Your ISP is Selling your Data—Despite Swearing Not To

“Netflow Data”—information recording which internet resources you’re talking to—is big business. It’s being traded by brokers, with zero transparency.

But didn’t ISPs promise not to sell it? Well, yes. And then again, no: It turns out these data brokers aren’t precisely “buying” it from your ISP. But it amounts to the same thing.

It depends on the meaning of the word “is.” In today’s SB Blogwatch, we ponder semantic chicanery.

Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: Complaining about psychics.

And VPNs Won’t Help

What’s the craic? Joseph Cox reports—“How Data Brokers Sell Access to the Backbone of the Internet”:

Conflicted
[It’s] an open secret [that] internet service providers quietly give away detailed information about which computer is communicating with another to private businesses, which then sell access to that data to a range of third parties. … “I’m concerned that netflow data being offered for commercial purposes is a path to a dark ****ing place,” one source familiar with the data told [me].

Crucially, this data can be used for, among other things, tracking traffic through virtual private networks, which are used to mask where someone is connecting to a server from, and by extension, their approximate physical location. … “I’m less worried about a bad guy hacker and more worried about a bad guy government or company or politician,” one source familiar with the data said.

They were [also] concerned about the sale of netflow data, but [the data] “also enable security organizations to do some really awesome work. So I’m conflicted about it.”

I hope Karl Bode’s well—“ISPs Give ‘Netflow Data’ To Third Parties, Who Sell It Without User Awareness Or Consent”:

Securing that data is often an afterthought
Technologies like deep packet inspection have allowed ISPs to collect and sell details on every aspect of your online life, [and] then … insist they’re not doing exactly that. [It’s] valuable, and increasingly, it’s being offloaded to businesses who are then turning around and selling it. … ISPs then can tell reporters, “We don’t sell access to user data,” because, technically, they aren’t.

As the name suggests, netflow data details the day to day broader stroke network traffic, whether that’s overall network loads, which servers are talking to one another, network topology, etc. The data is generally beneficial to researchers to understand network and user behavior, and to security experts to help mitigate network attacks.

Thanks to a cross-industry coalition of lobbyists, the United States still doesn’t have even a basic privacy law for the internet era. As a result, any shred of data that can be collected and sold is. Securing that data is often an afterthought, and consumers more often than not have absolutely no transparency into anything.

Mind. Blown? ganoushoreilly’s, too:

The reality
What blows my mind is the number of people signing up for these “VPN” services thinking they’re secure. Time and time again we’ve found that they are logging and if they aren’t, it’s logged at the flow point.

I can say though for a fact that a few of the largest security companies have been paying for strategic access to netflow in the US for years. The reality is there are good arguments pro and against, and that doesn’t even account for any “netflow” visibility US and Foreign Agencies may have.

Time for a colorful metaphor? Aighearach obliges:

It was never actually private
It’s like if you go to a clearing deep in the woods. There is nobody else around.

You might even feel comfortable engaging in private activities. But it is not actually private; another person may pop out of the woods at any time. A hunter may be … watching you from halfway up a tree. You may be being recorded on a trail cam. The people managing the forest may … later build a trail that comes right past “your” clearing.

It was never actually private—merely remote.

A little too colorful? u/battinski puts it another way:

GCHQ and NSA
Let’s assume the ISPs are sharing all the data between each other and pooling it for analysis. … This is going to be a massive and unwieldy amount of data, which they’ll need special tools/powerful systems/cleverness to work through effectively.

Whilst not out of the realm of possibility, it’s not trivial. … I’m sure big players like GCHQ and NSA do stuff but … why would someone consume that energy without a reason?

Worried yet? You should be, says 0x0A1B2C:

Utterly terrifying
This is nothing new in terms of technology. ISPs have a legitimate reason to want to analyze traffic in that context. There is a fairly competitive market for software that ties it all together with DNS monitoring and metadata done through internet scans.

[But] the fact that ISPs are … letting this data out of their control is utterly terrifying.

O RLY? Hyperbole much? “Utterly terrifying”? Well, TheNameOfNick reminds us of this quote:

Hayden
Reminder: “We Kill People Based on Metadata.” … Former Director of the NSA and CIA, General Michael Hayden.

But the guv’mint is here to help us, right? Here’s villgax to hinder them:

It’s only a matter of time
Worldwide governments are starting to seek backdoors/monitoring into everything. It’s only a matter of time before either hardware or OS creators are all compelled.

Meanwhile, u/UnitHistorical8299 isn’t hysterical: [You’re fired—Ed.]

And that’s why I make and use Python scripts that send random HTTP requests to random websites and open random websites on browser clients. My data value is negative lol.

And Finally:

“Psychics … or rather shysters pretending to have psychic abilities”

Hat tip: Invisible Wizard



You have been reading SB Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites … so you don’t have to. Hate mail may be directed to @RiCHi or [email protected]. Ask your doctor before reading. Your mileage may vary. E&OE. 30.

Image sauce: Yogendra Singh (via Unsplash)

Richi Jennings

Richi Jennings is a foolish independent industry analyst, editor, and content strategist. A former developer and marketer, he’s also written or edited for Computerworld, Microsoft, Cisco, Micro Focus, HashiCorp, Ferris Research, Osterman Research, Orthogonal Thinking, Native Trust, Elgan Media, Petri, Cyren, Agari, Webroot, HP, HPE, NetApp on Forbes and CIO.com. Bizarrely, his ridiculous work has even won awards from the American Society of Business Publication Editors, ABM/Jesse H. Neal, and B2B Magazine.
