06 September, 2008

Your biggest privacy concern could be from your own ISP

Over the last 6 to 12 months there has been several battles between ISPs, users, and the government. ISPs want to choose what type of content can run on their network and how fast it should be delivered. One such example is Comcast's blocking of P2P traffic. During their FCC investigation, Comcast changed this practice, though after being ruled that it was actually illegal practice, Comcast is now challenging the ruling. For Comcast to block just P2P traffic, it had to scan all the activity on your connection to identify what part of the traffic was P2P.

In the Comcast ruling, the FCC implied that it would be legal to monitor user traffic so that illegal content could be blocked such as child pornography and copyrighted material. While we would all like to see child pornography and other nefarious activity stopped, this would require the ISP to inspect everyone's content, from banking to love letters to new job applications and everything in between. It would be interesting to see this challenged in the courts, as this seems to violate wiretapping laws.

Now we've all heard about a store or even banks either losing customer data (such as credit card numbers) or their network being breached, losing data. How long until the same thing happens to an ISP? What if that ISP had all of your surfing habits and associated content? It doesn't end here, though.

As I mentioned in my Safe and Secure Internet Surfing blog post, so ISPs are allowing third-party companies setup in their data rooms to monitor and collect information about you in exchange for a few dollars. These third-party company's, such as Phorm and NebuAd, use your Internet surfing behavior to better target advertising. Further, this is being done without your permission. No opt in; no offer to lower your ISP fee in exchange; and in some cases, no way to prevent. Fortunately, this behavior has had so much recent scrutiny that some ISPs have decided to stop projects that would have added this to their networks, and the President of NebuAd has even left for a new job.

Before I close out, let's look at one more scenario -- most ISPs are operating with a conflict of interest. The same ISP that should be delivering you content of your choice at a consistent speed as any other content, also is a provider of content themselves. For example, I currently do not have any form of cable TV or satellite TV -- any TV I watch is either through the air or over the Internet. My ISP, could throttle down my throughput (or lower the reliability) for Internet TV in hopes of getting me to buy their service which would deliver a higher quality experience. The same could be said about Internet telephone (VoIP). I can use a lower cost service such as Skype, which directly competes with my ISP's VoIP offering. Through inspecting my traffic, they could also reduce the throughput of my connection, making me want to try a different service such as their offering.

One more example. Comcast recently introduced a bandwidth cap (effective Oct 1), which has a hard penalty for violation (loss of service). The next step from Comcast is to add some exceptions to the bandwidth cap; add an exception for any Comcast content. Now if you had concerns about exceeding your bandwidth usage, you may opt to access Comcast content at times where in the past you would have looked at content from another provider. Each of these examples requires your ISP to perform deep-packet inspection to know specifically what you're doing in order for them to know how to handle the situation. This is just another situation where your ISP would have records of your Internet activity; records that they do not need to provide Internet service.

So let me conclude, ISPs such as Comcast have already demonstrated that they can and will inspect your Internet traffic to take action based on their interpretation of what you should or should not do on the Internet. Additionally, though the FCC beleive blocking certain traffic protocols such as P2P are illegal, watching for illegal content is okay, therefore all activity must be watched to locate anything illegal. We have already seen some evidence of ISPs using their "trusted" services to make more money from you through allowing third-parties monitor and track your Internet behavior. I have also established how most ISPs are operating under a conflict of interest, providing you Internet access and competing content and services. And finally, we have already witnessed organizations that we trust lose our data to nefarious hackers.

What can you do?
  • Tell your government officals how you feel about these issues, and support only those that are looking out for your best interest -- Save the Internet is a good place to start.
  • You can also notify your ISP your position, and that if they offer these new "features", you will be finding a new ISP. Here's one such resource from August 15, 2008, that lists spying ISPs.
  • Pay attention to what industry experts who care about this are saying.
    • Follow Steve Gibson: Perhaps the most well known security expert among the general public. Steve has been responsible in getting Microsoft to make many security improvements over the years. Steve, through his GRC website also provies a great utility, Shields Up, that can analyze and give you feedback aboutr the security of your computer on the Internet.
    • Follow Paul Ohm: Paul recently posted an article about the very subject I've written about here: The Greatest Threat to Privacy: The Internet Service Provider. "Paul is an Associate Professor at the University of Colorado Law School. He specializes in computer crime law, as well as Internet regulation, criminal procedure, intellectual property, and information privacy."
    • Check back here: I will do my best to summarize the many things I hear on Internet security, privacy, and the unethical behavior of ISPs.
  • Read other blogs, such as Wired's postings on Law, Online Rights, and Security.
I predict that without increased consumer involvement, this sort os privacy and security violations will gradually gain a foothold. It's time for the less Internet savvy to understand and speak up too.

No comments: