The proper question should be how do you prove electronically that your ISP is doing this without a contractual permission.

Haven't checked any contract yet, original or any updates, but it seems unlikely they would be stupid enough to mention such a disturbing thing and risk prosecution if a lawyer customer of theirs sues them for violation of the privacy of communications law that exists here, which only police can override and only with an attorney warrant. They'd probably go the sneaky way, or it happens without the managers' knowledge.

Proving ISP complicity is more technical therefore more appropriate and a proper technical challenge at LQ.

Almost every company has some sort of privacy agreement. They all seem to say it's OK for them to give/sell/leak your data to their "partners".


Kmart used personal information in Californnnnia and got sued for it.

Here's an example contract:

http://www.intouchadvance.co.uk/wp-c...ch_Advance.pdf

What phrase am I looking for? Searching for "third part" does not get anything useful.

Any telco is going to collect and sell your data one way or another - and there is always some very fine print/legalese to cover their asses. If you are that concerned the obvious solution is a VPN or if you are Stallman paranoid , go a step further and get all your website through tor and wget - and view things offline.

I am looking into vpns - particularly because I don't feel I should be subject to any sort of 'regional' restrictions of the internet because of my location - i.e - if I want to watch a certain video on youtube, or something say from the BBC or whatever, and I am blocked by geography - that to me seems ironic and dumb considering that the internet wasn't in any way designed to isolate one's region.

Just like those who try constantly to work around Netflix's content restriction in other countries - they're paying for the service, so as far as I'm concerned - they should have all access and non of this geo restriction due to some copyright argument bs. Besides, if thats the case then it will just encourage MORE piracy anyways; but I digress since I have gone into a tangent as I tend to do.

You can't really prove anything about what your ISP is doing with your packets. Keep in mind to all, once you put your packets out on the Internet they are in a public domain, and expect that anyone along that packet flow can do anything with them once they leave your router. Even if you use encryption, anyone like for example government or anyone with the power and capability, could still do whatever they want to them, like for example, try and decrypt and read them. Most ISP's nowadays have 'packet sniffers' on their networks for 'troubleshooting purposes' and may keep your packets for 6 months, a year, or as long as the storage capacity they have available, and they may keep the metadata longer than that. I used to work for another company (after I left working for an ISP) that makes packet sniffers, and the government was their largest customer, with the cellphone providers all coming in at a distant second... Think about that before you send out a packet to your ISP.

Keep in mind, there are 3 types of data (from a security standpoint)... General data you don't care about if people see, PI data (data with Personal Information), and SPI (data with Sensitive Personal Information). Depending on the classification of the data, you prioritize your data (keep them in separate buckets), and then consider how much you want to spend to keep them secure (both data-at-rest, and for data-in-transport).

Internet security has always been about cost vs risk assessment (since no data security scheme is 100% foolproof). Apparently Yahoo kept their cost low and it came back to byte them. You can either keep your data in a 'dark site', or play the game and put it out on the Internet, and then you must understand the cost of doing so.

There are simple and practical ways to keep your ISP from looking at your data (depending on their level of sophistication of course), as others have mentioned, like VPN, pointing to other DNS servers, and whatnot. It still just depends on how bad they want to look at your data. Your private VPN company in Brazil or Australia could be looking at your data instead and selling it. The idea though is once you put your packet out there, it is out there and it could get duplicated and analyzed 20,000 times, for 35 years to come. And even when using https for online banking or whatever else like medical, the security is only as strong as the weakest link. We've seen hospitals get hacked and 2000 customer's SPI is not as secure as they thought it was.

My point is, even with legal agreements, a disgruntled employee at the ISP can misuse the system, or the company can just be shady and go around the agreement because how will anyone find out, so I prefer to operate under the mentality of 'think' before you put your packet out there. You can take measures to lower risk, but you can never fully eliminate all risk. But most entities wouldn't spend the money to try and get my data that I put out there, because it doesn't have much worth to it anyway. And with my bank and such, I just cross my fingers and hope their security is tight, but if they do get breached, remember to use different passwords for everything so you lower your attack surface area to small sectors..

Also, someone mentioned about browsers collecting data. Yes, this is probably more common problem than ISPs collecting/selling your website preference data. If you use Chrome and Google, you can use the Google Analytics Opt-out plugin, install Adblock, etc to help in blocking what your browser sends out (of course can disable cookies, but that makes the browser experience suffer on many websites)..

.

I don't think I'm up against government entities or 3LA's, flattering as hell as that would be.

If I connect to a blog hosted in Europe and a forum hosted in Japan, aren't the routes very different so only the ISP can see both sets of packets?

Btw I have two ISP's (a fast one and a slow one as a failsafe). Any ways to use this to bait the aforementioned criminals into exposing their id's? Different routes being used give me ideas.