Plans For Massive Web Tracking Via ISPs

Lauren Weinstein, the moderator of the PRIVACY Forum, writes: "My latest issue of the PRIVACY Forum Digest, going out now, reveals Predictive Networks' plans for widespread Web Tracking via direct links to ISPs! Details are here. Thanks much." Pay ISPs for the ability to snoop on their customers, what a great idea. Dave Farber has a comment on Predictive Networks as well.

Re:Crowds

I checked crowds.org and its not regestered. crowds.com is owned by some German guy who hasn't put much of anything up. And crowds.net is also regestered.

Tip: use a search engine. I recommend Google [google.com]. Try searching for "crowds proxy" [google.com]. You should find The Crowds Home Page [att.com].

Re:Thoughts

Third, there is NOTHING to stop you using tunnels to convince your ISP that you never visit any place of interest.

I wouldn't bet on it. The terms of service of some cable modem ISPs prohibit VPNs.

Data Protection Act

Ah, but to go along with the draconian laws that the RIP bill is, there is a little diamond in the rough.

The Data protection act. Basically, if any UK organisation (not just a company, any org) wants to store personal data about me on a computer, they have to get my signature on a piece of paper, giving them permision. In other words, such a scheme in the UK must be opt-in.

Additionally, they _have_ to let you view _all_ the data you hold on them, for a nominal fee.

(Oh, IANAL, that's just how I precieve it to work, as someone whose tangled briefly with it)

So, how does this releate? Well, look at the they way they let you see your personal data:

Any subscriber on The Predictive Network has the right to view their Digital Silhouette free of charge twice during the calendar year. Subscribers will be charged $50.00 per request thereafter.

Note the two free views. This is so that they can link the Silhouette with a person (or maybe I'm just a bit cynical). After that, you pay through the nose. In UK, assuming it's sent via email, I believe the maximum they can charge is one pound (Those values are typical from companies that snail mail the data to you. They may not be able to charge even that much). Thier planned method of limiting acess to the data they hold is illegal in the UK.

Other nice touches - it would have to be (technically) opt-in. Admitingly, they can be rather sneaky about it - it's now common to have a small box on any form you send to a company, and if you _don't_ tick the box, they have your permision to sell your data. However, it's trivial to tick the box and stop them.

Data protection act - As far as I have seen, it's good for individuals, and bad for companies.

Oh, and there are a number of prosecutions each year under this act - in other words, this has teeth.


--

Re:Who's paying for this?

Battery Ventures
[battery.com]
www.battery.com

20 William Street, Suite 200
Wellesley, MA 02481
phone: (781) 577-1000
fax: (781) 577-1001

901 Mariner's Island Boulevard, Suite 475
San Mateo, CA 94404
phone: (650) 372-3939
fax: (650) 372-3930

Write Robert G. Barrett (Managing Partner) and
show your displeasure at the types of company
battery chooses to fund. His address is
bob@battery.com [mailto]

Write to your ISP

If you are truly concerned about this issue, it is a very good idea to politely inform your ISP that you will refuse to do business with them should they participate in this kind of monitoring.

Just a short note to their sales department or administrators should be enough to let them know
where you stand.

For your convenience I'm including a "form letter" that we can use to make our opinions known. Be
sure to substitute your ISP's name in the appropriate 4 locations in this message, and to substitute your name at the end.
------------------------------------------------ --
Dear (ISP NAME HERE),

I wanted to take just a minute of your time to highlight an issue of some importance to me, a customer for (TIME PERIOD), by which I hope to make known at least one customer's views on some rather disturbing trends in Interenet access. Just a moment of your time to express my thoughts, and hopefully influence (ISP NAME HERE)'s future direction would be appreciated.

There is currently an initiative and offering by a company named Predictive Networks to engage ISPs in a scheme by which the ISP will monitor web traffic patterns from individual subscribers. This data would be given to Predictive Networks to create user profiles which are then used for marketing purposes.

In exchange for this information ISPs would presumably be financially compensated. This of course can only lead to coercion by ISPs upon subscribers to submit to this sort of monitoring lest they face either termination of service or higher service fees.

The discussion which brought this initiative to my attention can be found at the URL http://www.vortex.com/privacy/priv.09.13.

I have no desire to particpate in such data collection, and will vigorously oppose the imposition of any such policy upon me. As a satisfied customer of (ISP NAME HERE) to this date, I want to make known that I will refuse to conduct business with any ISP which chooses to participate in this venture. I sincerely hope that (ISP NAME HERE) will never consider detailed monitoring of their customer's Internet traffic.

Thank you for your time,
(YOUR NAME HERE)
------------------------------------------------ --

What impact on DSL?

This is mostly referring to ISP's (I know,
backbones *are* mentioned) -
and where I live, the major DSL provider is
SWBell, which is a semi-regulated provider.
(Semi-regulated by the government). Telephone
companies keep track of all sorts of data
about us - all the calls we receive, all of
the calls that we make. What they can do with that information is extremely limited. They are prohibited
from selling or making that information available,
unless its requested by a law enforcement agency.

Would those regulations also apply information
that they may/could gather through a DSL-style
connection? And if they currently do not, should
they be expanded to do so?

The concept is rather scary - as long as a company can make money by infringing on people's
privacy, those companies will have no issue to
continue to track/monitor and sell information.

As much as I am against governmental regulation,
some federal guidelines may be necessary in order
to keep these companies in line.

Just my 2 cents... on a sleepy Friday morning...

Re:I can't sit back and watch this!

I doubt this is a hoax. I work for a network management software company, and we've had requests from major-name American ISPs to gather information of this type. We've refused. So there definitely is a "market need" out there waiting to be satisfied, and apparently Predictive Networks wants to satisfy it.

Re:What impact on DSL?

Telephone companies keep track of all sorts of data about us - all the calls we receive, all of the calls that we make. What they can do with that information is extremely limited. They are prohibited from selling or making that information available, unless its requested by a law enforcement agency.

Sorry but this assumption is not quite valid anymore. Pleae refer to:
"CNN" - FCC to appeal court ruling vacating privacy regulations [cnn.com] - August 25, 1999. A court ruling overturning federal protection of telephone customer records puts the interests of phone companies over the rights of consumers, a top federal regulator says.

The Federal Communications Commission("FCC") plans to appeal the decision by the three-judge panel of the 10th U.S. Circuit Court of Appeals, which could enable phone companies to use information about customers for marketing purposes without obtaining their consent.

"FCC" Chairman Bill Kennard said the court's decision to reject the commission's rules remove important protections to consumer privacy.

Political News from "Wired News" - Phone Records Up for Grabs? [wired.com]. A court ruling ( 98-9518 -- U.S. West Inc. v. Federal Communications Comm. -- 08/18/1999 [kscourts.org] ) with implications for the use and sale of private telephone records sets a disturbing precedent for how the courts regard privacy, watchdog groups say.

But the Federal Communications Commission("FCC") will appeal last week's 10th Circuit Court of Appeals decision, which pleased those privacy groups.

The ruling effectively canceled a vague "FCC" regulation that had forced phone companies to obtain customer permission before using or selling call records for marketing purposes.

ACLU Press Release: 10-25-99 - Consumer and Privacy Organizations, Legal Scholars Urge Appeals Court to Protect Consumers' Telephone Privacy [aclu.org]. In a friend-of-the-court brief filed today, 15 consumer and privacy organizations and 22 legal scholars urged a federal appeals court to reconsider a decision that would allow telephone companies to use private telephone records for marketing purposes. The groups, including the American Civil Liberties Union, said that the case is of great importance to consumers across the United States. The brief, filed in support of a petition from the Federal Communications Commission, asks the 10th Circuit Court of Appeals to uphold a privacy provision that was enacted by Congress in 1996 and implemented by the FCC.

Scary article from marketroids' perspective

Doing a quick Google search, I ran across this article [fastcompany.com] praising the development of "interactive relationship managers" (IRMs) like the one developed by Predictive Networks. The author is all agog about the marketing benefits of using these IRMs to target exactly what the customers want. He says that 'the "best customers"...[will] make sure that the only advertising that gets through is advertising that they really want to hear.' But then he claims that the way to do this is to use IRMs that 'collect user data based on the surfing habits of ISP customers and then make appropriate suggestions as to what else those customers might like or need.

He also mentions the opportunity for companies to act as free ISPs to their customers so that they can easily gather the profiling information.

<RANT>
This "solution" is patently ridiculous (maybe it should be patented!). Am I a "best customer" in his terms, or not? I absolutely do not want my time and bandwidth wasted by any advertisement unless I decide that I want to see it. According to his definition, that makes me a "best customer".

But there's no way that I want any commercial entity, either software or meatware, to profile my actions and try to figure out what I might be interested in. I'm sorry, but this "best customer" wants to choose for himself what he's interested in seeing. I know best what I'm interested in. Any other "solution" is a travesty, and especially one that violates my privacy in order to provide a useless "service" that I do not want at all.

Not only is the IRM a violation of my privacy, but it's also ineffective -- my current interests are not determined by my previous interests. If I am interested in purchasing something, I will find the information I need for myself. And it will be good information -- not just biased marketing drivel.

How can someone be so clueless to think that IRMs are a solution for people who want to control what advertising they see? They are the same marketing solution all over again - "we will tell you what you should be interested in."

Sorry, but I'm not listening. I already know what I'm interested in.
</RANT>

Re:Thoughts

> this scheme will only affect the clueless

That's not the point. _No one_ should have to jump through hoops to maintain their right to privacy on the Internet. One shouldn't have to be a "geek" and know how to beat the system, because the system shouldn't be that way in the first place.

> the sheer volume of information they'll need to process will be overwhelming

So maybe it'll be difficult in the beginning, but remember Moore's Law can be applied to more things than your Quake III fps score or your Linux compile time. While processing power, bandwidth and storage capacity continue to increase, the last time I checked, the length of URLs was pretty much constant. If they can't handle all the data now, with the right funding, they will be able to soon. It's only a matter of time....

Set up tunnel network

I've been kicking around the idea of setting up an invitation-only IPv6 tunneling network with encrypted tunnels. This story encourages me to develop the idea.

UK and the Regulation of Investigatory Powers Act

In the UK, the government will get there first.

The Regulation of Investigatory Powers Act [fipr.org] will treat ISPs as telcos. It will require them to put the monitoring apparatus in place, so the government can watch what its taxpayers are doing. More detailed discussion of this hideous legislation can be found at the STAND [stand.org.uk] site.

Once the telcos, sorry, ISPs put this apparatus in place, thy might as well get some return on their 'investment' by gleaning marketing info about their customers in passing.

We need to fight back!

I keep seeing these draconian laws being passed by our government, and these orwellian systems being created and implemented by profit- and power-hungry corporations. It seems every day there's a different post to Slashdot describing some new method for controlling the flow of information and the freedoms that we should be taking for granted...

And what are we doing about it? Why do we keep allowing our rights and freedoms to be taken away?

Why are those in power doing this to us? That's easy to answer: Because they can. Because anybody in power will seek to extend their power and control.

Why are we allowing this to happen? I don't know. Some of us are fighting back as much as we can, but most of us simply post to Slashdot and complain.

Listen up! All this bullshit that we've been fed ("We live in a free country!", "The economy is doing great!"), it's all just that: bullshit! We're losing our rights and freedoms on a daily basis, our economy is fake (the drop on last Friday was equivalent to Black Tuesday in 1929), people all over the world are being forced into sweatshop slavery in the name of "economic progress", and our environment is being raped and destroyed at an alarming rate in the name of profit.

And most importantly? The technology that we all love and support is being turned back on us in order to control and monitor people. They're usurping something that they have no right to usurp. We have to put the power of technology back into the hands of the people!

It's time to fight back! It's time for a revolution!

http://www.indymedia.org [indymedia.org] - Support independant media!
http://www.soaw.org [soaw.org] - Why are our tax dollars being spent on training murderers?
http://www.corpwatch.org [corpwatch.org] - So you think only governments can oppress and censor?

http://www.spunk.org [spunk.org]
http://www.infoshop.org [infoshop.org] - Communism is dead, Capitalism is close to it. There is another alternative, and it's time we started exploring it.

http://www.adbusters.org [adbusters.org]
http://www.rtmark.com [rtmark.com]
http://www.subvertise.org [subvertise.org] - Subvertising (also known as adbusting) at it's best.

http://www.ainfos.ca [ainfos.ca] - Keep informed on what is happening in the world, from an anti-authoritarian, grassroots perspective.

http://www.a16.org [a16.org] - Seattle and D.C. are just the beginning.
Michael Chisari
mchisari@usa.net

Oops... link down

Looks like Zero Knowledge picked an inopportune time to update their Web site.

They run a network that's like a proxy on steroids. They even try to protect you against traffic analysis. Everything is encrypted. Everything goes through three servers, chosen by the user from a long list. The server operators are all independent of each other.

Each server knows only the hop before it and the hop after it. The first server has your IP address, but not the address of the site you're visiting, let alone the URL. It only knows how to send the data to the second server. The second server knows only the other two, and doesn't know who you are or what site you're hitting. The third server knows the URL, and how to send the data back via the second server, but not who's hitting it. You can theoretically use longer chains. You can pick servers in different countries. Etc, etc.

A future version of the system is supposed to send "cover traffic" to screw up traffic analysis.

The software runs on Windows; Linux version due RSN, so they say.

50 bucks buys you 5 pseudonyms for a year. Hizonner says check it out (when the Web site comes back up).

Disclaimer: I want to work for these guys.

It's inevitable: simple economics, plus the gov't.

I work for a big .com, and in the course of my product management duties I have picked up some knowledge about how ad rates on the net are set up.

(Vocabulary you need to know: CPM. CPM stands for "cost per thousand," and it is how ads are sold. Show an ad to 1000 people, and you earn the ad's CPM, less a fee for ad serving, which is somewhere around $0.30-$0.50, from AdSmart anyway.)

Anyway, here's why all this tracking hoo-hah is inevitable...

Un-targeted banner ads -- the "bottom feeders," I have heard them called -- command a measly $1-3 CPM. Many sites that do not have their users categorized display these "run of site" untargeted banners. They make a few bucks per CPM. Nice, but it's not the big money.

Targeted ads are much more lucrative. If your users are divided into highly "vertical" segments, like car people, pet people, etc. you can make $10-$15 CPMs.

Right there is the motivation for all of this. Targeted ads make the big bucks.

But, look on the bright side... in the coming no-privacy ISP world, there's an opportunity for a number of right-thinking geek-run ISPs to really grow and serve our needs...

... until the government fixes that by banning on-line anonynimity. Which is their ultimate goal -- don't doubt that for a minute. The President stated that very clearly recently. I wish I had the link handy. Right now we should also be thinking of ways to defeat enforced-by-law identity tracking, as it is inevitable.