Quantcast was sued for resuscitating browser cookies when flash LSOs persisted [1], i.e. taking the cookie value from the LSO and recookie-ing the browser. Quantcast and Clearspring settled for $2.5m [2]. The crux of the matter seemed to be that users didn't know such data was in flash cookies or associated with Quantcast, making it hard to opt-out, though I'm not sure if this is illegal; and violated Quantcast and the 3rd party sites' privacy agreements, which appears to be illegal. A lawsuit outline for one plaintiff is here [3] and the full text of the initial filing here [4]. I naively assume there is a clear parallel to this case, though perhaps Verizon and Turn have thoroughly privacy policied their way out, somewhere in 30 pages of legalese.
According to Jonathan Mayer,
> Commercial supercookies, fingerprinting, and zombie cookies are tolerated (if not permitted) under current United States law. [...] Any associated consumer deception, however, is a violation of the Federal Trade Commission Act and parallel state statutes. [5]
"Clearing cookies is not a reliable way for a user to express their desire not to receive tailored advertising,..." Okay, but is it a reliable way for me to express my desire for you not to track me? I assume you ignore the DNT header, and I already block your ads, but still...
"Turn fully supports enabling consumers to express their choice and consent in regards to data use for digital advertising." Choke on a bag of dicks, you sleazy, lying scum.
Hi, I see you'd like to start a quest into the dark heart of our corporate bureaucracy to join the other .0001% of customers who aren't having their privacy violated. We respect you. We love you (feel free to share that via social media). Welcome, and good luck.
Their opt out program relies on using 3rd party cookies and only blocks the display of ads (not the collection or other use of the data). Anyone who is doing this should just install an ad blocker.
So what you're saying is that we need everyone on the planet to install an app that automatically accesses Turn's website every few seconds ... just to be sure that they know we don't want tracking!
It's convenient for them that their server-side opt-out code cannot be audited. It would have been easier for them to just set an anonymous, client-side opt-out cookie.
A client-side cookie is not sufficient, you'd have to set it in every browser you ever use. Practically speaking it needs to be server-side, but should be (but never would be) opt-in rather than opt-out.
The other option is respecting DNT, but that is never going to happen as a default behaviour for all companies.
> Clearing your cookies is not the way to opt-out of tailored advertising, and may in fact be counterproductive if you’ve cleared the cookie that indicates you have opted-out.
I realize the technical reason cookies exist yet this seems wrong to me.
Yeah, that was main reason why I wanted to share his original post – the EFF (or ProPublica) stories aren't bad but he's done a great job writing about many things of interest to the HN community.
Didn't see this yesterday, and I'm sorry we didn't, because we would have switched out the URL. HN prefers original sources, and it's always nicer to give credit (and traffic) to the original creator or researcher.
Unfortunately, it's too late to make a difference now, so we'll just leave things as they were. However: if you (or anyone) notice something like this in the future, the best way to alert us is to email hn@ycombinator.com. We can't read all the threads but we do see all those emails, and usually pretty quickly.
Someone who understands this well needs to write a very short 'elevator' explanation for non-technical end-users that we all can copy and paste. That small act would be invaluable to spreading awareness, which is necessary for any progress.
I was going to send the EFF article to some Verizon customers I know but I realized they would have no idea what it meant. I don't have time to read it thoroughly and write an accurate, succinct summary.
Any volunteers? (The EFF is doing a disservice to the cause by not doing it themselves.)
Because your mobile device really belongs to the carrier and not to you, whenever you browse the web with it, they know who you are no matter what. They are now refusing to keep that information secret even if you want them to, instead selling it to advertisers without your consent (even despite your obvious non-consent).
They do this by sabotaging your mobile browser so it can't really delete certain cookies. When you try, they put them right back the next time you use the browser. They also have a way (called a UIDH header) to tell other sites that it's you (so they can track your visits) even if you don't have a cookie in your browser.
That's a terrible synopsis. It doesn't have anything to do with the device at all, and that's the whole point!
No matter what you do to attempt to avoid this you can't if you use the Verizon communication layer. The only way around it is to use countermeasures to avoid the Verizon software seeing your connection (i.e., a VPN).
But cannot phones simply be tracked by their own ID regardless of carrier? Say you swap from Verizon, if you hit one of their towers they could theoretically use that information even if you're not a direct customer.
We know the FBI is reading the traffic so I am wondering why someone is surprised a company does it. It's not right for either party.
They could also follow you non-stop on the street and enter every store you go to and take note of all your purchases by looking over your shoulder. And I don't think much of it is illegal unless you can prove it distresses you
but I'm not a lawyer (I'm a productive member of society :)
Naive follow up question: Can doing something like routing through a VPN help with this? I assume not, since a forced cookie on your browser will make you always identifiable to the person on the other end, correct?
Using a VPN would encrypt your traffic, preventing Verizon from injecting a UIDH header. You could then clear your cookies and websites would not be able to re-add them via the UIDH header since it isn't being sent.
This isn't to say that the websites can't identify you via some other means, just that they no longer have the guaranteed UIDH header to identify you.
No, the header injection happens after the request leaves your browser. However, adblock can prevent the request going to Turn and other ad sites in the first place. But then the website owner (e.g. Facebook) can work with the ad network to pass your info to them on the server side, although I'm not sure how widespread this is.
How about if I wanted to actively subvert the header? Would there be a way to beat Verizon's network to the punch by injecting the same header myself and populating it with garbage data?
The only way around that would be to take advantage of bugs in their parser. HTTP is a moronic spec, and it allows inane things. For instance, these are valid HTTP headers:
    X-LineWrap: Hi my name is
      Header Boy
The value of X-LineWrap should be "Hi my name is Header Boy". Edit: Actually I'm not sure if the space before the comment counts or not. Terrible text protocol formats FTW.
    X-Comment: This is the value (but this is a comment!)
The value of X-Comment should be "This is the value".
    X-MoreFun: I don't recall (offhand) how
      this header value should
      (really, the spec is a mess)
      be interpreted.
The value of X-MoreFun should be (I think): "I don't recall how this header value should be interpreted.".
So, you might get lucky if they have a non-compliant parser and the target site has a compliant parser. In that case:
    X-UIDH: garbage1
      garbage2
Might get turned into:
    X-UIDH: verizontrackingvalue
      garbage2
In which case, a compliant HTTP parser would read the value as "verizontrackingvalue garbage2", which might be enough to mess up their tracking.
Also, HTTP has special handling of headers that are "comma separated lists". This should only apply to special-cased built-in headers. But you could try sending multiple X-UIDH headers, with commas in the values, to trick an overly ambitious parser. Maybe.
Anyways, this all depends on bugs in HTTP parsers, which probably exist. (Can you tell I despise the HTTP format?) But if exploited enough to matter, they'd simply patch them.
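The parser disagreement described in the comment above, as an added example that is not part of the original thread: a line-oriented rewriter (a hypothetical stand-in for a middlebox, not Verizon's actual code) replaces only the first line of a folded header, while an RFC 2616-style parser unfolds the continuation into the value. RFC 7230 deprecated line folding, so the last parser shows the server-side option of rejecting folded requests outright; all function names and the sample request are constructed.

```python
"""Added example: folded (obs-fold) headers seen by two different parsers."""

CRLF = "\r\n"

# Constructed sample: a client-supplied X-UIDH header folded over two lines.
SAMPLE_HEADERS = CRLF.join([
    "Host: example.test",
    "X-UIDH: garbage1",
    " garbage2",            # leading space marks a continuation line
    "Accept: */*",
])


def naive_rewrite(raw, name, new_value):
    """Line-oriented rewrite: replace any line that starts with `name:`.

    Models a rewriter that is unaware of folding, so continuation lines of
    the original header survive untouched.
    """
    out, seen = [], False
    prefix = name.lower() + ":"
    for line in raw.split(CRLF):
        if line.lower().startswith(prefix):
            out.append(f"{name}: {new_value}")
            seen = True
        else:
            out.append(line)
    if not seen:
        out.append(f"{name}: {new_value}")
    return CRLF.join(out)


def parse_unfolding(raw):
    """RFC 2616-style parse: a line starting with SP or HTAB continues the
    previous header, and the fold is replaced by a single space."""
    headers = []
    for line in raw.split(CRLF):
        if line[:1] in (" ", "\t"):
            if not headers:
                raise ValueError("continuation line with no header before it")
            key, value = headers[-1]
            headers[-1] = (key, (value + " " + line.strip()).strip())
        else:
            key, sep, value = line.partition(":")
            if not sep:
                raise ValueError(f"malformed header line: {line!r}")
            headers.append((key.strip(), value.strip()))
    return headers


def parse_strict(raw):
    """RFC 7230 section 3.2.4 option for servers: refuse obs-fold instead of
    guessing what an intermediary made of it."""
    for line in raw.split(CRLF):
        if line[:1] in (" ", "\t"):
            raise ValueError("obs-fold rejected (respond 400 Bad Request)")
    return parse_unfolding(raw)


def header_value(headers, name):
    """Return every value recorded for `name` (case-insensitive)."""
    return [v for k, v in headers if k.lower() == name.lower()]


if __name__ == "__main__":
    rewritten = naive_rewrite(SAMPLE_HEADERS, "X-UIDH", "verizontrackingvalue")
    print(header_value(parse_unfolding(rewritten), "X-UIDH"))
    try:
        parse_strict(rewritten)
    except ValueError as exc:
        print("strict parser:", exc)
```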
When you click a button on your mobile web browser, if you're a Verizon customer, advertisers see a special tag assigned to you by Verizon. Since Verizon assigned you the tag, they can give you the same tag on every website. Advertisers have ads on many websites, so they can see the tag and match your browsing history to their logs. In effect, because of the tracking tag Verizon assigns to you, any advertisement you see can track who you are and where you've been.
It should be made clear that it is not some pseudo anonymous "you" but it can be directly related to your phone and your contract and from that to you.
The tracking is everywhere, it is all around us, even now on this very site. You are tracked when you look out your window, or you turn on your television. You are tracked when you go to work, when you go to church, when you pay your taxes. It is the web that has been pulled over your eyes to blind you from the truth. You are a slave. Like everyone else, you were born into bondage, born into a prison that you cannot smell or taste or touch. A prison for your mind and especially for your Verizon phone.
Verizon operates at the network layer - if you are on their network presumably they will copy the real value over your garbage value.
If you aren't on their network then they can check IP address and ignore values not from the Verizon subnets.
There are a couple of other solutions you haven't mentioned:
VPNs: Annoying and currently too hard for most people. Perhaps it is time for device (PC and mobile) manufacturers to consider offering VPNs integrated with their devices.
Competition: If the US had a more competitive broadband market then people could choose other providers.
Legal action: If Verizon was sued and lost over this then it could have a cautionary effect. However, the loss would have to be huge for it to have an impact, and large financial settlements generally require proof of significant harm. That's going to be hard in this case.
True, but an enterprising individual could write an extension to cause non-Verizon users to start feeding fake unique identifiers into their own streams. Heck, you may even be able to hijack a website login using it.
> True, but an enterprising individual could write an extension to cause non-Verizon users to start feeding fake unique identifiers into their own streams.
Exactly. But instead of using it to try to change your UIDH within Verizon, it should encourage non-Verizon customers to just pollute the space with random UIDH values from all over the place.
True, but this header is presented to all sites visited. This wouldn't pollute Verizon's tracking (they could do this without the header). This may instead pollute the third parties which are taking advantage.
Tor Browser is perfectly suitable for everyday browsing. When's the last time you used it for any significant period of time? It's plenty speedy and very stable.
Please, instead of bemoaning your complete lack of privacy online, do something about it for a change. Download Tor Browser right now.
What kind of a weasel word is "everyday" browsing?
Tor has way more latency. It's been a while since I measured bandwidth, but relatively high bandwidth transfers like videos are everyday browsing nowadays. I, for one, frequently use Youtube playlists as ad-hoc background music, for example.
VPN is insanely easy today. IMO Everyone should use it by default. Too bad it causes an additional load on the internet for the encrypted tunnel traffic.
Another option is a blanket law about internet traffic that states no tracking can be made at all unless given express permission.
How do I install a VPN on my SmartTV exactly? How do I make it actually work, even using VPN-on-a-router, given the importance CDNs have and how they use the location of your DNS resolver to attempt to give you nearest copies?
How do I explain to the hypothetical 68 yo grandmother why she has to disable the VPN to use (Australian geoblocked catch-up TV Service) iView and then reenable it to browse, but she won't be able to buy Kindle books when it is enabled unless she had it enabled when she first setup an Amazon account and her credit card also has a US address, and...
How is a user supposed to move the keys from their mobile device to their PC when most users can't even get photos off their phones.
Convenience vs. security. It's incredibly convenient to be able to stream Netflix on a TV without having to purchase some other device, use multiple remotes, etc. I would say privacy-conscious consumers are likely the minority. I'd imagine most consumers would rather be able to watch movies with the push of a button than worry about the implications of letting their TV connect to the Internet.
Your grandmother being older and wiser than you, she would stop caring about the user-hostile businesses you mention. Being able to circumvent anti-privacy measures is a good skill to have, but actually doing it is ultimately less useful than quitting.
The recent European cookie law was close to that and got laughed at by tech people. Poor Europeans are constantly being asked for permission "Can we store a cookie on your computer?" whenever they visit a major website.
Also, how do you stop people tracking you by IP? Every web server's log does this by default. How do you allow sessions even? It's not easy to define tracking so it's different from essential operation.
> Poor Europeans are constantly being asked for permission "Can we store a cookie on your computer?" whenever they visit a major website.
As a non-European who visits the BBC, my impression is that it's even less useful than that (you can get that kind of annoying prompt just by setting cookie permissions on your browser to 'always ask'!). Instead of a prompt, you get an intrusive notice that they are setting cookies, and that your remedy if you don't want them to do it is to go away.
Regarding regulation, if, as the EFF suggests may be the case, Turn is causing the companies they do business with to violate their stated privacy policies, it would seem that the FTC could take enforcement action without new regulation being needed. An indirect way of kicking in Turn's teeth, but perhaps one that would work.
Step 1: Site operators install backend library to detect uid cookies and send them via API to a central database
Step 2: Privacy-minded activists install a browser extension that reads the uids from central database and spoofs HTTP headers with them. Extension could even cycle through uids on a daily basis to cause more mayhem.
Result: with just a few big sites running this, a few thousand people with the extension could irreparably corrupt the uid header's "uniqueness" and it could no longer be relied upon to respawn a lost cookie session. Because Turn wouldn't know whether it's a real mobile Verizon user, or a jackass with an extension.
Shameless plug: I've already written a browser extension http://flagger.io that spoofs HTTP headers in Chrome and Firefox. Would be easy to add this functionality if people can help on the backend side (writing libraries for node/python/ruby/php/etc.)
Reading through the original report, it doesn't seem that Turn's handling of the header is very sophisticated, in fact they just dumbly accept whatever header you give them.
(Interestingly unless they take extra precautions, this exposes them to a CSP sandboxing vulnerability)
Turn needs to handle these headers basically in realtime, and while I'm not saying it would be impossible to do IP filtering on a header, it would be expensive.
If outsmarting them became a cat and mouse game and people stay ahead of them at any point, that would be good enough to make third party companies that rely on Turn's zombie cookies to lose confidence. Unless Turn publishes more info about how they circumvent the circumvention, and this would implicate them further politically and legally.
What they are doing is immoral and probably illegal.
There's no cat and mouse. IP filtering is trivial. Say Verizon has 50M IPs, and let's pretend each is a /22. That's 50K * 22-bit entries, but we'll be inefficient and round to 4 bytes. That's a 200KB lookup table. BFD, and that's an inefficient estimate.
HTTP is a terrible text-based format that's very inefficient to parse. The overhead of another IP lookup per request is negligible.
Your heart's in the right place, but your technical proposal simply doesn't accomplish anything.
And, if you could get traction on people installing plugins or whatever, you could just get them to install adblock.
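The lookup estimated in the comment above, as an added example that is not from the thread: the carrier's prefixes are kept as a sorted array of integer ranges, and an X-UIDH value is honoured only when the connection's source address falls inside one of them. The prefixes are RFC 5737 documentation ranges standing in for a real carrier list, and every function name is hypothetical.

```python
"""Added example: accept a carrier-set header only from carrier address space."""
import bisect
import ipaddress

# Constructed stand-ins for a carrier's prefixes (RFC 5737 documentation ranges).
CARRIER_PREFIXES = ["198.51.100.0/24", "203.0.113.0/25", "192.0.2.128/26"]


def table_estimate(total_ips, prefix_len, bytes_per_entry=4):
    """Entries and bytes for a table of equal-sized prefixes, following the
    comment's back-of-envelope arithmetic."""
    entries = total_ips // (2 ** (32 - prefix_len))
    return entries, entries * bytes_per_entry


def build_table(prefixes):
    """Return parallel sorted lists (starts, ends) of integer address ranges,
    with overlapping or adjacent prefixes merged first."""
    nets = ipaddress.collapse_addresses(
        ipaddress.ip_network(p) for p in prefixes)
    ranges = sorted((int(n.network_address), int(n.broadcast_address))
                    for n in nets)
    return [s for s, _ in ranges], [e for _, e in ranges]


def in_table(table, addr):
    """Binary search: find the last range starting at or below addr and
    check that addr does not run past its end."""
    starts, ends = table
    ip = int(ipaddress.IPv4Address(addr))
    i = bisect.bisect_right(starts, ip) - 1
    return i >= 0 and ip <= ends[i]


def trusted_uidh(table, peer_addr, headers):
    """Return the X-UIDH value only if the TCP peer address is in the table.

    peer_addr must be the socket's remote address, not a client-supplied
    header such as X-Forwarded-For.
    """
    value = next((v for k, v in headers.items() if k.lower() == "x-uidh"), None)
    if value is None or not in_table(table, peer_addr):
        return None
    return value


if __name__ == "__main__":
    table = build_table(CARRIER_PREFIXES)
    print(table_estimate(50_000_000, 22))
    print(trusted_uidh(table, "198.51.100.7", {"X-UIDH": "abc"}))
    print(trusted_uidh(table, "203.0.113.200", {"X-UIDH": "spoofed"}))
```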
Hmm... garbage doesn't work because they override the UIDH as a MitM. So maybe this fact could be exploited in the opposite direction:
Start using the X-UIDH: header for some prominent but non-mission-critical feature in a format that is obviously not related to this tracking number. When Verizon rewrites the header, that feature breaks, and you can make a fuss about it in the media or sue Verizon for breaking your webpage.
(it sounds good on paper; this may not work in practice)
> 1) Regulation. Maybe it'll happen, I don't have much hope of it being done intelligently
Why so hopeless? My water is clean, airplanes and roads are safe, retail banks don't lose their customers' savings, etc. Not all regulation works, but this one is pretty straightforward.
Because the current US political climate is not in favour of regulations. It is true that we have all the regulations you describe, but each was fought tooth and nail when introduced!
EDIT: Original post had slightly more pointed political language.
Verizon overrides; I'm not a web engineer but (I think) SSL protects TCP headers. If so, probably the only technical solution is either SSL everywhere or an SSL proxy run by users.
I interpreted the suggestion as for those not using Verizon to inject fake UIDH. Of course, this could be filtered by making sure the traffic is actually coming from Verizon's networks...
It's frustrating, the internet has become such a creepy "you are the product" medium. The more of this I see, I start to feel like I don't want to be a part of it anymore.
Well, do you care enough to take your business elsewhere? That's really the last-ditch way for you to have any voice on this.
For whatever it's worth, I left them recently for this very reason (your choice is yours, mine is mine, no preaching or judgement here either) – I ended up having a few minute conversation with the confused (but nice) call rep who didn't understand what they were doing but seemed to empathize as I explained it. Ultimately, will my explanation matter? Probably not, but it was all the power I felt I had, beyond cutting them off from my monthly payments.
While still not trustworthy in my book, t-mobile is definitely an upgrade, at least in this regard.
In the US, consider Credo Mobile or T-Mobile. Even AT&T discontinued this practice when called out on it, while Verizon's is flatly recalcitrant; their privacy policy says, "If you do not want information to be collected for marketing purposes from services such as the Verizon Wireless Mobile Internet services, you should not use those particular services."
yeah, but people will justify it with a hard-on for verizon's network. where somehow in a large city, not a single other provider gets acceptable signal...
What about a browser extension and a website that tracked Turn's advertising clients? The website and extension are there to help users boycott Turn's customers.
Can anyone think of a way to automate the collection of those ads and linked clients? Crowd-sourcing maybe?
Just because you don't value your privacy doesn't mean you get to project those values on the rest of us. Spying on your customers doesn't magically become moral simply because technology has made it easy. It most certainly is not necessary.
Really, the only reasons surveillance as a business model has worked is most people don't realize the extent that it is going on and by the time they do a monopoly or oligopoly has already established itself. Taking advantage of ignorance is at best rude and offensive, and at worst it should be criminal.
Unfortunately, the laws have yet to catch up to abuses like Verizon's MitM rewriting of HTTP headers. Worse, fixing laws and enforcing them against these modern abuses is going to be very hard: regulatory capture's a helluva drug.
"Keep your head out of the past?" What a ridiculous rebuttal. Parent poster is well within his or her rights to feel that way. All the evidence we've been presented with in the past few years should lead everyone to the same conclusion. You are being tracked and your data sold to the highest bidder. How is that not cause for concern? Just because it occurred in the past?
If you were an author (of any sort) could you claim that the transmissions of your material (text) that are under copyright were circumvented (DMCA) via a permacookie under your "moral rights" as an author to publish anonymously?
It may or may not work depending on the legal status of, among other things, the HTTP standards, but could you claim copyright on transmitted HTTP requests, at least if they contained sufficiently interesting contents?
If you could, then presumably one would have to say that ISPs have implied license to transmit those (implicitly) copyrighted requests to a third party, namely, the server. However, that implied license would presumably not allow the ISP to transmit a derived work to the third party, i.e., the original request augmented with the tracking header.
To argue this one would have to argue that the entire request, headers and all was copyrightable, but I suppose if one did something creative with the headers it could work; e.g., using the HTTP headers as a kind of poem. But of course there's ways to have creative content in something without it being art, just as long as the other side couldn't argue that the headers couldn't be copyrighted because the usual ones are largely predetermined by the standards.
Basically this is just the same idea you had, except instead of invoking the moral right to anonymity, it's invoking the easier-to-digest moral right to the content itself.
I'd say this was all baloney, but the DMCA is so ridiculously broad that it just might work. Of course, this is all pretending that the DMCA is meant to apply to corporations and not just us small folk.
Hmm, not talking about the content provider. I am saying if I am an author who was publishing something under anonymity and I assumed I was anonymous because I "cleared my cookies/Enabled Do Not Track settings" during the publication of the material - only to discover that my cookies had been circumvented via permacookie by a commercial entity - is my "moral right" of anonymity now gone? Could I claim the permacookie method was a circumvention under the DMCA?
There is no "moral right of anonymity" in copyright law. Even supposing there was, de-anonymizing you would not violate anything in the DMCA. The anti-circumvention section prohibits circumventing technical access control measures, not circumventing "rights" in general. Circumventing the rights that copyright law does provide an author is just called copyright infringement.
My guess is that the "entrepreneurial" solution here would be a combination of:
- A browser that doesn't support cookies and provides the server with a client controlled session-id (perhaps a user-id also).
- Only uses SSL sessions to avoid middle-box injection of HTML headers (this still leaves the provider with the ability to inject data as IP options / TCP headers).
- A micropayment solution that allows content providers to get revenue from content rather than ads.
> A micropayment solution that allows content providers to get revenue from content rather than ads.
Even if this were popular, you'd still be tracked because it makes money. Really, so few people care about this deeply I don't think it will be solved. Sure, everyone hates it, but no one will switch carriers over it.
We are working on a browser (https://gngr.info) that supports cookies but doesn't enable them by default for all websites. We also don't enable JavaScript by default. User needs to enable these on a per-site basis. Enabling for all sites at once is also possible if the user so wishes.
In the near future, we also want to support https only sessions (opt-in to begin with and opt-out once https becomes more commonly deployed).
About micropayments, there are many. Flattr comes to mind. But I am sure there are more.
Why was this downvoted? It seems like a productive contribution to the conversation—in fact, it's a direct response to another user's question. I can imagine plenty of technical objections, but it seems that they should be made via responses, not downvotes.
EFF is working on a "HTTP Nowhere" option for HTTPS Everywhere, which only allows HTTPS connections. On Firefox there already is an HTTP Nowhere addon from someone else.
But as others have said, it's probably easier to just use Tor.
Somewhat related, does anyone know about Verizon FIOS TV commercial injections and how they possibly relate to FIOS internet tracking?
I have IBD and have been spending a lot of time on UC/IBD related sites lately. I've noticed quite a lot of tv commercials for IBD drugs on TV and mentioned it in passing to my friend. He said Verizon uses tech from RGB Networks and similar companies to inject custom commercials into the FIOS TV streams based on FIOS internet data.
It's strange to read this and then simultaneously read people complaining about HTTP2 requiring SSL. It'd surely be nice if law protected us from bad actors but SSL protects from this in a way that (hopefully) can't be circumvented.
SSL can't really stop it, I think. Here's a thread where I've speculated on a way to inject metadata into SSL handshakes[0] just like they're doing with HTTP headers. If that doesn't work (I'd be interested to hear why), someone else suggested using TCP-IP source/destination metadata queried from the ISP to resolve to a customer.
No. An MITM starts changing the ClientHello, and the PreMasterSecret should change because it's all hashed in, and therefore Finished will fail - that's the case with the TLS 1.3 draft and I wouldn't be surprised if TLS 1.2, too, although I'll put it on my list to check. Fallbacks complicate that, but the fallback SCSV signals enough to correctly sound the alarm there too.
I'm specifically on the lookout for sneaky ways to (GCHQ call it) "stain" traffic like that, and try to remove them. ("Kleptography" is similar, but the endpoint is complicit - there's not a lot can be done when the endpoint is complicit, but more deterministic primitives help both.)
These can be rather subtle - with temporal differentiation as well, even 1 bit allows for a basic binary search/partitioning attack, so anonymity networks like Tor, I2P etc have to be particularly careful about that.
(You shouldn't really be using TLS 1.0/1.1 anymore, and definitely not SSL.)
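The Finished check mentioned in the comment above, as an added example that is not part of the thread: TLS 1.2 (RFC 5246, section 7.4.9) computes verify_data as a PRF over the hash of the handshake messages, so when an on-path box alters the ClientHello, the value the client sends no longer matches what the server computes from the bytes it received. The handshake bytes and master secret are constructed placeholders rather than a real capture, only the two hello messages are modelled, and the master secret is held fixed to isolate the Finished comparison.

```python
"""Added example: an altered ClientHello makes the TLS 1.2 Finished check fail."""
import hashlib
import hmac

# Constructed placeholders: not real handshake records or key material.
MASTER_SECRET = bytes(range(48))      # TLS 1.2 master secrets are 48 bytes
CLIENT_HELLO = b"\x01" + b"constructed-client-hello"
SERVER_HELLO = b"\x02" + b"constructed-server-hello"


def p_sha256(secret, seed, length):
    """P_hash expansion from RFC 5246 section 5, using HMAC-SHA256."""
    out, a = b"", seed
    while len(out) < length:
        a = hmac.new(secret, a, hashlib.sha256).digest()        # A(i)
        out += hmac.new(secret, a + seed, hashlib.sha256).digest()
    return out[:length]


def verify_data(master_secret, label, handshake_messages):
    """Finished.verify_data: first 12 bytes of
    PRF(master_secret, label, SHA-256(all handshake messages so far))."""
    transcript_hash = hashlib.sha256(b"".join(handshake_messages)).digest()
    return p_sha256(master_secret, label + transcript_hash, 12)


def stain(client_hello, tag):
    """Model of an on-path box adding identifying bytes to the ClientHello."""
    return client_hello + tag


def server_accepts(sent_hello, received_hello):
    """The client hashes what it sent; the server hashes what it received
    and compares the result with the client's Finished value."""
    label = b"client finished"
    from_client = verify_data(MASTER_SECRET, label, [sent_hello, SERVER_HELLO])
    expected = verify_data(MASTER_SECRET, label, [received_hello, SERVER_HELLO])
    return hmac.compare_digest(from_client, expected)


if __name__ == "__main__":
    print("untouched:", server_accepts(CLIENT_HELLO, CLIENT_HELLO))
    print("stained:  ", server_accepts(CLIENT_HELLO,
                                       stain(CLIENT_HELLO, b"\xde\xad")))
```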
I'm sure you know a lot more than I, and you're pushing the boundaries of my limited knowledge, but I read a bit on some things you mentioned... I don't follow how the PreMasterSecret incorporates the ClientHello; PreMasterSecret seems to be just a protocol version and some random bytes. As for the Finished hash check, I didn't know about that, but can't a server complicit with the MITM (i.e., a site wanting to buy customer data from Verizon) fix up the hash by ignoring the bytes the MITM inserted? They would coordinate a scheme to reversibly inject tracking bytes, and pretend the bytes weren't there while hashing for Finished.
Since you mentioned complicit endpoints, I'm really wondering if I'm being naive here. It's certainly not as simple as injecting HTTP headers, but it looks possible if the ISP and target server collude, and the ISP makes sure to only tamper with traffic bound for servers that "know" to un-tamper it.
I could probably prove or disprove this for myself by writing a proof of concept, and maybe I will, but in case it is an issue that could be mitigated, I'd rather someone more qualified think about it sooner than I will figure it out.
Good point about "SSL", I was using the term loosely.
Complicit endpoints could just work with Verizon to enable a server to server API to get the subscriber ID of a particular TCP connection. In fact, since this is non visible to end users, if Verizon is clever, that's what they'll do. Then it would not have this public visibility.
I was going for a more direct analogue, and how inserting the ID is more seamless than a backend query, and how tampering with SSL is more technically interesting to me, but yes, you're right. Good point on how it would not be detectable. I wonder how many ISPs are doing it right now...
If the advertisers and your ISP are cooperating there's nothing you can do. They can easily just redirect all IP packets going to their advertising partners through some encapsulation that encodes your customer id out-of-band, encode it in to their NAT scheme, or just provide customers with static IPs and partners with regular dumps of the database.
It's simpler than that. The advertising based site wants to show you the ad, they have no incentive to implement SSL. There's no https://espn.com, for example. Even if they did implement https it would be mixed content because the ad networks' iframes or whatever are http.
The solution is things like NoScript or Adblock on Firefox (not Chrome which downloads the ad and just hides it). Or blackholing the ad networks in /etc/hosts.
Agreed. An entry in the hosts file for ad dot turn dot com could be a temporary fix-- until they use a different subdomain. A combination of the above is probably the most optimal solution.
Maybe instead of adblock for turn, someone should put together a plugin to generate a random header string sized at about 16k just for *.turn.com.
On a side note, if your browser automatically filled up the remaining allowed characters in the header (depends on the server of course), it'd be interesting to know how that would be handled by Verizon's support since all sites would get a 400 error when their header injection is enabled.
It's a wonder to me how no Verizon competitor has jumped at the opportunity to advertise this on a large scale with a message along the lines "it's evil, we don't do that".
If the users really care about this issue, that's what would happen on a functioning market anyway...
I doubt most people care. This isn't going to drive customers away. The only way it'll be stopped is if they're legally forced to. For example, see the history of cookies themselves and how most people never cared about them.
Not really. Even AT&T doesn't do this (they did at one point, but were apparently called out on it and stopped doing it), and they're pretty damn scummy.
Verizon really does come across as a Bond-style corporate villain in stories posted to Hacker News. I'm currently a TMobile customer, and I wonder how many of Verizon's shenanigans are actually just the common MO of all American telecoms.
It would otherwise seem egregious if only Verizon is throttling customers on "unlimited" plans, and only Verizon is selling their privacy for money, and only Verizon is pushing garbage smartphones onto customers that don't know any better.
How can they be so big if they suck so much ass? Are they successful only because they get their network deployment right? Are regulatory barriers protecting them from competition (I find that hard to believe because wireless, unlike broadband, seems to have multiple competitors in every market).
Maybe we just need to take public spectrum away from these donkeys and give it up for use by ad-hoc technologies. I suspect that if we make some standards (or even just broad rules of the road) some peer2peer telecom technologies might emerge and surprise us with their quality (just like BitTorrent is surprisingly good for file downloads, even though it's decentralized completely).
If someone chooses to work for a sleazy company, say one that aggressively violates a person's expressed desire to not be tracked, I would not want to hire them or otherwise associate with them.
Should the engineers who enable companies like Turn be shunned by other engineers?
Not everyone has the luxury to be able to refuse or quit a paying job. It'd be harsh to judge like this. It would of course do to shun the firms which do this - ultimately we want to eliminate the behaviour - not the people.
I don't think that's a good idea. Yes the ad based business model has gone completely off the rails with their aggressive privacy violations and disgusting deception schemes. I think they should be stopped, if necessary by regulating them off the face of the earth.
But personally blaming and shunning regular employees of corporations that break the law or some ethical standard has far reaching ramifications. Bitter ideological battles would take over the personal lives of people who have no say in whether or not their employer decides to use a particular marketing scheme or do business in a particular country.
I think personal blame should be reserved for decision makers. If an employee knows about serious crimes committed by their employer they should simply report it to the police.
I'd rather not do things that give the state more power and control over individuals. So I'm not a big fan of regulation in general. I'd rather pursue voluntary means of encouraging virtuous action where and when I can.
Engineers who directly enable this kind of technology are (in my view) not materially different from individuals who write malware. These engineers are members of the group of decision makers, because they know exactly how the code they are writing will be used. I think it's right to not encourage or support their behavior.
In other words, the degree to which I would shun someone is proportional to the knowledge and control they had in the situation under consideration.
I don't think state control over individuals can be adequately characterised in terms of "more" or "less". Sometimes what governments do is to shift power and control from some groups of individuals to others, as in the case of consumer protection laws. In other cases they grab power for themselves, building a surveillance state.
I think the debate should be more about what governments should do and why, not just how much they should do, i.e. big or small government.
In addition to the other replies you've got, this kind of judgement is, I think, beyond most people's capability to make. Should everyone who works at Turn be shunned, or just those who work on this project specifically? If a previously honourable company starts doing dishonourable work, how long a window does an engineer working there have to find another job before he or she is shunned? What does it mean to 'enable' Turn? That is, could a third-party indirectly enable them? How do we make the judgement when this has happened? For example, should W3C be shunned for making a standard that can be abused in this way?
For me, it's a matter of the degree to which the person sees the ramifications of what they are doing, and the degree to which they directly contribute to the bad actions.
For example, the management team that has built a business around tracking people who clearly do not wish to be tracked is highly suspect, in my view.
The sysadmin that runs the servers, less so. But if she/he knows what the company is all about, I'd urge him/her to either try to change the mindset within the company (likely, impossible) or start looking for another gig.
I would not ask anyone to sacrifice themselves, but neither should they be facilitating unhelpful behaviors.
Verizon, of course, is enabling Turn (as I understand the situation.) Companies that are customers of Turn are also enabling them, in my view.
Precisely because your questions seem particularly on point, I find them hard to answer; but I wanted to say that I appreciate your thoughtful engagement with respondents in this thread. It's a rare sight, even on HN, and a pleasure.
Should engineers who invent new rifle shells, or atomic bombs, or armed drones, or work at the NSA, or Tinder, or Uber, or Groupon, or Zynga be shunned? All of their employers are perceived by some as scumbags.
If your job that you liked came to you with a challenge like "I want you to invent a brand new way to track our users that nobody has thought of before", would you turn it down?
edit: or Facebook, or Google, etc? These companies are in the business of tracking their users' behavior to be sold to advertisers. I'm not really sure how that's different at the macro level than what Verizon/Turn is doing, and we're shunning an awful lot of engineers at this point.
I won't engage in work that I conclude is immoral, nor will I help others to pursue ends that I consider problematic. I think it's important that you always be free to come to your own conclusions on such matters as well.
Do you think that refusing to pay one's taxes, and thereby ultimately going to jail, is the best way to make a principled stand against the idea that taxation is theft?
As I understand it, in any specific context there are many principles to be considered in making a decision as to how to act.
For example, "Strive to act rationally" is an important principle for me. I try to act based on reason and evidence, to the best of my ability to do so.
Would you consider someone who chose to make a headlong rush at the IRS and their most sacred rule as acting rationally?
I would say such a person was tilting at windmills. I think there are more effective ways for me to work for virtue and justice in the world.
In other words, I don't see being principled as necessarily requiring martyrdom.
> These taxes are non-voluntary and coerced from me under threat of force.
One could say equally well that, for many of the engineers working on them, these reprehensible projects are non-voluntary and coerced under threat of economic ruin.
(To "you can always quit"—well, you can always renounce your US citizenship, too. To "then I'll just wind up paying taxes to some other repressive government"—someone contemplating quitting his or her job could also despair that he or she will just have to take another morally questionable job.)
"These taxes are non-voluntary and coerced from me under threat of force."
False. You can move to another country whose values/morals you agree with more, become a citizen, and renounce your American Citizenship. It's by no means easy but completely doable. You still live here and pay taxes to the US government because your "principles" don't yet outweigh the convenience of living where you do. Make no mistake, America has done, continues to do, and probably will do in the future, utterly terrible, immoral shit.
I have a different view, but first, thank you for sharing yours.
Yes, I could move to a different country. And I have thought about that quite a bit. There may come a time when I decide to do it.
But it's troubling, morally, to do so. Here's why.
An old man is walking down the street. He's a peaceful guy, minding his own business. A couple of thugs come up to him, stick a gun in his ribs, and demand his wallet.
He doesn't want to do it, but he reluctantly gives up his wallet, in the hope that they won't choose to harm him any further.
If after this incident, the man chooses not to move to a safer neighborhood, would you say that he is then endorsing the actions of the thugs?
In my view, the man has done nothing wrong. He did not initiate force against anyone else. When the thugs, who clearly do not respect individual rights, demanded his money, he made a rational calculation and did what he concluded was most likely to save his life.
This is why, while I could move to another country, I'm (currently) unwilling to do so. I would prefer to stay in my home, and work as best I can to be an advocate for virtue and peaceful, voluntary cooperation.
And finally, yes, I agree with you, the government of the United States has done some horrible things. You might have noticed that I am not exactly an advocate of a large and powerful state. :-D
I feel like injecting headers is only the start of something far more pernicious; even SSL/TLS can't stop an ISP from determining and tagging where your traffic goes (and consequently, passing that information onto third parties) - all your traffic goes through equipment on their network, after all. As long as your connection to the Internet is tied to your identity in some way (and there is basically no way a non-free ISP is going to let that be anonymous), they can track you. "Obfuscatory routing systems" like Tor can help, but as long as ISPs can observe the traffic on their networks, they know.
OK, I can think of a few ways they might do this (DNS tricks and per-user IPv6 addresses, <src ip, src port, dst ip, dst port> => user mapping). These all seem significantly more complex than HTTP header injection though.
> In fact, Turn has told EFF that they do not believe that either Do Not Track or a user deleting their cookies is a signal that the user wishes to opt out from tracking.
What the fuck, Turn? You got a different explanation for what the fuck "Do Not Track" means?
Are they for fucking real right now? I mean, I've seen my share of grade-A corporate double-speak, but this takes the goddamn cake. Holy fucking shit. Thank God I'm not a Verizon customer in any capacity (that I know of). With this kind of bullshit, I don't plan on that changing any-the-fuck-time soon.
> IE10 defaults to Do Not Track enabled. So sending the header is not explicitly representative of the user's wishes.
"By signing up for [insert service here], you agree to the privacy policy."
How many times did you actually agree with the privacy policy? Devil's advocate, I know, but it's a sobering reminder that pretty much anything you use gives information that is sold. Open a bank account? If so, notice any new junk mail? Pretty hard to live life without a bank account. Your information is still sold to third parties.
To play another devil's advocate, shouldn't that also imply that IE10 users sending Do Not Track are in fact explicitly representing their desire not to be tracked? I mean by that same argument the user, by using Windows/IE10 did in fact choose the default settings of the browser, per the terms and conditions agreed to upon installing/purchasing Windows/IE.
Live by the T&C, die by the T&C - unless you can hide your scumminess through underhanded or obfuscated tactics.
> IE10 defaults to Do Not Track enabled. So sending the header is not explicitly representative of the user's wishes.
> Convenient, isn't it?
That might be an excuse, but it's not the reason. They easily could read the DNT header and the user agent, and trust DNT headers from non-IE10 browsers.
Absolutely. They're interpreting the situation with strict literality because it is in their benefit to do so.
They have a perfectly valid reason for what they do: it's strongly beneficial to their business model to operate in a scummy but probably-legal way. They are hardly unique in this.
Since we have little market recourse (Verizon is often the only option, and we are not customers of Turn), and we have no legal recourse (again, scummy but almost certainly legal in almost all circumstances)...what is left?
Well, there are technical solutions to the problem. TLS is a good start. Browsers can be smarter about third party cookies. The Verizon Overcookie can be stripped by a proxy. VPN can solve many problems... This glommed on tracking junk is fragile.
I strongly resent being drawn into the arms race, but it is winnable.
It will take something dramatic (and who knows how long) for our outrage to be shared by a critical mass of customers/voters, so for now, I think technology is the solution.
I don't use Internet Explorer. I use Firefox. If I have Do Not Track set (which I do), it means that I have explicitly requested to not be tracked, and that such a header is explicitly representative of my wishes.
The sooner we have a full list of all companies which are doing business with Turn, the happier I'll be, since that would provide me with a better target for my (admittedly excessively) strongly-worded frustration.
Is it just me or is Verizon the most evil operator out there? Being based in EU I have no idea of course but there are hardly ever positive news coming out of that firm.
This may be a tortious (sueable) offense under the Intrusion Upon Seclusion principle. Possibly as a class action:
“It is unnecessary to determine the extent to which the right of privacy is protected as a constitutional matter without the benefit of statute.” Beaney, The Constitutional Right to Privacy in the Supreme Court in 1962 The Supreme Court Review 212 (Kurland ed. 1962); Olmstead v. United States, 277 U.S. 438, 478, 48 S.Ct. 564, 72 L.Ed. 944 (1928) (dissenting opinion of Brandeis, J.); “Dykstra, The Right Most Valued by Civilized Man”, 6 Utah L.Rev. 305 (1959); Pound, The Fourteenth Amendment and the Right of Privacy, 13 W.Res.L.Rev. 34 (1961). '[I]t is sufficient to hold that the invasion of the plaintiffs' solitude or seclusion, as alleged in the pleadings, was a violation of their right of privacy and constituted a tort for which the plaintiffs may recover damages to the extent that they can prove them. ‘Certainly, no right deserves greater protection…’' Ezer, Intrusion on Solitude: Herein of Civil Rights and Civil Wrongs, 21 Law in Transition 63, 75 (1961).
To make an intrusion on seclusion claim, a plaintiff must generally establish 4 elements:
First, that the defendant, without authorization, must have intentionally invaded the private affairs of the plaintiff;
Second, the invasion must be offensive to a reasonable person;
Third, the matter that the defendant intruded upon must involve a private matter; and
Finally, the intrusion must have caused mental anguish or suffering to the plaintiff.
Intrusion of solitude occurs where one person intrudes upon the private affairs of another.
Intrusion upon seclusion occurs when a perpetrator intentionally intrudes, physically, electronically, or otherwise, upon the private space, solitude, or seclusion of a person, or the private affairs or concerns of a person, by use of the perpetrator's physical senses or by electronic device or devices to oversee or overhear the person's private affairs, or by some other form of investigation, examination, or observation intrude upon a person's private matters if the intrusion would be highly offensive to a reasonable person.
Google, as guardian of Android, should look hard at ensuring user protections from this sort of behavior. Ubiquitous HTTPS might be an option (I haven't looked yet to see if the UIDH header can be defeated via that).
Frankly, I don't see how regulations or laws should protect the user for several reasons:
Firstly, there are already privacy laws yet it doesn't look as if they apply and that Verizon thinks that even in the case of a lawsuit Verizon will be able to benefit more than this lawsuit will cost.
Secondly, even if a court determines that the conduct of Verizon in this case is not legal, the verdict will still be special enough to not be applicable in a loophole case. So I see protection provided by law as limited.
Thirdly, enforcement is rather difficult and not as obvious as, e.g., a daylight robbery, especially for non-technical observers which I presume to be the vast majority of law enforcement personnel.
And finally, (and rather an opinion) I think government is rather delighted to know who does what on the internet, so I don't see a real motive for them to move decisively apart from some half-* voter appeasement.
(We collaborated with Mayer on this research.)
Code and data that you can play with to verify these results / do other similar experiments, using our web privacy measurement tool OpenWPM: https://github.com/englehardt/verizon-uidh / https://github.com/citp/OpenWPM
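Added example (not part of the comment above and not code from the linked repositories): one way to check a connection for header injection is to compare the request a client sent with the request an echo server reports receiving. The host `echo.example`, the user agent and the identifier value are constructed placeholders; `X-UIDH` is the header name Verizon used for the UIDH discussed in this thread.

```python
# Added example: find headers that changed between client and server.
# All requests below are constructed samples, not captured traffic.

TRACKING_HEADERS = {"x-uidh"}  # Verizon's injected identifier header

def parse_headers(raw: bytes) -> dict:
    """Header block of a raw HTTP/1.x request -> {lowercase name: [values]}."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    headers = {}
    for line in head.split("\r\n")[1:]:  # skip the request line
        name, sep, value = line.partition(":")
        if sep:  # ignore malformed lines without a colon
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers

def diff_in_transit(sent: bytes, received: bytes) -> dict:
    """Compare what the client sent with what an echo server received."""
    s, r = parse_headers(sent), parse_headers(received)
    injected = {n: v for n, v in r.items() if n not in s}
    return {
        "injected": injected,
        "modified": {n: (s[n], r[n]) for n in s if n in r and s[n] != r[n]},
        "stripped": sorted(n for n in s if n not in r),
        "tracking": sorted(n for n in injected if n in TRACKING_HEADERS),
    }

def build(lines):
    """Join request lines into a raw HTTP/1.x request with no body."""
    return b"\r\n".join(lines) + b"\r\n\r\n"

SENT = build([
    b"GET /echo HTTP/1.1",
    b"Host: echo.example",
    b"User-Agent: ExampleBrowser/1.0",
    b"DNT: 1",
])
# Constructed: the same request as seen by the server over plain HTTP on a
# network that inserts an identifier header (placeholder value).
RECEIVED_HTTP = build([
    b"GET /echo HTTP/1.1",
    b"Host: echo.example",
    b"User-Agent: ExampleBrowser/1.0",
    b"DNT: 1",
    b"X-UIDH: CONSTRUCTED-PLACEHOLDER-ID",
])
# Constructed: over TLS the middlebox cannot rewrite the request, so the
# server sees exactly what was sent.
RECEIVED_HTTPS = SENT

if __name__ == "__main__":
    for label, seen in (("http", RECEIVED_HTTP), ("https", RECEIVED_HTTPS)):
        print(label, diff_in_transit(SENT, seen))
```

Running the same comparison over plain HTTP and over HTTPS from the same connection separates in-transit injection from anything the browser or an extension adds itself.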