet inspection technology NebuAd in order to deliver targeted advertising to users' desktops. CNet provides coverage as well. The House of Representatives Committee on Energy and Commerce is investigating whether any privacy laws were broken. Users were informed of this test and invited to opt out only via Embarq's online Privacy Policy; a mere 15 subscribers did so."
This discussion has been archived. No new comments can be posted.

ISP Embarq Monitors User Traffic

Comments Filter:
  • wow (Score:5, Funny)

    by conteXXt ( 249905 ) on Friday July 25, 2008 @06:58PM (#24343751)
    All up into a dude's business just to sell ads. Disgusting.
  • by v1 ( 525388 ) on Friday July 25, 2008 @07:01PM (#24343781) Homepage Journal

    was this deep packet "inspection", or did they actually alter traffic? Like modifying web pages to insert ads, or change IP addresses of banners?

    Or something more hands-off like monitoring customer browsing and using it to deliver better targeted ads when the customer browsed their own web pages?

    • by Ron_Fitzgerald ( 1101005 ) on Friday July 25, 2008 @07:07PM (#24343843)
      It is exactly like Phorm. They monitor your surfing habits to identify your likes and feed the info to a partner website that is displaying an ad based on your habits.
      • by Dan541 ( 1032000 ) on Friday July 25, 2008 @09:12PM (#24344807) Homepage

        How is this legal?

        I thought warrantless wiretapping only covered law enforcement.

        • It's sort of the opposite situation. Law enforcement needs warrants because they're a third party, and specifically because they're law enforcement. If the wire starts and ends with ISP-owned equipment, they don't really have to tap it to know what's on it. I'm sure their argument is that you agreed to the terms when you signed up, and if you don't like the new "enhancements" to the service, you're free to drop it.

          It's not so simple, obviously. The fact that in any given spot in the US you only have 2 or 3
    • by Anonymous Coward on Friday July 25, 2008 @07:13PM (#24343899)
      Disclaimer: I am an Embarq employee.

      It was used to better target the advertisements on MyEmbarq.com and on the DNS redirection pages for server not found. If there was any more past that, then the general work force was not aware of it. No modifying of pages or redirecting others' advertisements.

      This system would only work if you used Embarq's DNS servers.
      • by spinkham ( 56603 ) on Friday July 25, 2008 @07:21PM (#24343971)

        If they are using the NebuAd services, it IS both deep packet inspection and inserting javascript in all pages.
        The fact that it uses the information it gathers to give better targeted ads on your DNS redirection (a separate kind of internet breaking evil you should be ashamed of, BTW) is just gravy.
        You as an employee have only received half the story, and it makes it sound a whole lot better that way.
        Wikipedia's article on NebuAd will give you some of the real scoop, but it gets worse the more you find out about it..
        http://en.wikipedia.org/wiki/NebuAd [wikipedia.org]

        • Re: (Score:2, Insightful)

          by Anonymous Coward

          From wikipedia, a quote allegedly from NebuAd's privacy policy:

          The information we collect is stored and processed on NebuAd's servers in the United States. As a result, that information may be subject to access requests by governments, courts or law enforcement

          So, the gov't doesn't need to do wiretapping without permission... NebuAd does it for them, with my ISP's permission. All that's needed is a subpoena.

          NICE!

          • Why would you assume a subpoena is required? By submitting to the policy, you clearly indicate that you have NO expectation of privacy, and thus would have no actual right to privacy within those communications. As always, IANAL. ;)
      • Out with those servers for my machines then....

      • by rtb61 ( 674572 ) on Saturday July 26, 2008 @02:52AM (#24346369) Homepage
        Catch is on ADSL system it is an illegal monitoring of telephone activity. It is a telephone line and whether the communications are straight voice or digitised content it is still illegal. The ISP and the advertising agency should be prosecuted to the full extent of the law including imprisonment and government that lets this get by in criminally complicit.
  • by Anonymous Coward on Friday July 25, 2008 @07:01PM (#24343789)

    If we can get web servers to support TLS (for multi-domain encryption on a single IP vs. SSL), and create a non-identity framework for encryption, we should just start encrypting everything end to end. ISPs are asking for it with these behaviors.

    • Re: (Score:3, Insightful)

      Not sure if that'll work. Some internet companies apparently block all encrypted traffic. I'm thinking of Rogers Cable as my example (feel free to correct me though). I mean really it's their own business if they want to shaft their customers. Unfortunately most people either don't care that this sort of stuff is going on, or don't know of any other ISPs they can go to as alternatives.

    • Re: (Score:3, Insightful)

      by YrWrstNtmr ( 564987 )
      If we can get web servers to support TLS (for multi-domain encryption on a single IP vs. SSL), and create a non-identity framework for encryption, we should just start encrypting everything end to end. ISPs are asking for it with these behaviors.

      You just lost 99.9% of the intarweb using population.
    • Re: (Score:3, Interesting)

      by TheRaven64 ( 641858 )
      Creating a non-identity framework for encryption won't work. Your ISP is the one entity who is guaranteed to be able to stage a man-in-the-middle attack, and non-identity frameworks are vulnerable to this form of attack. What is needed is:
      • Every DNS SOA record comes with a public key signed by a key in the parent.
      • Every DNS A record is signed by the key associated with the SOA record.
      • Every A record comes with a public key signed by the key in the SOA record.
      • HTTP uses this public key.

      I believe this de

      • Re: (Score:1, Informative)

        by Anonymous Coward

        IP addresses are not useful as global identifiers of services: (i) their scope of validity is limited in time (DHCP, renumbering); (ii) their scope of validity is topologically limited (NAT, anycast); (iii) they may be shared resources (NAT, multiple web servers sharing one address); (iv) a address:resource correspondence that is valid may insuficiently describe that resource's reachablitity (same service, multiple addresses).

        These are not theoretical problems; this is all stuff that is in the Internet now,

  • by Ron_Fitzgerald ( 1101005 ) on Friday July 25, 2008 @07:02PM (#24343801)
    ...because the opt out was buried in a 5000 word privacy policy. If anything, this story should lead the house to realize that merely posting a privacy policy on your website doesn't mean the customers are bound by it especially in terms of rights, privacy and willingness to be subjected to monitoring merely for advertising sake.
    • by DigitAl56K ( 805623 ) * on Friday July 25, 2008 @07:30PM (#24344055)

      Opt-out?

      How is this not wiretapping? You're intercepting and monitoring the exchange of information between two entities, possibly even "bugging" at least one of them if you're also introducing cookies or similar devices.

      Can the phone company introduce something into their privacy policy that all communications may be tapped without the request of law enforcement and have that be legally sound because I didn't "opt-out"?

      Furthermore, even if the subscriber had the opportunity to opt-out, did the second entity? No they didn't. Therefore the privacy of at least one party has been unquestionably violated.

      Opt-out... WTF?

    • by jadin ( 65295 ) on Friday July 25, 2008 @08:31PM (#24344515) Homepage

      It was apparently on display next to Arthur Dent's home demolition notice.

    • Yeah, I just scanned the agreement and didn't see any obvious "TO OPT OUT, GO TO ". I did notice this weasly-worded bit neat the beginning:

      EMBARQ does not disclose CPNI outside EMBARQ or its authorized agents without customer consent, except as required or permitted by law.

      So, in other words, EMBARQ will disclose CPNI to anyone it feels like, as long as it's legal?

      • by base3 ( 539820 )
        Read the Gramm-Leach-Bliley "privacy" notices your banks and insurance companies send you every year. They use that same "permitted by law" wording. They assume (sadly, correctly) that most of their customers don't know the difference between the words "permitted" and "required" and/or don't care.
    • by Alwin Henseler ( 640539 ) on Friday July 25, 2008 @08:50PM (#24344649)

      Whenever you have to search long and hard to find new 'features', this can only mean one of several things:

      • It's not really a feature that people want (because if it were, it would be announced loud & clear)
      • It's just ammo for lawyers to shoot with, or
      • They don't want you to see it (eg. what they're doing might be illegal)

      Even more on-topic are these quotes from the Wiki article [wikipedia.org] (provided by spinkham above):

      According to Nebuad's sales pitch less than 1% of users opt-out. One ISP expects to earn at least $2.50 per month for each user (..) Generally, NebuAd provides an additional income stream to network operators, which may maintain or lower consumers' internet access bills.

      As we've all known for a long time, ordinary people's surfing habits are worth money. What when you'd ask people up front: "Do you want your surfing habits to remain private, or give up this privacy in exchange for a discount?"

      I'm afraid the vast majority of people would go for the discount. The anything-connected-to-everything world of today has gotten us so used to data breaches and 'unknown parties' snooping through our private info, that we just don't seem to care anymore. Which seems strange: the less (privacy) you have left, wouldn't you value those last remains more than you used to?

    • by tlhIngan ( 30335 )

      ...because the opt out was buried in a 5000 word privacy policy. If anything, this story should lead the house to realize that merely posting a privacy policy on your website doesn't mean the customers are bound by it especially in terms of rights, privacy and willingness to be subjected to monitoring merely for advertising sake.

      Not only that, but the privacy policy was posted on the ISP's home page, and said change to the privacy policy wasn't announced. I don't know many people who visit their ISP's priva

  • by GuyverDH ( 232921 ) on Friday July 25, 2008 @07:11PM (#24343877)

    I think that very simply worded new legislation is required...

    "Opt Out" is the new default for any new program, feature, change of any kind for any kind of product or service provider.

    Any new programs or offerings will default the individuals to opt-out status, and require the user to notify the provider (without being hampered by phone calls, e-mails, etc) to opt-in.

    Any company failing to comply with this policy shall have all of their assets liquidated and deposited into the bank account of the person(s) they elected to opt-in by default.

    • I remember that when you were 'invited' to do something, like receive a magazine subscription, you would have to sign up for it first.

      Now, they secretly 'invite' you to not do something, like selling off your privacy, unless you sign up... or sign out, down, whatever... what does 'opt out' even mean anyway. Get off my lawn!
      • The world changed when Reagan gutted the education system and this country began a long, slow slide into ignorance.

        • Re: (Score:3, Informative)

          by squidguy ( 846256 )
          That started long before Reagan.
        • Re: (Score:3, Interesting)

          by ScrewMaster ( 602015 )
          Sure, pick on a dead guy that can't defend himself from ridiculous charges. Looking at my property tax bill, I see that about 56% percent goes to "education". Fifty six percent! Education outweighs all other government expenditures in my county, roads, police & fire, medical, everything. I'd say they're getting plenty of money to do their jobs, and have always been getting plenty of money, but would rather build little local empires than teach students properly. None of that can be laid at Reagan's (or
        • The current system is almost word for word exactly what Woodrow Wilson wanted the education system to become. I wouldn't blame Reagan for more than accelerating the process.

          "We want one class to have a liberal education. We want another class, a very much larger class of necessity, to forego the privilege of a liberal education and fit themselves to perform specific difficult manual tasks."
          -- Woodrow Wilson [wikiquote.org]

          There we go...bringing class into it again... it makes life difficult for some when things aren't easily classified as "will be exploited" or "will exploit".

          Hell, we're almost at the centennial anniversary of this plan.

          • I would like to see the context from which that quote was taken. It seems to me like something he would have said as a lead-in to a criticism of that point of view.

            • It is straight from an address of his to the New York City High School Teachers Association from january 9th 1909 (when he was the principal at Princeton). I infuriated my AP US History teacher no end by harping on those points back in the day when we read the speech, but to be fair i cannot remember enough to absolutely be sure of the context nor can i seem to find a copy of it. If you manage to get access to the Princeton copies of the Papers of Woodrow Wilson prior to his innauguration, check the jan 190

    • I think that very simply worded new legislation is required...

      "Opt Out" is the new default for any new program, feature, change of any kind for any kind of product or service provider.

      Any new programs or offerings will default the individuals to opt-out status

      That is actually opt-in. Opt-out means that you are on the the list (in the program, etc) unless you opt-out.

      Spam is opt-out. Opt-out is theft.

    • I was thinking along the lines of a radio button or toggle... two settings "Out" or "In" - with the label "Opt".

      Default being "Out"...

      Thanks for pointing out the definition of an "Opt-In" vs an "Opt-Out" - however, that wasn't quite what I was shooting for...

      Semantics... /sigh

  • by Shaitan Apistos ( 1104613 ) on Friday July 25, 2008 @07:12PM (#24343881)

    I find the phrase 'deep packet inspection' interesting because it simultaneously describes the technique used and a large subset of the results acquired.

  • thats the brutal and unfortunate truth. Its not to say that everyone is unaware in areas where there is less exposure to different types of people, which you gain in major cities. For the most part, in large numbers, people will remain ingnorant and complacent until there is some form or ability to organize and invoke change.
    • Re: (Score:2, Insightful)

      thats the brutal and unfortunate truth. Its not to say that everyone is unaware in areas where there is less exposure to different types of people, which you gain in major cities. For the most part, in large numbers, people will remain ingnorant and complacent until there is some form or ability to organize and invoke change.

      I'm going to start randomly pasting this into comments on new stories, it's generic enough to work with almost every story and will probably soak up the insightful mod points.

      • except that new slashdot deep packet inspection they haven't told anyone about which tracks down how long it takes you to come up with what youre typing ;) in that case you may want to let that post sit for a while before you paste =P
    • by gujo-odori ( 473191 ) on Friday July 25, 2008 @07:42PM (#24344155)

      I might go along with the Insightful were it not for the gratuitous (and most likely inaccurate) use of "middle America." There are a number of things wrong with this:

      1) I can think of a lot of places in world (having lived there) where people are at least as technologically clueless as the average American. There is nothing special about Americans - either positive or negative - in that regard;

      2) If you meant "middle" as in "middle class" you missed. The most technologically clueful income strata in America is most likely the middle class. One of the things that keeps the poor in poverty is lack of clue combined with means to acquire it; rich people, on the other hand, have middle class people who are paid to do all that stuff for them, and thus don't acquire clue about computers unless they are very interested in them or were once middle class;

      3) If you meant "middle" as in "geographic center" it is still likely that you missed. Even in the Silicon Valley area, where I live, computer cluefulness remains largely the province or those who are in the industry or who are computer enthusiasts on their own. Everyone else is as clueless as they are everywhere else. Those who aren't clueless are, again, mostly in the middle class.

      If you'd written that the majority of people (everywhere) are unaware, I might have spent one of my remaining mod points to mod you up. As it is, I was tempted to use to mod you troll, but decided to take the time to explain why I consider your post a troll instead.

      • If that was insightful, then this will be the post of the century.

        When people say "middle America", they are talking about the average American. Average in skill set, or income, or number of kids, or whatever statistic is relevant to the discussion. Imagine a bell curve, start at the mean and grab maybe one and a half sigmas. Again, this is for whatever variable is relevant to the discussion (in this one, maybe computer skills, or political activism).

        Yeah, it's a tortured term referring to imaginary peopl
        • And that's exactly what's wrong with the post I replied to. There is nothing special about middle Americans WRT computers and clue, or the lack of it. Thus, the use of "middle American" was a troll. And yes, I was insightful. Not only do I think so, a lot of others did, too.

          You're a troll, too. HAND.

  • Tom Gerke (Score:5, Informative)

    by CauseWithoutARebel ( 1312969 ) on Friday July 25, 2008 @07:47PM (#24344189) Journal

    tom.gerke@embarq.com was the contact for the CEO back in March. I assume it is still legitimate...

  • Disclosure laws... (Score:5, Insightful)

    by LostCluster ( 625375 ) * on Friday July 25, 2008 @07:55PM (#24344247)

    We had this problem with the credit card industry before. People were signing up and had no clue what they were agreeing to because the most important terms weren't properly exposed. Then we got a law that made the current interest rate and the formula by which it is computer and how it may be changed in regulated-size type.

    Time for a format for privacy policies to match that...

  • by fuzzyfuzzyfungus ( 1223518 ) on Friday July 25, 2008 @08:10PM (#24344345) Journal
    Frankly, I'm surprised by the number of people who opted out. For something that was done to ~30 thousand people, disclosed only in the byzantine back layers of some policy somewhere(I'm guessing this is one of those policies that get to change without notice) and, so far as I know, not previously known to the geek news sources at large, 15 opt outs is pretty high.

    Obviously there is no good way to do this experiment; but I'd be quite interested to see an estimate of the "expected baseline opt-out rate" for various sorts of disclosure, calculated by disclosing a ludicrously and absolutely unacceptable term or condition and seeing how many people opt-out. From that, you could then more accurately gauge the real level of unhappiness that a given opt-out percentage implies(For example, what percentage of people would opt-out if a term authorizing the CEO and the board to seize subscriber's assets at any time, for any reason, in any quantity appeared deep in the privacy policy? That value would, in effect, constitute the 100% opposition value.)

    Or, we could just do the easier thing and make opt-in absolutely mandatory, perhaps with brutal mob justice for violators.(a man can dream, can't he?)
  • by esegura ( 898796 ) on Friday July 25, 2008 @08:39PM (#24344569)
    ... in my opinion, because not only do they *know* that not many people out there even read the terms of service (or Privacy policy for that matter), but on top of that they are compulsively "opting" everyone in.
    To me, it looks like unilaterally changing the terms of a lease, after the fact, to allow me to go into your apartment an install cameras on every room.

    I'd be switching providers right about... now.
    • by kegon ( 766647 )

      I agree, I don't see any difference between this and spyware. There is nothing "experimental" about this test except to find bugs in their advertising software. They should run the same kind of targeted advertising test using almost identical wording but this time default to opting out.

      If it was a real experiment they would run it again using the same people, without modifying adverts, they would count the number of clicks on non-targeted adverts and targeted adverts and compare them.

      My expectations are t

  • by aachrisg ( 899192 ) on Friday July 25, 2008 @09:38PM (#24344993)
    So, in this day and age, why the *&^#@!&* isn't all traffic encrypted between my browser and the destination server? We're long past the days where there should be anything but https: in front of urls. Are the big guys not really able to handle the encryption overhead?
    • by Antique Geekmeister ( 740220 ) on Saturday July 26, 2008 @05:49AM (#24346905)

      HTTPS presents a significant load on servers. It can easily demand 3 times the hardware and support to transfer a large, busy set of servers to HTTPS for all traffic. If it *didn't* present a noticeable load, it would be fairly useful as a normal encryption channel.

      It's also awkward to proxy and manage the encryption securely, because HTTPS is very careful about checking hostnames and IP addresses to avoid people forging your site. This makes it more awkard for usrs, as their browsers complain about untrusted keys or the server owners have to invest in registering keys.

  • Anyone notice how 'Privacy' oriented NebuAd's Page is ? I wonder how long it's been like that.
  • Television programs are specifically designed to reach a particular demographic so that the ad time can be sold for the highest price possible, with the premise being something like, "this thirty seconds at this time slot will give you the eyeballs of 1,500,000 males between 15-24." Then the ratings, the collection of which is automatic for Tivo users and cable subscribers, confirm to what extent the advertiser got that. (If not, they have to run the ad extra times until it does earn all eyeballs promised

  • I really wonder why a company would choose a name that reminds me of embargo [wikipedia.org], which is related to a boycott [wikipedia.org]. Doesn't look like a good name to me.

Trap full -- please empty.

Working...