
Internet Service Providers Collect, Sell Horrifying Amount of Sensitive Data, Government Study Concludes (vice.com) 35

An anonymous reader shares a report: Over the last few years the justified fixation on the bad behavior of Google, Amazon, Facebook and other Silicon Valley giants has let the abuses of the telecom sector fly under the radar. But a new FTC report showcases how when it comes to consumer privacy, broadband providers are every bit as terrible as you thought they were. The new FTC report studied the privacy practices of six unnamed broadband ISPs and their advertising arms, and found that the companies routinely collect an ocean of consumer location, browsing, and behavioral data. They then share this data with dodgy middlemen via elaborate business arrangements that often aren't adequately disclosed to broadband consumers.

"Even though several of the ISPs promise not to sell consumers personal data, they allow it to be used, transferred, and monetized by others and hide disclosures about such practices in fine print of their privacy policies," the FTC report said. The FTC also found that while many ISPs provide consumers tools allowing them to opt out of granular data collection, those tools are cumbersome to use -- when they work at all. "Many of the ISPs also claim to offer consumers choices about how their data is used and allow them to access such data," the FTC said. "The FTC found, however, that many of these companies often make it difficult for consumers to exercise such choices and sometimes even nudge them to share even more information." ISPs often provide privacy-specific website portals proclaiming to provide users with a wide variety of opt out options but these choices are often "illusory," the FTC found.

  • by Pierre Pants ( 6554598 ) on Friday October 22, 2021 @12:32PM (#61918095)
    I never would have believed it. Now I know.
    • VPN use case (Score:5, Informative)

      by Okian Warrior ( 537106 ) on Friday October 22, 2021 @02:08PM (#61918427) Homepage Journal

      A recent slashdot article discussed whether VPNs are obsolete, now that everyone uses https.

      Well, here is your use case: Use a VPN when you don't want your ISP to snoop on what you're doing.

      Note that Tor shows a message saying that using Tor is not sufficient, and they recommend using Tor through a VPN. I personally don't worry about police investigation, but know that the police have recently managed to pierce Tor's anonymity somehow (I think using local javascript execution to access a site without going through the VPN somehow, revealing the actual source IP address accessing an onion site, but I don't know any details).

      Also use case: use a VPN from home to do remote work at a company.

      If one assumes that all the root certs are compromised somehow with the CIA (simply stealing the public keys by physical means would be sufficient), a company setting up a VPN using local certificates not under the certification chain would still be secure.

      Also use case: secure communications with 3rd parties.

      If you want to set up secure communications with someone (or a small group) and they are willing to cooperate, running a VPN through locally generated certs is very secure - probably the best you can get, and probably uncrackable outside of compromising the endpoint (such as putting a virus on the recipient's computer).

      So if you had a team, and wanted your meetings and communications to be secure, using a VPN with locally generated certs is the way to do it.

      I can think of lots and lots of "teams" on the internet that would like to communicate and avoid scrutiny.

      VPN through local certs is the way to do that.

      (Note that the recent Epik hack grabbed entire machine images, which sorta implies that the hacker had physical access to the machines. Is your system safe from someone on-site copying down the entire machine image from the server room?)

      • Note that the Gargoyle router software has the ability to force all traffic through Tor. Gargoyle is based on OpenWRT, so this is likely an option there, too.
      • by khchung ( 462899 )

        A recent slashdot article discussed whether VPNs are obsolete, now that everyone uses https.

        Well, here is your use case: Use a VPN when you don't want your ISP to snoop on what you're doing.

        You mistakenly assumed that VPN providers would collect less of your data than your ISP.

        Guess which one is more regulated, ISP or VPN providers?
        Guess which one costs more to start up from scratch, ISP or VPN provider?
        Guess which one is easier for shady companies to start up and run, ISP or VPN provider?
        Guess which one is easier for the CIA to use as a front to collect data, ISP, or a VPN provider?
        Guess who is more likely to have data the CIA is more interested in, general users not using VPN, or people con

  • by Slicker ( 102588 ) on Friday October 22, 2021 @12:34PM (#61918105)

    How is it legal for an Internet service provider to look at the content we communicate, in any case? Doesn't the DMCA protect from unauthorized access and sharing of one's content?

    Or, let me guess, the DMCA is purely there to protect businesses and not consumers? Unauthorized deep inspection of my communication should be illegal. It is clearly wrong.

    • Doesn't the DMCA protect from unauthorized access and sharing of one's content?

      The DMCA was the law approved by the MFIAA's puppets ("elected", read:bought, officials) to "curb" piracy of their crappy movies, etc.

      What you're thinking of is likely GDPR, which is an EU law/directive, though California has some equivalent that doesn't apply to the whole US.

    • by Entrope ( 68843 )

      The Digital Millennium Copyright Act is, as the name suggests, a copyright law. It protects copyrights in creative works. There is no copyright over your Internet browsing history. If you want legal protections over your Internet use, look to other laws.

    • by Holi ( 250190 )
      Why would an extension copyright law be relevant here?
    • by Sloppy ( 14984 )

      the companies routinely collect an ocean of consumer location, browsing, and behavioral data

      I think there are mainly two DMCA questions:

      1) what is the copyrighted work? When you transmit "get me the contents of this URL at pornhub" is that request, itself, a creative expression? Or is that only about as creative and copyrightable as saying "I am a Lexmark-blessed ink cartridge."? Nevertheless, a lot of what you transmit really should fall under title 17, such as posting a comment or speaking in a Zoom call.

  • Might explain why Avast keeps trying to up-sell me on a VPN.

  • by Tablizer ( 95088 )

    The Snooping Industrial Complex is Yuuuge.

  • If you look, ISP data collection is explicitly allowed by the rules. Not sure why the FTC is freaking out, they wrote the actual rules.

    • If you look, ISP data collection is explicitly allowed by the rules. Not sure why the FTC is freaking out, they wrote the actual rules.

      It's a Government thing. U.S. House and Senate members routinely complain about bills written by lobbyists, ignoring the fact that *they* then passed those bills.

  • Let's name them and demand congress put the ISPs under common carrier status, otherwise we're just running around the same old ant mill

  • They should -name names- and let the dirt fly accordingly! Slimeball companies thrive in the dark.

  • by Holi ( 250190 ) on Friday October 22, 2021 @01:22PM (#61918291)
    Many internet service providers (ISPs) collect and share far more data about their customers than many consumers may expect—including access to all of their Internet traffic and real-time location data—while failing to offer consumers meaningful choices about how this data can be used, according to an FTC staff report on ISPs’ data collection and use practices.

    The staff report, which details the expanding scope and some troubling aspects of some ISP data collection practices, stems from orders the FTC issued in 2019 using its authority under 6(b) of the FTC Act to six internet service providers, which make up about 98 percent of the mobile Internet market:

    AT&T Mobility LLC;
    Cellco Partnership, which does business as Verizon Wireless;
    Charter Communications Operating LLC;
    Comcast Cable Communications, which does business as Xfinity;
    T-Mobile US Inc.; and
    Google Fiber Inc.

    The FTC also issued orders to three advertising entities affiliated with these ISPs: AT&T’s Appnexus Inc., rebranded as Xandr; Verizon’s Verizon Online LLC; and Oath Americas Inc., rebranded as Verizon Media. The FTC sought information on their data collection and use practices, as well as any tools provided to consumers to control these practices.

    As noted in the report, these companies have evolved into technology giants who offer not just internet services but also provide a range of other services including voice, content, smart devices, advertising, and analytics—which has increased the volume of information they are capable of collecting about their customers. The report identified several troubling data collection practices among several of the ISPs, including that they combine data across product lines; combine personal, app usage, and web browsing data to target ads; place consumers into sensitive categories such as by race and sexual orientation; and share real-time location data with third-parties.

    At the same time, the report found the privacy protections many of the companies offer raised several concerns. Even though several of the ISPs promise not to sell consumers personal data, they allow it to be used, transferred, and monetized by others and hide disclosures about such practices in fine print of their privacy policies. For example, several news outlets noted that subscribers’ real-time location data shared with third-party customers was being accessed by car salesmen, property managers, bail bondsmen, bounty hunters, and others without reasonable protections or consumers’ knowledge and consent, according to the report.

    Many of the ISPs also claim to offer consumers choices about how their data is used and allow them to access such data. The FTC found, however, that many of these companies often make it difficult for consumers to exercise such choices and sometimes even nudge them to share even more information. In addition, while several of the ISPs promise to only keep the data for as long as needed for business purposes, the definition of what constitutes a “business purpose” varies widely among the companies.

    The report concludes that many of the ISPs’ data collection and use practices mirror problems identified in other industries and underscore the importance of restricting data collection and use.

    The Commission voted 4-0 to approve and issue the report. Staff presented findings from the report at today’s open virtual Commission meeting. Chair Lina M. Khan issued a separate statement on the report.

    https://www.ftc.gov/news-event... [ftc.gov]
  • ...you pay them for a connection. What kind of extra pittance can they make by selling that? A few cents a month? Why not protect their customers instead? It seems a much more reasonable long term strategy. My ISP offers ad-blocking at the connection level. It's not on by default, but it's a single click to activate. There's also built-in VPN for the entire household (with any provider you want).
  • Additional to the other ones.

  • We've got the GDPR here so that this doesn't happen. I think it's actually a good idea not to have your politicians', military's, intelligence, & corporate executives' location histories, habits, routines, interests, people they meet, communicate &/or associate with easily available to every competitor country's counterparts & spy agencies. Do you think Russia, Iran & China fund organisations by proxy to block any data privacy laws in congress because they like things just the way they are?
  • by QuietLagoon ( 813062 ) on Friday October 22, 2021 @02:22PM (#61918467)
    ... would be if the FTC actually did something about this egregious breach of privacy.
  • How about security? Link analysis is a thing. You can figure out quite a lot by tracking who is friends with whom or what company you call in sick to and the names of co-workers. Maybe a front organization for CIA NOCs. We may have exposed dozens of agents when Valerie Plame's cover was blown [wikipedia.org] and foreign intelligence had metadata on contacts to her front company. Or someone steps out to pick up lunch and texts the people back at the office [wikipedia.org] if they want something from the local deli.

    Industrial espionage is

  • by Anonymous Coward
    Not mentioned in TFS nor TFA is that a lot of ISPs also run your outgoing mail through transparent proxies with Cisco PIX-like behaviors, i.e.: they filter STARTTLS from EHLO responses and return "Bad Command" if you still send a STARTTLS. This allows them to scan your outgoing email "for your safety," erhm for scumbag marketing purposes.
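
The STARTTLS filtering described in the comment above can be checked from the client side. The following is an added example, not part of the original comment: it parses EHLO replies and flags a session where STARTTLS is missing although the server is known to offer it, and it never approves a plaintext fallback. The function names, the constructed transcripts and the `expected_starttls` input are assumptions.

```python
import re

REPLY = re.compile(r"^(\d{3})([ -])(.*)$")  # code, continuation marker, text

def parse_replies(lines):
    """Group server lines into (code, [texts]) replies; '-' continues, ' ' ends."""
    replies, texts = [], []
    for line in lines:
        m = REPLY.match(line.rstrip("\r\n"))
        if not m:
            continue  # not an SMTP reply line
        code, sep, text = m.groups()
        texts.append(text)
        if sep == " ":
            replies.append((int(code), texts))
            texts = []
    return replies

def ehlo_keywords(reply):
    """Extension keywords of an EHLO reply; the first line is only the greeting."""
    code, texts = reply
    if code != 250:
        return set()
    return {t.split()[0].upper() for t in texts[1:] if t.strip()}

def assess(ehlo_lines, starttls_lines=(), expected_starttls=False):
    """Return (verdict, safe_to_send). expected_starttls is a hypothetical input:
    True when the same server advertised STARTTLS over a different network path."""
    replies = parse_replies(ehlo_lines)
    if replies and "STARTTLS" in ehlo_keywords(replies[0]):
        return ("offered", True)
    cmd = parse_replies(starttls_lines)
    rejected = bool(cmd) and cmd[0][0] >= 500   # STARTTLS sent anyway, got 5xx
    if expected_starttls:
        return ("stripping-likely" if rejected else "stripping-suspected", False)
    return ("not-offered", False)  # fail closed: never fall back to plaintext

# Constructed transcripts (not captured traffic); host name is a placeholder.
DIRECT = ["250-mail.example.net Hello", "250-SIZE 35882577",
          "250-8BITMIME", "250-STARTTLS", "250 HELP"]
VIA_ISP = ["250-mail.example.net Hello", "250-SIZE 35882577",
           "250-8BITMIME", "250 HELP"]
STARTTLS_REPLY = ["500 Bad Command"]  # reply code chosen for illustration

if __name__ == "__main__":
    print(assess(DIRECT))
    print(assess(VIA_ISP, STARTTLS_REPLY, expected_starttls=True))
```
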
  • I have been screwed by Charter / ComCast / Spectrum falsifying the laws, then I get screwed in court.

    This must be made a felony.

    They must be held to account.
