ISPs Give 'Netflow Data' To Third Parties, Who Sell It Without User Awareness Or Consent
from the more-of-the-same dept
Back around 2007 or so there was a bit of a ruckus when broadband ISPs were found to be selling your “clickstream” data (which sites you visit and how long you’re there) to any nitwit with a nickel, then basically denying they were even doing that. Concerns about that now seem quaint.
In the years since, technologies like deep packet inspection have allowed ISPs to collect and sell details on every aspect of your online life, then, through obfuscation, proxies, and empty promises of “anonymization,” insist they’re not doing exactly that. Or, as the wireless industry’s location data scandals have shown, collect and sell your daily movement habits, initially with only a fleeting concern about user privacy and security.
Now, sources in the infosec community tell Motherboard ISPs are also (again, via proxies) selling access to “netflow data.” As the name suggests, netflow data details the day to day broader stroke network traffic (pdf), whether that’s overall network loads, which servers are talking to one another, network topology, etc. The data is generally beneficial to researchers to understand network and user behavior, and to security experts to help mitigate network attacks. But it’s also valuable, and increasingly, it’s being offloaded to businesses who are then turning around and selling it:
“I’m concerned that netflow data being offered for commercial purposes is a path to a dark fucking place,” one source familiar with the data told Motherboard. Motherboard granted multiple sources anonymity to speak more candidly about industry issues.”
Recall that modest FCC broadband privacy rules designed to give users a little more transparency into this stuff were killed by the GOP in 2017 (using the Congressional Review Act at telecom industry behest) before they could even take effect. And recall that, thanks to a cross-industry coalition of lobbyists, the United States still doesn’t have even a basic privacy law for the internet era. As a result, any shred of data that can be collected and sold is, securing that data is often an afterthought, and consumers more often than not have absolutely no transparency into anything.
The data provides comprehensive insight into not just what’s happening on the originating ISPs network, but everybody’s network, including what data is being pushed through VPNs. ISPs offload this data to security vendors in exchange for security threat analysis work. Those vendors then turn around and act as data brokers, selling access to this data to a wide variety of third parties… without consumer awareness or consent. ISPs then can tell reporters “we don’t sell access to user data” because, technically, they aren’t directly “selling” it:
“The continued sale of sensitive data could present its own privacy and security concerns, and the news highlights that ISPs are providing this data at scale to third parties likely without the informed consent of their own users.
“The users almost certainly don’t [know]” their data is being provided to Team Cymru, who then sells access to it, the source familiar with the data said.
Again, there’s always a lot of hand-wringing about the potential impossibility of privacy legislation given the potential for harm. But it remains entirely possible to craft comprehensive, basic federal rules that, at the very least, mandate absolute transparency with the end user. Instead of doing what we’ve created with a wild west like ecosystem of app makers, phone makers, software giants, telecoms and others selling every shred of data they can find, often failing to adequately secure it, and with consumer protection (or even awareness) a distant, belated afterthought.