- Oct 16, 2010
I'd like to preface this post by saying that this may come off like a rant, and it may very well be one. Many people advise to never write or opine on something when you're angry, but I'm not writing an on-the-record PR statement for business purposes or anything like that, so please indulge me. Also, I don't have a blog and don't plan on having one, so I'll let the melodious symphony that is my blithering rant grace y'all instead.
It's an undeniable fact that data sharing is an industry of its own. And by that, I don't mean the sharing of information done by billions including ourselves every second; I mean data compiled on people, be it the kind of information you'd just share with anyone like what you studied/are studying in college, to private bits of information kept only by certain parties such as your medical records, and even trivial stuff that normally wouldn't―and shouldn't, unless you're some kind of celebrity or public figure―appear anywhere on record such as your favourite food and drinks.
This kind of business is lucrative, if sometimes unethical, but it definitely has a lot of uses (and abuses). Sending your curriculum vitae to apply for a job position? Your potential employer likely has signed up with a profiling company to do background checks. Planning to buy a new house or apartment? The dealer would surely like to at least check if you have any crime/misdemeanour records. This is neither new nor a secret, and while you may disagree with the fact that it happens at all, there's a defensible rationale behind the argument that a company needs to know what kind of person it's hiring and a landlord needs to know what kind of person they're leasing property to.
But what if, say, you use a service and it shares, gives away or sells―none of which make any distinction for the customer, really―your details to a third party? (I'm not talking about anything related to all the revelations about the NSA here, nor do I plan to touch the issue at all. I've ranted enough about that; this one's about deals between two or more private entities as opposed to a government compelling a private entity to hand over data.)
People often say, "if you don't pay for a product, you ARE the product." I've long ridiculed this kind of statement because, even putting aside the issue of sharing customer data, many businesses that actually do charge significant money treat their customers worse than those that don't. For example, I loathe Google, but for a company that provides free services in exchange for collecting your details, it provides good services (as long as you don't encounter a situation where you need support from an actual human such as getting a DMCA 'strike' on your YouTube account). On the other hand, Amazon charges you for both hardware (Kindle) and service (ebooks) but can still give you the finger[1] anyway. Or how about telcos (telecommunications companies)? You pay them good money for your data, mobile, telephony and other plans, but hey, they still screw[2] you[3] over[4] nonetheless, and are definitely the leading experts in that regard.
Case in point: earlier today, I was browsing the web from my phone on a home Wi-Fi connection (as opposed to using 3G provided by the mobile carrier) and noticed something strange. Without going into technical details (which I can provide if you're curious), it suffices to say that I found out someone or something was tampering with my unencrypted connection[5] and, after some extensive testing and a little research, came to the conclusion that it was no malware, hacker or government intrusion. It was advertising served by none other than my own ISP, done by infusing a snippet into our connection that would, among other things, get certain system information such as OS version and screen size.
Are you fucking kidding me?
No, the code injected isn't malicious or otherwise harmful on its own. No, my ISP isn't hijacking my connection and attempting to infect my PC with malware. But this kind of trick is as sneaky, intrusive and unethical as the methods used by hackers who actually do all of the aforementioned. And, to customers, this makes little to no difference: in both cases, your Internet connection is tampered with, you're served with intrusive advertising, and certain information regarding your Internet activity is seen by a third party. I know a thing or two about security and can deploy means to protect myself from malware and privacy intrusions, so personally, I could just shrug this off and walk away whilst laughing at my ISP's feeble attempt. (On the other hand, more 'sophisticated' attempts would only lead to the deployment of even more intrusive and less ethical means. This is a zero-sum game.)
But not the average customer. They probably wouldn't know, understand or even care about the issue were it to be presented before their eyes. Some might argue that 'sheeple' deserve everything that's coming at them because they're not willing to learn to protect themselves or something, but if you stop for a bit and think of blaming the perpetrator instead of the victim, it's fucking crazy that (often big) businesses can pull off this kind of faggotry and get away with it every single time. Some might think going down the judiciary road is a good idea, but that isn't a viable solution either: hiring an attorney would, in mere days or even hours, cost more than what I earn in a month, whereas the opponent is a government-backed behemoth of a corporation which, at best, would offer a settlement―and money isn't what I want here―and, at worst, could make my life legally and financially miserable by sending a horde of lawyers after me. This is a stupid fray to jump into.
Yes, I know ISPs hijacking your connection to serve you ads is nothing new. As far as I know, though, the idea that has been entertained so far mostly revolves around DNS hijack[6]―which redirects you to a page laden with ads (as opposed to the typical "unable to connect" or "address not found" page) served by the ISP, similar to what OpenDNS does. Some also thought hijacking Google toolbar search results was a brilliant idea,[7] although they backed down to the concerns raised. (Of course, as is the typical PR bullshit spewed by a company employing unethical business practices in the first place, they didn't seem to be willing to come clean on the details either.[8]) Where I live? People don't seem to give two fucks as long as their need for bread and circuses is appeased. Those that do, from what I've seen at local community websites, are so few that their buzz is likely to fall on deaf ears and be left unheard.
There's delicious irony in how, just a few days ago, a friend of mine living in another country was talking about how he kept getting weird, ad-laden redirection pages―which, after some digging, is apparently the ISP hijacking DNS and search results―and in response I said something along the lines of, "man, I have ninety-nine problems with my ISP and think they're pretty unethical, but advertisement hijacking ain't one!" For the record, my ISP has actually done the DNS hijacking trick before, although it was just a standard "help" page and wasn't as intrusive as to hijack toolbars and search results as well. What's doubly depressing, though, is that now, just a few days later, I found out that my ISP's already taken it to the next level. (They have likely been doing this for a while, but I always encrypt my traffic when accessing the Internet from PC, so I'd never noticed it previously.) And this isn't a trick that people could easily overcome by using a third-party DNS service[9] either.
The only viable methods I've found require either encrypting traffic (e.g. by using a VPN), blocking the remote resources infused into your connection (e.g. by using a site-blocking feature found in many anti-virus programmes or, if you're more savvy, altering the "hosts" file on your system) or protecting yourself against cross-site scripting[10] (e.g. by using browser add-ons such as NoScript). Simply deactivating JavaScript (also doable using NoScript, which I really recommend as it blocks most sites by default) seems to prevent the sneaky ad from executing the code, thus preventing it from harvesting your details. The average Joe and Jane, however, tend to browse the Internet without tweaking such options, which means that they're protected by none of the aforementioned. ISPs and telcos, sadly, only stand to profit from such naiveté, as customer behaviour is very lucrative to capitalise on.[11] And maybe mine isn't the first to directly inject advertisements to let them spy on customers first-hand[12] (as opposed to selling customer data), but that doesn't make it any less detestable.
This is unacceptable.
In many fields, most primarily Internet business, it's a general notion that using a free service means you're subject to advertising whereas using a paid service ensures you're free from it. This underlies an assumption that advertising is equal to some sort of plague or contagion, something worth spending money to get rid of. Sure, some marketing firms and partners thereof realise this and are able to make viewing ads an interesting experience in and of itself,[13] and 'personalised ads' are actually often useful to customers, but there's a healthy discussion to be had concerning the methods employed to 'personalise' such ads. The practices I mentioned above, however, are on an entirely different level: you pay full price for the service while the service provider sells your data to third parties, lets in advertising firms to directly monitor your online behaviour, and serves you ads as a result. This is no longer a trade-off between paying for a service or letting them serve you ads in exchange for a service. This is a condition where you're not doubly, not triply, but quadruply screwed over.
And, thanks to monopolies, often you simply can't vote with your wallet (or attention, for that matter). Many chastise services like Google for capitalising on and tracking your online behaviour, but if you dislike what a service does, alternatives are just a few clicks away (I personally use DuckDuckGo as my primary search engine myself). Obviously, avoiding online trackers is also much easier than avoiding deep-packet inspection (i.e. spying) conducted by your ISP. A mere browser add-on like Ghostery does the job to keep most online trackers from building a dossier on you, but short of encrypting all your traffic, there's not much you can do to avoid ISP intrusion. And if you want to tell the provider to go take a hike? A great deal of people in most countries probably only have one or two ISPs available in their area unless they live in big cities, and those two might as well be equally evil, behemoth-sized corporations employing unethical practices.
This reminded me of what my mom said a couple weeks ago. She told me she received a call from the ISP offering her to sign up with some sort of insurance. Besides being sharp in general, my mom isn't without experience with this kind of offer, and she shot a straightforward question at the ISP person: "so, my details are shared with this insurance company, then?" The caller desperately tried to deny that, but I suppose they were just a low-level peon who may honestly have no idea about the policies up there. And, as expected, they hung up as soon as my mom said she didn't use a credit card. It baffled me why an ISP would make that kind of marketeer-style call, short of itself being a full-fledged telemarketing company on top of being an ISP. Which might actually be true, if the amount of spam text messages and phone calls bothering me even when I'm (well, it's "was" now) in class or working is any indication. Granted, I use a different provider as my mobile carrier, but the underlying assumptions remain the same.
It's also disheartening how much the average person cares about such privacy. Or maybe they only care when shit hits their buttons. To wrap up this excessively long rant with another one, I've also felt offended by how someone―almost certainly from the university I graduated from, either a fellow student or even a professor―shared my contact details with a marketing company. Shortly after graduation, I received an email containing a job offer. The same offer also appeared on my phone through two text messages, reminding me that there would be two days of interviews available for interested applicants. The most interesting part? Both messages were sent from different, throwaway numbers. (Those numbers belong to the kind of cheap mobile plans that are usually only valid for 2 weeks and have enough commission only to make a few calls and maybe a few hundred texts.) Also, in the email, they stated they were looking for "tele account executives," which I'm sure is just a fancy way of saying "telemarketers."
Now, I do have an idea who the culprit might've been, and it's likely that they didn't do this for profit. In fact, judging by the recipients listed in the email (hello, marketeers, you may want to learn a thing or two about using BCC in emails), they probably did this with a good intention―helping fresh graduates find a starting job. And I appreciate the thought. But this only goes to show the inherent naiveté in the average person when it comes to this kind of issue. Frankly, this does nothing but worsen the situation, as it gives more and more companies free rein to do what they're doing.
And those of us who do understand the issue, think it's unethical, and try to inform the others about it? We get grouped together with conspiracy theorists.
[/rant]
Share your thoughts.