What the loss of the Internet Privacy Bill means to you and I.

31 March 2017

It's probably popped up on your television screen that the Senate and then the House of Representatives voted earlier this week, 215 to 205, to repeal an Internet privacy bill passed last year.  In case you're curious, here's a full list of every Senator and Representative that voted to repeal the bill and how much they received specifically from the telecom lobby right before voting. (local mirror)  By the way, if you would like to contact those Senators (local mirror) or Representatives (local mirror) here's how you can do so... When the bill hits Trump's desk it's a foregone conclusion that he's going to sign it.  Some of the talking heads are expressing concern about this, while others are cheering that the removal of this regulation is an all-around win for the market, blah blah blah... but what does this actually mean for you?

First of all, if you're reading this, welcome to the Internet.  You're soaking in it.

Second of all, please read this blog post (local mirror) by the EFF.  Just a few years ago, a couple of very large ISPs (that you're probably a customer of) got caught doing things like monitoring your web searches and hijacking them with different results they were paid to insert and analyzing your net.traffic to figure out what advertisements to inject in realtime.  The bill that just got repealed put a stop to all of that.

I've spoken to a couple of people who expressed disbelief that such a thing was possible.  In point of fact, intercepting and meddling with communications traffic goes back a very long way.  In 1994 a bill called the Communications Assistance for Law Enforcement Act (CALEA) was passed and codified as 47 USC 1001-1010.  In a nutshell, what this law means is that manufacturers of just about every kind of network-side communications device, from the telephony switches that route your phone calls to the carrier class routers that make up the network core have surveillance capability built in.  In theory, only law enforcement agents with warrants are supposed to be able to use them.  In practice, they're used all the time by employees of the companies that own that equipment to silently troubleshoot problems before they get too out of hand, and yes, they get abused all the time for petty shit.  As you may have guessed already, the moment that CALEA-compliant equipment was deployed back in the day hackers immediately figured out how to use them more effectively than even the telecom companies and silently eavesdropping on people using that functionality was a common "This is how 1337 I am" stunt.  So, please keep in mind that this "monitor all the customers" infrastructure is going to be badly abused and constitutes one hell of a security risk.

CALEA is regularly updated as communications technology evolves, and now encompasses things like the backbone of the Net, Voice-over-IP telephony, cellular telephony and companies whose business it is happens to be running wireless hotspots.  As it so happens, much of this functionality is perfect for monitoring customers' traffic, analyzing it, and packaging it for sale as large bundles of anonymized information or as discrete dossiers, ala Cambridge Analytica.  Let me paint you a picture, based in part of how things worked before that bill was passed originally...

Let's say that you're a customer of a large cable broadband ISP; let's leave the quality of your service aside because it's parenthetical to this story.  Let's also say that you're part of what passes for a nuclear family these days, three people, one of whom is nearing the age of majority in your country.  Let's call them Alpha, Beta, and Gamma; you can mentally assign identities and roles to them as you will.  Let us further assume that several companies that specialize in psychometrics for profit ala Cambridge Analytica exist in this story; they do in real life, so they do here, too.

Alpha uses their laptop for both work and personal stuff.  The ISP in use at home uses both traffic analysis and a super cookie silently inserted with a man-in-the-middle attack to identify Alpha's laptop; the machines that Beta and Gamma use have similar super cookies injected into their browsers.  The ISP also has a business unit, and happens to be the Internet connection provider where Alpha works, so they know that Alpha works for $bigcorp as well.  From watching the traffic at work they know that Alpha works for the business intelligence unit of $bigcorp because they constantly do web searches on other companies, read lots of papers and articles published by their competitors, and access a online news services that specialize in aggregating corporate news.  They can tell from Alpha's net.traffic that they seem to concentrate on just a half-dozen companies in the same business vertical.  This information gets packaged up and quietly sold through a subsidiary; two of $bigcorp's competitors regularly buy these bundles and with a little analysis figure out that $bigcorp is positioning itself to knock down both of their next quarter product releases, and start making plans.

At home, Alpha's starting to feel burned out from consuming dozens of papers and news articles a day, and aside from that $bigcorp is slipping a little in the market.  It's just not working.  Alpha has run a couple of web searches looking for web forums where they can talk about work life, work-life balance, and burnout.  After a few days, Alpha seems to have found two that seem homey and they've settled in on those forums, filled out a profile, and started posting there later in the evening outside of business hours.  Less obvious is that the health insurance company $bigcorp buys its insurance policies through is also a customer of the ISP's information retail subsidiary, and they mine that data to figure out what might be going on with its clients' employees.  Alpha sticks out immediately in the 25% percentile of risk for mental health - not serious enough to constitute a serious payout but over time they can bleed the bottom line (if you think insurance companies are in the business of health care, you're wrong - they're in the business of making money by investing the premiums paid by their customers, and paying for healthcare is the line they use to get people to pay them).  Somewhere in the insurance company's massive machine learning system (and what company over a certain size doesn't have one - this is the twenty-first century, after all) a daemon is set to watch Alpha's account activity.  If it trips a threshold, Alpha's premiums could be quietly increased to recoup the losses of the cost of psychological counseling.  Alpha's part of their insurance premiums are paid automatically out of their paycheque before taxes are applied, so unless Alpha is scrupulous about downloading and comparing each pay stub Alpha probably won't notice the raise unless something or someone brings it to their attention.

Beta's work life isn't anything to write home about for the purposes of this story, but they do have a hobby of note: Writing scenarios for roleplaying games.  Lately, Beta's been running Conspiracy-X and Eclipse Phase for the family tabletop group and has been doing background research for the scenarios they've been writing.  They've been running web searches on such diverse and interesting topics as blast yields for inefficient nuclear warheads (one scenario involves a terrorist group that's not sure it has the expertise to build a nuke, so their plan pivots to build a dirty bomb; thing is, how big would it need to be to put the whole city at risk?), covert radio transmission techniques (heroes' cells need to communicate somehow, and the characters need to be as devious as the person running the game), genetic engineering of bacteria (a bioweapon figures into the Eclipse Phase campaign), and solid rocket boosters (ditto Eclipse Phase - the heroes are supposed to find a cache of ancient rocket motors from before the fall of Earth; the question is, how would very old SRBs fail if somebody tried to fire them up?).  The ISP at home is, of course, monitoring all of this traffic; their machine learning system wasn't trained on anything approximating roleplaying games so all of the traffic to those games' official forums scoots under the radar.  A half-dozen law enforcement agencies have deals in place to get priority access to this information, and a few weeks after those games happen the entire family starts having major problems at every airport they fly to.  They even miss a few flights because they got red-flagged as being nebulous risks of the sort that the TSA loves.  So much for good, wholesome family fun.  On the up-side, some of Beta's web searches are quietly tweaked to return results that feature a couple of independent game publishers (a dozen of them got together at the hotel bar at the last GenCon and decided to pool their discretionary funds to buy their way up in the ranks at the ISP in question).  Now the family's discovered some interesting and offbeat games that they've added to game night.

Gamma's the odd one out that keeps throwing everything off.  Rather than buying everything off of Amazon like everybody else, they buy ebooks directly from the author; this includes a couple of textbooks a month.  They have their own gaming desktop but also use Beta's laptop from time to time to log into Fetlife, which associates at least two super cookies with that socnet profile (make that three - Gamma's hard drive crashed, which meant a full rebuild and a new traffic profile).  Beta has their own Fetlife profile, so that makes two profiles with three super cookies.  The traffic analysis system can't make heads or tails of it all, so occasionally both of them get advertisements for each other (or would, if Gamma didn't use an adblocker) and the occasional discount code for an off-the-wall store that sells veterinary equipment.  Gamma's also taking up knitting and whittling, two crafts that traditionally don't go together in the same person, so that further skews the traffic metrics.  As if that didn't mess with the surveillance profile enough, Gamma's going back to school soon and is doing a little prepwork, so brushing up on physics is resulting in search results skewed in the direction of a high school teacher working at a reasonably affluent private school; this means lots of advertisements for laboratory equipment in bulk, lesson plans, and stupidly expensive peripherals for computers for physics experiments.  The metrics never really settle down, so the sales projections for the entire family get thrown off.  Even though there are at least three people living at that subscription-household, the activity and metrics are all over the place.  Is all this sales activity related?  Is it not?  Do they have a communal computer in the house that visitors are allowed to use (the telemetry from the router suggests this is the case)?  Should they be charged more for this?  The ISP can't tell.  This also has the net effect of messing with everybody who buys their aggregate traffic profile so once in a while they get weird advertisements and discount codes for the most random stuff, like veterinary equipment and truck tires.  When deep learning systems screw up, they screw up.

I realize that this story is a bit ham-handed; I'm tired and not thinking too clearly and... let's face it, ISPs did way more sketchy stuff just a year or two ago than I can reasonably come up with for a kind-of-short story.  Truth is stranger than fiction, they say, because fiction has to make sense.  In real life, anything that can possibly be monitized gets monitized, in part because making a buck is what corporations do, and in part because corporations run on way thinner margins than most people realize and every dime that hits the bank account matters.  I would have to say that there are companies that archive every byte of data they can get their hands on even if they can't use it yet, because at some point in the future they'll be able to leverage it.  So, if the last few paragraphs suck, I'm sorry.  Go read that EFF blog post I linked to because that's way more important than my ass-fractioned attempt at short fiction.