ISPs Give 'Netflow Data' To Third Parties, Who Sell It Without User Awareness Or Consent

from the more-of-the-same dept

Back around 2007 or so there was a bit of a ruckus when broadband ISPs were found to be selling your “clickstream” data (which sites you visit and how long you’re there) to any nitwit with a nickel, then basically denying they were even doing that. Concerns about that now seem quaint.

In the years since, technologies like deep packet inspection have allowed ISPs to collect and sell details on every aspect of your online life, then, through obfuscation, proxies, and empty promises of “anonymization,” insist they’re not doing exactly that. Or, as the wireless industry’s location data scandals have shown, collect and sell your daily movement habits, initially with only a fleeting concern about user privacy and security.

Now, sources in the infosec community tell Motherboard that ISPs are also (again, via proxies) selling access to “netflow data.” As the name suggests, netflow data details day-to-day, broader-stroke network traffic (pdf), whether that’s overall network loads, which servers are talking to one another, network topology, etc. The data is generally beneficial to researchers seeking to understand network and user behavior, and to security experts working to mitigate network attacks. But it’s also valuable, and increasingly it’s being offloaded to businesses that then turn around and sell it:

“I’m concerned that netflow data being offered for commercial purposes is a path to a dark fucking place,” one source familiar with the data told Motherboard. Motherboard granted multiple sources anonymity to speak more candidly about industry issues.

Recall that modest FCC broadband privacy rules designed to give users a little more transparency into this stuff were killed by the GOP in 2017 (using the Congressional Review Act at telecom industry behest) before they could even take effect. And recall that, thanks to a cross-industry coalition of lobbyists, the United States still doesn’t have even a basic privacy law for the internet era. As a result, any shred of data that can be collected and sold is, securing that data is often an afterthought, and consumers more often than not have absolutely no transparency into anything.

The data provides comprehensive insight into not just what’s happening on the originating ISP’s network, but everybody’s network, including what data is being pushed through VPNs. ISPs offload this data to security vendors in exchange for security threat analysis work. Those vendors then turn around and act as data brokers, selling access to this data to a wide variety of third parties… without consumer awareness or consent. ISPs can then tell reporters “we don’t sell access to user data” because, technically, they aren’t directly “selling” it:

“The continued sale of sensitive data could present its own privacy and security concerns, and the news highlights that ISPs are providing this data at scale to third parties likely without the informed consent of their own users.”

“The users almost certainly don’t [know]” their data is being provided to Team Cymru, who then sells access to it, the source familiar with the data said.

Again, there’s always a lot of hand-wringing about the potential impossibility of privacy legislation given the potential for harm. But it remains entirely possible to craft comprehensive, basic federal rules that, at the very least, mandate absolute transparency with the end user. Instead, we’ve created a Wild West-like ecosystem of app makers, phone makers, software giants, telecoms and others selling every shred of data they can find, often failing to adequately secure it, with consumer protection (or even awareness) a distant, belated afterthought.


Comments on “ISPs Give 'Netflow Data' To Third Parties, Who Sell It Without User Awareness Or Consent”

Sok Puppette says:

Re: Pay for some privacy

Against somebody with a broad enough view of Netflow, VPNs don’t do anything. The article is talking about Cymru, and if I wanted to name anybody outside of government spies who might have that kind of broad view, it would be them. They’ve been doing deals to get data for ages. In fact the article specifically mentions deanonymizing VPN traffic.

I’ve seen people at least claim to have deanonymized even Tor flows, although they were relatively big, conspicuous flows.

Plus, of course, you’re putting total trust in the VPN.


For all the ways

That these corps make money off of us. It gets real silly, on their side, that most of the corps have our Data anyway. Including Overseas.
We know our gov. is monitoring us, which is a bit silly, but from What location? Is the ISP the one doing all this work? Because then they would be getting very good money, and all this should be a lot cheaper, as we are paying with our taxes. If the gov. has enough people and programs to Monitor even 1/2 of the chats and forums, that is even More money we are paying in taxes. And then we can consider all the Grants given to the corps to get things Done, and still Not done over the past 20 years. Still it is our taxes. And I still wonder about the backbone, and if it has been fully upgraded.

That One Guy says:

... right?

No worries, I’m sure that with the political pressure that has been aimed at the likes of Facebook and Google relating to user privacy those same politicians will be falling over themselves to give similar treatment to ISPs, dragging them over the coals for excessive data gathering and misuse of that data and threatening them with regulation if they don’t toe the line and respect user privacy.

Any day now…


It may sound cynical, but this feels entirely intended.

When anyone who feels "hurt", or "insulted", or "defamed", all they would need to do is find a broker who could sell them sufficient access to combine a twitter timestamp (over a broad period and number of tweets, granted), to pinpoint a source.

Looking at you Devin!

Even with whitenoise apps to attempt to blanket out frame sizes or timings, it could very plausibly be used to find who tweeted, who visited, who uploaded whatever content you wish to obliviate, and then never have to publicly announce how you came to your determination.

A simple law would prevent that (obviously, with various caveats for national security, but it would need to be heavily caveated to prevent governmental abuse). But they’re not interested in such things.

Why cut off your nose when you can sniff out a mean person who insults your delicate sensibilities.


What’s to stop a bad imposter from accessing this data to find backup repositories, or cross cloud databases, from discovering hidden servers, ones not directly addressable via public DNS in order to attack something that may not be as well defended as publicly known servers?

At my firm, we use proxies to hide our infrastructure addresses, and we continually rotate IPs, yet we still get attempts to access our servers, sometimes minutes after a rotation.

This has shown a potential route that is being used to find them.



What are they actually getting from this stuff that can be directly privacy related?
Is it that someone visits a porn site or that a specific person did?

While I generally don’t care some do. Is this any different than cookie data I supply when I allow cross site tracking for relevant advertising?
Or is this an actual case of personal privacy!

I can’t get from this (and hundreds of other) article what data these profiles contain that is related to an individual.
