ISPs May Be Selling Your Web Clicks

Mozzarella writes "Could our ISPs be selling our click data without us even knowing it? It seems like the practice is happening a lot more than we realize, and can be tracked for each user. Complete Incorporated's CTO David Cancel told Ars Technica that his company (an internet research firm) licenses click information from ISPs for 'millions of dollars' to figure out how we use the web. From the article: 'He did not give a specific figure about what this broke down to in terms of dollars per ISP user, although someone in the audience estimated that it was in the range of 40 per user per month — this estimate was erroneously attributed to Cancel himself in some reports on the event. Cancel said that this clickstream data is 'much more comprehensive' than data that is normally gleaned through analyzing search queries.'"

Your Internet soul was sold years ago

There is little new here. Companies such as http://www.hitwise.com/ [hitwise.com] have been purchasing raw traffic data for years. They place a box at switch level and monitor everything about everyone and the sell on the reports for profits. The last time I had a quote from them it was in the region of $28k to monitor footfall to a single site for a year. Access to the full data set can run into the hundreds of thousands.

Is this legal?

If this is being done without users' consent, then it strikes me as being dangerously close to wiretapping, which is illegal.

EULA doesn't always prevail

It is WITH user consent via the 99.9%-unread EULA.

If the EULA enforces things that a reasonable person wouldn't expect to find in a contract of this type, the unreasonable elements of the EULA may be found unenforceable by the courts.

Whether the right to sell data relating to your Internet use to third parties something a reasonable person would expect is debatable. Someone could challenge those portions of the EULA covering click info, on the basis that they are not to be reasonably expected in an end user license covering a contract for Internet access.

The challenge wouldn't necessarily prevail in court, but it could be made. The legal theory behind this is that when one party holds a substantial bargaining advantage over the other, and has employed contractual language that is dense and lengthy, it is unreasonable to expect that the disadvantaged party will be able to spot every element of the contractual language. After all, the company can employ a lawyer to put all sorts of bizarre language into a contract, and most consumers are not schooled in such language, nor do they necessarily have the time to go through the language of each and every EULA. Thus, if the party with an advantage employs tricky language in the EULA, that language can be considered unenforceable.

Re:Is this legal?

Remember that EULA you clicked 'I agree' on without reading?

I agree.

Apologies to HAL 9000

"Good lord, it's full of... porn"

Insert joke here

Insert joke about a click business represented by a guy named Cancel here.

So, who's going to be the first to...

write a randomizer (using wget?) to pollute their data?

Possible

While a counterattack is possible there are two mitigating factors:

First, philosophically, it is always the course of greater wisdom to explore extinguishing the problem using passive resistance (eg. avoiding offending services). Sadly, this is rarely effective against a determined aggressor but it does prevent unnecessary conflict by establishing a baseline of just how determined the aggressor is.

Second, in terms of time, the information gathering industry is way ahead of us and the internet laws are written to be easily used against people who would interfere with their exploits.

All in all, though, data pool pollution would be an effective approach if the aggressor has been determined to be resolute and the legal aspect weren't so grim.

Seem reasonable. Almost

For his part, David Cancel told Ars that he "strongly supports an increase in the methods and degree to which disclosure is communicated," not only for clickstream data but for any kind of data collected on users' personal surfing habits.

Nicely put. I'd even go so far as to suggest it's even nicer than what we typically hear during White House press conferences.

He stated that "all users should be informed explicitly when their data can be sold to a third party."

The tricky part. A nice sounding pronouncement, but it sidesteps the issue of whether they are, and if so, to what extent, etc. And it overlooks what we should expect, which is typically a progression starting with a scandal, followed by a Mistakes Were Made apology, followed by calls to action and the scattered efforts of those affected but who otherwise have little say in the matter, and if we're lucky, a legislator giving a There Oughta Be a Law speech before some subcomittee.

I've often wondered what the cable companies are doing with respect to TV watching. On the one hand, it seems perfectly reasonable that they could devise a system whereby they could collect statistics on my viewing habits and sell them to Nielsen's. On the other, I'm not aware of whether they can, have plans to, or already do. Maybe someone more knowledgable can clue me in.

Windows Vista Version

Looks like you are clicking a link...

Cancel or Allow Cancel to view your clicks?

huh?

This is a VIRTUAL Warentless Search!

Boy if HotSpotVPN is not going to make hay off of this, I don't know what will.

Typo

That's $0.40 dollars per user, not $40. The cents sign is missing from the summary.

Master Plan

Mwahaha, my plan to distort tracking information by clicking on millions of porn links has not been in vain !

oh noes

MY ISP knows that I download lots of porn, read slashdot and fark. well, for starters, my ISP serves me those pages. So, um, I'd hope they are involved.

Though in this case, if they tie names or other identifiers to the data I could see the uproar. I mean we do pay the ISP, so they shouldn't go out of our way to spread our info to others [more than it already is].

Of course this opens the door to "unlisted" ISP accounts where the ISP doesn't log your data if you pay a premium ...

oh shit I gave them an idea...

Wrong info

... tracked for each user. Complete Incorporated's CTO David Cancel...

... in terms of dollars per ISP user, although someone in the audience estimated that it was in the range of 40 per user per month...

The company is Compete Inc., and the estimate was 40 cents per user per month.

I am thankful!

Before my ISP started selling my clicks, they were piling up all over my apartment. I welcome their new plan!

Encryption?

This reminds me of something I've been mulling around in the back of my mind a lot lately - I think the net needs to move towards every connection being encrypted. I mean, why are we sending URLs as plaintext in the first place? The only thing my ISP should see is a target IP address and an encrypted stream. Maybe the internet powers that be should be coming up with new IP standards (eTCP?)

What about...

caching proxies? Wouldn't they skew the collected data?

Competition can "solve" this

Assuming you think this is a problem (and I'll wager most of us here do), competition can solve this. Some companies can charge more for having a privacy clause in your contract. Others can compete by offering less service but at the expense of your data. Effectively you'd subsidize your internet connection by selling metrics on yourself.

The only problem, of course, is if fraud is going on: if companies are using the data in a way inconsistent with their agreements.

Re:Who gives a rats ass?

You all act so fuckin high and mighty - Privacy is a moot point to argue when you live in your parents basement.

You know I'm right

Son, your mother and I have said it before and we'll say it again: if you didn't have such a fixation on ostrich porn, we wouldn't have to monitor your net connection. When you're 18 and you have a place of your own then you can look at all the flightless bird porn you like, but not a moment sooner. Do you have any idea what it did to your little sister to come home and find you naked and covered in egg yolks with your head in a box of sand and feathers stuck up your ass?

Re:bring it on

More importantly, if it's my clicks, why don't I get paid for them? I should get compensation for the carpal tunnel generating all their clicks.

Re:bring it on

who should I be sending the lawsuit to?

      Sue Google for a billion dollars. Everyone else is...

Re:this coupldn't be more off topic if it tried

aw come on mods, that had to be at least a -3 off topic.

it's not fair. I've had loads of +2 to +5 moderations, but never a -3, surely you can give me this one thing....

Re:Who gives a rats ass?

It isn't just about your personal privacy. The way that society protects other people's privacy can affect your personal well-being.

The simplest example is when a group attains political dominance and is able to breach the privacy of anyone who challenges the status quo. If they can cause sufficient embarrassment or publicly humiliate anyone enough to make them unelectable, they can still appear to run open and fully democratic elections without risk of losing their grip on power.

Society as whole will stagnate and suffer under such conditions, and even if you personally have nothing to hide, chances are that you'll end up suffering too. Although you may not realize it since most people tend to accept that life is the way it is, never wondering if a better life could ever have been an option.

Re:Naive or purposely wrong?

The data is not sold with accompanying user name or information, but merely as a numerical user value. However, it is still theoretically possible to tie this information to a specific ISP account

only if the ISP leaks something, like a specific identifier (MAC?) or a cookie.

A URL can have information in it that either identifies you, or can help narrow it down.

For example, a poor quality website for looking up your IP address might return it in the URL. If you look up your address, the URL would have it. If you edit Wikipedia anonymously, your user talk page, which you might edit frequently, has your IP address in it. If you go to several sites with a narrow userbase, for example a college or business's website, they could try to get all of the IPs that visit those sites and find which ones are common between them. Also, if you have a personal website, with stuff that would only be of interest to you, visiting there several times could make it easy to guess who you are in real life.