
ISPs May Be Selling Your Web Clicks

Mozzarella writes "Could our ISPs be selling our click data without us even knowing it? It seems like the practice is happening a lot more than we realize, and can be tracked for each user. Complete Incorporated's CTO David Cancel told Ars Technica that his company (an internet research firm) licenses click information from ISPs for 'millions of dollars' to figure out how we use the web. From the article: 'He did not give a specific figure about what this broke down to in terms of dollars per ISP user, although someone in the audience estimated that it was in the range of 40 per user per month — this estimate was erroneously attributed to Cancel himself in some reports on the event. Cancel said that this clickstream data is 'much more comprehensive' than data that is normally gleaned through analyzing search queries.'"
This discussion has been archived. No new comments can be posted.

  • by BristolCream ( 102658 ) on Friday March 16, 2007 @04:20PM (#18380695)
    There is little new here. Companies such as http://www.hitwise.com/ [hitwise.com] have been purchasing raw traffic data for years. They place a box at switch level and monitor everything about everyone and then sell on the reports for profits. The last time I had a quote from them it was in the region of $28k to monitor footfall to a single site for a year. Access to the full data set can run into the hundreds of thousands.
    • Re: (Score:3, Informative)

      by cswiger ( 63672 )
      Well, you can get free tools like analog or webalyzer, or commercial things like Unison, which process a webserver logfile and generate all kinds of reports like search terms, OS & user-agent breakdowns, aggregated over various time-intervals, without installing an inline traffic sniffer.

      But there's a difference between a website analyzing the traffic sent to it, particularly if reasonable notice in the site's privacy policy is there, and reselling that data to third parties, or gathering data from all
      • Re: (Score:3, Informative)

        I'm not talking about statistics collected at site level. Hitwise place a box at switch level with consumer ISPs, tracking everywhere they go and everything they do. Seriously. Read all about it here [hitwise.com].
    • Re: (Score:2, Informative)

      by Anonymous Coward
      What is needed is an anonymous network beyond the government watched Tor and simple proxifiers. A new network is needed. A few people have created an anonymous, deniable, virtual Internet using OpenVPN and Quagga. anoNet has all the luxuries of the Internet (http, ftp, IM, IRC, p2p, search, etc.). They also have full DNS and IP/AS registration to keep things sane. Unlike the Internet all registration is anonymous and private. This network is not a warez network at all, merely a group of people who want a di
    • Since obviously it's far too late to Delete, Abort, Retry or Ignore.

      But seriously, what we need is a widespread, free Tor that obfuscates what we browse from our own ISP. That's who we want real anonymity from!

    • There's also the whole "who cares?" factor.

      The only possible use for this information is to better target advertising. And frankly, I like targeted advertising a lot more than un-targeted advertising, so I'm all for it. It costs me nothing, doesn't hurt me in any way, but potentially could stop me from having to see tampon ads. All for it.
      • Well I care.. How about an opt-in version of this system where users can opt-in to have everything they do monitored, and get targeted ads (and perhaps a discount) as a bonus?
        I'm going to make a wild guess that ISPs don't make it opt-in because they know no-one would, because people do care about privacy.
        • I'm going to make a wild guess that ISPs don't make it opt-in because they know no-one would, because people do care about privacy.

          Nah, people are lazy when there's no obvious impact. That's why IE is the dominant browser - it's default, and the reasons to switch aren't meaningful to most people, if they even know they can switch.

      • by jo42 ( 227475 )
        Advertising sucks goatse's backside.
  • Is this legal? (Score:5, Insightful)

    by Raul654 ( 453029 ) on Friday March 16, 2007 @04:21PM (#18380697) Homepage
    If this is being done without users' consent, then it strikes me as being dangerously close to wiretapping, which is illegal.
    • Re: (Score:2, Interesting)

      by Seumas ( 6865 )
      This wouldn't matter to me if the data was anonymized so that it was impossible to correlate the data beyond "all of these are by the same individual", but no way to identify by IP address or anything else.

      The problem, as we saw with the data AOL released last year, is that there is most certainly identifiable data in the clicks, such as phone numbers, credit card numbers, usernames, passwords, real names, social security numbers, medical information and other private data.
      • Re: (Score:3, Insightful)

        Even if the information isn't immediately personally identifiable it is fairly easy, through analysis of the cross-section of a few related databases, to make it so. It's just math and most cookies have some uniquely identifiable characteristic. Perhaps they can't tie information A with person B, but it isn't too difficult to tie information A to information C to information D and then cut the database down to people who have A, C, and D. Iterate if necessary.
      • Re: (Score:3, Interesting)

        by drinkypoo ( 153816 )

        The problem, as we saw with the data AOL released last year, is that there is most certainly identifiable data in the clicks, such as phone numbers, credit card numbers, usernames, passwords, real names, social security numbers, medical information and other private data.

        That's not the only problem. Let's say for the sake of argument that you don't use adblock and you do load images from, say, doubleclick that have unique URLs. If that URL exists in your search data, then even if your IP has been cleared,

      • by Thaelon ( 250687 )
        FUD.

        Clicks don't contain any such information.
    • Yes (Score:2, Insightful)

      by memeplex ( 910698 )
      It is WITH user consent via the 99.9%-unread EULA. Compete could license data from say, NetZero, also funded by Charles River. Or maybe from Alexa toolbar-collected data, since the Alexa Research team all went to Compete around the year 2000. Read the EULA.
      • by Infonaut ( 96956 ) <infonaut@gmail.com> on Friday March 16, 2007 @05:21PM (#18381293) Homepage Journal

        It is WITH user consent via the 99.9%-unread EULA.

        If the EULA enforces things that a reasonable person wouldn't expect to find in a contract of this type, the unreasonable elements of the EULA may be found unenforceable by the courts.

        Whether the right to sell data relating to your Internet use to third parties is something a reasonable person would expect is debatable. Someone could challenge those portions of the EULA covering click info, on the basis that they are not to be reasonably expected in an end user license covering a contract for Internet access.

        The challenge wouldn't necessarily prevail in court, but it could be made. The legal theory behind this is that when one party holds a substantial bargaining advantage over the other, and has employed contractual language that is dense and lengthy, it is unreasonable to expect that the disadvantaged party will be able to spot every element of the contractual language. After all, the company can employ a lawyer to put all sorts of bizarre language into a contract, and most consumers are not schooled in such language, nor do they necessarily have the time to go through the language of each and every EULA. Thus, if the party with an advantage employs tricky language in the EULA, that language can be considered unenforceable.

        • Now if this "permission to track users for purposes of selling info" clause is found in the EULA for all major ISPs, whose case does that strengthen? If everyone has it, then it is standard and thus should be reasonably expected. On the other hand, if everyone has it, then the user is at a complete disadvantage on that point. The case would probably go to the ISPs, if for no other reason than "the terrorists" excuse. They have to track everyone; it's their patriotic duty.
        • Re: (Score:3, Insightful)

          If the EULA enforces things that a reasonable person wouldn't expect to find in a contract of this type, the unreasonable elements of the EULA may be found unenforceable by the courts.

          Whether the right to sell data relating to your Internet use to third parties is something a reasonable person would expect is debatable. Someone could challenge those portions of the EULA covering click info, on the basis that they are not to be reasonably expected in an end user license covering a contract for Internet access.

          S

        • I don't know about you but I would check for stuff like that in an ISP contract.
          I highly doubt a court would find such contracts unenforceable.
        • Tell it to the judge ;^)
        • If the EULA enforces things that a reasonable person wouldn't expect to find in a contract of this type, the unreasonable elements of the EULA may be found unenforceable by the courts.

          Where have you been the last 5 or 6 years? This sort of thing is well established in EULAs, and "reasonable" persons who are supposed to read their EULAs can be "reasonably" expected to know that this sort of thing takes place. I don't think your argument will float.

          • by rtb61 ( 674572 )
            How about phone line interception. ADSL is electronic communications on a phone line, as far as I know it is illegal to intercept electronic communications on a phone line except for and restricted to limited quality control monitoring. Um, has someone been naughty and needs to spend some time in a room with bars before invading people's privacy again.

            And for the umpteenth time you can not, absolutely not, in any way shape or form, write a condition into a contract that overrides the law (well techinicall

        • In the EULAs I've seen they say they sell aggregate info about where users surf but not personally identifiable info. It just occurred to me that their trick may be that they don't consider your IP address to be "personally identifiable" info. If that's the case then I'd say that if they are selling the browsing history of IP addresses then they are in violation of their EULA because I think a reasonable person would consider their IP address as personally identifiable, especially if it were a static addres
    • Re: (Score:3, Insightful)

      by vandon ( 233276 )

      If this is being done without users' consent, then it strikes me as being dangerously close to wiretapping, which is illegal.

      Remember that EULA you clicked 'I agree' on without reading?
    • And to think all this time I thought cancel meant something else.
    • I agree that without our consent, this does sound like wiretapping...however... This is what scares me, I clicked "I agree" on my 38-page SBC DSL contract without reading the fine lines. As negligent as that is...I'm sure there are quite a few of us who have done the same thing. I'd love for a lawyer to pick it apart, and find where we agreed to this.
      • Re: (Score:3, Informative)

        by scribblej ( 195445 )
        I use ComCast.

        When you sign up, they have a disk you are supposed to use to get started.

        It's a damn internet connection. I don't need a disk for that, nor will I use one. Plus, I'm on Linux, which they don't support.

        The practical upshot of this is, I've never seen a contract. I called them up to activate service over the phone. No EULAs, no clicking, no "I agree," nothing.

        • Re: (Score:3, Informative)

          You probably agreed to quite a few things.

          By using this service you are agreeing to

          • Operator Acceptable Use Policy
          • Cable Modem Service Subscription Agreement
          • Time Warner Cable and Affiliated ISPs Subscriber Privacy Notice

          and, from the Operator Acceptable Use Policy

          e) In addition to the foregoing, Operator and ISP each shall have the right at any time to add to, modify or delete any aspect, feature or requirement of the ISP Service, including but not limited to content, equipment and system requirements.

      • by Joebert ( 946227 )

        This is what scares me, I clicked "I agree" on my 38-page SBC DSL contract without reading the fine lines.

        Alas, gone are the days when they made all the important stuff real small & stuck it at the bottom so you could find it easily.
    • by slowbad ( 714725 )
      Done without consent? But do you really believe any website when they implicitly state they won't?

      Go over to Google News, create an alert, submit/confirm your email address and then consider this:
      "Google will not sell or share your email address"

      Does that mean a class action suit against them every time they comply with a government request?

    • by jackv ( 1068006 )
      The danger with keyword matching, which is what these systems are based on, is the contextual aspect. Yes, someone has typed in a particular site, but what did they do on it and also were they the ones on it?
  • "Good lord, it's full of... porn"
  • Insert joke about a click business represented by a guy named Cancel here.
  • by msauve ( 701917 ) on Friday March 16, 2007 @04:34PM (#18380873)
    write a randomizer (using wget?) to pollute their data?
    • Possible (Score:4, Informative)

      by HomelessInLaJolla ( 1026842 ) * <sab93badger@yahoo.com> on Friday March 16, 2007 @04:39PM (#18380919) Homepage Journal
      While a counterattack is possible there are two mitigating factors:

      First, philosophically, it is always the course of greater wisdom to explore extinguishing the problem using passive resistance (eg. avoiding offending services). Sadly, this is rarely effective against a determined aggressor but it does prevent unnecessary conflict by establishing a baseline of just how determined the aggressor is.

      Second, in terms of time, the information gathering industry is way ahead of us and the internet laws are written to be easily used against people who would interfere with their exploits.

      All in all, though, data pool pollution would be an effective approach if the aggressor has been determined to be resolute and the legal aspect weren't so grim.
      • Second, in terms of time, the information gathering industry is way ahead of us and the internet laws are written to be easily used against people who would interfere with their exploits.
        It's akin to vandalism, ruining the work of these companies. However, if you have a problem with the specific practises of this company, perhaps it's worth attacking them from a legal front?
  • by value_added ( 719364 ) on Friday March 16, 2007 @04:44PM (#18380979)
    For his part, David Cancel told Ars that he "strongly supports an increase in the methods and degree to which disclosure is communicated," not only for clickstream data but for any kind of data collected on users' personal surfing habits.

    Nicely put. I'd even go so far as to suggest it's even nicer than what we typically hear during White House press conferences.

    He stated that "all users should be informed explicitly when their data can be sold to a third party."

    The tricky part. A nice sounding pronouncement, but it sidesteps the issue of whether they are, and if so, to what extent, etc. And it overlooks what we should expect, which is typically a progression starting with a scandal, followed by a Mistakes Were Made apology, followed by calls to action and the scattered efforts of those affected but who otherwise have little say in the matter, and if we're lucky, a legislator giving a There Oughta Be a Law speech before some subcommittee.

    I've often wondered what the cable companies are doing with respect to TV watching. On the one hand, it seems perfectly reasonable that they could devise a system whereby they could collect statistics on my viewing habits and sell them to Nielsen's. On the other, I'm not aware of whether they can, have plans to, or already do. Maybe someone more knowledgeable can clue me in.
    • by jfengel ( 409917 )

      Mistakes Were Made apology
      Usually by the guy who Takes Responsibility, in the form of issuing a press release. (As opposed to, say, resigning, being fired, going to jail, paying a fine, actually changing the underlying cause, etc.)
    • by fermion ( 181285 )
      It can be argued that such data, if amalgamated, belongs to the ISP. They are the only ones that can reliably collect such information, and it can help them and other services maximize the end user experience. Complaining that they collect this data is like complaining about the people who pick the trash for recyclables and antiques.

      And there is reason to complain in both cases. If the trash digger causes a disturbance, or the ISP forces the user to install software, or causes delays by redirected all

  • Looks like you are clicking a link...

    Cancel or Allow Cancel to view your clicks?

    huh?

    • Anyone else see potential for an Abbott & Costello homage here?

      "What should I do, Cancel Allowing, or Allow Cancel?"
      "Who wants to read your clicks"
      "Cancel"
      "I didn't say to cancel the dialog, I asked who was reading these."
      "I just told you, Cancel."

      The captcha word is Library, which doesn't sell your clicks.
  • Boy if HotSpotVPN is not going to make hay off of this, I don't know what will.
  • Typo (Score:3, Informative)

    by merreborn ( 853723 ) on Friday March 16, 2007 @05:27PM (#18381353) Journal
    That's $0.40 dollars per user, not $40. The cents sign is missing from the summary.
    • by bitt3n ( 941736 )

      That's $0.40 dollars per user, not $40. The cents sign is missing from the summary.

      Except for Verizon customers, who are worth $0.40 cents.
  • Mwahaha, my plan to distort tracking information by clicking on millions of porn links has not been in vain !
    • Yes because if you want to raise eyebrows, be a male clicking on porn links. They'd never expect it!
  • MY ISP knows that I download lots of porn, read slashdot and fark. well, for starters, my ISP serves me those pages. So, um, I'd hope they are involved.

    Though in this case, if they tie names or other identifiers to the data I could see the uproar. I mean we do pay the ISP, so they shouldn't go out of our way to spread our info to others [more than it already is].

    Of course this opens the door to "unlisted" ISP accounts where the ISP doesn't log your data if you pay a premium ...

    oh shit I gave them an idea
    • Yes, you gave them the idea that they can sell you a premium "unlisted" account, then turn around and sell your data anyway. I mean, so far as I'm concerned an honest ISP wouldn't be selling my information in the first place, so why should I believe them when they say they aren't? A decent company would at least have let me know up front, or maybe offered a piece of the action. A discount for the use of my personal information would be nice, hell, my local grocery store does that much.

      Bloodsucking leeche
      • It's typical to all communication providers around the globe. This is what happens when you pay for service rather than for product. Any provider can always (re)invent some bizarre kind of `service', to make you pay more for the same thing. It is just a question of wording.

        P.S. Sure, they will always sell your private data to anyone with an open wallet. No matter what they pretend.

        P.P.S. Any "honest" ISP may easily become dishonest after the mere change of management.
  • ... tracked for each user. Complete Incorporated's CTO David Cancel...

    ... in terms of dollars per ISP user, although someone in the audience estimated that it was in the range of 40 per user per month...

    The company is Compete Inc., and the estimate was 40 cents per user per month.

  • Before my ISP started selling my clicks, they were piling up all over my apartment. I welcome their new plan!
  • This reminds me of something I've been mulling around in the back of my mind a lot lately - I think the net needs to move towards every connection being encrypted. I mean, why are we sending URLs as plaintext in the first place? The only thing my ISP should see is a target IP address and an encrypted stream. Maybe the internet powers that be should be coming up with new IP standards (eTCP?)
  • caching proxies? Wouldn't they skew the collected data?
  • Assuming you think this is a problem (and I'll wager most of us here do), competition can solve this. Some companies can charge more for having a privacy clause in your contract. Others can compete by offering less service but at the expense of your data. Effectively you'd subsidize your internet connection by selling metrics on yourself.

    The only problem, of course, is if fraud is going on: if companies are using the data in a way inconsistent with their agreements.
