Congress is Watching You: What to Look For in the House Internet Privacy Debate

Now that the Senate has passed the Congressional Review Act resolution nullifying the Obama FCC’s “privacy-for-me-but-not-for-thee” regulations, the action moves to the House. Floor debate, scheduled for sometime Tuesday, is likely to echo the themes we heard in the Senate. The primary factual issue remains the same: those who like the FCC’s current regulations believe Internet Service Providers have a broader and deeper view of the Internet than do the large, distributed, highly intrusive tracker networks that record and trade our every move about the web. Those who seek to revoke the Obama regulations have a different (and better, in my opinion) understanding.

This is an empirical question that would not be a bone of contention if those on the opposite sides of the debate had similar regard for the facts. But those who believe the ISPs see more continue to repeat the same talking points and continue to ignore the criticism of their position. Perhaps we can get their attention by offering a somewhat personal analysis.

How Foes of the CRA Surveil Visitors to Their Campaign Websites

Senators Markey and Wyden delivered harsh criticisms of the CRA to their colleagues. Both claimed that ISPs see everything their customers do on the Internet and tracker networks only see what happens in their own domains. So they would have us believe ISPs can decode encrypted data – half more than 70% of all Internet traffic these days.

They would also have us believe Google only sees us when we visit google.com and Facebook only sees us when we visit facebook.com. The claim that tracker networks need us to visit their domains in order to follow our movements is laughably absurd, as we can see by examining the campaign websites maintained by Senators Markey and Wyden.

Sen. Markey’s campaign website is http://www.edmarkey.com/. The code for this site includes tracking scripts supplied by Google, Facebook, Twitter, and Optimizely. If you visit edmarkey.com, all four of these companies will know you were there, and all will harvest your personal information, use it for their own purposes, and sell it to 3rd parties to greater or lesser degrees.
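One way to check a claim like this without a browser plugin, as an added example (not the author's code or tooling): parse a saved copy of a page and group every script, image and iframe URL by the site it is fetched from. The markup is constructed, `campaign.example` is a placeholder first-party host, and the two-label `site_of` heuristic is an assumption standing in for a Public Suffix List lookup.

```python
from collections import defaultdict
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tags whose URL attribute makes the browser issue a request when the page loads.
FETCHING = {"script": "src", "img": "src", "iframe": "src"}

# Constructed sample markup; not copied from any real site.
SAMPLE_HTML = """
<html><head>
<script src="https://www.google-analytics.com/analytics.js"></script>
<script src="//connect.facebook.net/en_US/sdk.js"></script>
<script src="https://cdn.optimizely.com/js/0000000.js"></script>
</head><body>
<img src="https://campaign.example/img/banner.png">
<a href="https://twitter.com/example">Follow</a>
<iframe src="https://platform.twitter.com/widgets/follow_button.html"></iframe>
<script src="/static/app.js"></script>
</body></html>
"""

def site_of(host):
    """Naive registrable domain: the last two labels (assumption, see lead-in)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

class ResourceAudit(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.first_party = site_of(urlsplit(page_url).hostname)
        self.third_party = defaultdict(list)  # site -> [(tag, absolute URL)]

    def handle_starttag(self, tag, attrs):
        attr = FETCHING.get(tag)
        value = dict(attrs).get(attr) if attr else None
        if not value:
            return  # plain links (<a href>) are not fetched on load, so they are skipped
        url = urljoin(self.page_url, value)  # resolves relative and //host URLs
        host = urlsplit(url).hostname
        if host and site_of(host) != self.first_party:
            self.third_party[site_of(host)].append((tag, url))

def third_party_hosts(html, page_url):
    """Return {site: [(tag, url), ...]} for resources loaded from other sites."""
    audit = ResourceAudit(page_url)
    audit.feed(html)
    return dict(audit.third_party)

if __name__ == "__main__":
    found = third_party_hosts(SAMPLE_HTML, "https://www.campaign.example/")
    for site, hits in sorted(found.items()):
        print(site, [tag for tag, _ in hits])
```

A static parse like this only sees resources written into the HTML; scripts that inject further trackers at run time show up only to tools that watch the browser's actual requests.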

Markey’s Facebook Tracker

Per FTC guidelines, the trackers Markey employs to spy on his visitors have to disclose their policies regarding the collection and sharing of information of varying degrees of sensitivity. Markey’s Facebook tracker collects personal information at all four levels of sensitivity:

  • Anonymous (Ad Views, Analytics, Browser Information, Cookie Data, Date/Time, Demographic Data, Hardware/Software Type, Internet Service Provider, Interaction Data, Page Views, Serving Domains, Details Undisclosed)
  • Pseudonymous (IP Address (EU PII), Location Based Data, Clickstream Data, Device ID (EU PII))
  • Personally Identifiable Information (Name, Address, Phone Number, Email Address, Login, EU- IP Address, EU- Unique Device ID)
  • Sensitive (Financial Information)

Facebook admits to sharing all of this data with third parties: “Aggregate data is shared with 3rd parties. Anonymous data is shared with 3rd parties. PII data is shared with 3rd parties. Sensitive data is shared with 3rd parties.” Markey employs two Facebook trackers, Facebook Connect and Facebook Social Plugins. Both connect visitors to edmarkey.com to facebook.com without full disclosure.

Markey’s two Twitter trackers have the same privacy policy as the Facebook trackers. 

Markey’s Google Tracker

Markey’s tracker for Google has an even more intrusive privacy policy than Facebook’s.

  • Anonymous (Ad Views, Analytics, Browser Information, Cookie Data, Date/Time, Demographic Data, Hardware/Software Type, Internet Service Provider, Interaction Data, Page Views, Serving Domains.)
  • Pseudonymous (IP Address (EU PII), Search History, Location Based Data, Device ID (EU PII).)
  • PII (Name, Address, Phone Number, Email Address, Login, EU- IP Address, EU- Unique Device ID.)
  • Sensitive (Financial Information, Health Information, Sensitive Data (details undisclosed))

All of this information can be shared with 3rd parties – even the financial and health data – under Google’s policy. Markey deploys DoubleClick, DoubleClick Ad Exchange Buyer, Google Analytics, Google Dynamic Remarketing, and Google+ trackers. Each tracker connects edmarkey.com users to Google.

The edmarkey.com Optimizely tracker is similar to the others regarding anonymous, pseudonymous, and PII, but it does not collect or share sensitive data.

Wyden Overshares with Ad Networks

Sen. Wyden’s campaign site, https://www.standtallforamerica.com, is much more sophisticated than Sen. Markey’s. For starters, it uses TLS encryption so no ISP can see what the visitors to the site are doing there. It also contains a larger body of surveillance code than the Markey site.

In addition to trackers for Google and Facebook that share sensitive health and financial data with third parties without disclosure, Wyden also surveils his visitors with trackers BlueKai, Cxense, ClearStream.TV, Dstillery, Eyeota, LiveRamp, Neustar Aggregate Knowledge, New Relic, PubMatic, RocketFuel, and ScoreCard Research Beacon.

While BlueKai, Clearstream, Cxense and Eyeota limit their collection to anonymous, aggregated, and pseudonymous data, the other trackers are quite intrusive. Neustar admits to collecting and sharing Financial Information, Social Security Number/Tax ID, and Health Information. New Relic, PubMatic, ScoreCard Research Beacon, and Dstillery all have policies similar to Neustar’s in terms of collection.

With respect to sharing, only New Relic and PubMatic share sensitive information, but all of the others share PII. All in all, Wyden deploys 19 distinct trackers to share as much user information with third parties as possible. These third parties are not prominently disclosed on the site.

Can Google Track You Outside of google.com?

Yes. Does Google track you outside of google.com? Yes. Does Google share sensitive data about you with third parties it collects from sites like edmarkey.com and standtallforamerica.com? I don’t know that it does, but it’s entitled to by its privacy disclosures. And the same goes for a dozen other trackers unleashed on web users who visit these two sites.

So I would appreciate it if advocates of the Obama status quo would stop telling tall tales about tracking. The tracker networks see more than the ISPs do, especially where sites like standtallforamerica.com are concerned. This site feeds sensitive information to the tracker networks that they are free to sell. This was true before the FCC passed its ersatz privacy rules, after the rules were passed, and it will remain true after the phony rules are revoked.

But I’m willing to bet that the House debate will repeat the same fictions we heard from Markey and Wyden in the Senate.

Note: This post is based on information obtained using the Ghostery plugin. Install it yourself and check my work.