Poisoning Charter’s wiretapping data

Ever since I heard about Charter’s intention to capture my personal browsing habits and sell them to advertising companies, I’ve been looking for ways to protect my privacy against my own ISP. It’s not something any customer should have to do, and it says a lot about both Charter Communications and the elected representatives in the United States that we as customers find ourselves in this position.

Because of the specific manner in which Charter and NebuAD wiretap our connections, there is no way to route traffic around their snooping. We could use proxy servers, but there’s no guarantee that their deep packet inspection process couldn’t derive our intentions even from that. We could use encrypted proxies, but the average speed of a public encrypted proxy defeats the purpose of having broadband access anyway. We could just opt-out, but that’s a complete farce and would only give Adblock Plus new content to shut down. No, there just doesn’t seem to be a good technical way to get around Charter’s illegal monitoring program.

So why not just poison the data?

I’ve written a script which will access a random website, then randomly follow random links from that random website 30 times. It is called by a second script every minute which launches several iterations of the poisoning process, which runs several instances of the poisoning script concurrently. The result is a quick burst of activity which will mask any legitimate traffic my wife or I put on Charter’s system. Since NebuAD has no way of telling the requests apart, the categorical interests which Charter and NebuAD assign to our household, and thus our advertising stream, will be completely useless to anyone.

It’s a shame that my only defense to being monitored by a private company in violation of several federal laws is to build a Linux workstation and script a custom solution. But that’s how it is, and until we either convince Charter to end their illegal wiretapping program or put them out of business, my Linux machine will visit thirty-one web pages five times every minute.

That’s 155 pages per minute. 9,300 pages per hour. Over 220,000 pages per day.

You can download the poisoning script for yourself here. Feel free to modify and redistribute. If you find a way to significantly improve upon it, please send me a copy so that I can make it available.
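
An added example of the random-walk step described above (one starting page plus 30 followed links, 31 requests per run); it is not the downloadable script from this post. The function names, the injectable `fetch` callable and the `example` hosts are assumptions, and the page data is constructed so the walk runs offline.

```python
import random
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

class LinkParser(HTMLParser):
    """Collects the href value of every <a> tag."""
    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            href = dict(attrs).get("href")
            if href:
                self.hrefs.append(href)

def extract_links(base_url, html):
    """Return absolute http(s) links in html, de-duplicated, in page order."""
    parser = LinkParser()
    parser.feed(html)
    seen, links = set(), []
    for href in parser.hrefs:
        url = urljoin(base_url, href).split("#")[0]   # resolve and drop fragment
        # Skip mailto:/javascript: links, self-links and repeats.
        if (urlparse(url).scheme in ("http", "https")
                and url != base_url and url not in seen):
            seen.add(url)
            links.append(url)
    return links

def random_walk(seeds, fetch, hops=30, rng=random):
    """Request a random seed, then follow `hops` random links.
    A dead end or failed fetch restarts the walk from a random seed.
    Returns the URLs requested, in order (1 + hops entries)."""
    visited = []
    url = rng.choice(seeds)
    for _ in range(hops + 1):
        visited.append(url)
        try:
            links = extract_links(url, fetch(url))
        except Exception:
            links = []
        url = rng.choice(links) if links else rng.choice(seeds)
    return visited

# Constructed sample pages (hypothetical hosts) standing in for real sites.
SAMPLE_PAGES = {
    "http://a.example/": '<a href="/news">n</a> <a href="http://b.example/">b</a>',
    "http://a.example/news": '<a href="mailto:x@a.example">m</a> <a href="#top">t</a>',
    "http://b.example/": '<a href="page2.html">p</a> <a href="javascript:void(0)">j</a>',
    "http://b.example/page2.html": "no links here",
}

def sample_fetch(url):
    return SAMPLE_PAGES[url]   # KeyError on unknown URLs acts as a failed request

if __name__ == "__main__":
    trail = random_walk(list(SAMPLE_PAGES), sample_fetch, rng=random.Random(1))
    print(len(trail), "requests; first five:", trail[:5])
```
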

My letter to The Consumerist

A letter I wrote to The Consumerist a few days ago was just published as an update to their previous coverage of Charter’s illegal wiretapping program. It’s good that they’re covering this, because Charter doesn’t seem to understand that their customers are pretty much universally pissed. Here’s my letter (areas highlighted by The Consumerist have been left as such):

Dear Consumerist,

I spent a long time last night looking into the way Charter is handling this program, and based on their own explanation it’s obvious that the cookie is not a “real” opt-out. Here’s why.

When a customer clicks a link, advertisement, or visits a page, Charter will capture the browsing data and send it to the third-party advertising provider. If Charter wanted to offer a functional opt-out, it would be at this deep-packet inspection level. They do not offer a way out of that service, however. The only thing they offer is the cookie-based solution you’ve previously covered, which merely tells the third-party organization not to match the machine with the DPI-harvested data or deliver the advertising. Customer browsing is still being captured and is still being turned over regardless of anyone’s individual opt-out status, but the third party is just blocked from doing anything with it by the cookie.

I might also point out that by doing this Charter is explicitly requesting that their customers choose not to follow safe browsing best practices. Every modern browser available today has an option for clearing cookies when the browser is closed, and many people choose to take advantage of this practice, myself included. Charter is demanding that I and many others either fill out their form several dozen times per day (every time we open our browser) or specifically switch off browsing features intended to keep customers safe. Neither of these is acceptable, of course.

I am going to contact Charter’s executive team again this morning on the matter, as well as an attorney. I have not been notified of Charter’s changes through a letter or email, and learned about this program last night via other means. Having read through the Cable Privacy Act, which governs Charter’s use of personally identifiable information, I have discovered no fewer than three potential violations. Moreover, Charter is required by law to make any collected data available to its customers, so I would suggest that all Charter customers request their DPI browsing data on a daily basis, and file appropriate complaints when they fail to deliver it as required by law.

They’re not going to stop doing this until or unless they lose more money than they make on it. We have vehicles available to us to lose them vast sums of money on this project, if only the word gets out.

I did contact an attorney here in town, but he flat-out refused to consider the case. Maybe his being on the Chamber of Commerce, which bears partial responsibility for saddling me and my neighbors with the scourge that is Charter Communications by granting them a monopoly, had something to do with his decision. Congress has since gotten involved, so I’m going to wait before I call another one. We might yet still get out of this without individual legal action being necessary.

Wired breaks down Charter’s pretend “opt-out”

Wired has done a great job of covering Charter’s new anti-customer-privacy advertising initiative, but their offering today simply takes the cake. Chock full of technical information, Wired takes a deep look at the technology employed by NebuAD in their collusion with Charter to spy on everything we broadband subscribers do online.

From the article:

NebuAd’s appliance categorizes users and their interests, and then uses the data to customize ads on the internet. Charter says the device will not actively inject NebuAd’s advertising into web sessions, but rather NebuAd will provide the profile information to third-party advertisers already paying to place their ads on major websites.

So now we’re learning that Charter sells our information to NebuAD, who then makes it available to even more companies? At exactly what point is the customer’s privacy taken into consideration in this chain of events? Is it before or after the data gets sold to NebuAD, who has no legal obligation not to resell your habits to every data-mining house on the planet?

Charter’s own opt-out page is careful not to claim that opted-out users won’t be monitored, saying only that if a user “would like to opt-out of this process” an opt-out cookie means they “will no longer receive ads that are tailored to your web preferences, usage patterns and commercial interests.”

Indeed, it is possible that the cookie system works to prevent opted-out users from receiving the third-party ads, and it could stop NebuAd from sharing a user’s profile with third-party ad networks — assuming those networks include a NebuAd image file, or some other embedded code, in the ads they serve on the web. But NebuAd’s claim that you can opt-out of the surveillance itself remains unexplained.

But don’t worry. I’m sure Ted Schremp has six or seven different explanations he can offer on the matter, each one more puppy dog and rainbow than the last.

In all seriousness, Charter Communications commits a federal crime every time it collects data on a customer which isn’t used to enhance their service. They commit a second federal crime every time they sell our information without our express consent allowing them to do so. Once the information is in NebuAD’s hands, though, they can do whatever they want with it. They’re not explaining their opt-out system because, to be blunt, they’re not under any obligation to reveal anything at all about it. Charter is the one on the hook for committing the crimes, so why not just let them lie about it?

There are also lingering questions about whether NebuAd’s systems are as non-invasive as described. A patent application filed by the company in March 2007 describes a monitoring system that actually manipulates data packets and replaces advertisements on third-party websites with their own ads.

Finally, Charter gets company as NebuAD commits federal copyright violations!

The legality of eavesdropping on Americans’ internet usage also isn’t clear. The practice could violate anti-wiretapping law, according to recent analyses of the legality of academic internet research, because the law says an ISP is only allowed to monitor its customers for security reasons.

Could violate the law? If the law says that an ISP can only monitor customers for security reasons, but Charter monitors its customers in order to sell their surfing habits for increased profits, then how exactly is that a matter of “could”? If I’m not mistaken, that’s a pretty direct violation.

But why wait for the lawyers to settle that? Charter wants to monitor you now.

Another Ted Schremp interview, this time with extra BS!

Ted Schremp, senior vice president of product management and strategy, is back again today with a second interview, this time with CNET’s Declan McCullagh. This time he claims that Charter’s program does not utilize deep packet inspection, and that their new “enhanced service” is no different than giving their customers faster broadband speeds at no additional cost.

From the article:

Q: If you’re conducting deep packet inspection, that means you know what data your customers are transferring. Are you going to look for evidence of copyright infringement, child pornography, and so on as well?

The enhanced advertising solution does not utilize deep packet inspection. It looks at URL level information only. That’s another point of misinformation on the Net.

Q: You’re saying that URL-level information is not deep packet?

Suffice it to say that we’re using URL-level information only.

Huh, so I guess all of those articles out there on every other technical site and in every other interview, including the patent data from NebuAD itself describing their deep packet inspection model, are only “misinformation” and the program isn’t really using deep packet inspection after all. Is it just me or does this Ted Schremp guy sound like he feasts on a big bowl of bullshit in the morning before he starts giving interviews just so his breath smells right for the occasion?

Q: If you’re getting a new stream of revenue from NebuAd, does that mean lower prices for your customers?

As we’ve gone into these pilots, we’ve conducted a series of focus groups to help us understand from their perspective, does this technology add value to their Internet experience, talk through privacy concerns, and so on. What our customers have shared with us is that they understand the fact that advertising is part of the Internet model. To the extent that fuels the economics behind the Internet, they understand that. They appreciate the notion that ads that are being served are attuned to their interests or potential interests.

We view it the same way as offering faster Internet speeds. This is no different. It’s about taking the latest technology and applying it as a way to be useful to our customers.

Schremp regularly talks about these focus groups, which must have been made up of hand-selected individuals chosen for their complete lack of understanding about the Internet, privacy, and technology. Based on the comments and articles I’ve seen, the only thing that Charter’s customers have confronted them with is negativity regarding this program. Of course Schremp has been programmed from birth to ignore negativity when presented with a better, less comprehensible company line, and proves once again in this interview that he is the perfect man to be selling this “enhancement” to Charter customers. It’s a wonder they aren’t actually raising prices over this.

And for the record, none of the Charter customers or technical service associates I’ve spoken with consider this on par with offering faster speeds. I don’t understand how spying on your customers, selling their private information to an advertising company, then lying through your teeth about how you’re going to collect, store, transmit, and secure their data is on par with bumping up your broadband rates. But then again I’m no Ted Schremp.

The key from our perspective is that we’re very customer-oriented in everything we do. The privacy concerns and the ability of our customers to opt-out and the fact that we’re talking today is indicative of that as well. We want to be very clear that they have a choice.

That’s great, Ted. Now exactly where can I exercise my choice not to be a part of your illegal wiretapping program?

Broadband Reports covers Charter’s new program

Broadband Reports has a new article up about the NebuAD program too. It seems that everyone is getting in on the action now that Charter has made itself such a target for people concerned about online privacy. The article also addresses one of the many problems with the opt-out provided by Charter and NebuAD.

From the article:

Of course Charter’s FAQ on the service fails to inform customers that the cookie doesn’t stop them from tracking you, just from sending you personalized ads. Interestingly, Charter’s opt out form doesn’t bother to tell customers the name of the company (I assume it’s NebuAD, whose CEO I interviewed last February).

We know for sure that the company is indeed NebuAD. The article is also correct in that using the opt-out does not actually stop Charter from tapping your Internet connection, building an electronic dossier on your interests, then selling that information to NebuAD. Your request to be excluded from the system only impedes the advertising from actually being displayed in your browser. Behind the scenes, your privacy is still violated regardless of whether you opt out or not. Don’t count on Charter telling you that though. In this case, obscurity is their friend.

And although the story at Broadband Reports is short, there is one great gem at the very end:

Charter sells your browsing information for profit, while you get no reduction in service price and are forced to use an opt-out process that doesn’t entirely work. Sound like an enhanced online experience to you?

I couldn’t have put it any better myself.

The New York Times interviews Charter VP Ted Schremp

The New York Times is running an online article by Saul Hansell about Charter’s snooping program, complete with an interview with Ted Schremp, senior VP for product management and strategy. What did Mr. Schremp have to say about his company collecting private data to be turned over to an advertising firm?

From the article:

He offered his personal view that the system was harmless and well within the norms of the Internet these days. “The mainstream Internet user is hugely aware of the fact that the fundamental economic model on the Internet is advertising,” he said. While some people object to targeted advertising systems like Google’s Gmail, which displays ads related to the text of e-mail users are reading, many others don’t.

First of all, Mr. Hansell doesn’t seem to understand the critical difference between Google’s advertising system, which collects user data and feeds it into a Google-owned and operated advertising algorithm, and Charter’s, which collects user data and sells it to an advertising company not otherwise associated with Charter’s customers. In the interest of clarification, let’s just simplify the comparison by saying that one is legal, and the other is not. Mr. Schremp is partly correct in his assertion that the fundamental economic model on the Internet does seem to be advertising, but that only goes for companies other than ISPs. For companies like Charter the economic model is very, very different. Google and other such services simply do not have the same level of access to a user’s interests and traffic, and are not responsible for facilitating a user’s actual connection to the Internet. Their model, quite simply, is advertising. Charter, on the other hand, does a poor enough job at fulfilling their own fundamental economic model, that being Internet access, that they have no business attempting to put themselves into competition with companies such as Google.

“All we are doing is, in an anonymous format, providing additional context to serve those ads. To the extent those ads are more meaningful to me as Ted Schremp, I will have a better Internet experience than the generic ads that are part of Yahoo and everything online.”

I want you to think about whether or not the advertisements you see on web pages are meaningful to you personally, and to ask yourself how much better your Internet experience would be if the advertisements you saw were more targeted to your interests. Now, is that worth letting your Internet provider monitor your every move to capture your habits, then sell that information to a company trying to convince you to buy things?

For those customers who disagree, Mr. Schremp said that Charter was offering the ability for them to choose not to be part of the system. I suggested that most privacy experts prefer opt-in systems where information isn’t collected until the user explicitly grants permission. He said that opt-out has become the norm for all targeting on the Internet.

Opt-out has become the norm because companies such as Charter have declared it to be the norm. It’s a lot easier to leave the majority of your customers in the dark about your programs and profit from their private information than to beg customers to let you make extra money from the content of their lives.

Mr. Schremp did acknowledge that raising revenue was a main goal for Charter in this: “We want to leverage technology in a way that makes sense for our economic model.”

Here’s the real reason this is happening. NebuAd is paying Charter “several dollars per subscriber a month,” and Charter could really use the money, seeing as their stock price recently dropped so low as to see them delisted by Nasdaq. It’s a shame that their management is so inept as to believe that the road to becoming profitable runs directly through the very privacy they’re required by federal law to protect.

The Consumerist features a letter on wiretapping

A fellow named Matt wrote a fantastic letter to Charter about the spying program, and sent a copy to The Consumerist as well. This is the type of response that is needed if Charter executives are to be made to understand how terribly they have failed their customers.

From the letter:

The fact that this opt-out system relies on a cookie to keep users opted out is also a privacy issue. By telling customers who visit the opt-out page that, “if you delete your cookies or cache files… you will have to opt-out again,” you are encouraging users to keep those files that good privacy practices dictate should be frequently purged. Ironically, the best reason to purge one’s cookies often is to prevent internet marketers from tracking one’s behavior online.

Read the rest here.

Awesome letter, Matt. Thank you for making it public.