ISPs Give 'Netflow Data' To Third Parties, Who Sell It Without User Awareness Or Consent

from the more-of-the-same dept

Back around 2007 or so there was a bit of a ruckus when broadband ISPs were found to be selling your “clickstream” data (which sites you visit and how long you’re there) to any nitwit with a nickel, then basically denying they were even doing that. Concerns about that now seem quaint.

In the years since, technologies like deep packet inspection have allowed ISPs to collect and sell details on every aspect of your online life, then, through obfuscation, proxies, and empty promises of “anonymization,” insist they’re not doing exactly that. Or, as the wireless industry’s location data scandals have shown, collect and sell your daily movement habits, initially with only a fleeting concern about user privacy and security.

Now, sources in the infosec community tell Motherboard ISPs are also (again, via proxies) selling access to “netflow data.” As the name suggests, netflow data details the day-to-day, broad-stroke network traffic (pdf), whether that’s overall network loads, which servers are talking to one another, network topology, etc. The data is generally beneficial to researchers trying to understand network and user behavior, and to security experts working to mitigate network attacks. But it’s also valuable, and increasingly it’s being offloaded to businesses who are then turning around and selling it:
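To make concrete what a flow record actually contains, here is an added example (not from the article or from any vendor named in it) that decodes a NetFlow v5 export datagram with the standard library. The datagram is constructed inline with placeholder addresses; the point is what survives in the record (who talked to whom, ports, volume, timing) and what does not (payload).

```python
import struct
import ipaddress
from dataclasses import dataclass
from typing import List

# Layouts from the public NetFlow v5 export format: 24-byte header, 48-byte records.
HEADER = struct.Struct("!HHIIIIBBH")
RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")


@dataclass
class Flow:
    src: str
    dst: str
    sport: int
    dport: int
    proto: int
    packets: int
    octets: int
    duration_ms: int


def parse_netflow_v5(datagram: bytes) -> List[Flow]:
    """Decode one NetFlow v5 datagram into the fields an observer would see."""
    version, count, *_ = HEADER.unpack_from(datagram, 0)
    if version != 5:
        raise ValueError(f"unsupported NetFlow version {version}")
    flows = []
    for i in range(count):
        (src, dst, _nexthop, _in_if, _out_if, pkts, octets, first, last,
         sport, dport, _pad, _tcp_flags, proto, _tos,
         *_rest) = RECORD.unpack_from(datagram, HEADER.size + i * RECORD.size)
        # No payload anywhere in the record: only endpoints, ports, volume and timing.
        flows.append(Flow(str(ipaddress.IPv4Address(src)), str(ipaddress.IPv4Address(dst)),
                          sport, dport, proto, pkts, octets, last - first))
    return flows


def build_sample() -> bytes:
    """Constructed datagram (placeholder RFC 5737 addresses): one subscriber host,
    a long UDP/1194 flow to a VPN endpoint and a short TLS flow to a web server."""
    hdr = HEADER.pack(5, 2, 1000, 1634000000, 0, 1, 0, 0, 0)
    vpn = RECORD.pack(bytes([10, 0, 0, 5]), bytes([198, 51, 100, 7]), bytes(4), 1, 2,
                      1200, 950000, 100, 60100, 51234, 1194, 0, 0, 17, 0, 0, 0, 24, 24, 0)
    web = RECORD.pack(bytes([10, 0, 0, 5]), bytes([203, 0, 113, 9]), bytes(4), 1, 2,
                      40, 18000, 200, 1700, 40211, 443, 0, 0x18, 6, 0, 0, 0, 24, 24, 0)
    return hdr + vpn + web
```

Even with the VPN flow's contents opaque, the record still exposes that the subscriber address was connected to that VPN endpoint, for how long and how much was moved, which is the metadata the article describes being resold.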

“I’m concerned that netflow data being offered for commercial purposes is a path to a dark fucking place,” one source familiar with the data told Motherboard. Motherboard granted multiple sources anonymity to speak more candidly about industry issues.”

Recall that modest FCC broadband privacy rules designed to give users a little more transparency into this stuff were killed by the GOP in 2017 (using the Congressional Review Act at telecom industry behest) before they could even take effect. And recall that, thanks to a cross-industry coalition of lobbyists, the United States still doesn’t have even a basic privacy law for the internet era. As a result, any shred of data that can be collected and sold is collected and sold, securing that data is often an afterthought, and consumers more often than not have absolutely no transparency into any of it.

The data provides comprehensive insight into not just what’s happening on the originating ISP’s network, but everybody’s network, including what data is being pushed through VPNs. ISPs offload this data to security vendors in exchange for security threat analysis work. Those vendors then turn around and act as data brokers, selling access to this data to a wide variety of third parties… without consumer awareness or consent. ISPs then can tell reporters “we don’t sell access to user data” because, technically, they aren’t directly “selling” it:

“The continued sale of sensitive data could present its own privacy and security concerns, and the news highlights that ISPs are providing this data at scale to third parties likely without the informed consent of their own users.

“The users almost certainly don’t [know]” their data is being provided to Team Cymru, who then sells access to it, the source familiar with the data said.

Again, there’s always a lot of hand-wringing about the potential impossibility of privacy legislation given the potential for harm. But it remains entirely possible to craft comprehensive, basic federal rules that, at the very least, mandate absolute transparency with the end user. Instead, what we’ve done is create a wild-west-like ecosystem of app makers, phone makers, software giants, telecoms and others selling every shred of data they can find, often failing to adequately secure it, with consumer protection (or even awareness) a distant, belated afterthought.



Comments on “ISPs Give 'Netflow Data' To Third Parties, Who Sell It Without User Awareness Or Consent”

17 Comments
Sok Puppette says:

Re: Re: Pay for some privacy

Against somebody with a broad enough view of Netflow, VPNs don’t do anything. The article is talking about Cymru, and if I wanted to name anybody outside of government spies who might have that kind of broad view, it would be them. They’ve been doing deals to get data for ages. In fact the article specifically mentions deanonymizing VPN traffic.

I’ve seen people at least claim to have deanonymized even Tor flows, although they were relatively big, conspicuous flows.

Plus, of course, you’re putting total trust in the VPN.

ECA says:

For all the ways

That these corps make money off of us. It gets real silly, on their side, That most of the corps have our Data anyway. Including Overseas.
We know our gov. is monitoring us, which is a bit silly, but from What location? Is the ISP the one doing all this work? Because then they would be getting very good money, and all this should be A lot cheaper, as we are paying with our taxes. If the gov. has enough people and programs to Monitor even 1/2 of the chats and forums, that is even More money we are paying in taxes. And then we can consider all the Grants given to the corps to get things Done, and still Not done over the past 20 years. Still it is our taxes. And I still wonder about the backbone, and if it has been fully upgraded.

That One Guy says:

... right?

No worries, I’m sure that with the political pressure that has been aimed at the likes of Facebook and Google relating to user privacy those same politicians will be falling over themselves to give similar treatment to ISPs, dragging them over the coals for excessive data gathering and misuse of that data and threatening them with regulation if they don’t toe the line and respect user privacy.

Any day now…

Anonymous says:

It may sound cynical, but this feels entirely intended.

When anyone feels "hurt", or "insulted", or "defamed", all they would need to do is find a broker who could sell them sufficient access to combine a Twitter timestamp (over a broad period and number of tweets, granted), to pinpoint a source.

Looking at you Devin!

Even with whitenoise apps to attempt to blanket out frame sizes or timings, it could very plausibly be used to find who tweeted, who visited, who uploaded whatever content you wish to obliviate, and then never have to publicly announce how you came to your determination.

A simple law would prevent that (obviously, with various caveats for national security, but it would need to be heavily caveated to prevent governmental abuse). But they’re not interested in such things.

Why cut off your nose when you can sniff out a mean person who insults your delicate sensibilities?

Anonymous says:

What’s to stop a bad imposter from accessing this data to find backup repositories, or cross cloud databases, from discovering hidden servers, ones not directly addressable via public DNS, in order to attack something that may not be as well defended as publicly known servers?

At my firm, we use proxies to hide our infrastructure addresses, and we continually rotate IPs, yet we still get attempts to access our servers, sometimes minutes after a rotation.

This has shown a potential route that is being used to find them.

Lostinlodos says:

Question

What are they actually getting from this stuff that can be directly privacy related?
Is it that someone visits a porn site or that a specific person did?

While I generally don’t care some do. Is this any different than cookie data I supply when I allow cross site tracking for relevant advertising?
Or is this an actual case of personal privacy!

I can’t get from this (and hundreds of other) articles what data these profiles contain that is related to an individual.
