Behind the Line: Your ISP selling your history?
I’m not one to wax political here, but the recent rule changes to allow Internet Service Providers to sell your data has smacked me in the face with so much misinterpretation right where I live that I want to set a few points straight. First of all, yes, I know my description is an oversimplification. There are great technical breakdowns of what ISPs may or may not be able to do now elsewhere from people who can word it better than I can. Here’s one. As usual I’m here to look at things from an underrepresented angle. I’m not going to say if this is good, or bad, but try to cut to some more truth of the matter. If you wish to be upset about it, it’s best to have your bases covered and your criticisms as accurate as possible.
Misconception 1 – ISP vs Website
I’ve heard it said that websites have been able to sell your history already. It’s a bit difficult to confirm that at the moment because the ISP news is drowning out search results. Presuming that this is correct, the argument is “You have to use your ISP, but you don’t have to use google.com or facebook.com, so that website doesn’t have your data.”
You can send data to all kinds of websites or services that you’re not connecting directly to. I’ve talked about analytics before, and will again, and there are services tied in all over the place to track stuff. Sometimes it’s directly to google or facebook when you load an unrelated page. I loaded SBNation with a logger on, and check out how many other services were called:
A lot of these are external resources for pictures, or ads, but really, any ad you see is coming from someone watching your browsing habits already. Websites get that data and try to offer you stuff you want. It’s how the internet makes money there. The absence of that kind of business intelligence contributed to the .com crash, people assuming that standard ad models would apply in the new medium.
So yes, your data is out there whether your ISP does something with it, or not. Remember, you’re the one going to their site and doing stuff. This isn’t exactly like someone spying on you. This is more like people recording what you told them. Sure, that can be creepy too, but it’s not the same thing.
Misconception 2 – HTTPS will protect me
So, if the ISP can track your data, I can use HTTPS with SSL encryption to protect my data. Encrypted means other people can’t read it, so I can browse and search HTTPS stuff without the ISP seeing, right?
SSL will encrypt the data itself that is being transmitted, that’s true. But, if you’re worried about people looking in on your… let’s say late night browsing habits, that only protects the contents, not the address. In another analogy, SSL is like a security envelope. It makes it harder to read what’s inside the envelope, even if you hold it up to the light, but you can still see the to and from addresses. Think about it, for your ISP to connect you to the site, it HAS TO HAVE the web address you’re going to. This includes searches. Most of those are transmitted in the URL in plain text. Even Google searches function like that. For example:
That’s a secured and encrypted connection, so the ISP won’t see that the first result is my archives, but they know my IP address searched for it. And speaking of my IP address…
Misconception 3 – Personally Identifiable Information
There’s also the thought that YOU have a fingerprint that your browsing history is tied to. If someone wants to look up information about what you, singularly you, as an individual, has done online that they will now be able to pay an ISP to get that.
We aren’t in the AOL days where you have to have an individual log in to get internet access. We’re in an age of Wi-Fi access points, mobile data, dynamic IPs, and information security. You can access the internet from anyone else’s IP address, and other people can access from your IP address. Will my ISP know that I connected to listen to Hero Talk on Podbean when on a public open Wi-Fi access point? No, because they have nothing to tie that together to when I’m listening to Point Streak at home. They also can’t connect that to when I’m watching Vega Goose Says at work. Each of these would be on different devices, from different access points with different IP addresses.
I’ll concede that it could conceivably be possible to do a lot of work to find little things to tie your data together, but that is prohibitive. You would need to have some idea of where to look to tie one event from one website to another event from another website. It would be easier and cheaper to hire a private investigator. But this again transitions to another point
Misconception 4 – Data Mining
Even with all these limits, now an ISP can start selling off my data like to the highest bidder, right?
Sure, there can be a lot of data available that can be sold, but we’ve already seen that to identify your data is not easy. Furthermore it’s difficult to arrange data to make it easy to work with. It has to be organized, and you have to be able to query it accurately and efficiently. And this is all true just for one game’s data, much less the entire browsing data from an ISP, or one user. The amount of data that an ISP would have to capture constantly would be absolutely staggering.
Consider, how much data is on the internet? How many times does that data go from one place to another? If truly all of the data was going to be saved, then an ISP would have to save some significant portion of the size of the internet daily. So keep in mind that it would never be all of the data, just that high level data like your URLs, because analytics primarily works in aggregate data, not personal data. Speaking of…
Misconception 5 – Care in personal vs aggregated data
But with all of this tracking going on, won’t they be tracking my own personal data?
Data for an individual is not very useful when tracking data like this. As a service provider I’m not interested in what one person does. I’m interested in what hundreds, thousands, or tens of thousands of people do. If I can say “everyone in the Los Angeles area under 25 does this at least once a day”, that’s useful because it represents a significant amount of traffic. On the other hand if I say one person does it 50 times a day, that may be a lot for one person, but it’s not a lot compared to the group. However, if you could find something that tied together everyone who does it more than 25 times per day, that would be significant, because then you could target ads to them, or do something to keep them engaged in this widget.
I’ve dealt with data. Not a lot, and not at many places, but I have. In my experience there is almost no concern about an individual. We want to know global trends. Have the information boiled down into a dashboard with a few charts showing critical metrics. There are SO many people, and SO much data, that it is prohibitive to try to pry into it on an individual level. It’s simply not profitable to do so anyway.
Bonus Misconception – Private Browsing
So, I can use the private browsing setting on my browser, right?
Private browsing will only prevent you from saving local data. It will still send all the same data to others. Your browser tells you that when you enter private mode.
If it sounds like I’m defending this motion, that’s not my intention. I’m merely trying to dispel misconceptions about what this means. Even with all of these limitations, there is a path for this information to be abused. Everyone should be aware, though, that a good portion of this data is already available to abuse through different channels. So, if you’re of the opinion that this is crossing the line, you should be aware that we were probably already over the line. This headline is merely shining a spotlight on the issue. Also, should this wind up rescinded at some point, be sure to think about the other angles associated with it, because that alone may not take us to where you think we should be.
Kynetyk is a veteran of the games industry. Behind the Line is written to help improve understanding of what goes on in the game development process and the business behind it. From “What’s taking this game so long to release”, to “why are there bugs”, to “Why is this free to play” or anything else, if there is a topic that you would like to see covered, please write in to firstname.lastname@example.org