CDT’s Privacy Week Event

This is privacy week in DC. The Center for Democracy and Technology (CDT) put on a privacy workshop Tuesday featuring both tech and policy folks from across the spectrum of expertise as an appetizer. The Senate Judiciary Committee followed with a main course Wednesday, a hearing featuring the folks from the FCC and the FTC who enact the policies. As luck would have it, I was at both events.

CDT is one of the more credible left-leaning public interest groups, certainly head and shoulders above Free Press and Public Knowledge. One thing it does right is employ a chief technologist. Both the current CT, Joe Hall, and the previous one, Alissa Cooper, know their stuff. I criticize some of CDT’s technical analysis, but I can only do that because they’re willing to share their work. So even when CDT is wrong, they’re within the boundaries of acceptable analysis.

Three Technologists, Three Frames of Reference

So what happens when you get three technologists in front of a room full of policy wonks to discuss the technical details of Internet privacy? In essence, you get three points of view that are generally technically correct but still different, because there are too many relevant facts underneath the policy discourse for each speaker to say everything that needs to be said.

I emphasized the facts around the myth that ISPs are in a privileged position relative to other Internet players who have an interest in collecting personal preferences in order to target ads. The Internet is an end-to-end network in which some data moves in the clear but most information is cloaked while it passes through the network of networks between source and destination. The degree to which information is hidden from networks is determined by both users and “edge” service providers.

Edge players such as Google, Facebook, Amazon, and Netflix encrypt their traffic in a way that’s transparent to users. Web sites with URLs that start with “https:” instead of “http:” encrypt, and browsers follow suit automatically. Users can hide data from ISPs using VPNs. Some assert that VPNs are rare, but the Outlook email services I use with Outlook servers in DC have always tunneled through VPNs for the eight years I’ve been working with DC-based organizations. So they’re not rare to those who work remotely and use Outlook. VPNs are in fact utterly commonplace for people who work remotely.

There’s a lot of squabbling about the extent to which https is used today, but there’s no doubt that it’s easy to enable it and that it’s not an “all or nothing” proposition as Harlan Yu of Upturn claimed. A web page that’s encrypted with https can contain references to page elements that are either encrypted or unencrypted because each page element has a unique URL. So there’s still some misinformation floating around.
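A site operator can check which elements of an https page are still requested over plain http, since each element carries its own URL. The following is an added example, not part of the original post; the page URL, hostnames and HTML are constructed placeholders.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Attribute that makes the browser fetch a separate element, by tag.
FETCH_ATTRS = {"img": "src", "script": "src", "iframe": "src",
               "link": "href", "video": "src", "audio": "src", "source": "src"}

class ElementCollector(HTMLParser):
    """Collect the URL of every element the page asks the browser to fetch."""
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.urls = []

    def handle_starttag(self, tag, attrs):
        attr = FETCH_ATTRS.get(tag)
        value = dict(attrs).get(attr) if attr else None
        if value:
            # Relative and scheme-relative URLs inherit from the page URL.
            self.urls.append(urljoin(self.page_url, value.strip()))

def classify_elements(page_url, html):
    """Split a page's element URLs into encrypted (https) and clear (http)."""
    collector = ElementCollector(page_url)
    collector.feed(html)
    report = {"https": [], "http": [], "other": []}
    for url in collector.urls:
        scheme = urlsplit(url).scheme.lower()
        report[scheme if scheme in ("https", "http") else "other"].append(url)
    return report

# Constructed sample page; hostnames are placeholders.
SAMPLE_PAGE_URL = "https://news.example/story.html"
SAMPLE_HTML = """
<html><head>
  <link rel="stylesheet" href="/css/site.css">
  <script src="//cdn.example/lib.js"></script>
</head><body>
  <img src="http://ads.example/banner.gif">
  <img src="https://img.example/photo.jpg">
  <iframe src="http://widgets.example/poll"></iframe>
</body></html>
"""

if __name__ == "__main__":
    for scheme, urls in classify_elements(SAMPLE_PAGE_URL, SAMPLE_HTML).items():
        for url in urls:
            print(f"{scheme:5}  {url}")
```

Elements listed under `http` travel in the clear, so the network carrying them can read both their URLs and their content, while the rest of the page stays encrypted.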

The Most Comprehensive View is Multiple Points of View

The most comprehensive view of a user’s Internet activity is actually had by the browser because applications decrypt and deal in clear text and because multi-platform browsers can be made to link the person to the various devices we use. You will never hear the FCC majority admit this, but it’s true. The only aspect of Internet behavior browsers don’t see is data transfers between non-browser applications such as, say, the Facebook app on a smartphone or iPad and the Facebook cloud. These interactions are encrypted, so home routers can’t break them down into details either.

Browsers aren’t directly involved in every interaction between every IoT device and its cloud server, but most IoT devices are controllable through a browser. The smart thermostat in my house is controllable through a smartphone app or a browser, and also from the power company. I don’t see the power company tweaking the set point on my AC in the summer, although I can see the effects of those interactions through Google Chrome, which means Google can see them as well.

Those who seek to insulate ad brokers and data brokers from competition from nascent ISP-based data brokers deny the reality of browser privilege through a variety of “yes, but…” weaseling, but it’s a stark reality that it’s good to be a browser if your business depends on harvesting and selling info on user preferences to advertisers. There’s no better source. And who makes browsers? Not that many players: Microsoft, Apple, Google, and Firefox account for 97.5% of them.

The Sad State of Internet Advertising

Similarly, it’s good to be a search engine because you know – without any extraneous professing – what your users are interested in at any given time. Before buying a chain saw last month, I researched models and prices with Google, Google shopping, Amazon, Home Depot, and several “10 best” sites.

One of the losers is still showing me ads for the model I selected, which thrills me not even a little. It’s actually quite depressing that the net result of all the data collection going on around the Internet only results in ads being shown to me for the one product I am least likely to buy. But that’s what the best minds of their generation are showing me.

But we all know who’s in the search business.

It’s also good to be a DNS provider because they’re given queries in clear text for the IP addresses tied to Internet domains such as WebMD.com, the ubiquitous example of sensitive information cited by all privacy hawks, doves, and weasels. There are several non-ISP DNS providers today, but only one of significant size: Google. And just FYI, WebMD is not a reliable source of medical information, so the most important thing a snoop learns from your visits there is that you’re not very astute about medicine. Try Mayo Clinic or Kaiser instead.

Very Little is Private from an Operating System

It’s good to be an operating system builder because the OS includes the TCP/IP code and therefore has all sorts of information about network activity. The OS knows about your DNS queries, the sites you visit, and the amount of time you spend on those sites. Anything your ISP can learn about your Internet habits is also known by the OS inside your laptop, handset, IoT device, and home router.

Every interaction between an application and a service is mediated by an operating system that is perfectly capable of building a history of your activity and selling it if the designer so wishes. Who makes operating systems? Microsoft, Apple, Google, and several smaller players make them, and nearly every device builder can modify them. But operating systems don’t link a user to the many devices the user may employ, as browsers do.

And it’s good to be a data broker, an ad broker, or a retailer. If you shop at Amazon or eBay frequently, those firms can build profiles of the things you’ve researched and bought and sell those profiles to ad brokers. This enables the retailer to make more money from you and the ad broker to sell more of the ads you’re going to see.

Amazon uses this sort of information to pitch products that they think you might want to buy. Like Netflix movie recommendations, these pitches are often lame, but someday they might be useful. We can always hope, can’t we?

Conclusion

So what we got at CDT was three very selective views of the Internet, and some policy wonk questions that showed a certain amount of bias. That’s actually a good thing, because the aggregation of the viewpoints brings us a little closer to the comprehensive view from which all good policy flows.

Next time I’ll share some perceptions of the Senate hearing, where sparks flew. The video of the CDT event is here.