Oh Yuck
June 25, 2008 at 19:16 | Posted in Life, Privacy/Security

After listening to Steve Gibson on Security Now! this week (episode 149), I started doing some digging on some of the other companies that Steve mentioned that are trying to get ISPs to engage in DPI (Deep Packet Inspection) tracking of their clients (you, me, almost everyone on the net).

The sudden and rapid proliferation of these companies (Phorm, NebuAd, Adzilla, Front Porch, etc.) seems to indicate that there is some interest in this business model, and that is frightening to a privacy advocate like myself.

Why, you ask, would I be concerned about “anonymous” tracking of “non-personally identifiable information”? Well, firstly, the anonymous part is a blatant lie. The whole reason these companies are doing this is to be able to put better-targeted advertisements in front of you. To do that, they MUST know who you are: perhaps not you in the person of “Joe Blow”, but they definitely know you when you are surfing a site that their advertising partners use. This means it is completely trivial to strip away your supposed anonymity.

Only a few people worried about the anonymity of information collected by search engines until the United States government tried (and succeeded) in going on a fishing expedition in that data. What is to stop similar abuses of this technology?

Unless they are completely transparent on how they collect the data, what data they collect and how long they retain it, we have to assume the worst. DPI lets these companies collect any data that is unencrypted from any online source: e-mail, chat, web browsing, unencrypted VNC sessions (well, those are a terrible idea over the open net anyways, but people persist in using them), etc.

Add to this that ISPs are installing this without clear declaration of the fact to their users (no, having it hidden in paragraph 39 of page 18 of the TOS, which you know 99% of users never read, does not constitute CLEAR disclosure). But really, what ISP is going to say “oh, yes, before I give you this cable modem, would you please sign this waiver giving us total permission to monitor, scan, store, and sell (yes, they are selling your info and your privacy to these companies) everything you do... unless you encrypt it”?

IMHO this is a privacy nightmare waiting to happen. Am I a bit alarmist? Perhaps. Were the people that were alarmist about search engines and privacy correct? Yes, 100% so.

The bottom line is that our privacy is our right and we all individually need to take steps to protect it: by writing the privacy commissioner about your concerns, by writing your ISP about your concerns, by doing everything possible on your home network and PCs to ensure that these schemes fall flat on their collective faces.

(I hope to write a blog entry on hardening your computer and Internet activities against these threats soon. I wrote one related to Phorm earlier, but as this threat is growing I think a more in-depth blog entry is necessary.)


