Judah Phillips points to a trend of ISP employing packet sniffers on user traffic:
Site owners collect data about what you do on ONE site (or a portfolio of their sites). ISP’s collect data about what you do on EVERY site you visit. As I understand it, some of these companies create an anonymous profile of your surfing activity by assigning a unique key to your browser.
If this technology is being widely employed by ISPs, then there’s a whole additional layer of people observing our behavior.
In addition to highlighting some interesting possibilities regarding this data capture, he proposes some interesting options for consumers:
- Move to an obvious “opt-in” model with full disclosure. Tracking via “deep packet inspection” should be an all opt-in model. If you want anonymous data from your browser collected so that you can be behaviorally targeted, then you should opt-in to be. Right now, it’s seems to be all opt-out. You probably don’t know if it’s being done to you. It’s buried in fine print you’ve probably never read. Is that your fault you didn’t read the fine print? Yeah, but the point is it shouldn’t be buried in the fine print…
- Provide me with access to the data collected. If I opt-in, I should be able to see the data collected from my browser. It’s very simple. I demand to see what you are collecting about my browser. If you are building a profile, then I demand to see the data collected in the profile. If it’s all anonymous, then explain how it is in detail, and then follow rule #1.
- Enable me to edit or prevent the data from being collected. If I opt-in, I want to be able to edit or prevent certain types of data from being collected. If you’re tracking my browser, alert me before the data is transmitted, so I can decide if I want to share it. If a profile is built, I want to be able to edit it!
- Let me opt-out at any time EASILY. If I’ve opted in, and I’m unhappy with the service, allow me to opt-out simply. Having to set an opt-out cookie on my browser is absolutely and completely absurd. I want to be able to fully opt-out at the ISP level, just once forever, not at the browser level every time cookies are deleted. Make it easy and permanent, not easily deletable.
- Disclose who you sell my data too. Like online list rentals, the next step in all this ISP profiling is selling the data to third-parties. Let me know what you’re doing with my data-before you do it- so I can opt out or prevent it from being sold to parties to which I don’t want it being sold.
I think all of these are solid ideas, but they point to a larger picture. ISPs are important because they can monitor all non-encrypted traffic across your total browsing experience. But do the processes of data collection and the rights of data holders change just because of their power? Shouldn’t the same standards hold across the board? I think the five points he listed above would be a good starting point for a lot of discussion concerning online data capture.
Note: If you’re resistant to the idea of packet sniffing, you can: run an SSH tunnel to a trusted proxy, download Tor, or pay for a service like Anonymizer.