ISPs Using "Deep Packet Inspection" On 100,000 Users

CmdrTaco posted more than 6 years ago | from the something-to-think-about dept.

Privacy 309

dstates writes "The Washington Post is reporting that some Internet Service Providers (ISP) have been using deep-packet inspection to spy on the communications of more than 100,000 US customers. Deep packet inspection allows the ISP to read the content of communications including every Web page visited, every e-mail sent and every search entered, in short every click and keystroke that comes down the line. The companies involved assert that customers' privacy is protected because no personally identifying details are released, but they make money from advertisers who use the information to target their online pitches. Deep packet inspection is a significant expansion over tools like cookies in the ability to track a user. Critics liken it to a phone company listening in on conversations."

309 comments

So? Use https, ... (2, Insightful)

Anonymous Coward | more than 6 years ago | (#22972484)

..., ssh, pgp all the time!

Re:So? Use https, ... (0)

Anonymous Coward | more than 6 years ago | (#22972690)

NEWS FLASH: unencrypted communications are sent over an unencrypted connection and could be easily read by a third party.

Re:So? Use https, ... (1)

tomhudson (43916) | more than 6 years ago | (#22972912)

First step: https instead of http.

Inspect THAT!

because every website has https support (0)

Anonymous Coward | more than 6 years ago | (#22972844)

Please. The AC's don't even try anymore. :(

Re:So? Use https, ... (2, Informative)

Ernesto Alvarez (750678) | more than 6 years ago | (#22972966)

Let me add OTR messaging [cypherpunks.ca] to the list.

Available for Pidgin (aka GAIM), Adium X, mICQ, Kopete, Miranda, Trillian and as a proxy for people that use other clients. Works on any IM network.

(I've been using it on GAIM for some time and I recommend it)

fp (-1, Offtopic)

Anonymous Coward | more than 6 years ago | (#22972490)

first post, is anyone alive?

So what's the status on IPSec? (5, Insightful)

Anonymous Coward | more than 6 years ago | (#22972492)

DNSSec and opportunistic IPSec should put an end to the snooping and throttling once and for all.

Re:So what's the status on IPSec? (0)

Anonymous Coward | more than 6 years ago | (#22972554)

Mod parent up.

Even if fairly "lightweight" encryption were used for all communications, it would thwart the vast majority of this snooping. As CPUs increase in power, we could slowly ramp-up the baseline strength of the encryption.

Re:So what's the status on IPSec? (4, Insightful)

NeverVotedBush (1041088) | more than 6 years ago | (#22972768)

In response to another article, I said that we should start encrypting all of our traffic and asked for programmers to start adding that functionality and making it the default so that even unsophisticated users' traffic would be encrypted.

But with the revelation the other day that the Bush administration believes the Fourth Amendment (right to privacy and protection from searches without cause), this becomes just another good reason to get cracking with all traffic encrypted.

http://yro.slashdot.org/article.pl?sid=08/04/03/1219200 [slashdot.org]

Re:So what's the status on IPSec? (2, Insightful)

NeverVotedBush (1041088) | more than 6 years ago | (#22972820)

Yikes - What I meant to say was that the Bush administration believes the Fourth Amendment does not apply to them and that they have the right/power to monitor and wiretap at will.

Also, another point about this is people have always said that users should understand that their activities on the Internet could be monitored by third parties. This, however, is different (at least to me) in that it is systematic snooping on the part of ISPs.

The situation has somewhat changed in another way, too. It used to be that there was no practical way to store or monitor all of the traffic. The technology just wasn't there. Now it is. The FBI has "Carnivore" and who knows what else. Storage is cheap and computers are now very fast. Everything people do can be stored, sifted, inspected, categorized, and given a score as to how likely the person is to be a terrorist, commit a crime, etc.

It is starting to get where people are putting themselves on the line just by posting to forums like these. Obviously that is a paranoid view, but it is also one that is now possible - if not probable - and all it takes is for the right (or wrong) person or organization to decide some site, person, or group should be monitored and it becomes reality.

Why not spider the web? (2, Interesting)

budgenator (254554) | more than 6 years ago | (#22973020)

You think these guys don't like BitTorrent, wait until everyone starts a process to spider the web to obfuscate where the fleshies are really browsing at and run that 24/7 to overload their deep-packet inspection devices.

People already do (5, Informative)

mark_hill97 (897586) | more than 6 years ago | (#22973258)

It's called Tor [torproject.org].

Re:So what's the status on IPSec? (1)

liquidpele (663430) | more than 6 years ago | (#22972726)

I read the Wikipedia article on DNSSec, and it does not seem like it's ready to me. Opportunistic encryption is good, but it doesn't work from behind a NAT from what I understand, which makes it basically useless since NAT is the poor man's firewall!

Re:So what's the status on IPSec? (1)

rawler (1005089) | more than 6 years ago | (#22973222)

Which is only one of the countless reasons why NAT must die. By coincidence, IPv6 doesn't encourage NAT, and IPSEC is a lot more firmly integrated there. (Also, don't EVER trust your NAT-gw to be a firewall, especially not if it's UPnP-enabled in which case it's actually very likely to be the spy itself.)

Track this! (0, Offtopic)

mastermemorex (1119537) | more than 6 years ago | (#22972500)

(\__/) This is Lapinator
(='.'=) copy it in your sig
(")_(") so it can take over the world

Re:Track this! (0, Offtopic)

buravirgil (137856) | more than 6 years ago | (#22972894)

that rabbit might take your head off
i know a lapland tale about a hole where women
got dropped off...turned my stomach a little
but i don't know, maybe the story will keep

and never repeat if the tale is told of what
fools of old kept their King a fold and a
narrative hit the street

Encrypt everything. (5, Insightful)

ookabooka (731013) | more than 6 years ago | (#22972508)

That's it, I say webservers move to SSL only transactions. All other plaintext transmissions should get encrypted at the endpoints transparently. Then when the government whines about not being able to find the terrorists they can blame datamining companies that paid for their election campaign. Then they can make a law that forces a back-door, which would create a need for some nifty-ass steganography [wikipedia.org] which would lead to massively excessive processor and network overhead (encryption and steganography respectively) for the most basic of transactions which would lead to NSA funded algorithms to find these hidden messages which would. . .holy shit it's almost 10AM, I need to hit the sack.

Re:Encrypt everything. (1)

cs02rm0 (654673) | more than 6 years ago | (#22972572)

Seconded. It's beyond me why this hasn't happened already. Google do it fairly well as an option with gmail and google reader for example but not with their searching?

Re:Encrypt everything. (1)

liquidpele (663430) | more than 6 years ago | (#22972590)

Sounds like a good case for a new firefox plugin! Render all the urls to be https, it shouldn't be that hard. You'd probably have to put an option in the right click menu to open as http in case the server didn't support ssl when you clicked the first time though...

Re:Encrypt everything. (2, Funny)

maxwell demon (590494) | more than 6 years ago | (#22972618)

What about Slashdot? After all, you might not want your ISP to know that you read such subversive web sites! :-)

Re:Encrypt everything. (3, Informative)

mollymoo (202721) | more than 6 years ago | (#22973342)

Encryption doesn't stop people knowing who you're talking to, just what you're saying to them. And Slashdot does offer SSL to subscribers.

Re:Encrypt everything. (0)

Anonymous Coward | more than 6 years ago | (#22972680)

Remember many "SSL sites" only encrypt your authentication/login and not the subsequent content such as your E-mail traffic. I encourage any ISP employee who has knowledge of this process by their employer to dime them out here and to provide as much detail as possible. People in the US get worked up about Government monitoring but it's corporate monitoring that is the primary threat to the average person's privacy in the USA.

Re:Encrypt everything. (4, Insightful)

pla (258480) | more than 6 years ago | (#22972758)

That's it, I say webservers move to SSL only transactions.

I agree completely, but keep in mind that even with encryption, ISPs can still collect quite enough information on us to put together a truly impressive profile. Sure, they won't know exactly what you read, but if you visit Erowid, I'd call it a good bet you don't want recommendations on a cheese to go with dinner.

For targeted advertising purposes, the simple "where" counts for 90% of the "what".

Re:Encrypt everything. (2, Insightful)

seneces (839286) | more than 6 years ago | (#22972776)

SSL's general uptake is held back by two unfortunately major points. Firstly, it costs money to buy an SSL certificate, and you have to deal with all sorts of shit (or spend more money) if you use subdomains, alternate domains, etc. Something like CACert could fix this issue if it were widely accepted, but of course that would make the entire system less trustworthy..

Secondly, there is no normally implemented way to do name-based virtual hosting with SSL, and most people don't want to or can't give each domain its own IP. There is a TLS extension to solve this, but afaik browser and httpd support is minimal or nonexistent currently.

These are issues the community really needs to be concentrating on, because all too often these days it does not make sense to communicate and let the rest of the world watch.

Re:Encrypt everything. (2)

liquidpele (663430) | more than 6 years ago | (#22972824)

I second this! I was trying to get SSL working on our different domain names just the other month and when I found out you can only have one cert per IP address, I was like "who the fuck thought this was a good idea?? Like no one ever had multiple domains point to one IP before? GAAAAHH!!" Sorry, I get worked up :(

Re:Encrypt everything. (4, Interesting)

DaleGlass (1068434) | more than 6 years ago | (#22972990)

The problem is that SSL happens before any HTTP does, and SSL is a general mechanism that can be used for any kind of TCP connection.

How does the webserver know what to give you when foo.com and bar.com map to the same IP address, and the browser requests something like index.html that exists on both? This works only because when the browser makes the request it also tells the webserver which domain it was trying to access. The browser sends something like this:

GET /index.html HTTP/1.1
Host: foo.com

Now, this breaks for SSL, because SSL happens before the connection is established, so there's no way to decide which certificate to use based on the domain.

The fix to this is adding the support directly to SSL. rfc4336 contains a mechanism to do this with TLS.

Re:Encrypt everything. (4, Informative)

interiot (50685) | more than 6 years ago | (#22973268)

Wrong RFC. That would be RFC4366 [rfc.net] ,
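
The TLS extension the two comments above refer to (server_name) puts the requested hostname into the client's first handshake message, so the server can pick a certificate before any HTTP Host header exists. The following is an added example, not part of the original thread: it builds a real ClientHello in memory with Python's ssl module and parses the hostname out of the raw bytes; the function names are illustrative.

```python
import ssl
import struct


def build_client_hello(hostname):
    """Return the bytes a TLS client would send first for `hostname` (no network used)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    tls = ctx.wrap_bio(incoming, outgoing, server_hostname=hostname)
    try:
        tls.do_handshake()
    except ssl.SSLWantReadError:
        pass  # expected: the client has written its ClientHello and now waits for the server
    return outgoing.read()


def extract_sni(data):
    """Return the server_name carried in a ClientHello, or None if there is none."""
    # Reassemble handshake bytes from consecutive TLS records (content type 22).
    handshake, pos = b"", 0
    while pos + 5 <= len(data):
        ctype, _version, length = struct.unpack("!BHH", data[pos:pos + 5])
        if ctype != 22:
            break
        handshake += data[pos + 5:pos + 5 + length]
        pos += 5 + length
    if len(handshake) < 4 or handshake[0] != 1:  # handshake type 1 = ClientHello
        return None
    body_len = int.from_bytes(handshake[1:4], "big")
    body = handshake[4:4 + body_len]
    if len(body) < body_len:  # truncated capture
        return None
    try:
        p = 2 + 32                                   # client_version + random
        p += 1 + body[p]                             # session_id
        p += 2 + struct.unpack("!H", body[p:p + 2])[0]  # cipher_suites
        p += 1 + body[p]                             # compression_methods
        if p + 2 > len(body):
            return None                              # no extensions block at all
        ext_end = p + 2 + struct.unpack("!H", body[p:p + 2])[0]
        p += 2
        while p + 4 <= ext_end:
            ext_type, ext_len = struct.unpack("!HH", body[p:p + 4])
            p += 4
            if ext_type == 0:                        # extension 0 = server_name
                q, stop = p + 2, p + ext_len         # skip ServerNameList length
                while q + 3 <= stop:
                    name_type = body[q]
                    name_len = struct.unpack("!H", body[q + 1:q + 3])[0]
                    q += 3
                    if name_type == 0:               # host_name
                        return body[q:q + name_len].decode("ascii")
                    q += name_len
            p += ext_len
    except (IndexError, struct.error, UnicodeDecodeError):
        return None
    return None


if __name__ == "__main__":
    # Two names that could share one IP address, as in the comment above.
    for name in ("foo.com", "bar.com"):
        hello = build_client_hello(name)
        print(name, "->", extract_sni(hello), f"({len(hello)} bytes on the wire)")
    # A plain HTTP request is not a TLS record, so there is nothing to extract.
    print(extract_sni(b"GET /index.html HTTP/1.1\r\nHost: foo.com\r\n\r\n"))
```

The name is read here without any key material, which is also why it remains visible to anything on the path even when the rest of the session is encrypted.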

Re:Encrypt everything. (1)

neumayr (819083) | more than 6 years ago | (#22973002)

Plus it's computationally, and therefore financially, expensive.

no, encryption is not the answer (2, Insightful)

Briden (1003105) | more than 6 years ago | (#22972972)

standing up for our rights is the answer. unfortunately, corporations listen only to one voice, money, so hit them where it hurts.

Cancel your internet, refuse to pay your bills... boohoo, then you won't have internet? you won't have internet anyway, if they get their way.

Re:no, encryption is not the answer (1)

dstates (629350) | more than 6 years ago | (#22973276)

Do not just kvetch on Slashdot. Communications privacy is a serious issue for a democratic society. Write to your congressman and your senators and tell them that this matters to you.

Re:Encrypt everything. (1, Informative)

Anonymous Coward | more than 6 years ago | (#22973148)

HTTPS is not used for one simple reason. It adds HUGE overhead to a session and reduces the number of sessions a server can handle, thus a web host needs more investment into servers in order to service the same level of users it does now.

Filesharing Responsibility? (3, Insightful)

Thruen (753567) | more than 6 years ago | (#22972524)

If ISPs are monitoring traffic so closely, doesn't that make them more responsible for what people are using their service for? Namely piracy.

Re:Filesharing Responsibility? (2, Interesting)

NeverVotedBush (1041088) | more than 6 years ago | (#22972868)

I do believe that one could make that point. Comcast already has ways to throttle Bittorrent. If they are doing deep packet inspection, I would think that they would know down to the data block what files were being transferred.

Old news - proxies, compressors, etc (2, Informative)

Gothmolly (148874) | more than 6 years ago | (#22972530)

ISPs have always been notorious for secretly compressing your images, caching your traffic, proxying stuff, slipping their own content into your web pages, etc. They look at the contents of your mail, since you can't spoof from anyone to anyone via their servers. How is this different, other than some joker gave it an ominous sounding name like 'Deep Packet Inspection' ?

What's the difference (5, Insightful)

Ernesto Alvarez (750678) | more than 6 years ago | (#22972884)

The difference is that in the first case, the data passes through a dumb machine that compresses, caches, etc. The result is cached like it is expected (RFC 2616 is pretty clear about that), even though it is done transparently. No need to keep logs about who downloaded what.

In this case, the data is explicitly mined, by a company interested in building a profile of each user. It doesn't say it is limited to web traffic only, only that "Nor does NebuAd record a user's visits to pornography or gaming sites or a user's interests in sensitive subjects -- such as bankruptcy or a medical condition such as AIDS.", which I doubt both on technical grounds and because it is a market and someone will want to take advantage and "The company said it processes but does not look into packets of information that include e-mail or pictures." which I think is in contradiction with other parts of the article and even if they didn't, it's a matter of time before they do.

Basically, it's the intent that counts. The ISP can intercept everything they want because they're in the middle. When they start doing so for reasons that are not part of maintaining the communications as specified (like forwarding, maybe firewalling and proxying depending on the conditions), alarms should go off.

I think this is a good thing. (0)

Anonymous Coward | more than 6 years ago | (#22972546)

I think the ISPs spying like this is a good thing - if indeed it can push people to use encryption more. People will be too lazy to do it by themselves without some "motivation" like this. And the ISPs doing it for advertising is a relatively harmless example. Sure beats waiting until a government decides to outlaw some major political party.

I just hope that this invasion of privacy is significant enough that businesses get offended (and they should get offended that some other company is reading most of their emails) to reach the tipping point of encrypting all their communication (email, etc); and home use will follow.

Re:I think this is a good thing. (0)

Anonymous Coward | more than 6 years ago | (#22972860)

Perhaps someone could make up a web-server that creates a random page using links to other websites selected at random. Then anyone can make that a home page, which would mess up all the statistics collected.

time for some hactivism (5, Insightful)

jollyreaper (513215) | more than 6 years ago | (#22972586)

Let's start turning over rocks in the private lives of telcom CEO's and see what scurries out. I'm sure they won't mind, it's in the interests of an open society and free debate, don'cha know.

Btw. is your ISP Knology? (1)

xpiotr (521809) | more than 6 years ago | (#22973034)

One name comes to mind after RTA: Anthony Palermo. ""I don't view it as violating any privacy data at all," said Anthony Palermo, vice president of marketing at Knology." 1. Find his address 2. Intercept his snailmail (which later is returned). 3. Scan it and post it to our small group of Slashdotters. 4. Ask him if he thinks that this is a violation of his privacy? 5. ?? 6. Profit!

Re:Btw. is your ISP Knology? (5, Interesting)

Shakrai (717556) | more than 6 years ago | (#22973116)

1. Find his address 2. Intercept his snailmail (which later is returned). 3. Scan it and post it to our small group of Slashdotters. 4. Ask him if he thinks that this is a violation of his privacy? 5. ?? 6. Profit!

7. Go directly to Federal-pound-me-in-the-ass-prison for postal fraud. Do not pass go, do not collect $200.

Seriously, if the USPS, UPS or Fedex started doing this can you imagine the outrage? Yet somehow it's ok to do it with electronic communications? WTF?

Is This Any Way To Do Business? (1)

JackSpratts (660957) | more than 6 years ago | (#22972588)

if they spent half as much time increasing network capacity at the physical layer as they do spying on customers' bits we'd all be twice as well off, and we might even have a shot at some true global parity. as it is now they've got u.s. customers all drinking from their same dwindling pool.

- js.

Re:Is This Any Way To Do Business? (1)

Overzeetop (214511) | more than 6 years ago | (#22972660)

I'm sure part of it is to determine what is passing through the network and how to reduce the overall traffic flow - which would reduce the amount of physical plant needed. It's not all sunshine and light - they make money any way they can, and if snooping does it for them, they'll do it until it is illegal. I'm just pointing out that ignoring all traffic and building out physical plant isn't necessarily in the financial interest of the ISPs. Using what they have in the most "efficient" way is. Their efficiency may not be in line with your bandwidth usage expectations, of course.

Good luck with that (5, Insightful)

TheMohel (143568) | more than 6 years ago | (#22972594)

Never mind that it's evil, or that it's a great step to losing their common-carrier status.

Never mind that it's a true violation of privacy.

Never mind that I block cookies pretty well and I run with NoScript most of the time and I don't see very many ads, and besides, half of the time I'm inside my employer's VPN.

But even more than that, I have seven other users in my household, half of them teenagers. If they want to sniff all of my NAT-ed packets coming out, they're going to discover that I'm a geek who has four Facebook sites, likes art and hates it, plays Runescape incessantly (the 10-year-old), likes the Wiggles, and works as a beauty consultant. So go ahead and hand me the ad for the latest XBox game (I hate games). Offer my kids server hardware, and see if you can get my wife to click on fun games to play with the Backyardigans. Oh, wait, you already do. It's called "not targeting advertising", and it's free.

So what we have is a thoroughly broken high-cost borderline-illegal absolutely-unethical service offered to advertisers in a difficult economic period. By people who we all hate a lot, and who will rapidly become targets for everything from blocking to legislative action to you name it.

I knew there would be some kind of career move for spam kings in the future. I just thought it would pay better.

I predict a less than stellar outcome for these idiots, and they deserve every painful moment.

Re:Good luck with that (4, Interesting)

ChowRiit (939581) | more than 6 years ago | (#22972900)

However, you still get more accurate data on user trends as a whole - you no longer have the old problem of the fact that only the sort of people who fill in surveys will fill in your surveys, and they're not generally a representative sample.

Any data at all on user trends more than their competitors will help advertising companies make money.

Re:Good luck with that (5, Informative)

mpaulsen (240157) | more than 6 years ago | (#22972904)

Never mind that it's evil, or that it's a great step to losing their common-carrier status.

They don't have a common-carrier status to lose.

Re:Good luck with that (1)

Nimey (114278) | more than 6 years ago | (#22972936)

it's a great step to losing their common-carrier status.

HA HA HA! You underestimate the power of bought congressweasels. One will slip in an amendment into a big must-pass bill, and Bob's their uncle.

Re:Good luck with that (1)

neumayr (819083) | more than 6 years ago | (#22972952)

I'm pretty sure they can distinguish different users behind a NAT gateway. Everyone uses NAT.
But that's beside the point - sure, you might have some defenses against that sort of thing, but about 99.9% of Internet users don't.

Meaning, your personally being less affected does not make any difference - they don't need any luck.

Re:Good luck with that (0)

Anonymous Coward | more than 6 years ago | (#22972986)

Never mind that it's evil, or that it's a great step to losing their common-carrier status.

ISPs are not and have never been common carriers!

Re:Good luck with that (1)

TheMohel (143568) | more than 6 years ago | (#22973144)

Yeah, I know. They have a legal exemption from liability for the contents of the traffic they carry, subject to certain restrictions. Which isn't common-carrier status, although it acts a little like it.

But if they start to routinely "deeply inspect" traffic, a frisky plaintiff's attorney is going to see gravy in the "knew or should have known they were defaming my client" kind of stuff, and here we go.

Re:Good luck with that (1)

dstates (629350) | more than 6 years ago | (#22973302)

But broad band ISPs are effectively monopolies in their local markets in large part as a result of government granted monopolies to provide cable TV service and local telephone service. The monopoly status of local telcos is the reason common carrier status was created in the first place. Bringing ISPs under common carrier rules is long overdue.

Communications privacy is a huge issue in a democratic society. Do not just kvetch on Slashdot. Write to your congressman and senators to tell them that this matters to you.

Re:Good luck with that (1)

nurb432 (527695) | more than 6 years ago | (#22973022)

That's all and good when it's just about 'targeting' advertisements to you.

But when it turns to the government doing profiling on your 'habits', it's not so harmless. And we all know that is next.

Re:Good luck with that (0, Flamebait)

msormune (808119) | more than 6 years ago | (#22973036)

So if that stuff is so private, why did you just tell it to the whole world? I mean, you got +5 Insightful, and your household's Internet usage profile was just read by 1000000 people.

Re:Good luck with that (5, Insightful)

jmorris42 (1458) | more than 6 years ago | (#22973112)

> If they want to sniff all of my NAT-ed packets coming out, they're
> going to discover that I'm a geek who has four Facebook sites, likes
> art and hates it, plays....

Silly person, they are much smarter than that. Each of those PCs can be identified, see previous slashdot articles on the subject. Especially since each PC in a network serving a diverse family as you are describing will probably have obvious differences in OS and browser versions. Then there is detailed packet header inspection (DEEP INSPECTION, remember?) to separate out OS subtle version differences, etc. And each PC/account will offer up different cookies to the same websites like Google.

NAT won't stop them. SSL won't stop them. Laws might. This sort of snooping isn't 'like' listening in on phone conversations. It IS listening in on conversations.

Re:Good luck with that (1)

ScrewMaster (602015) | more than 6 years ago | (#22973310)

Never mind that it's evil, or that it's a great step to losing their common-carrier status.

Another common misperception. I don't know of any major United States Internet Service Provider that operates under common carrier regulation. The Telcos still do, but only for phone service. Their data services are considered exceptions to common-carrier regulation.

They obviously looked at the legal situation and decided the lack of immunity from lawsuits over the use of their equipment was a risk worth taking. Operating as a common carrier has regulatory burdens that they really don't want. What they want, actually, is to have the immunity from prosecution and still operate without any particular regulatory controls (i.e., they want to have their cake and eat it too.)

Faith in Godel (1)

buravirgil (137856) | more than 6 years ago | (#22972608)

deeplink down
deep packet clowns
show me your packets
is that a smile or a frown?
thrice cola crown
Godel the bounds
where is Gibran's appendix found?

Throttling bandwidth (2, Insightful)

element609 (303265) | more than 6 years ago | (#22972646)

Isn't this the real issue with clogging 'tubes'? How can the government and ISPs keep up with the computational resources needed to continue this as we demand greater and greater amounts of bandwidth? OK, so they could only inspect http traffic, rather than say, bittorrent traffic, but OMG what happens when 'terrorists' start communicating with other protocols?

ssh tunnelling + squid (4, Interesting)

Orp (6583) | more than 6 years ago | (#22972652)

I pay for a dedicated server (essentially colo but they provide the hardware) from a company with a decent AUP. I put linux on the server and run squid on a non-standard port, allowing connections from localhost only. Then from the machine I'm surfing from I tunnel into the squid server. Say squid is running on port 1234 and sshd is running on 4567:

ssh -f -N -L 1234:localhost:1234 -p 5678 my.squid.server.com

Configure firefox to use a proxy to localhost:1234 and all traffic is encrypted to the squid server.

Of course, I could just use Tor, which is great, but can be slow. In fact, you could run a tor server on your colo machine and have all tor traffic bounce off of the server, which would be pretty fast if you leave tor running as a daemon and dedicate a decent amount of bandwidth to the tor network.

Re:ssh tunnelling + squid (2, Insightful)

jmorris42 (1458) | more than 6 years ago | (#22973152)

> I pay for a dedicated server (essentially colo but they provide
> the hardware) from a company with a decent AUP. I put linux on
> the server and run squid.....

And you are a fool with more money and tech knowledge than you have the brains to use wisely.

Exactly what are you hoping to accomplish by going to all of that bother? Your last mile ISP can't monitor you but the hosting company and THEIR ISP can so you have just shifted the point of attack.

And the government (which is what you are afraid of, right?) can't monitor either (the spooks can but anything they find can't be used against you in a court... they would just have to kill ya) without a warrant. And with a warrant they can monitor you wherever. Doing the kind of crap you are doing makes you a likely target for government snooping. So don't come whining to me when ya find a keylogger on your machine.... buried inside your keyboard controller chip.

More Encrypted Webpages (1)

nurb432 (527695) | more than 6 years ago | (#22972654)

If everyone offered https, ( or only ) and all email is encrypted then this would become a moot point really quick.

All they would know then is where you went, not what you did. ( Tho in this country, just going there is enough to get you put in jail it seems )

Or we can all move to freenet and really stick it to them.

History Repeats Again (0)

Anonymous Coward | more than 6 years ago | (#22972658)

There is no way this can go horribly wrong.

Torproject.org (0)

Anonymous Coward | more than 6 years ago | (#22972672)

Tor is great, don't masturbate without it!

Re:Torproject.org (1)

nurb432 (527695) | more than 6 years ago | (#22973070)

Freenet adds another layer of security, for when they come for your data.

There should be a law (4, Interesting)

nysus (162232) | more than 6 years ago | (#22972696)

It's illegal for anyone to open mail not intended for them. The same should be done for electronic communication.

And if I hear one libertarian say we need less laws, I'll puke. It's as if they thought they had a magic wand and all the troubles of the world would disappear by removing government. Unfortunately, the world hasn't worked that way since we left the caves 12,000 years ago.

Re:There should be a law (1)

Tynin (634655) | more than 6 years ago | (#22972794)

In that case, try to hold your lunch in. Are you expecting our current 1 party government to actually have the insight and knowledge to make a decent law? Especially a law that protects the interest of the citizen and not business? That is the problem with law, especially American law with its case law and precedence. We keep hoping that the law will be just, yet most of all we get are half baked bandaid crap that in turn allows for even worse laws down the road thanks to precedence.

That all said, I do not have an answer for how to make good laws, as that would require our government to actually read, and comprehend what laws they pass... not just rubber stamping everything through. Until everyone that is passing these laws bother to read, how can we trust in the law?

Re:There should be a law (4, Insightful)

nurb432 (527695) | more than 6 years ago | (#22973042)

We *do* need fewer laws. However, the ones that remain need to be effective and of value, and actually enforced.

The law to protect your right to privacy already exists, it just needs to be enforced. Creating more laws doesn't help with lack of enforcement of what is already there.

Re:There should be a law (3, Insightful)

chunk08 (1229574) | more than 6 years ago | (#22973212)

Brilliant post! The problem, though, is that the citizens will not stand up for their rights, because our current culture is taught to depend on the government to fix all of the problems. If citizens were to take a stand on the issue, government and corporations would see that it is not in their best interest to continue these practices. What needs to happen is (as has previously been posted) citizens encrypting their communications and taking other steps (Tor, Freenet, etc.) to prevent snooping, government, corporate, or otherwise.
Liberty and capitalism don't solve problems, they just give us an opportunity to. That's why less government is good.

Re:There should be a law (1)

debatem1 (1087307) | more than 6 years ago | (#22973304)

Laws are not static things. They get interpreted, and they get implemented, and in the course of either process bad things can happen to even the best of ideas. The 'laws' regarding privacy in the states are a joke anymore, having been effectively interpreted into oblivion, and bounded on all sides by public safety measures designed to countermand what should have been basic rights. We do not need more useless laws, or more laws restricting our rights, that much we agree on; but to say that we don't need any more privacy laws (or constitutional amendments) does nothing but allow conflicting laws precedence.

Re:There should be a law (2, Insightful)

Anonymous Coward | more than 6 years ago | (#22973072)

And if I hear one libertarian say we need less laws, I'll puke.

Pesky semantics....

While it may be true that the actual raw number of laws presently on the books is huge and unwieldy, and while it may be true that the removal of many of those laws would actually bring a good deal of efficiency while also eliminating some loopholes that are routinely exploited to the detriment of the majority, and while it may be true that a common knee-jerk response to any kind of exploitive behavior is to cry "pass a law that says you can't" even when there is actually no feasible way to construct or enforce a law that will accomplish that.....while all these things may be true...

Sometimes, it is also true that in this specific circumstance, a new law is actually feasible, beneficial, and totally warranted.

While I don't have a problem with far-reaching statements like "we need fewer laws," I DO have a problem with the thoughtless application of such statements to all circumstances equally. Not all circumstances are equal, and they must each be intelligently judged, on a case-by-case basis.

I hope I didn't make you puke.

Re:There should be a law (1)

phantomcircuit (938963) | more than 6 years ago | (#22973330)

It's illegal for anyone to open mail not intended for them. The same should be done for electronic communication.

And if I hear one libertarian say we need less laws, I'll puke. It's as if they thought they had a magic wand and all the troubles of the world would disappear by removing government. Unfortunately, the world hasn't worked that way since we left the caves 12,000 years ago.

In fact it is already illegal to open USPS mail not intended for you. It's a federal crime. The problem is that the laws of the real world that have been in place and working for a very long time have not yet been interpreted to apply on the internet. I fail to see the difference between physical mail and electronic mail.

Re:There should be a law (1)

corsec67 (627446) | more than 6 years ago | (#22973340)

It is just like all of the new patents related to the internet and computers:

Laws are different when it is "on the internet", or "using a computer"

Reading mail not intended for you isn't a problem, "on the internet"

I agree with you that it shouldn't be like that at all, though.

NOT like google... (1)

danep (936124) | more than 6 years ago | (#22972698)

"Dykes noted that by a couple of measures, their system may protect privacy more than such well-known companies as Google."

If I'm searching for something that I'd rather not have permanently stored on [Google's || my ISP's] servers I can always just log out, or go to another [search engine || ISP].

That sentence only makes sense one way. DPI is absolutely nothing like how Google operates. At least what Google does (storing search histories, etc) actually provides a service to the user...

How are they to deliver targeted advertising? (4, Insightful)

Skapare (16644) | more than 6 years ago | (#22972712)

If these are the ISPs (as opposed to the visited web sites) doing the spying, then how are the advertising companies involved supposed to deliver the content? Are they going to use the same "deep packet" method to inject the advertising? If the advertising delivery is away from that deep packet inspection, then how do they identify which user was interested in penis enlargement products vs. which user was interested in replica watches? Or are the ISPs going to lock-in the IP address, now?

Regular postal mail... (3, Insightful)

NotQuiteReal (608241) | more than 6 years ago | (#22972928)

After all, your ISP knows your street address.

Search for info on heartburn... get some post cards advertising the latest antacid. Search for info about Lasik eye surgery... gee handy flyers about your local providers appear.

You get the idea. If I were selling a service and an ISP offered to sell me names and addresses based on keyword searches, why wouldn't I buy that list?

Re:How are they to deliver targeted advertising? (2, Informative)

jmorris42 (1458) | more than 6 years ago | (#22973192)

> If these are the ISPs (as opposed to the visited web sites) doing
> the spying, then how are the advertising companies involved supposed
> to deliver the content?

Because the visited web sites already aren't the ones delivering the advertising. You go to CNN.com and view a page. The ads come from an outside site. That site partners with your ISP. They toss a packet with the IP and perhaps other info (like browser info so the ISP can determine which PC behind the home NAT is making the request and map that to a 'user number or email identity') and returns it. The ad server examines the previous history for that identity and the page being requested and picks an appropriate ad. And it all happens behind the scenes in the page load delay. Frightened yet?

Inspect this! (1)

Wowsers (1151731) | more than 6 years ago | (#22972730)

My old ISP rolled out "deep packet inspection" in an attempt to throttle user bandwidth on ports they didn't like (including VoIP to push their own VoIP solution), they were very proud of their achievement. I was also very proud of my achievement by leaving them for a company that gives me what I pay for, not throttling ports "to enhance my user experience".

The only way to teach these companies a lesson is where possible, leave them for another company, money (and subscribers) talk, and a lack of subscribers hurts them.

Re:Inspect this! (1)

corsec67 (627446) | more than 6 years ago | (#22973362)

Kind of hard to teach a company a lesson by leaving them when they are a monopoly.

Many people have exactly 2 options for ISPs: Cable and DSL.

What if both are evil? How do I switch to a better company in that case?

(My solution is to have the ISP/content provider be legally prevented from having a share of the "last-mile" stuff, so that you can have competition in the ISP space, and then last-mile provider has many requirements, like no filtering of any kind, upgrades every so often, a specified maximum fee structure, etc.)

I think this has another unintended consequence (1)

jskline (301574) | more than 6 years ago | (#22972736)

Fact is that if there is packet inspection going on, this is slowing down traffic on that one connection. Imagine now that there are many users whose traffic is being "scanned", redirected or filtered, et al.

Now; has anyone else noticed that the net is getting slower and slower recently?? We already know that sites such as FoxNews.com and other similar types, have special applets that download and attempt to arrange items on the page so that you are forced to see specific ads for a specific period of time before the rest of the page; including the intended content shows into view!

There are other sites that are beginning to "fiddle" with flash ads and present them in a way that you are unable to avoid them. This is getting to be quite annoying.

Time for those magical host lists again!!

Every ISP has spy tools - it can help non-hackers (0)

Anonymous Coward | more than 6 years ago | (#22972778)

And ones that don't are horrible -- unless you'd like to administer the entire network yourself...

Plus it keeps the cops from coming up with excuses to break into my house to collect evidence (ideas they can afford to patent or register before I can) more than once a week.

BTW -- if you're wondering who your main competition will be when you enter the workforce... you may be a genius or subgenius, but your competition has police and military contacts and knows everything you do, and basic security to prevent this costs $1 million dollars.

Listening in? Um, yeah. (5, Insightful)

Perp Atuitie (919967) | more than 6 years ago | (#22972792)

Critics liken it to a phone company listening in on conversations.
Um, my ISP IS my phone company. If they can get away with reading my emails and stuff like this comment, what's to stop them from listening to my phone calls? We're really at a crossroads: either the law makes ISPs common carriers with no interest in, or control over, content like a real phone company, or we lose most of the potential of the communications tech revolution.

Re:Listening in? Um, yeah. (1)

mapkinase (958129) | more than 6 years ago | (#22972984)

Technically, it is more difficult to parse out possible ad targets from the content of your phone calls. The information of where you are calling and when might be the only thing that is more or less useful for their evil advertising schemes.

Re:Listening in? ISPs should be "common carriers" (1)

dstates (629350) | more than 6 years ago | (#22973206)

The HUGE difference is that your telephone communications are carried under "common carrier" rules. There is a legal expectation that your telephone conversations are private, that you can use your telephone to talk to anyone and that all common carriers will inter-operate. These rules were put in place because local telephone companies are government-granted monopolies.

When it is acting as your ISP, your telephone company is not governed by common carrier status. USA Today has an article today pointing out that essentially all ISP service agreements give them the right to inspect your communications, alter the contract without notice, block access to sites and terminate your service at will. For example, these agreements allow an ISP to block access to competitor web sites if they feel that the site has objectionable content like claims to provide better service at lower costs.

The problem with all the "encrypt everything" posts is that encryption costs money. Why doesn't Slashdot offer? Because it would cost them a fortune to add all the server hardware needed to meet the demand.

The problem with all of the "I dropped my ISP" posts is that in most communities you have little or no choice in broad band providers, basically the cable company and the phone company. Just like local telephone companies, broad band ISPs are effectively local monopolies and should be governed by the same common carrier rules.

What is the potential harm? How would you feel if you learned that you weren't hired for a job because your name was on a list of potentially disruptive employees who read (or even worse, post to) Slashdot?

Don't just kvetch on Slashdot. Write to your congressman and senators and tell them that this is a serious issue for you.

Re:Listening in? Um, yeah. (1)

Reziac (43301) | more than 6 years ago | (#22973076)

I was just wondering something like that myself: at what point does this sort of datamining overstep privacy to the point that it revokes common carrier status??

Also, AOL's little fiasco proved that you CAN identify individuals through their searches... what's to prevent this from being used similarly?

I also have to wonder about what if the ISP is "clean" but their backbone is datamining??

ISPS ARE NOT COMMON CARRIERS (1)

oyenstikker (536040) | more than 6 years ago | (#22973134)

and they never have been.

Re:Listening in? Um, yeah. (0)

Anonymous Coward | more than 6 years ago | (#22973122)

Actually, we CAN listen to your phone calls. I used to do that straight from the switch when I was working as a Telco field engineer. I even recorded the conversations of one of my ex-girlfriends. If I can do that, just for being a psycho-stalker, think about what I can do if I have a memo telling me to do so...

Re:Listening in? Um, yeah. (1)

argent (18001) | more than 6 years ago | (#22973294)

If they can get away with reading my emails and stuff like this comment, what's to stop them from listening to my phone calls?

Apart from the law, the fact that speech recognition is a much harder problem?

Critics? (0, Offtopic)

baffled (1034554) | more than 6 years ago | (#22972812)

How can the article summary call defenders of our privacy critics? People who stand up for our privacy are critics? OP has a strange point of view..

Re:Critics? (1)

dstates (629350) | more than 6 years ago | (#22973250)

Point taken, I was quoting from the Washington Post text and should have modified this.

Communications privacy is a serious issue. Write to your congressman and senators and tell them that this matters.

Encryption? (1)

ameline (771895) | more than 6 years ago | (#22972886)

I expect that they will combine this snooping with throttling of all encrypted (or otherwise random) looking packets.
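The idea of filtering "random looking" packets raised in the comment above, shown as an added example that is not part of the original thread: a byte-entropy check labels an unframed encrypted stream as random-looking, but it labels an ordinary compressed page body the same way. The function names, the 7.0 bits/byte threshold and all sample payloads are assumptions constructed for this illustration.

```python
import hashlib
import math
import zlib
from collections import Counter

def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte (0.0 to 8.0), from the byte histogram."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def keystream(seed: bytes, length: int) -> bytes:
    """Deterministic stand-in for ciphertext: SHA-256 in counter mode."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(seed + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])

def classify(payload: bytes, threshold: float = 7.0) -> str:
    """Label one payload the way a naive entropy-based filter might.

    The 7.0 bits/byte threshold is an assumption chosen for this example.
    """
    # TLS records announce themselves: content type 20-23, then version 3.x.
    if len(payload) >= 5 and 20 <= payload[0] <= 23 and payload[1] == 3:
        return "tls-record"
    if shannon_entropy(payload) >= threshold:
        return "random-looking"
    return "plaintext"

# --- Constructed sample payloads (not captured traffic) ---
HTTP_REQUEST = (b"GET /index.html HTTP/1.1\r\nHost: example.com\r\n"
                b"User-Agent: ExampleBrowser/1.0\r\nAccept: text/html\r\n\r\n")

VOCAB = [b"packet", b"inspection", b"privacy", b"provider", b"customer",
         b"advertiser", b"search", b"browser", b"network", b"traffic",
         b"encrypted", b"content", b"carrier", b"service", b"policy", b"law"]
PAGE_TEXT = b" ".join(VOCAB[b % len(VOCAB)] for b in keystream(b"text", 20000))
COMPRESSED_BODY = zlib.compress(PAGE_TEXT)      # an ordinary compressed page body
OBFUSCATED = keystream(b"cipher", 4096)         # unframed encrypted stream
TLS_RECORD = b"\x17\x03\x03\x10\x00" + keystream(b"tls", 4096)

def survey() -> dict:
    """Return {sample name: (entropy rounded to 2 places, label)}."""
    samples = {"http_request": HTTP_REQUEST, "page_text": PAGE_TEXT,
               "compressed_body": COMPRESSED_BODY, "obfuscated": OBFUSCATED,
               "tls_record": TLS_RECORD}
    return {name: (round(shannon_entropy(p), 2), classify(p))
            for name, p in samples.items()}

if __name__ == "__main__":
    for name, (entropy, label) in survey().items():
        print(f"{name:16} {entropy:5.2f} bits/byte  {label}")
```

Entropy alone cannot separate encryption from compression, so a filter built on it would also catch compressed downloads, images and video.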

Up to 2 years imprisonment (5, Interesting)

gweihir (88907) | more than 6 years ago | (#22972924)

If you do this in the EU. Packet payloads are off-limits without court order. You may not even store them.

Re:Up to 2 years imprisonment (1)

yuna49 (905461) | more than 6 years ago | (#22973246)

From TFA:
In England, Phorm is expected in the coming weeks to launch its monitoring service with BT, Britain's largest Internet broadband provider.

Last I heard the United Kingdom was a member of the European Union. Perhaps BT's attorneys have a different interpretation of the laws than you?

"Customer revolt" (4, Insightful)

frdmfghtr (603968) | more than 6 years ago | (#22972942)

FTA:

For all its promise, however, the service providers exploring and testing such services have largely kept quiet -- "for fear of customer revolt," according to one executive involved.

Guess what pal..the word is now out.

Ever get the feeling the Internet just isn't worth it anymore?

bah (1)

Sicnarf (529730) | more than 6 years ago | (#22973060)

Shame on them ISPs. Makes me wanna signup to proxify, so that I can opt out of the ridiculous eavesdropping that's taking place. In case consumers don't know, here are some tools to protect yourself:

Scroogle with HTTPS [scroogle.org], -> I use this as my primary interface for searching on google, since your search queries reveal a lot of personal information and gets used for marketing purposes. :(

Tor Anonymity Network [torproject.org], with Firefox plugin to quickly enable/disable anonymous browsing.

Proxify with HTTPS [proxify.com], although for advanced stuff they want you to signup to their service :(

Last but not least: GnuPG [gnupg.org], for encrypting your private data.

Enough! (3, Informative)

iamacat (583406) | more than 6 years ago | (#22973092)

Time has shown that nobody will protect your privacy besides yourself. It's time for ALL Internet traffic and ALL phone traffic to be encrypted with an option to get SSL keys for each machine or phone from trusted authorities in different countries. This way a particular person asserting privacy is not labeled a terrorist, Comcast can not selectively block bittorrent, Chinese firewall is out of business and phone companies do not need immunity for spying on subscribers. IPV6 will have to be adopted anyway in the next 10 years and it included encryption, so the time is right to make both switches at once with little extra IT overhead.

Encrypt everything! (3, Interesting)

IGnatius T Foobar (4328) | more than 6 years ago | (#22973126)

The government may have the resources to break strong encryption in real time, but even the largest ISP's do not. So maybe now the FreeS/WAN project no longer sound like tinfoil-hatted paranoiacs when they push opportunistic encryption at every node [freeswan.org]. Everything gets encrypted automatically and transparently when talking between two OE nodes, regardless of the protocol.

This was their goal, but hostility and forking ensued when most people really wanted to just have an IPsec implementation on Linux. OE is still a good idea, though, and that's what they're focusing on now.

The obvious design win would be if Linksys and Netgear built OE into their consumer grade firewall/routers. Then everyone would have it, not even know it, and when large site operators started deploying it on their network edges, massive amounts of crypto would start traversing the Internet, and no one would be bothered by it.

That's really the key to good system design: add complexity, but don't bother the end user -- it's not his problem.

Come on, overreaction (1)

DamienRBlack (1165691) | more than 6 years ago | (#22973166)

The companies don't use this for targeted per-person advertising. They use the general metrics to figure out what adword to pay more for, or what sites get more conversion, or what spelling errors are most common in searches. Stuff that could help them do SEO type things. Yes, they are probably shady types trying to weasel Google and others to giving them a higher rating than they deserve, but not THAT shady.

Sounds like it is time (1)

Kylere (846597) | more than 6 years ago | (#22973180)

For Anonymous to target the personal information of the CEO's, CIO's and other staff of the ISP's involved.

VPN FTW (2, Informative)

billcopc (196330) | more than 6 years ago | (#22973210)

Funny, while loading this page I got a "bandwidth cap warning" from my ISP, stealthily inserted into the page (Rogers Cable).

I expect nothing less from the despicable scam shop that is Rogers, but it's still kind of creepy.

For me, it's not a huge deal because I run a number of geographically diverse servers, I can VPN or proxy my traffic through any combination of them, should the need arise. Like any invasion of privacy, I'm not concerned about the marketing uses, it's the inevitable abuse that scares me, either by ISP staff sniffing passwords, or script kiddies rooting the monitoring systems (and/or the idiot sysadmin's PC).

The thing is, at this point I've given up on common sense. Things will continue to get more and more ridiculous until we reach a breaking point... the bubble will burst and there will be backlash against these invasions of privacy, but only when the common fool finally realizes their life is being tarnished by the practice.

Until then, we'll continue to be labeled as paranoids with our tinfoil hats.

NebuAd info, and a request for info (3, Interesting)

Animats (122034) | more than 6 years ago | (#22973226)

I just checked NebuAd's Privacy policy [nebuad.com]:

NebuAd products do collect and use the following kinds of anonymous information:

  • Web pages viewed and links clicked on
  • Web search terms
  • The amount of time spent at some Web sites
  • Response to advertisements
  • System settings, such as the browser used and speed of the connection
  • ZIP code or postal code

Now that's way out of line for an ISP to collect, let alone send to an ad agency.

We may be able to do something about this.

We run SiteTruth AdRater [sitetruth.com] , which rates advertisers. We have a Firefox extension which displays a rating icon for each ad served. When an ad link goes by, and it's not in the browser cache, the extension contacts our server for a rating of the advertiser. So we collect, over time, a list of advertisers for various ad systems. We're not collecting data about users; we're interested in advertiser behavior. (You can read the source code for the plug-in, so there's no mystery about what we're doing.)

We're not currently tracking NebuAd, Front Porch, or Phorm ads; we've been focusing on the bigger players. It looks like we need to be tracking this behavior. If anyone can find ad links from those services, please post the ad link here, or mail it to "info@sitetruth.com". We need some examples so we can modify the plug-in to recognize them.

If we can collect sufficient information about this class of advertisers, we may publish their customer list, which would be useful for boycott purposes. Thanks.
