Net Neutrality is a great big buzz-item right now, but I hate to tell you that battle has already been lost. It was lost in the late 90s, when marketing firms took over. All that the current controversy is arguing about is how much worse things are going to get.
You’re probably familiar with the fact that 99.9% of all email is spam (roughly). Until the web came along, that meant that almost all of the traffic on the internet was spam. Now, there’s probably a significant amount of media-streaming and porn, but only because those are bandwidth-heavy applications with a low transaction:usage ratio. The current “Internet Of Things” trend may also change that – there will be a lot of internet-connected toothbrushes announcing their current status to tracking sites and social media. And, there’s also the gigantic bandwidth-suck of software updates, or two GB/device/month according to my metered bandwidth (thanks, Verizon!) statistics.
There is (naturally) an entire ecosystem of businesses built to do this sort of thing. And they’re all very professional and above-board. They just exist to capture every keystroke you type at a website – what the website owners do with it; that’s not their problem. That’s true, too, but let’s not kid ourselves that they’re making any user’s experience or privacy better.
What does “the exact details of a customer’s experience” mean? Everything: those security questions (“what is your cat’s name?”) you answer, or your credit data, what you look at, etc – that’s all going up the vacuum. And don’t kid yourself for a second that this is only being done by skeevy sites.
A study published last week reported that 482 of the 50,000 most trafficked websites employ such scripts, usually with no clear disclosure. It’s not always easy to detect sites that employ such scripts. The actual number is almost certainly much higher, particularly among sites outside the top 50,000 that were studied.
“Collection of page content by third-party replay scripts may cause sensitive information, such as medical conditions, credit card details, and other personal information displayed on a page, to leak to the third-party as part of the recording,” Steven Englehardt, a PhD candidate at Princeton University, wrote. “This may expose users to identity theft, online scams, and other unwanted behavior. The same is true for the collection of user inputs during checkout and registration processes.”
Englehardt installed replay scripts from six of the most widely used services and found they all exposed visitors’ private moments to varying degrees. During the process of creating an account, for instance, the scripts logged at least partial input typed into various fields. Scripts from FullStory, Hotjar, Yandex, and Smartlook were the most intrusive because, by default, they recorded all input typed into fields for names, e-mail addresses, phone numbers, addresses, Social Security numbers, and dates of birth.
If you ever wondered why some sites don’t work if you don’t whitelist every script, now you know why. If you’ve ever wondered why some sites are a bit slow, now you know why. If you’ve ever wondered where your bandwidth is going, now you know where.
Gap, Adobe, Microsoft, Unity 3D, Costco, Penn State (!), Ryanair, Autodesk, T-Mobile, CBS, gofundme, ToysRUs – if you want a list of 1,700+ sites with capture software, the researchers have published some of the ones they’ve found. [princeton] This is in addition to the tracking that’s already going on at your ISP – they’re stuffing tags into the unencrypted parts of your TLS connections, so they can identify who went where in case they can sell that information, too.
Then there’s the rather amazingly in-your-face customer capture idea that the NBA Golden State Warriors came up with: you can download a Warriors’ app to your smartphone, and it will drain your battery and gobble your bandwidth by turning your phone into a recording device for their marketing analysts. [beast]
The Warriors’ app bills itself as a way for fans to keep track of scores and stats. But while fans were watching the game, the app was watching them, fan LaTisha Satchell claims in a lawsuit. One of the app’s promotional tools allegedly turns a user’s phone microphone on and keeps it on, recording everything within earshot and relaying data back to the Warriors and a tech company, possibly in violation of wiretap laws.
“[The Warriors] gained access to tens of thousands of microphones belonging to consumers who downloaded the Warriors App and turned their mobile devices into bugged listening devices,” the suit alleges.
The unlikely snooping program started as an effort to sell merchandise and ticket upgrades, the suit contends. The Warriors wanted to know when fans were on Warrior-owned property, and how long they stayed there. The app tracked this through audio “beacons” that played through special transmitters in their arena and stores, the suit alleges. The app listened for those beacons and sent customized advertisements to a user’s phone.
See, marketing assholes aren’t even bothering to worry about their customers, anymore. Data, data, data! They’d hold you upside down, and stick a data probe up your butt, if they could. It wouldn’t bother them! Because they’ve convinced themselves that you really want that targeted advertising and you probably kind of consented to it by downloading their app. So, whatever.
The app has 10,000 or so 5-star reviews, and 500 or so 1-star reviews buried somewhere in the bottom of the listings. How much do you think the GW’s marketing people paid for all those 50-star reviews?
I suspect they buy in bulk. It looks like it’s about $1.50 per review. 10,000 positive reviews is nothing for a marketing budget like a sports franchise’s.
There is a gigantic ecosystem of marketing companies that are all devoted to helping you sniff deeper up every other marketing channel’s backside. None of this is actually to help make users’ internet experiences faster, better, easier, more reliable, or to protect their privacy – it’s all just attempting to be more intrusive. Because, like the police state’s retro-scope, marketing companies are trapped in this vicious cycle in which they can’t actually read our minds, so they keep trying to collect more and more and more in hope that eventually they will be able to.
Here’s a hint, by the way: offer me $50 and I’ll just tell you. Leave my browser and everything alone. But that’s not acceptable because it would cut out the middle-man, the marketeer, and then they’d have to get a job they were qualified for, like stealing candy from children or mucking out stables.
There are other things wrong with this picture. Probably the biggest is that these platforms are “data agnostic” and will sell to anyone, for any purpose. Also, their security often sucks a goat’s buttocks.
What can you do with a trillion social media posts? Well, you can sell them to the NSA; it saves them a lot of trouble having to collect them. And you can stuff them up in Amazon Web Services and forget to secure them, so that anyone coming along can stumble on them. [ars]
The scrapings were left in three Amazon Web Servers S3 cloud storage buckets that were configured to allow access to anyone with a freely available AWS account. It’s only the latest trove of sensitive documents left unsecured on Amazon. In recent months, UpGuard has also found private data belonging to Viacom, security firm TigerSwan, and defense contractor Booz Allen Hamilton similarly exposed. In Friday’s post, UpGuard analyst Dan O’Sullivan wrote:
Massive in scale, it is difficult to state exactly how or why these particular posts were collected over the course of almost a decade. Given the enormous size of these data stores, a cursory search reveals a number of foreign-sourced posts that either appear entirely benign, with no apparent ties to areas of concern for US intelligence agencies, or ones that originate from American citizens, including a vast quantity of Facebook and Twitter posts, some stating political opinions. Among the details collected are the web addresses of targeted posts, as well as other background details on the authors which provide further confirmation of their origins from American citizens.
It’s an open secret that the US intelligence apparatus has been trying to get access to social media so that they can look for keywords in context that might indicate someone is planning a terrorist event or something. I.e.: really stupid terrorists (which is all they seem to catch!).
The article that described the breach didn’t name the vendor that provided the information; it took me several seconds to figure out that it apparently was Crimson Hexagon (the Ars article appears to have deliberately been seeded with clues). The bits that worry me are:
Internet searches revealed multiple people who work for VendorX describing work they did for the US Central Command, based in Tampa, Florida. The project was called Outpost and was described as a “multi-lingual platform designed to positively influence change in high-risk youth in unstable regions of the world.”
A “multi-lingual platform designed to positively influence change in high-risk youth in unstable regions of the world” sounds a lot to me like one of those evil Russian troll-farms like the Democrats, Republicans, Israeli government, NRA and apparently everyone else has been operating for a long time. Automated propaganda: matched to your content and delivered to your browser.
Following the disastrous 2016 election and Brexit campaign there was some attention paid to organizations like Cambridge Analytica, that specialize in exactly this sort of stuff. My guess is that, as the media began to dig into Cambridge Analytica, they probably discovered that it’s just one of a gigantic ecosystem of monitoring, filtering, spinning, and robo-lying to sell diapers or unsuitable candidates. It really doesn’t matter which; the system is agnostic.
Net neutrality sounds nice, but the net has been a wholly owned subsidiary of corporate marketing since the early oughts. The scare-scenario that one big provider or another is going to start slowing down another’s traffic: the traffic is already being captured, slowed, and managed at every site and in your browser. The big enterprises are already making bandwidth war on each other and their customers; it’s been stealthy but it’s been going on for years already. Customer privacy and internet experience? That was encarrated immediately, around the time Google went public and sealed big marketing’s take-over of the internet. (2004)
Let me guess how this is going to play itself out: eventually Apple is going to realize that they don’t need to share with anyone, and can pull their entire ecosystem behind a curated experience. In return for mostly seeing no ads, and getting no spam or malware drivebys or whatever, you’ll be able to access Apple approved content providers who will have to (naturally) subsidize the ecosystem with nominal fees. And, if you leave the ecosystem, it’ll be worse than iTunes: buggy, slow, random crashes, and generally crappy. The worst part is that they’ll team up with a preferred bandwidth provider and it’ll probably be a monster crap-pile like AT&T or Verizon. Meanwhile, Amazon will have its own internet, and so will Google. That scenario is the only plausible way that everyone can get out from under Google’s control of the non-captive advo-sphere.
Given the US’ dominance of the internet, I’m surprised that no other country has made a separate walled garden other than China. The US is busy trying to make the whole internet its walled garden, while China is opting out. If I were a nationalist I’d be saying that all the other nations of the world ought to be seeing software and operating systems ecosystems as a strategic resource, and developing their own so they can capture their populations and control them. What else do you think is going on with all the internet Russian propaganda scare in the US?