Educational CyberPlayGround ®

Isp's Spy On You

1/26/2012 Big Brother 2.0 Minority Report is real: FBI wants to use social networks to prevent future crime and everyone is a target. Here's how the FBI envisions the app working: The information gathered from news and social media outlets would be overlaid onto a digital map, pinpointing the location of the “breaking events,” along with all other relevant contextual data. Additional information, including US domestic terror data, worldwide terror data, the location of all US embassies, consulates and military installations, weather conditions and forecasts, and traffic video feeds, would also be overlaid on the map. All of that seems fairly straight forward. In fact, we are surprised the FBI doesn't already have such an application at their disposal, since all of the features it outlines are well within the capabilities of a skilled software development team. Not to mention the fact that much of what the FBI hopes to use already exists in different parts. Websites like OpenStatusSearch.com, YourOpenBook.org, TweetScan.com and Tweepz.com make it possible to quickly and easily search for key words being posted publicly to Twitter and Facebook. All the FBI's dreamed-up app would do is combine these features into a single product, and expand them with additional governmental and law enforcement data, and mapping tools. However, the FBI doesn't just want to know about what's happening now; it also wants to predict events that are about to happen — to predict the future. If that sounds suspiciously like Minority Report, you're not alone.
" Social media will be critical to meeting the intelligence objectives stated above because it provides unique access to communications about the special event [i.e. political conventions, national holidays, or sporting events] in advance of its occurrence," reads the RFI.

Massive Tracking of Web Users Planned -- Via ISPs!
PRIVACY Forum Digest Thursday, 20 April 2000 Volume 09 : Issue 13 http://www.vortex.com/privacy/priv.09.13
Moderated by Lauren Weinstein (lauren@vortex.com)
Vortex Technology, Woodland Hills, CA, U.S.A.
http://www.vortex.com


===== PRIVACY FORUM =====
<snip>

Date: Thu, 20 Apr 2000 18:04:08 -0700 (PDT)
From: lauren@vortex.com (Lauren Weinstein; PRIVACY Forum Moderator)
Subject: Massive Tracking of Web Users Planned -- Via ISPs!


Greetings.


This is not a delayed April Fools' Day joke. It's all too real, and I assume that you're already sitting down. Picture a world where information about your every move on the Web,including the sites that you visit, the keywords that you enter into search engines, and so on, are all shipped off to a third party, with the willing cooperation of your Internet Service Provider (ISP). None of those pesky cookies to disable, no outside Web sites to put on block lists--just a direct flow of data from your ISP to the unseen folks with the dollar signs (or pound, yen, euro, or whatever signs) gleaming brightly in their eyes behind the scenes. You'll of course be told that your information is "anonymous" and that you can trust everyone involved, that you'll derive immense benefits from such tracking, and that you have an (at least theoretical) opt-in or opt-out choice.

But just for some frosting on the cake, also picture that if you avail yourself of the opportunity not to participate in such tracking (via opt-out or opt-in choices), that you either cannot use the associated ISPs at all, or will be faced with paying significantly higher fees than persons who are willing to play along with tracking.

As you have no doubt guessed by now, this is not a theoretical scenario. We're on the verge of starting down the slippery slope to this end right now, with the imminent operations of Predictive Networks www.predictivenetworks.com and other similar businesses also in the works.

When I recently learned about Predictive (which has apparently been established for some time and seems to be well funded), I naturally visited their Web site, which was sadly lacking in obvious specifics such as an actual posted privacy policy. (I've since been told that this is a temporary condition which will shortly be remedied.) I spoke briefly with the firm's president and had a much more detailed chat with his V.P. for Business Development, and received an e-mailed copy of their privacy privacy. Both of these fellows were polite, cordial, and willing to provide me with the information I desired about their plans.

Unfortunately, the more that I learned from these sources, the increasingly concerned I became. In brief, Predictive's business is to engage ISPs (not just "free" ISPs where usage tracking has become typical, but conventional fee-based ISPs as well) in arrangements where the ISP will directly feed Web usage data to Predictive. The firm also claims to be working with Internet backbone providers. To quote from Predictive's privacy policy:

"Predictive Networks uses Digital Silhouettes to match Internet content and advertising with appropriate subscriber recipients. As a result, subscribers receive information that appeals to their current needs and interests. To develop a Digital Silhouette, The Predictive Network analyzes URL click-stream data, such as web pages visited, and date and time of visit. URLs are then evaluated against more than 120 affinity and demographic categories, and assigned a score between zero and one. The resulting Digital Silhouette is simply an anonymous set of numerical probabilities inferred from subscriber behavior. URL histories are not permanently stored and the data in the Digital Silhouette is not personally identifiable."
and:

"To provide subscribers with content most relevant to their current interests, The Predictive Network may retain key words from Internet searches. These key words are attached to the subscriber's anonymous Digital Silhouette and, like the Digital Silhouette itself, are not personally identifiable. The Predictive Network also gathers data about a subscribers' response to messages and content, which is used to fine-tune future messages and message format."

It is Predictive's contention that they do not maintain an ongoing history of sites visited (URLs), and that the Digital Silhouettes are maintained in an "anonymous" fashion--so they feel that there is no violation of users' privacy.

But outside of the fact that keyword search terms *themselves* can often contain personally-identifiable or other sensitive data, also note from the Predictive privacy policy that:

"To optimize the format of the content delivered to subscribers, the anonymous Digital Silhouette may include specifications about the subscriber's computer, such as processor type, browser plug-ins and available memory. For some of our ISP partners, Predictive Networks may provide a built-in dialer system. Should an ISP select this option, The Predictive Network may require subscribers to furnish their ISP user name and password. This information will be used strictly for account authentication purposes and will not be associated with the subscriber's anonymous Digital Silhouette. Our ISP partners can also the leverage the power of The Predictive Network for customer service purposes. Should a subscriber's ISP select this option, the ISP user name may be matched with the Digital Silhouette ID number. This will allow The Predictive Network to send specific individuals important customer service information. In addition, some subscribers may elect to have email service from their ISP. Subscribers on The Predictive Network that choose this option may be required to supply Predictive Networks with their email address. This information is used for email notification only."

In other words, there is a variety of personally-identifiable information that you may need to provide to Predictive at various times, and you are expected to trust Predictive not to purposely or accidentally misuse this data. You also must trust that Predictive will not associate this information with your "Digital Silhouette" in any manner--nor let anyone else make such an association. One wonders what would happen in the face of a court order to provide associated data for a civil or criminal proceeding or investigation.

Most of the familiar problems we've seen in the past with so-called "anonymous" tracking systems are present in this case. Privacy policies can be changed at any time (e.g., the recent DoubleClick fiasco). Detailed data that is theoretically discarded in the process of building "anonymous" profiles could be preserved at any time, simply through software alterations. The very *existence* of these sorts of data collection and tracking infrastructures is of great concern. Even with the best of intentions, the possibility for abuse is impossible to ignore--and as we know there is a vacuum of laws to provide consumers with useful protections in these areas.

Predictive claims that all of this effort is to bring better services to Web users. Their apparent view is that tracking people's usage to figure out what sorts of ads to send them is far better than simply *asking* people to select the sorts of materials that they might wish to receive.

Of course, whenever you use automated techniques to try figure out what people want based on the Web sites they happen to visit, there is the possibility of embarrassing errors. For example, people may be suckered into pornography sites by misleading banner ads, and not be at all interested in receiving adult-oriented advertising. Similar errors relating to other topic areas can occur from any number of the inadvertent Web sites that all of us hit in the process of typical Web browsing. Predictive will let people see the profiles that have been built about them--but sometimes you'll have to *pay* for the privilege! There are other interesting catches as well:


"In developing our anonymous subscriber Digital Silhouettes, Predictive Networks captures, analyzes and then discards URL click-stream data. While we do not permanently retain a record of each subscriber's usage, we can, upon request, make their Digital Silhouette available to them for review. Any subscriber on The Predictive Network has the right to view their Digital Silhouette free of charge twice during the calendar year. Subscribers will be charged $50.00 per request thereafter. Subscribers can obtain a copy of their Digital Silhouette by emailing Predictive Networks ilhouette @ predictivenetworks . com. The email request must contain the subscriber's anonymous ID number, which can be found on their computer by holding down the shift key and right-clicking on about. The corresponding Digital Silhouette will be emailed back to the subscriber within approximately ten business days. Subscriber should note that by emailing Predictive Networks, they may be "identifying" themselves to the Company. While we do not incorporate this information into our Digital Silhouettes, we do maintain a separate record of Digital Silhouette requests for accounting and billing purposes. Should a subscriber object to any or all of the information contained in their Digital Silhouette, they can opt-out of The Predictive Network permanently, or opt-out and re-register, which will erase the existing Digital Silhouette and begin a new one. Again, Predictive Networks urges subscribers to consult their Internet service provider before opting-out as doing so may affect their Internet service and/or their Internet service rate."


The last sentence above is of *special* interest to the question of how "optional" this tracking really would be. It is apparently Predictive's intention to encourage ISPs, both free and the conventional fee-based types, to partner with them to create new revenue streams for the ISPs (and for Predictive, of course). It would appear to be the plan that in most cases any use of free ISPs who have associated themselves with Predictive would be predicated on your acceptance of the tracking. You can opt-out, or refuse to opt-in, but then you can't use the ISP. Not much of an option! The details about the tracking may also be buried within an ISP's own privacy or other policy statements, making it even less likely that most people will ever bother reading or understanding all of the detailed ramifications of their using these systems.

It also appears to be Predictive's intention to encourage fee-based ISPs to offer lower rates to users willing to be tracked. This can rapidly degrade into a coercive situation where users who do not wish to participate in such tracking will be forced to pay ever higher rates simply to maintain the same level of privacy and non-tracking that they had in the first place (as the immortal Alice learned, "running faster and faster to stay in the same place"...) Can ISPs resist this temptation? If not, the *fundamental* structure of the Internet and Web will be permanently changed in a manner that could make reasonably-priced, non-tracked Internet access a rapidly fading memory, and make all of the abuse potentials of these tracking technologies the status quo engrained within the Internet infrastructure.

After Predictive gets their privacy policy online at their Web site, I urge everyone interested in these issues to read the entire text. There are many other interesting sections, such as how they're dealing with the issue of tracking children under the age of 13 (vis-a-vis the new Federal Trade Commission regulations on this topic). Basically, Predictive says that you either must keep such children away from the computer, or must agree that it's OK for the children to be tracked. It's all or nothing.

Predictive of course says that they are very concerned about privacy. They told me that they're forming a "privacy advisory board"--and so on.

I have a different suggestion. How about if the users of the Internet and World Wide Web, the millions and soon billions of individuals, take a stand while we still have the opportunity? We still have the chance to say that our personal information is our own and that our Web browsing behavior is private. We may yet be able to successfully assert that we won't be manipulated, coerced, or otherwise "bribed" into allowing our Web activities to (as "The Prisoner" put it) be "pushed, filed, stamped, indexed, briefed, debriefed, or numbered!"
The Internet and Web have tremendous commercial potential. But it can be achieved ethically and without the use of obnoxious technologies that are being shoved down our throats like feed for animals destined for the dinner table. The firms who view the Internet as little more than a "cash cow" are already placing the software rings in our noses in an effort to see us made easier to manipulate and control.


The stink of the slaughterhouse may not be far away.


--Lauren--
Lauren Weinstein
lauren@pfir.org or lauren@vortex.com
Co-Founder, PFIR: People for Internet Responsibility - http://www.pfir.org
Moderator, PRIVACY Forum - http://www.vortex.com
Member, ACM Committee on Computers and Public Policy
------------------------------
End of PRIVACY Forum Digest 09.13
************************