Just Looking? ISPs Are Watching You Browse


You’re being watched. What’s more, you’re paying for the privilege. Every time you’re online, your Internet service provider (ISP) is keeping tabs on what sites you visit and how long you stay to create a unique user profile. And while ISPs say they’re not selling this data to companies or handing it over to government agencies, the year-old Snowden revelations and more recently discovered Verizon “perma-cookies” point to something altogether different. So what’s the real story?

Not So Bad?

As noted by Vuze, ISPs have some legitimate reasons to track your browsing habits. For example, the Copyright Alert System (CAS) allows them to detect infringement and protect rights holders, and in Australia ISPs may soon be required by law to store consumer surfing data for two years in an effort to combat cybercrime. Both ISPs and consumers have rallied against the idea, saying it’s invasive and costly, especially in terms of data storage.

In the United States, meanwhile, ISPs aren’t required to track IP and port connections, but many do and many hold on to that information for a period of time, possibly as much as a year or more. Still, this doesn’t sound so bad — basic IP data that’s relatively anonymous could be used to improve service delivery or justify infrastructure expansions.

But here’s the thing: ISPs could do more — much more — if they had a mind to. This includes discovering exactly what kind of content you view, what you write in emails and what you purchase online. Most don’t because of the potential backlash that comes with violating consumer privacy rights, but it’s still a good idea to consider the use of a proxy service or virtual private network (VPN) to make sure there’s no way you can be tracked. Even if you have nothing to hide, companies should have to ask for your cooperation in recording your online movements rather than assume it.

Cookie Monsters?

If that’s where all this ended, with ISPs occasionally tracking you to pad their bottom line or broker deals with big retailers for better customer data, most users would probably chalk it all up as the price of being online. But the discovery of a “perma-cookie” used by Verizon and a similar scheme in development at AT&T has customers feeling ill.

It goes like this: over the last few years, Verizon has been dropping a string of 50 letters, numbers and special characters into all wireless traffic between users and websites. This string forms a consumer’s Unique Identifier Header (UIDH), which Robert McMillan of Wired calls a “short-term serial number that advertisers can use to identify you on the web.” These UIDH strings — and AT&T “tracking beacons” — persist for several days and, unlike regular cookies, cannot be blocked or disabled by turning on private browsing or clearing your cookie cache. Verizon says it doesn’t use the identifiers to form customer profiles and gave consumers the chance to opt out. The caveat? You need to contact the company directly. Using a VPN will also block these cookies, as will encrypted proxy browsing, but it’s possible for proxies to be disabled by ISPs at will.
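To see why clearing cookies does nothing here, it helps to compare the headers a browser sends with the headers the website actually receives. The sketch below is an added example, not part of the original article. It assumes an echo endpoint you control (the hypothetical `echo.example`), uses the header name `X-UIDH` that Verizon used for the UIDH (the article does not give it), and runs on constructed sample values.

```python
# Added example (not from the article): spot headers inserted in transit.
# Assumption: you control an echo endpoint that reports the request headers
# it received. All sample values below are constructed.

# Headers a proxy may legitimately add, drop or rewrite hop by hop.
HOP_BY_HOP = {"connection", "keep-alive", "te", "trailer",
              "transfer-encoding", "upgrade"}
# Verizon's UIDH was delivered in a request header named X-UIDH.
CARRIER_ID_HEADERS = {"x-uidh"}

def normalize(headers):
    """Header names are case-insensitive; compare them lowercased."""
    return {k.strip().lower(): v.strip() for k, v in headers.items()}

def diff_in_transit(sent, received):
    """Compare what the client sent with what the server saw."""
    s, r = normalize(sent), normalize(received)
    return {
        "added": {k: v for k, v in r.items()
                  if k not in s and k not in HOP_BY_HOP},
        "changed": {k: (s[k], r[k]) for k in s
                    if k in r and s[k] != r[k] and k not in HOP_BY_HOP},
        "removed": sorted(k for k in s
                          if k not in r and k not in HOP_BY_HOP),
    }

def carrier_ids(report):
    """Names of added headers that match a known carrier identifier."""
    return sorted(k for k in report["added"] if k in CARRIER_ID_HEADERS)

# Constructed sample: a private-browsing request with no cookies at all.
SENT = {"Host": "echo.example", "User-Agent": "demo/1.0", "Accept": "*/*"}
# What the echo endpoint saw over the carrier's network (constructed
# 50-character value standing in for a real UIDH).
SEEN_DIRECT = dict(SENT, **{"X-UIDH": "A1b2C3d4E5" * 5})
# What it saw when the same request travelled inside a VPN tunnel.
SEEN_VIA_VPN = dict(SENT)

if __name__ == "__main__":
    for label, seen in (("direct", SEEN_DIRECT), ("vpn", SEEN_VIA_VPN)):
        report = diff_in_transit(SENT, seen)
        print(label, "added:", sorted(report["added"]),
              "carrier ids:", carrier_ids(report))
```

The identifier shows up only on the server side of the direct request, which is why nothing stored in the browser can remove it, while the tunnelled request arrives unchanged.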

Who Watches the Watchers?

There is some oversight of ISPs via the Federal Communications Commission, which compels Internet providers to disclose their network management practices under the Open Internet Transparency Rule. The problem? Perma-cookies aren’t illegal, meaning ISPs can keep doing what they’re doing so long as they report their activities to the FCC.

Some popular websites are taking matters into their own hands: as noted by Technology Review, Facebook recently launched a “dark” version of its social media site at facebookcorewwwi.onion. The new site is only accessible using Tor anonymity software and ensures that users won’t be tracked by governments or ISPs, ideal for users in countries that ban social media or government workers concerned about censorship. It’s worth mentioning, however, that Facebook will still be collecting some data about its dark-side visitors, albeit much less than average.

So yes, you’re being watched, and companies are getting bolder. If you prefer anonymity, there are a number of choices: talk to providers directly and opt out of the more onerous policies, browse only “dark” websites or invest in a private network to provide total coverage.