Rietta
Rietta: Web Apps Where Security Matters
You are reading The Rietta Blog, a publication about the web since 2005.

Troubling ISP Privacy Repeal: The Data Will Be Breached

Comments

The U.S. Congress & The President's Troubling Repeal of Internet Privacy Protections - Photo Credit: © 2013 Frank Rietta.

Your Internet Service Provider has direct access to the type of information on you and your family that the National Security Agency uses for spying.

Your ISP knows when you are at home and when you are not, when your kids are doing their homework. They know or can know what you’re watching on Netflix (even when its encrypted) and YouTube. If any member of your household ever views pornographic content, your ISP knows how much and at what times such content is accessed. They can infer through traffic analysis how many people are living at your home and even know how many iPhone and Android devices that you have. And even though they cannot see into your encrypted search queries on Google, your ISP knows every medical website that you visited to research a condition that you think you have or are looking into a drug that your doctor has prescribed to you.

The Congress and President have given a green light to ISPs to abuse Americans’ privacy

If this is a wake up call to the unmatched privileged position that your ISP has in your life, know that your privacy is at far greater risk than it was prior to President Trump’s signing the law that repealed FCC rules on Internet Service Providers’ treatment of private Internet history data on On Monday, April 3, 2017. The text of the Joint Resolution 34 states:

Resolved by the Senate and House of Representatives of the United States of America in Congress assembled, That Congress disapproves the rule submitted by the Federal Communications Commission relating to “Protecting the Privacy of Customers of Broadband and Other Telecommunications Services” (81 Fed. Reg. 87274 (December 2, 2016)), and such rule shall have no force or effect.

With those seemingly simple words, your ISP is now free to collect, database, analyze, and market to advertisers, and sell raw private Internet history data. Moreover, your ISP many not even need to notify you if your data is breached by hackers or any other third party. Moreover, we’re worse off than before the FCC regulation because while in the past they may have treaded lightly on these issues for fear of regulation, now they have a clear and unequivocal signal that Congress and The President of the United States wholeheartedly endorse the collection, aggregation, and selling of your private history and that only an act of Congress will change it!

ISPs are now free to engage in at least 5 really creepy business practices

The Electronic Frontier Foundation has published a list of creepy practices that the Congress has now approved, most of which at least some of the major ISPs are already documented to have done already:

  1. Injecting undetectable, undeletable tracking cookies in all of your HTTP traffic
  2. Pre-installing software on your phone, including spyware to record every URL that you visit , even the URLs of HTTPS encrypted websites that the ISP would not ordinarily be able to intercept via network traffic
  3. Snooping through your traffic and inserting ads
  4. Hijacking your searches
  5. Selling your data to marketers

The usage of spyware to gather full URL addresses of encrypted websites and APIs is particularly frightening as these often contain sensitive account information such as account ID numbers and other sensitive data that was intended to be encrypted for its protection while being submitted by mobile apps and web browsers to their servers. Such spyware is malicious in nature, even if it is installed by your ISP. This is the sort of spy activity that AT&T, Sprint, and T-Mobile have all engaged in if we are to believe what has been publicly reported subsequent to the Carrier IQ Settlement, case number 12-md-02330-EMC in the United States District Court Northern District of California.

A purely free market approach fails to constrain ISPs, which are powerful oligopolies that have enormous and invasive access to Americans’ private data

It is understandable that the current Republican-controlled Congress will generally be inclined to reduce regulations upon businesses, as is in line with core free market conservative principles. However, in the case of Internet Service Providers it is negligent in that these are extremely powerful regional oligopolies that have enormous and invasive access to Americans’ private data.

Most Americans in metropolitan areas have access only one or two broadband internet providers (typically the regional cable monopoly and the phone company). The choice of mobile providers is only slightly better but with data caps, it is not a suitable replacement for an entire household.

Those living in rural areas are worse off and may have access to only one or even no broadband providers and at most one mobile provider that has a signal. By the numbers provided in the latest FCC’s Broadband Progress Report, while 10 percent of all Americans overall lack access to broadband service, 39 percent of rural Americans (23 million people) lack access it! This leads to a distorted market where there is no meaningful competition and Americans are forced to take whatever service they can get and have very little walk-away power.

There are documented cases of Americans having to sell their home just because no Internet service was available at all; such as the case of Seth Morabito, a Washington-based software engineer, who says that Comcast and Comcast Business both falsely assured him that he would be able to get service. His situation arose to national attention in 2015 and was only resolved by a truly unique situation where he ended up paying to have the regional public utility to run fiber (only after officials saw the news stories) and then peer with a commercial ISP to get access at his home, a feat that most Americans would be unable to accomplish.

In short, there is little to no meaningful competition among ISPs that provide household Internet access, consumers have little or no walk away power, and thus the free market does not constrain misbehavior by providers. Our country cannot prevent private data from being data breached without dis-incentivizing its collection, databasing, and analysis in the first place. And this is a mater of national interest with millions of everyday Americans being impacted by personal and financial consequences of having their data breached by hackers and compromised by various nation-state level international adversaries. The truth is that the computing technology industry simply does not have the practices necessary to design, implement, and deploy at scale, and operate secure computer systems in either the cloud or even in private facilities. In the current state, no matter how hard they may try a determined adversary will breach the security of any company or government agency and when that happens data will be stolen. The same can and will ultimately happen to the data that the ISPs will be invariably collecting. This is why the biggest security wins are to change business models to not require data that is dangerous if its stolen. In effect, the biggest win is for the ISPs to change to treat private customer data as digital toxic waste to be disposed of as quickly as possible rather than as an asset to keep around to inevitably be compromised.

The sad truth is that normal market forces are simply not doing enough to protect the public from harm. Companies are incentivized to gather as much private data as possible and then monetize it. The cost of the breach often an externality in that the negative cost is borne by ordinary Americans rather than the companies who financially gain from the pervasive use of Americans’ private data.

Next steps

As an American, you need to pay attention to what is being done to your privacy and security! First, please remember that while some will frame a tradeoff between privacy and security, what is really at stake is your personal security vs insecurity. Secondly, continue the conversation among your friends and family so that everyone may understand what freedoms and privileges are at risk. Thirdly, be in contact with your elected officials both at the State and Federal level. If the Federal government will not protect the people, then the people must take steps to protect themselves.

References

About Frank Rietta

Frank Rietta's photo

Frank Rietta is a web application security consultant, software developer, author, and speaker. He is a computer scientist with a Masters in Information Security from the College of Computing at the Georgia Institute of Technology. He teaches about security topics and is a contributor to the security chapter of the 7th edition of the "Fundamentals of Database Systems" textbook published by Addison-Wesley.

Comments