“We don’t solve problems by misrepresenting what the real scenario is. It’s true that ISPs have way too much power over these markets, and they can see and collect a ton of information on you which can absolutely be misused in privacy-damaging ways. But let’s at least be honest about how it’s happening and what it means. That’s the only way we’re going to see real solutions to these issues.”
—–Mike Masnick on Techdirt on the ignorance of supporters, critics, and the public regarding consumer broadband privacy protections, which were just repealed by straight party line votes in Congress, as part of the Congressional Review Act, which allows the legislative branch to eliminate regulations and limits an agency’s ability to issue similar rules to the ones being struck down. President Trump is expected to sign the bill.
I can see both sides of the Internet “privacy” debate. All I ask is that the average screaming head on TV knows what she’s talking about, and that the news media try to educate citizens on the issue, not portray it as another Obama did it so it’s wonderful, Trump is overturning it, so it’s the end of the world. This morning I watched Morning News Babe Robin Meade roll her eyes while “describing” what the bill does completely inaccurately. The bill, her unhappy face broadcast, is baaaad like everything the Trump Administration and Republicans do is baaaaad. Then she explained that the bill would allow internet service providers, browsers and “search engines” to take your internet history and sell it to big corporations. Then she giggled about how Max Temkin, inventor of some card game* I have never heard of, promised in a tweet…
“If this shit passes I will buy the browser history of every congressman and congressional aide and publish it.”
Robin, not having the foggiest idea what the bill really did, thought this was so funny and cool. She did not inform her audience, some of whom were actually seeking reliable information and not just tuning in to ogle, that…
- The bill only undoes the Obama FCC regulations that stopped ISPs from gathering data on their customers’ internet use, and they hadn’t taken effect yet. In other words, it changes nothing.
- Google, Amazon, Facebook, and other browsers and internet services still can gather anything they get their grubby cyber paws on. The FCC doesn’t regulate them.
- As Masnick explains, neither Temkin nor anyone else can buy individual web-use data:
You can’t buy Congress’ internet data. You can’t buy my internet data. You can’t buy your internet data. That’s not how this works. It’s a common misconception. We even saw this in Congress four years ago, where Rep. Louis Gohmert went on a smug but totally ignorant rant, asking why Google won’t sell the government all the data it has on people. As we explained at the time, that’s not how it works*. Advertisers aren’t buying your browsing data, and ISPs and other internet companies aren’t selling your data in a neat little package. It doesn’t help anyone to blatantly misrepresent what’s going on.
When ISPs or online services have your data and “sell” it, it doesn’t mean that you can go to, say, AT&T and offer to buy “all of Louis Gohmert’s browsing history.” Instead, what happens is that these companies collect that data for themselves and then sell targeting. That is, when Gohmert goes to visit his favorite publication, that website will cast out to various marketplaces for bids on what ads to show. Thanks to information tracking, it may throw up some demographic and interest data to the marketplace. So, it may say that it has a page being viewed by a male from Texas, who was recently visiting webpages about boardgames and cow farming (to randomly choose some items). Then, from that marketplace, some advertisers’ computerized algorithms will more or less say “well, I’m selling boardgames about cows in Texas, and therefore, this person’s attention is worth 1/10th of a penny more to me than some other company that’s selling boardgames about moose.” And then the webpage will display the ad about cow boardgames. All this happens in a split second, before the page has fully loaded.
At no point does the ad exchange or any of the advertisers know that this is “Louis Gohmert, Congressional Rep.” Nor do they get any other info. They just know that if they are willing to spend the required amount to get the ad shown via the marketplace bidding mechanism, it will show up in front of someone who is somewhat more likely to be interested in the content.
That’s it.
Got that, Robin?
Probably not.
It’s not just Robin, of course. At MSNBC, the reliably risible Joy Reid sent a tweet (above) telling everyone that the bill meant that they should delete their browsing history hourly, which Masnick properly finds appalling:
“That’s just… embarrassingly uninformed, to the same level as the people insisting you can walk up to Comcast or AT&T and buy Louis Gohmert’s browsing history (or, for that matter, Louis Gohmert’s belief that the government can just buy advertising data to find terrorists).”
It’s not just that Reid is uninformed, however. She is misinforming the public. That’s the opposite of what journalists are supposed to do. It’s unethical, but then it’s designed to make Trump and the Republicans look bad, so it doesn’t count. This is The New York Times Rule, MSNBC application.
There are also multiple crowd funding efforts on the web, like the GoFundMe request for donations to “purchase the data of every Congressperson who voted for SJR34 and to make it publicly available.” This is where ignorance meets fraud: that crowd-funding effort has netted over $30,000 to do something that cannot be done. As with Masnick’s threat, it also shows how unethical the “resistance” is. Doing this to anyone would be unethical, if it were possible. Golden Rule? What’s that?
Of course, most of the legislators voting for or against the bill aren’t any more astute than Reid, and if they are, they just want to frighten consumers by making the issue something it’s not, like House Minority Leader Nancy Pelosi before the House vote:
“Your broadband provider knows deeply personal information about you and your family – where you are, what you want to know, every site you visit, and more,” she said. “They can even track you when you’re surfing in a private browsing mode. You deserve to be able to insist that those intimate details be kept private and secure.”
Actually, they don’t “know” anything of the sort, any more than the local waste management company “knows” what Nancy’s excrement smells like. This information is dumped into Big Data files, and sliced, diced and sold for marketing purposes. Yes, it’s your information, and you may not like a big company using and profiting from it this way. But it is not as if they know anything about you personally, or care.
Here was the GOP bill’s sponsor’s very different explanation of it, as Senator Jeff Flake said in a statement:
“The FCC’s midnight regulation has the potential to limit consumer choice, stifle innovation, and jeopardize data security by destabilizing the internet ecosystem. Passing my resolution is the first step toward restoring a consumer-friendly approach to internet privacy regulation that empowers consumers to make informed choices on if and how their data can be shared. It will not change or lessen existing consumer privacy protections.”
This is half-true and glossed, which is still better than Pelosi’s scaremongering. For there to be consumer choice and competition, there would have to be some motivation for the huge ISPs like Verizon and Comcast to compete. TechDirt, which supports the regulations being squashed, argues,
Congress has intentionally and repeatedly ignored the lack of broadband competition that makes net neutrality, privacy, and other bad behavior possible. Now, as cable’s monopoly over broadband grows faster than ever, ISP-loyal lawmakers are rushing to strip away any and all government oversight of one of the least-liked, and most anti-competitive business sectors in American history. ISPs recently busted for covertly modifying packets to track users, charging an additional fee for privacy, or giving worse customer support based on credit score now have carte blanche to misbehave.
But that’s misleading too, as is TechDirt’s description of the GOP bill as caving to lobbyist money. You don’t think lobbying from Google et al., so they would be the only ones who could amass browsing data, wasn’t behind those FCC rules eliminating the ability of ISPs to do the same? Smaller ISPs also wanted their big competitors to be hobbled. Republicans, and President Trump, believe that in the end, less regulation means more jobs and a healthier economy. Democrats believe that businesses should be regulated, and the market be damned. Who’s right in this case? I’m not sure, but I do know that not one voter in a hundred understands this issue. I also know that elections have consequences.
Then there is this continuing misconception, encapsulated by a still cited 2014 cautionary study by the Pew Research Center that concluded that the majority of net-neutrality experts agreed that expectations of digital privacy may be completely gone by 2025. In 2017, we should know that expectations of digital privacy should be gone NOW. Democrats especially should understand this: ask John Podesta. Ask Hillary Clinton. Heck, ask FBI Director James Comey, who foolishly thought he could maintain a secret Twitter account, which was ferreted out and revealed yesterday.
To sum up this mess, ethics and otherwise: The news media is misinforming the public and merely taking partisan positions while repeating talking points; lawmakers are misrepresenting the issue and the bill from both sides of the aisle; the tech sector is generally anti-business, and has its own biased spin; all sides of the issue are driven by financial self-interest; and the public is largely confused and ignorant, which is part of the plan.
The key points are these, which are being completely obscured in all the posturing and spin:
1. Neither the Obama regulations nor the Republican removal of them has much to do with personal “privacy.”
2. If you want to ensure personal privacy, don’t use the internet. Any law, regulation, politician or journalist who causes you to think otherwise is misleading you.
* In the first version of the post, I called it a web game, another bit of misinformation I acquired from Robin’s blathering. (Thanks to Neil Dorr for the correction). Either way, George S. Kaufman’s comment applies.
__________________________
Pointer: HLN, Amy Alkon
Sources: Fox News, TechDirt 1, 2,
Nice. This was exceptionally informing and it reinforced what I had learned a while back regarding what this action is doing. Very, very nicely done! Oh, I would expend too much energy on hopes that Robin or anyone else on these networks would ever actually care about “facts.” As we all know, the facts have very little to do with the truth–or at least their version of it! You just gotta love post-modernity…
I remember a few years back, one of the search engine companies thought it was cute to release people’s search histories anonymously. What people found out very quickly is that it was laughably easy to figure out the identities of most people, if only for the tendency for people to google themselves and their friends on a regular basis. The info was taken down quickly.
The saddest one was a woman looking up something like, “how to make your boyfriend happy.” Then, “break up depression ” Then “abortion provider.” “Sadness”. “Forgiveness.” “Churches near me.” Yeah, they can collect a lot of information on you, and it’s out there.
Of course, any search engine that did that would be run out of business.
After a little bit of research, this must have been what I was thinking of:
https://en.wikipedia.org/wiki/AOL_search_data_leak
On August 4, 2006, AOL Research, headed by Dr. Abdur Chowdhury, released a compressed text file on one of its websites containing twenty million search keywords for over 650,000 users over a 3-month period intended for research purposes. AOL deleted the search data on their site by August 7th, but not before it had been mirrored and distributed on the Internet.
AOL did not identify users in the report; however, personally identifiable information was present in many of the queries. As the queries were attributed by AOL to particular user numerically identified accounts, an individual could be identified and matched to their account and search history by such information. The New York Times was able to locate an individual from the released and anonymized search records by cross referencing them with phonebook listings. Consequently, the ethical implications of using this data for research are under debate.
AOL acknowledged it was a mistake and removed the data; however, the removal was too late. The data was redistributed by others and can still be downloaded from mirror sites.
In January 2007, Business 2.0 Magazine on CNNMoney ranked the release of the search data #57 in a segment called “101 Dumbest Moments in Business.”
***************************************************
Consumerist does the wading for you and finds a delightful little item, AOL User 927.
The record starts out blandly enough in March. First he’s concerned about how long it takes broken legs to heal. Then he investigates human mold. Perhaps staying at home after an accident? Then he peeks into a little dog sex, but the leash isn’t very long, the most prurient site he reaches being SFweekly.com, a regular ol’ newspaper.
Later that day he looks up flowers. flowers aster. butterfly orchid. The next day, more flowers, followed by a little forced rape porn, testicle festivals and slow-dancing steps. Must be planning a big night.
Fast-forward to May…
Queries include: beauty and the beast disney porn, holocaust rape, japanese child slave, molestation and rape porn, virtual children, 3d molestation and rape porn, topped off with a little, “oh i like that baby. i put on my robe and wizards hat.”
A cautionary tale, all around. The web was also more secure then than it is now.
This may be nitpicking.
The web wasn’t really more secure. The gaps in security being used now were basically all available then, along with others which have since been closed. The exploits may have been more obscure.
Well, the technology of hacking has also advanced.
http://www.duckduckgo.com
They build their business precisely on the idea of not keeping users’ information. I use them and for 90% of my searches they are good enough. 🙂
Jack,
“.. Max Temkin, inventor of some web game I have never heard of, promised in a tweet…”
Friendly correction: “Cards Against Humanity” isn’t a web game; it’s a card/ice-breaker game.
Sarcastic add-on: I guess you’ve never played it; I’m sad for you (whatever that’s supposed to mean).
That’s easily fixed: I’ll try it! Of course, people said the same thing about “Scruples.” Or will playing it prevent me from feeding the hungry?
You never played Cards Against Humanity? You haven’t known an ethical dilemma until you are holding one of the “nuclear” cards, and you know if you play it, you are sure to win…but if you do play it, it will be so, so, wrong. Yet hilarious.
The guy’s threat tells me all I need to know about his ethical acumen.
If you play the game, and then research the company behind it, and consider the people who love it, you’ll find the whole thing deeply “problematical” if not outright unethical.
In short, the game itself is a rip off of Apples to Apples, recast as a sort of cruel, vicious, sexist and outrageous “against humanity” madlibs, that often target minorities, because that’s what the people who love the game, typically and literally SJWs find funny to do. Rant online all day about horrible non-sjw types, then go home and play cards against humanity and make all sorts of “ironic” racist madlibs with their friends.
Temkin himself was falsely accused of rape, which hilariously the geek feminism wikia will mention, without mentioning the outcome except for linking to his blog geekfeminism dot wikia.com/wiki/Max_Temkin_rape_report and Gawker will moan that the false rape claim only hurt him for four weeks:
http://gawker.com/remember-when-the-cards-against-humanity-guy-was-accuse-1621559973
>> There is no evidence for this story. I will never have a chance to defend myself. The structure of the modern internet is such that these things never reach resolution and never go away. This is just baseless gossip that will now haunt me for the rest of my life.
> Huh. It seems like he’s doing just fine.
(Here is Max’s version: http://blog.maxistentialism.com/post/91476212698/this-is-a-blog-post-thats-incredibly-confusing)
Well some would say Max learned nothing from this. Others would look at the success of CAH and who loves that game and how he sells it and say he learned quite a bit.
I am continually amazed by how little people know about computers in general and the internet in particular. Sometimes, it takes my breath away.
I am also amazed by lawmakers who attempt to regulate an industry without knowing the first thing about it.
How to be safe with electronic data
First rule: anything online is vulnerable, no matter who secures it. It follows that any computer/device connected online is also vulnerable.
Second rule: Public WiFi is hack-able, and doing so is not that difficult. Someone just has to want to. Using it for playing games could make you vulnerable, and using it to access your financial information (banks, brokers, etc.) is stoopid.
Third rule: Anything you do electronically is forever. Any tweet, snap chat, Facebook post, cell phone text or conversation, email, web post, browsing activity, and anything else may be saved by someone. Some of those are harder to get than others: browsing activity takes a snooper on the data line, or a court order to set a snooper up at your ISP. For instance, all cell phone activity is now saved by the NSA, including where the phone was when. No, no one looks at it, not until they have a reason to research a person, perhaps years later. ‘Smart’ TVs can record you in your own home, without your knowledge, unless you take steps to stop it (electrical tape over cameras/microphones is a start, but still not enough).
Fourth rule: Any public activity can be recorded today. Besides CCD cameras everywhere and licence plate readers on many roads, facial metrics can track you in most urban and many rural areas. Even going into the desert or mountains could be spotted via satellite, should the motivation be enough to look your way.
So don’t leave your computer connected to the Internet 24/7 (a power strip that stops electricity from reaching the computer helps cut connectivity when ‘off’), do nullify the ability of other devices to spy on you in your home, and never say anything electronically you do not want going public. Use complex passwords, and never the same for multiple sites. Password safes are better than written notes (and Apple Notes are silly to use for this.) How much you protect yourself depends on your level of paranoia.
Do you have something to hide? A secret you would rather not be made public? Do not document it electronically! Or use the method below.
Now, how to be safe with electronic information: Place it exclusively on an air-gapped (no network connection at all) computer. Place that computer in a heavy steel safe. Encase that safe in concrete, take it out to a deep ocean trench, and drop it overboard. Forget the coordinates where you dropped it.
The point is, nothing is fool-proof.
You can take steps to lower the probability that your information gets out, but even using paper and quill pen was only so good as the physical security the document was placed under. Learn some simple steps and you will remove yourself from the radar of most predators. People are careless, apathetic, and just plain dumb, so anything you do helps keep you safer.
I keep such information in a secure, encrypted flash drive that is not stored in a computer USB slot. Could someone break the encryption, should they find the drive and wish to spend the effort? Sure. But if they want me that badly they will get me, one way or another. Why would they? I do not have any deep dark secrets or hidden crimes in my past. Even so, why should my business be available to anyone just to browse through?
Your mileage may vary, but doing nothing is unethical in my responsibilities to my family.
Excellent information slickwilly. But even if one takes all of these precautions, going to the point of not having an internet connection or even using a computer, there remains a vulnerability. The vulnerability is private information being put on the internet pretty much every time one accesses any form of healthcare.
All of the health insurance companies and healthcare providers by nature of their business have huge databases. In 2015, 4.5 million records of the UCLA hospital system were hacked. Estimates are that more than 150 million records have been exposed since 2009. Healthcare providers were rushed into adopting Electronic Health Records even though they didn’t have adequate cyber security in place. Having your sensitive medical or mental health history exposed is the least of your worries. Medical records sell for hundreds of dollars because they provide a complete dossier of personal information–SSAN, address, date of birth, driver’s license number, credit card numbers and much more. Having your credit card number stolen is nothing compared to this.
If you manage to avoid having your record stolen, you are not out of the woods. Hospitals are regularly being attacked by ransomware, sometimes completely shutting down operations until the ransom is paid. The system is usually infected by someone opening a phishing email or other social engineering attack such as scattering infected USB sticks and waiting for someone to put one in a computer on the network thereby installing the malware.
OK, all of the above attack vectors have been secured and now you’re safe. Wrong. A plethora of medical devices from respirators, pacemakers, and infusion pumps up to MRI scanners and lab analyzers are running embedded programs and connected to the hospital network. If you are lucky, they will only hack the device to get on the network and steal records or plant ransomware. If you are unlucky, they can kill you. But looking on the bright side, a medical record is more valuable to them than your death.
What can you personally do about it? Very little as far as I can see. You can try going to doctors who don’t use EHRs but they are getting harder and harder to find and anyway sooner or later you will need to go to the hospital and they all use them. Besides, you probably have health insurance and there is plenty in those records. This is a huge problem and I think Congress needs to stop worrying about just protecting browser histories and start worrying about protecting all the health information that is out there and continuing to increase exponentially.
Also a COTD…
Comment of the Day; now we have two on this topic. Excellent.
Thanks. I thought Alex’s comment was extremely good but didn’t see it until after I posted.
What is being reported is wrong, but I think even if you take the most optimistic view you’re taking a stance that is not considering all the consequences of ISPs collecting all the data.
(For background, I think the Obama rule was wrong and oppose net neutrality as proposed. I might get behind regulating ISPs as utilities, but only because currently they enjoy monopoly status because local jurisdictions prevent competitors from entering the market.)
First, the way the data is collected it is not necessarily anonymized. Actually for some types of data (say, you visit a site that distributes “cracked” software or even certain security related ones) the ISP will flag your account and send you a letter. So they are keeping your non-anonymized history. Even if they didn’t, matching a set of grouped anonymized searches to a real person is a relatively easy exercise. I know what are the four sites I visit every day and on some of them I leave comments that can be easily traced to my real identity. Anybody watching my traffic – or an anonymized collection of my website visits – can find out everything about me in minutes.
Second, the ISPs are actually storing the raw data (not the content of the pages you visit, but the full URLs). Not aggregates, not statistics. Storage is cheap these days, and whatever they can gain from that extra tenth of a cent will be saved for future use. They already have the infrastructure, so doing it is almost free.
Third, the data is stored forever, or a very long time at least, and it’s barely secured at all. There are no internal controls and they can’t even confirm if there have been external breaches. A legitimate court order can ask them for all the data they have logged on you, based on your physical location or your IP address. I don’t want law enforcement knowing that I bought “The Machinery of Freedom” and have downloaded “The Anarchist’s Cookbook”, and yet they can trivially know that by asking Comcast for it politely.
Fourth, you only know you’ve been targeted when you’re told, but there is no way to know that I have not been the subject of one of these fishing expeditions that turned up nothing. I do not know if anyone has looked at my internet history.
Fifth, your ISP has no incentive to protect you. In many places you can’t go to a competitor, and where you can they have the same policies. The best you can do is take your $50/month away; the government can make their lives comfortable or miserable for years. Guess who they’re going to side with.
What can you do to protect yourself?
– Encrypt everything. That’s not on us but on website operators. Now your ISP only has the domain instead of the full URL. An improvement, but they can still figure out if you visit unsavory places like “how to start a revolution dot com” or “ethics alarms dot com”.
– The VPN solution being suggested by some pundits is stupid. You give more money to someone else who is under the exact same position as your current ISP.
– Use TOR. I use it sparingly, and in the past have run a relay node at my IP address. Unfortunately it is so uncommon that it just brings more attention to yourself. Besides if everything went through TOR traffic the network load would slow things down noticeably.
In the end I can only think of using privacy-friendly services (e.g. DuckDuckGo for your search engine), having the ability to protect your traffic when needed (TOR, but routinely use it to make it “the new normal”) and support those developing the technology to protect privacy (e.g. the EFF). The current incentives are not in your favor, and Congress has demonstrated an absolute inability to do anything about it. This will be a long and upward battle; I don’t expect to see any gains on the individual’s side for decades.
PS: Read this essay by Bruce Schneier: https://www.schneier.com/blog/archives/2016/03/data_is_a_toxic.html I generally oppose government regulation to solve these problems, but the “toxic waste” analogy makes a very strong point.
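What an ISP-side log can keep for plain HTTP versus HTTPS traffic, the "domain instead of the full URL" point made in the comment above, as an added Python example that is not part of the original comment. The URLs are constructed samples on reserved `.example` names, and the sketch assumes unencrypted DNS and no Encrypted Client Hello, so the hostname stays visible in both cases.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def observer_view(url):
    """Fields a passive on-path observer (such as the ISP) can log for one request.

    Assumptions: DNS lookups are unencrypted and TLS carries the server name in
    cleartext (no Encrypted Client Hello), so the hostname is visible either way.
    """
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in DEFAULT_PORTS:
        raise ValueError(f"unsupported scheme: {scheme!r}")
    if not parts.hostname:
        raise ValueError(f"no host in URL: {url!r}")
    view = {
        "host": parts.hostname,
        "port": parts.port or DEFAULT_PORTS[scheme],
        "path": None,
        "query": None,
    }
    if scheme == "http":
        # Plain HTTP: the request line and headers cross the wire unencrypted.
        view["path"] = parts.path or "/"
        view["query"] = parts.query or None
    # HTTPS: path and query travel inside the TLS session and are not logged.
    return view


def summarize(urls):
    """Aggregate what a log of these requests would retain."""
    views = [observer_view(u) for u in urls]
    return {
        "hosts": sorted({v["host"] for v in views}),
        "full_urls_visible": sum(1 for v in views if v["path"] is not None),
        "queries_visible": [v["query"] for v in views if v["query"]],
    }


# Constructed sample session (not real traffic).
SAMPLE_SESSION = [
    "http://bookshop.example/search?q=the+machinery+of+freedom",
    "https://bookshop.example/search?q=the+machinery+of+freedom",
    "https://clinic.example/appointments/new?reason=checkup",
    "https://blog.example:8443/2017/03/isp-privacy",
]

if __name__ == "__main__":
    for url in SAMPLE_SESSION:
        print(url, "->", observer_view(url))
    print(summarize(SAMPLE_SESSION))
```

Every record still carries the hostname, which is the residual exposure the comment describes even when every site uses HTTPS.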
Terrific exposition: I’ll post later as a COTD.
Much appreciated. Thanks. 🙂
Thanks, I generally defer to Masnick, but thought here (and at other times) he was a bit glib about this.
Illinois is smartening up on a state level. They’ve realized what this bill could potentially lead to. While the rest of the US is relying on privacy and anti-tracking tools like Ivacy VPN and Tor, hoping they would protect them from data mining giants in the US, it should have been the government to ensure people (and their data) always remained safe and private.
You’ve got to be kidding.
Unfortunately, the Government IS one of the Data Mining Giants.