Online Privacy and ISPs | Institute for Information Security & Privacy, Georgia Tech

Peter Swire, Justin Hemmings, Alana Kirkland; Online Privacy and ISPs; a whitepaper; Institute for Information Security & Privacy, Georgia Tech; 2016-05; 131 pages.
Teaser: ISP Access to Consumer Data is Limited and Often Less than Access by Others

Authors
  • Peter Swire
    • Associate Director,
      The Institute for Information
      Security & Privacy at Georgia Tech
    • Huang Professor of Law,
      Georgia Tech Scheller College of Business
      Senior Counsel, Alston & Bird LLP
  • Justin Hemmings,
    • Research Associate,
      Georgia Tech Scheller College of Business
    • Policy Analyst
      Alston & Bird LLP
  • Alana Kirkland
    • Associate Attorney, Alston & Bird LLP

tl;dr → ISP < Media; ISPs are not omnipotent; ISPs see less than you think; Consumer visibility is mitigated by allowed usage patterns: cross-ISP, cross-device, VPN, DNS obfuscation, encryption.  Anyway, Facebook has it all and more.

Consumer profiling observation is already occurring by other means anyway.

<quote> In summary, based on a factual analysis of today’s Internet ecosystem in the United States, ISPs have neither comprehensive nor unique access to information about users’ online activity. Rather, the most commercially valuable information about online users, which can be used for targeted advertising and other purposes, is coming from other contexts. Market leaders are combining these contexts for insight into a wide range of activity on each device and across devices. </quote>

<translation> The other guys are already doing it, why stop ISPs? </translation>

ISP Surveillance/Observation of Consumers is neither Comprehensive, nor Unique

<quote> The Working Paper addresses two fundamental points. First, ISP access to user data is not comprehensive – technological developments place substantial limits on ISPs’ visibility. Second, ISP access to user data is not unique – other companies often have access to more information and a wider range of user information than ISPs. Policy decisions about possible privacy regulation of ISPs should be made based on an accurate understanding of these facts. </quote>

<view> It’s unargued why comprehensive or unique are bright-line standards of anything at all. </view>

Mentions

Claims

  • ISPs < Media
    The dumb-pipe, bit-shoving, ISPs see less than media services, who see semantic richness.
  • Cross-device is the new nowadays.
  • Encryption is everywhere.

Definitions

Availability
  • a technical statement
  • contra “use” which is an action by a person
Cross-Device Tracking
Deterministic
Logged-In, Cross-Context Tracking
Probabilistic
Not Logged-In, Cross-Context Tracking
Cross-Device Tracking
  • Frequency Capping
  • Attribution
  • Improved Advertising Targeting
  • Sequenced Advertising
  • Tracking Simultaneity
Limits the use of “data” (facts about consumers)
  • at the point of collection
  • at the point of use
Location of a consumer
  • Coarse contra Precise
  • Current contra Historical

Summary

The document has both a Preface and an Executive Summary, so the journeyperson junior policy wonkmaker can approach the material at whatever level of complexity their time budget and training afford.

Preface

  • Technological Developments Place Substantial Limits on ISPs’ Visibility into Users’ Online Activity:
    1. From a single stationary device to multiple mobile devices and connections.
    2. Pervasive encryption.
    3. Shift in domain name lookup.
  • Non-ISPs Often Have Access to More and a Wider Range of User Information than ISPs:
    1. Non-ISP services have unique insights into user activity.
    2. Non-ISPs dominate in cross-context tracking.
    3. Non-ISPs dominate in cross-device tracking.

Executive Summary

  • Technological Developments Place Substantial Limits on ISPs’ Visibility into Users’ Online Activity:
    1. From a single stationary device to multiple mobile devices and connections.
    2. Pervasive encryption.
    3. Shift in domain name lookup.
  • Non-ISPs Often Have Access to More and a Wider Range of User Information than ISPs:
    1. Non-ISP services have unique insights into user activity.
      • social networks
      • search engines
      • webmail and messaging
      • operating systems
      • mobile apps
      • interest-based advertising
      • browsers
      • Internet video
      • e-commerce.
    2. Non-ISPs dominate in cross-context tracking.
    3. Non-ISPs dominate in cross-device tracking.

Table Of Contents

Online Privacy and ISPs: ISP Access to Consumer Data is Limited and Often Less than Access by Others

Summary of Contents:

  • Preface
  • Executive Summary
    • Appendix 1: Some Key Terms
  • Chapter 1: Limited Visibility of Internet Service Providers Into Users’ Internet Activity
    • Appendix 1: Encryption for Top 50 Web Sites
    • Appendix 2: The Growing Prevalence of HTTPS as Fraction of Internet Traffic
  • Chapter 2: Social Networks
  • Chapter 3: Search Engines
  • Chapter 4: Webmail and Messaging
  • Chapter 5: How Mobile Is Transforming Operating Systems
  • Chapter 6: Interest-Based Advertising (“IBA”) and Tracking
  • Chapter 7: Browsers, Internet Video, and E-commerce
  • Chapter 8: Cross-Context Tracking
    • Appendix 1: Cross-Context Chart Citations
  • Chapter 9: Cross-Device Tracking
  • Chapter 10: Conclusion

Mentions

  • HTTPS
  • Interest-Based Advertising (IBA)
  • Tracking
  • Location
    • Coarse Location
    • Precise Location
  • Natural Language Conversation Robots (a.k.a. ‘bots)
    • Siri, Apple
    • Now, Google Now
    • Cortana, Microsoft

Argot

Also see page 124 of The Work.

  • Availability → contra Use
  • Big Data → data which is very big.
  • Broadband Internet Access Services → an ISP, but not a dialup service
    as used in the Open Internet Order, of the FCC, 2015-24, Appendix A.
  • Chat bot → <fancy>Personal Digital Assistant</fancy>
  • Cookie
  • CPNI → Customer Proprietary Network Information
    47 U.S.C. §222. Also, the regulations under Section 222 are at 47 C.F.R. § 64.2001 et seq.
  • Cross-Context
  • Cross-Device
  • DNS → Domain Name Service
  • DPI → Deep Packet Inspection
  • Edge Providers → smart pipes, page stuffing, click-baiting; e.g. Akamai, CloudFlare, CloudFront, etc.
  • End-to-End
    • Argument
    • Encryption
  • Factual Analysis → this means something different to lawyers contra engineers.
  • FCC → Federal Communications Commission
  • Form
    Form Autofill, a browser feature
  • FTC → Federal Trade Commission
  • FTT → Freedom To Tinker, a venue, an oped
  • GPS → Global Positioning System
  • HTTP → you know.
  • HTTPS → you know.
  • IBA → Interest-Based Advertising
  • IP → Internet Protocol
    • Address
  • IoT → Internet of Thingies Toys Unpatchables
  • IRL → <culture who=”The Youngs”>In Real Life</culture>
  • ISP → Internet Service Provider
  • Last Mile, of an ISP
  • Location
    • Coarse → “city”- “DMA”- or “country”-level
    • Precise → an in-industry definition exists
  • Metadata → indeed.
  • OBA → Online Behavioral Advertising
  • Open Internet Order, of the FCC.
  • OS → <ahem>Operating System</ahem>
  • Party System
    • First Party
    • [Second Party], no one cares.
    • Third Party
    • [Fourth Party]
  • Personal Information → the sacred stuff, the poisonous stuff
  • Personal Digital Assistant → a trade euphemism for NLP + command patterns for IVR; all the 1st-tier shops have one nowadays.
    • Siri → Apple
    • Now → Google
    • Cortana → Microsoft
  • Scanning
  • Section 222, see Title II
  • SSL → you mean TLS
  • Title II, of the Telecommunications Act.
    • Section 222,
  • Tracking
    • (Across-) Cross-Context
    • (Across-) Cross-Device
  • TLS → you mean SSL
  • UGC → User-Generated Content (unsupervised filth; e.g. comment spam)
  • URL → you know.
  • VPN → run one.
  • WiFi → for some cultural reason “wireless” turns into “Wireless Fidelity” and “WiFi”
  • Working Paper → an unreviewed work product.
  • Visibility → bookkeeping by the surveillor observer.

Actualities

References

Of course, it’s a legal-style policy whitepaper. Of course there are references; they are among the NN footnotes. In rough order of appearance in the work.

 
