Quote:
Originally Posted by Ulysses_
The proper question should be how do you prove electronically that your ISP is doing this without a contractual permission.
Haven't checked any contract yet, original or any updates, but it seems unlikely they would be stupid enough to mention such a disturbing thing and risk prosecution if a lawyer customer of theirs sues them for violation of the privacy of communications law that exists here, which only police can override and only with an attorney warrant. They'd probably go the sneaky way, or it happens without the managers' knowledge.
Proving ISP complicity is more technical therefore more appropriate and a proper technical challenge at LQ.
You can't really prove anything about what your ISP is doing with your packets. Keep in mind to all, once you put your packets out on the Internet they are in a public domain, and expect that anyone along that packet flow can do anything with them once they leave your router. Even if you use encryption, anyone like for example government or anyone with the power and capability, could still do whatever they want to them, like for example, try and decrypt and read them. Most ISPs nowadays have 'packet sniffers' on their networks for 'troubleshooting purposes' and may keep your packets for 6 months, a year, or as long as the storage capacity they have available, and they may keep the metadata longer than that. I used to work for another company (after I left working for an ISP) that makes packet sniffers, and the government was their largest customer, with the cellphone providers all coming in at a distant second... Think about that before you send out a packet to your ISP.
Keep in mind, there are 3 types of data (from a security standpoint)... General data you don't care about if people see, PI data (data with Personal Information), and SPI (data with Sensitive Personal Information). Depending on the classification of the data, you prioritize your data (keep them in separate buckets), and then consider how much you want to spend to keep them secure (both data-at-rest, and for data-in-transport).
Internet security has always been about cost vs risk assessment (since no data security scheme is 100% foolproof). Apparently Yahoo kept their cost low and it came back to byte them. You can either keep your data in a 'dark site', or play the game and put it out on the Internet, and then you must understand the cost of doing so.
There are simple and practical ways to keep your ISP from looking at your data (depending on their level of sophistication of course), as others have mentioned, like VPN, pointing to other DNS servers, and whatnot. It still just depends on how badly they want to look at your data. Your private VPN company in Brazil or Australia could be looking at your data instead and selling it. The idea though is once you put your packet out there, it is out there and it could get duplicated and analyzed 20,000 times, for 35 years to come. And even when using https for online banking or whatever else like medical, the security is only as strong as the weakest link. We've seen hospitals get hacked and 2000 customers' SPI is not as secure as they thought it was.
My point is, even with legal agreements, a disgruntled employee at the ISP can misuse the system, or the company can just be shady and go around the agreement because how will anyone find out, so I prefer to operate under the mentality of 'think' before you put your packet out there. You can take measures to lower risk, but you can never fully eliminate all risk. But most entities wouldn't spend the money to try and get my data that I put out there, because it doesn't have much worth to it anyway. And with my bank and such, I just cross my fingers and hope their security is tight, but if they do get breached, remember to use different passwords for everything so you lower your attack surface area to small sectors.
Also, someone mentioned browsers collecting data. Yes, this is probably a more common problem than ISPs collecting/selling your website preference data. If you use Chrome and Google, you can use the Google Analytics Opt-out plugin, install Adblock, etc. to help in blocking what your browser sends out (of course you can disable cookies, but that makes the browser experience suffer on many websites).