Your ISP might not be spying on you now — but you’d be crazy not to worry that it will

(Image by Rob Pegoraro/Yahoo Tech)

The good news: Your Internet provider can’t tell you’re reading this story.

The bad news: It still has other ways to track what you’re interested in. And — given the history of Internet providers tracking their users’ travels around the Web and then selling that information to advertisers — it wouldn’t be surprising if your ISP wanted to figure out more ways to follow you online.

These concerns have become higher-profile issues since the Federal Communications Commission gave itself the authority to make Internet providers obey some of the same privacy rules that already restrain telephone and pay-TV services.

Why you shouldn’t worry

The FCC can do that because of last year’s reclassification — in the name of net neutrality — of Internet providers. That shift subjected them not only to “common carrier” rules that govern phone companies but also to the privacy obligations that stop your phone carrier from, say, selling your calling history to a marketing agency.

So far, the commission has mainly looked for — in the words of a May 2015 notice — “reasonable, good-faith steps” by ISPs to follow those rules. (The Federal Trade Commission already exercises roughly that level of oversight, taking action when it thinks Internet providers are being deceptive or unfair.)

But the FCC is now getting ready to debate more detailed regulations.

Beyond their customary response — relentless litigation — to overthrow the net-neutrality regime, major Internet providers have recently offered another reason not to adopt such regulations: They say they can’t see that much of what you do, anyway.

A paper released last Monday by Georgia Tech’s Institute for Information Security & Privacy (and partially funded by the industry group Broadband for America) makes that argument by pointing out how much Internet traffic is now encrypted and how much of it travels over mobile and Wi-Fi networks instead of via residential broadband.

The amount of time we spend on those other networks isn’t news. But some numbers about encryption cited in the 125-page paper did catch my eye.

Authors Peter Swire (a longstanding privacy professional and veteran of the Clinton and Obama administrations), Justin Hemings, and Alana Kirkland say that the data — from the network-analysis firm Sandvine and the Center for Applied Internet Data Analysis (CAIDA), a public/private research organization — suggest that Internet providers are blind to half or more of the traffic they carry, because that traffic is encrypted.

Sandvine, for example, forecast last month that 70 percent of global Internet traffic will be encrypted this year. (But the same report found that, in North America in February, only 38 percent of wired-broadband traffic was encrypted.) CAIDA’s research, meanwhile, shows the share of encrypted traffic rising from 13 percent in April 2014 to 49 percent in February of 2016.

The paper’s conclusion: “There clearly can be no ‘comprehensive’ ISP visibility into user activity when ISPs are blocked from a growing majority of user activity.”

(Image from CAIDA site)

Why you should worry

But even when you visit encrypted sites, your Internet provider can still see their domain names (unless you also employ a virtual-private-network connection). As New America’s Open Technology Institute pointed out in a January paper, your mere presence at the domains of Planned Parenthood, cash-advance services, or the National Rifle Association can reveal volumes about you, regardless of whether or not the specific pages they send you are encrypted.

And if even a limited view of somebody’s Web activity is so worthless, why haven’t Internet providers stopped trying to monetize their users’ online habits?

A decade ago, many sought to use “deep packet inspection” of their users’ traffic to help sell ads. Today, AT&T’s GigaPower gigabit fiber-optic service’s default offering is a “Premier Offer,” in which you consent to have your Web traffic scanned for marketing purposes; a no-scanning option is available but hidden behind a smaller-type link. AT&T’s deal does save you money — or, if you prefer to put it another way, the ISP will charge you $29 and up for your privacy.

Verizon Wireless’s since-radically-curtailed “supercookie” tracking didn’t lower your bill, but it did make it easy for every other site to follow you around the Web. On Monday, the FCC announced a settlement in which VzW agreed to pay a $1.35 million fine, obtain its customers’ permission before sharing their data with third parties, and only perform this tracking “using methods that comply with reasonable and accepted security standards.”

Internet providers have also been among the last tech firms to start issuing “transparency reports” inventorying government queries about their customers. That doesn’t make them easier to trust.

Don’t trust anyone too much

Swire, Hemings and Kirkland are right that search engines, social networks, app developers, and ad networks can gather far more data about you than your ISP and then leverage that information to follow you wherever you go on whatever device you use.

(Remember that in the debate about how much data police investigators can obtain from a single locked phone.)

If you skip to page 102 of their paper, you’ll see a graphic outlining how many parts of today’s “online ecosystem” ten companies participate in. None have a lock on all ten core functions (from Internet access to online video), and the Internet providers listed look relatively weak.

Companies that don’t want any more regulation like to throw around data like that to argue that, hey, it’s the other guys that need more rules. But there’s a simpler way to read them: as a reminder that one of the better ways to protect your privacy is to spread your business around. It might be easier to let one company serve all of your online needs, but that also gives that one company a much bigger magnifying glass to hold over your online activities.

Follow Rob on Twitter at @robpegoraro

