Tales of Broadband Privacy

Trying to explain it like you pick up your phone and call a trusted friend or family member, “I have cancer.” You make that call on your Cricket cellular service, it’s relayed through the AT&T network and delivered via a Verizon cell tower to a Sprint handset to your friend. Now, all of those cellular companies associate the words “I have cancer” with your phone number. The next morning, a solicitor knocks on your door, offering will & funeral services. You open your mailbox and find special offers for a wide range of cancer-related products. After lunch, someone from a pharmaceutical company calls to ask if you are interested in their latest cancer treatments. The next morning during a meeting your manager asks you if there’s anything you’d like to share. Unprompted, the person you work for tells you a story about how they lost a loved one to cancer, and how terrible health issues are.

•••

When you communicate on the Internet to load a website you use the http protocol (Hyper Text Transport). Recently, many companies started to use the secure protocol, so you’ll see “https” at the start of your links. However, you should understand how this works and who can see what. This is my understanding at a glance:

1. You type the text into your web browser, it’s usually a search that comes out the other end:
https://search.com/?search=what+you+searched+for

2. In order to complete this search the server needs to be changed from words to a a numeric address using Domain Name Service (DNS) in order to reach the server on the other side:
https://123.456.789.012/?search=what+you+searched+for

Question: Does the entire search string get sent to the Domain Name Service (DNS) computer that is the intermediary?

Answer: No, a name service lookup is performed to get the IP Address of the destination server. Some web browsers even save these addresses so future look-ups are not as commonly required.

Question: Who owns the Domain Name Service (DNS) computer? Can they sell my information as well?

Answer: You won’t know: no matter what consumers expect there is no transparency, choice, data security, or protection for sensitive customer information. Your carrier doesn’t even have to provide privacy notices or require that they ask you to opt in or out prior to sharing customer proprietary information.

Know that when you send this request, there are a few entities that can intercept what you send, and this is what they’ll know about you: Your IP Address, the date and time of the request, and if they combine it with previous requests they can figure out a lot about you just from those three things. They can also look at what server routed it to them to get an idea what part of the Internet your request is coming from.

Also, the Domain Name Service (DNS) computer might not be owned by your Internet Service Provider. So, you could be paying your cable company for Internet and they’re sending your Domain Name Service (DNS) requests to a different provider that they’ve sub-contracted. Or, you could change the numbers to OpenDNS and send your traffic to them.

The law doesn’t stop any of these entities from collecting and selling your data to the highest bidder, or simply publishing it to the Internet and letting another party use it to tie everything together.

3. An http(s) connection is established between your computer and the computer you wanted to request search results from. A reminder of what was sent:
https://123.456.789.012/?search=what+you+searched+for

This computer receives your IP address, can track the date and time you sent it, they can also track your web browser using cookies and other means. They can look at where your request came from to get an idea of what part of the Internet your request came through.

You can also establish a session or connection with a computer and submit search and other information without using a URL that spells it out. This tunnel would be more difficult to pinpoint, e.g. visiting Disney.com and searching for Mulan, assuming they submit the value to a session and not the URL like Disney.com/?search=Mulan

•••

Let us imagine for a moment that you pay your cable company for Internet but not television. Now, they look at your traffic and learn that you’re using a third party streaming box with your television. I already pay a fee to my cellular provider because of the cell phone I use. Now, I could be asked to pay an “Amazon Fire” fee, or a “Playstation Streaming” fee. What would stop them?

•••

Internet Adulterer Tracking

I worked for an Internet Service Provider in the nineteen nineties doing tech support. The building I worked in had three components, two of which were Sales and Tech Support. One of my coworkers’ wives worked in Sales and they had a couple of kids together. She decided to run off with a male coworker without explaining where she was going. This was back in the age of beepers, when the Motorola Razr was a big deal. I don’t believe she had a cell phone when she left.

At any rate, this coworker approached me to ask if I could figure out where they went. I used their login credentials and searched the dial-up modems, using the timestamps I was able to chart their progress through California and up to another call center on the west coast.

Using this information my coworker was able to contact his friends, family, and other coworkers who might have been giving his wife a place to stay. They tracked her down.

This was in the nineteen nineties. Imagine what can be done now with IP Address location services, GPS, and cell tower triangulation methods.

•••

One of my coworkers loved Twitter when it first came out. He was almost always using it at work. One day we got a new manager. This coworker was excited about a new website he found that used his Twitter information to build a graph that displayed a bar graph to chart the days and time when he was most active. Our new manager took a screenshot of it, put a rectangle around the work hours, and sent it back to him with the subject “Busted.”

I imagine with these new regulations stripped away, contacting an employee’s ISP and asking for a similar chart: for a small fee, show me the domain names, dates and times they are accessed. Is my employee really working or surfing Facebook? Now we’ll know.

•••

I imagine my children growing up in this new age. Their Internet history mingling with mine and my wife’s. Hopefully they’ll figure out how to separate clients at some point, I suspect they already can. Anyway, the job interview where my kids have to answer questions like, ‘It looks like you spend a lot of time on pokemon.com and indeed.com at the same time. If you are hired, how do you think this position would impact your pokemon conquest?’

These questions can go a lot further. Imagining someone visiting an insurance website regularly, the employer gets an idea the candidate is ill. Or, visiting a banking website and the employer runs credit checks, etc. It could go further, ‘I see you spend a a lot of time on Ashley Madison’ or any number of questionable domains. 4chan, Reddit; it could get political: ‘Why didn’t you hire him? He spends more than an hour on Fox News each day.’

•••

And on the topic of children, it’s illegal to track minors on the Internet. How will they know if a search coming from my Playstation’s web browser is coming from an adult at my residence or one of my children?

•••

The repeal of S.R. 34 is great news for the National Rifle Association! Using your Internet history anyone can create a database of probable gun owners. All they need to do is look for websites that sell gun accessories or ammunition. If local authorities purchased it they could correlate it with criminal records: are you on parole? Are you an ex-convict? If you’re surfing these websites it’s time for a warrant.

External links:

GDPR: European Union Privacy Laws; scroll to the 10 points at the end
http://www.itproportal.com/features/time-to-prepare-for-the-gdpr/

Who to blame:

Members of Congress who voted for this: the Senate
https://www.govtrack.us/congress/votes/115-2017/s94

Members of Congress who voted for this: the House
https://www.govtrack.us/congress/votes/115-2017/h202

Donald Trump
https://www.whitehouse.gov/the-press-office/2017/03/28/statement-administration-policy-sjres-34-%E2%80%93-disapproving-federal

Show your support

Clapping shows how much you appreciated Cud Blay’s story.