ISP data collection from home routers
Hello there, Several years ago, a friend of mine was working for a large telco and his job was to detect which clients had the worst networking experience. To do that, the telco had this hadoop cluster, where it collected _tons_ of data from home users routers, and his job was to use ML to tell the signal from the noise. I remember seeing a sample csv from this data, which contained _thousands_ of data fields (features) from each client. I was _shocked_ by the amount of (meta)data they are able to pull from home routers. These even included your wifi network name _and_ password! (it's been several years since then). And home users are _completely_ unaware of this. So my question to you folks is: - What's the policy regulations on this? I don't remember the features (thousands) but I'm pretty sure you could some profiling with it. - Is anyone aware of any public discussion on this? I have never seen it. Thanks, Giovane Moura
Hi Giovane On 24.03.22 11:43, Giovane C. M. Moura via NANOG wrote:
Hello there,
Several years ago, a friend of mine was working for a large telco and his job was to detect which clients had the worst networking experience.
To do that, the telco had this hadoop cluster, where it collected _tons_ of data from home users routers, and his job was to use ML to tell the signal from the noise.
I remember seeing a sample csv from this data, which contained _thousands_ of data fields (features) from each client.
I was _shocked_ by the amount of (meta)data they are able to pull from home routers. These even included your wifi network name _and_ password! (it's been several years since then).
Creepy. And the provided CPE usually sucks too, what a deal... I feel validated in preferring to use my own router at home.
And home users are _completely_ unaware of this.
So my question to you folks is:
- What's the policy regulations on this? I don't remember the features (thousands) but I'm pretty sure you could some profiling with it.
For the policies probably this is a good place to start if you are interested in US legislation (you didn't specify any location), as it's not federally regulated from what I gather: https://www.ncsl.org/research/telecommunications-and-information-technology/...
- Is anyone aware of any public discussion on this? I have never seen it.
I remember reading some discussion around ISPs selling browsing behavior data that they collect from their subscribers in the tech press during Pai's term as the head of the FCC. It was probably on Ars Technica or Techdirt.
Thanks,
Giovane Moura
Best, Joel -- Joel Busch, Network SWITCH Werdstrasse 2, P.O. Box, 8021 Zurich, Switzerland phone +41 44 268 15 30, direct +41 44 268 16 58 https://switch.ch https://swit.ch/linkedin https://swit.ch/twitter
It sounds like the kind of data you can retrieve through TR-069. To be able to use it, you have to either log on to the router and set the TR-069 server, or push out the setting via DHCP, which means you need to have layer 2 access to the device. This limits the ability to apply/change the setting. Yes, there is a scary amount of data you can collect, including the wifi name and password. You can also push out settings to the devices, which is the main purpose. If a customer calls up and says their wifi isn't working, you can reset the password for them and get them to try again rather than trying to talk them through how to do it themselves. -----Original Message----- From: NANOG <nanog-bounces+philip.loenneker=tasmanet.com.au@nanog.org> On Behalf Of Giovane C. M. Moura via NANOG Sent: Thursday, 24 March 2022 9:44 PM To: North American Network Operators' Group <nanog@nanog.org> Subject: ISP data collection from home routers Hello there, Several years ago, a friend of mine was working for a large telco and his job was to detect which clients had the worst networking experience. To do that, the telco had this hadoop cluster, where it collected _tons_ of data from home users routers, and his job was to use ML to tell the signal from the noise. I remember seeing a sample csv from this data, which contained _thousands_ of data fields (features) from each client. I was _shocked_ by the amount of (meta)data they are able to pull from home routers. These even included your wifi network name _and_ password! (it's been several years since then). And home users are _completely_ unaware of this. So my question to you folks is: - What's the policy regulations on this? I don't remember the features (thousands) but I'm pretty sure you could some profiling with it. - Is anyone aware of any public discussion on this? I have never seen it. Thanks, Giovane Moura
This is an enormous problem, see: https://www.ftc.gov/news-events/news/press-releases/2021/10/ftc-staff-report... Consumers should have legal say in how or wether their data are harvested and also sold. Ms. Lady Benjamin PD Cannon of Glencoe, ASCE 6x7 Networks & 6x7 Telecom, LLC CEO lb@6by7.net "The only fully end-to-end encrypted global telecommunications company in the world.” FCC License KJ6FJJ Sent from my iPhone via RFC1149.
On Mar 24, 2022, at 3:44 AM, Giovane C. M. Moura via NANOG <nanog@nanog.org> wrote:
Hello there,
Several years ago, a friend of mine was working for a large telco and his job was to detect which clients had the worst networking experience.
To do that, the telco had this hadoop cluster, where it collected _tons_ of data from home users routers, and his job was to use ML to tell the signal from the noise.
I remember seeing a sample csv from this data, which contained _thousands_ of data fields (features) from each client.
I was _shocked_ by the amount of (meta)data they are able to pull from home routers. These even included your wifi network name _and_ password! (it's been several years since then).
And home users are _completely_ unaware of this.
So my question to you folks is:
- What's the policy regulations on this? I don't remember the features (thousands) but I'm pretty sure you could some profiling with it.
- Is anyone aware of any public discussion on this? I have never seen it.
Thanks,
Giovane Moura
I'm surprised we're having this discussion about an internet device that the customer is using to publicize all of their information on Facebook and Twitter. Consumers do not care enough about their privacy to the point where they are providing the information willingly.
Consumers should have legal say in how or wether their data are harvested and also sold.
They do. https://www.fcc.gov/general/customer-privacy On Thu, Mar 24, 2022 at 9:12 AM Lady Benjamin Cannon of Glencoe, ASCE < lb@6by7.net> wrote:
This is an enormous problem, see: https://www.ftc.gov/news-events/news/press-releases/2021/10/ftc-staff-report...
Consumers should have legal say in how or wether their data are harvested and also sold.
Ms. Lady Benjamin PD Cannon of Glencoe, ASCE 6x7 Networks & 6x7 Telecom, LLC CEO lb@6by7.net "The only fully end-to-end encrypted global telecommunications company in the world.”
FCC License KJ6FJJ
Sent from my iPhone via RFC1149.
On Mar 24, 2022, at 3:44 AM, Giovane C. M. Moura via NANOG < nanog@nanog.org> wrote:
Hello there,
Several years ago, a friend of mine was working for a large telco and his job was to detect which clients had the worst networking experience.
To do that, the telco had this hadoop cluster, where it collected _tons_ of data from home users routers, and his job was to use ML to tell the signal from the noise.
I remember seeing a sample csv from this data, which contained _thousands_ of data fields (features) from each client.
I was _shocked_ by the amount of (meta)data they are able to pull from home routers. These even included your wifi network name _and_ password! (it's been several years since then).
And home users are _completely_ unaware of this.
So my question to you folks is:
- What's the policy regulations on this? I don't remember the features (thousands) but I'm pretty sure you could some profiling with it.
- Is anyone aware of any public discussion on this? I have never seen it.
Thanks,
Giovane Moura
Without disagreeing that privacy concerns in general are rapidly becoming extinct with generations… Surely you are not suggesting that my friends-only Facebook profile is somehow publishing my WiFi SSID? (For example) Ms. Lady Benjamin PD Cannon of Glencoe, ASCE 6x7 Networks & 6x7 Telecom, LLC CEO lb@6by7.net "The only fully end-to-end encrypted global telecommunications company in the world.” FCC License KJ6FJJ Sent from my iPhone via RFC1149.
On Mar 24, 2022, at 6:26 AM, Josh Luthman <josh@imaginenetworksllc.com> wrote:
I'm surprised we're having this discussion about an internet device that the customer is using to publicize all of their information on Facebook and Twitter. Consumers do not care enough about their privacy to the point where they are providing the information willingly.
Consumers should have legal say in how or wether their data are harvested and also sold.
They do. https://www.fcc.gov/general/customer-privacy
On Thu, Mar 24, 2022 at 9:12 AM Lady Benjamin Cannon of Glencoe, ASCE <lb@6by7.net> wrote: This is an enormous problem, see: https://www.ftc.gov/news-events/news/press-releases/2021/10/ftc-staff-report...
Consumers should have legal say in how or wether their data are harvested and also sold.
Ms. Lady Benjamin PD Cannon of Glencoe, ASCE 6x7 Networks & 6x7 Telecom, LLC CEO lb@6by7.net "The only fully end-to-end encrypted global telecommunications company in the world.”
FCC License KJ6FJJ
Sent from my iPhone via RFC1149.
On Mar 24, 2022, at 3:44 AM, Giovane C. M. Moura via NANOG <nanog@nanog.org> wrote:
Hello there,
Several years ago, a friend of mine was working for a large telco and his job was to detect which clients had the worst networking experience.
To do that, the telco had this hadoop cluster, where it collected _tons_ of data from home users routers, and his job was to use ML to tell the signal from the noise.
I remember seeing a sample csv from this data, which contained _thousands_ of data fields (features) from each client.
I was _shocked_ by the amount of (meta)data they are able to pull from home routers. These even included your wifi network name _and_ password! (it's been several years since then).
And home users are _completely_ unaware of this.
So my question to you folks is:
- What's the policy regulations on this? I don't remember the features (thousands) but I'm pretty sure you could some profiling with it.
- Is anyone aware of any public discussion on this? I have never seen it.
Thanks,
Giovane Moura
Friends only Facebook? Do you think Facebook, the company with the data, cares if you have a particular flag set??? Who cares about the SSID??? On Thu, Mar 24, 2022 at 9:40 AM Lady Benjamin Cannon of Glencoe, ASCE < lb@6by7.net> wrote:
Without disagreeing that privacy concerns in general are rapidly becoming extinct with generations…
Surely you are not suggesting that my friends-only Facebook profile is somehow publishing my WiFi SSID?
(For example)
Ms. Lady Benjamin PD Cannon of Glencoe, ASCE 6x7 Networks & 6x7 Telecom, LLC CEO lb@6by7.net "The only fully end-to-end encrypted global telecommunications company in the world.”
FCC License KJ6FJJ
Sent from my iPhone via RFC1149.
On Mar 24, 2022, at 6:26 AM, Josh Luthman <josh@imaginenetworksllc.com> wrote:
I'm surprised we're having this discussion about an internet device that the customer is using to publicize all of their information on Facebook and Twitter. Consumers do not care enough about their privacy to the point where they are providing the information willingly.
Consumers should have legal say in how or wether their data are harvested and also sold.
They do. https://www.fcc.gov/general/customer-privacy
On Thu, Mar 24, 2022 at 9:12 AM Lady Benjamin Cannon of Glencoe, ASCE < lb@6by7.net> wrote:
This is an enormous problem, see: https://www.ftc.gov/news-events/news/press-releases/2021/10/ftc-staff-report...
Consumers should have legal say in how or wether their data are harvested and also sold.
Ms. Lady Benjamin PD Cannon of Glencoe, ASCE 6x7 Networks & 6x7 Telecom, LLC CEO lb@6by7.net "The only fully end-to-end encrypted global telecommunications company in the world.”
FCC License KJ6FJJ
Sent from my iPhone via RFC1149.
On Mar 24, 2022, at 3:44 AM, Giovane C. M. Moura via NANOG < nanog@nanog.org> wrote:
Hello there,
Several years ago, a friend of mine was working for a large telco and his job was to detect which clients had the worst networking experience.
To do that, the telco had this hadoop cluster, where it collected _tons_ of data from home users routers, and his job was to use ML to tell the signal from the noise.
I remember seeing a sample csv from this data, which contained _thousands_ of data fields (features) from each client.
I was _shocked_ by the amount of (meta)data they are able to pull from home routers. These even included your wifi network name _and_ password! (it's been several years since then).
And home users are _completely_ unaware of this.
So my question to you folks is:
- What's the policy regulations on this? I don't remember the features (thousands) but I'm pretty sure you could some profiling with it.
- Is anyone aware of any public discussion on this? I have never seen it.
Thanks,
Giovane Moura
Who cares about the SSID???
I don't remember the data model, but I remember that they retrieved data very often, multiple times a minute. (some ppl in the list may have access to this data and know it very well) They can easily profile you and know when you're at home, and when you're gone. Some people may find this interesting... To have a really meaningful discuss on the privacy implications, we would need to see the data model, and the frequency that they pool the data. /giovane
On 2022-03-24 10:04 a.m., Giovane C. M. Moura via NANOG wrote:
They can easily profile you and know when you're at home, and when you're gone. Some people may find this interesting...
To have a really meaningful discuss on the privacy implications, we would need to see the data model, and the frequency that they pool the data.
Is your concern that ISPs have access to this information, or that it's something they could possibly be selling to a third party? Those are two completely different discussions. K
Not sure why they are different; most ISPs are not a pure play and can use that data for other aspects of their business that you may not have agreed to (e.g. Verizon FiOS feeding to Verizon Wireless). Comcast/NBC, etc. pj capelli pjcapelli@pm.me No one can build you the bridge on which you, and only you, must cross the river of life - Nietzsche Sent with ProtonMail secure email. ------- Original Message ------- On Thursday, March 24th, 2022 at 10:24 AM, Kord Martin <kord@firstnationscable.com> wrote:
On 2022-03-24 10:04 a.m., Giovane C. M. Moura via NANOG wrote:
They can easily profile you and know when you're at home, and when
you're gone. Some people may find this interesting...
To have a really meaningful discuss on the privacy implications, we
would need to see the data model, and the frequency that they pool the
data.
Is your concern that ISPs have access to this information, or that it's
something they could possibly be selling to a third party? Those are two
completely different discussions.
K
On Thu, Mar 24, 2022 at 10:04 AM Giovane C. M. Moura via NANOG < nanog@nanog.org> wrote:
Who cares about the SSID???
I don't remember the data model, but I remember that they retrieved data very often, multiple times a minute.
Please keep in mind that TR-069 (which in all likelihood is how the data you remember captured was captured) provides raw packet access to the customer side of the device. yes, this is a problem, yes it's certainly been/being abused. Yes the protocol is garbage and implementations are also garbage :( see the, at least 1, blackhat/defcon presentations about TR-069 problems. https://www.youtube.com/watch?v=XXhV7zpc6m8 https://www.geekzone.co.nz/forums.asp?forumid=49&topicid=214760&page_no=5 https://www.blackhatethicalhacking.com/news/multiple-backdoors-and-vulnerabi... there's really no reason at all to have this exposed as it is :(
" They can easily profile you and know when you're at home, and when you're gone." And? ----- Mike Hammett Intelligent Computing Solutions http://www.ics-il.com Midwest-IX http://www.midwest-ix.com ----- Original Message ----- From: "Giovane C. M. Moura via NANOG" <nanog@nanog.org> To: "Josh Luthman" <josh@imaginenetworksllc.com>, "Lady Benjamin Cannon of Glencoe, ASCE" <lb@6by7.net> Cc: "North American Network Operators' Group" <nanog@nanog.org> Sent: Thursday, March 24, 2022 9:04:06 AM Subject: Re: ISP data collection from home routers
Who cares about the SSID???
I don't remember the data model, but I remember that they retrieved data very often, multiple times a minute. (some ppl in the list may have access to this data and know it very well) They can easily profile you and know when you're at home, and when you're gone. Some people may find this interesting... To have a really meaningful discuss on the privacy implications, we would need to see the data model, and the frequency that they pool the data. /giovane
That link is more reflective of the FCC circa 2011. More recent actions taken by the FCC under Pai had weakened consumer protections for data collected by ISPs and was reflected in multiple news articles from 2017-2019. https://en.wikipedia.org/wiki/2017_Broadband_Consumer_Privacy_Proposal_repea... https://transition.fcc.gov/Daily_Releases/Daily_Business/2017/db0328/DOC-344... https://www.ftc.gov/news-events/news/press-releases/2019/08/ftc-revises-list... Including this relatively recent article by the FTC. The same FTC tapped by the FCC as being the more responsible party for enforcing privacy protections for consumers. They are even saying that their privacy study showed very little protections for consumer data being harvested by ISPs with few options to restrict their use. https://www.ftc.gov/news-events/news/press-releases/2021/10/ftc-staff-report...
On Mar 24, 2022, at 9:26 AM, Josh Luthman <josh@imaginenetworksllc.com> wrote:
I'm surprised we're having this discussion about an internet device that the customer is using to publicize all of their information on Facebook and Twitter. Consumers do not care enough about their privacy to the point where they are providing the information willingly.
Consumers should have legal say in how or wether their data are harvested and also sold.
They do. https://www.fcc.gov/general/customer-privacy
On Thu, Mar 24, 2022 at 9:12 AM Lady Benjamin Cannon of Glencoe, ASCE <lb@6by7.net> wrote: This is an enormous problem, see: https://www.ftc.gov/news-events/news/press-releases/2021/10/ftc-staff-report...
Consumers should have legal say in how or wether their data are harvested and also sold.
Ms. Lady Benjamin PD Cannon of Glencoe, ASCE 6x7 Networks & 6x7 Telecom, LLC CEO lb@6by7.net "The only fully end-to-end encrypted global telecommunications company in the world.”
FCC License KJ6FJJ
Sent from my iPhone via RFC1149.
On Mar 24, 2022, at 3:44 AM, Giovane C. M. Moura via NANOG <nanog@nanog.org> wrote:
Hello there,
Several years ago, a friend of mine was working for a large telco and his job was to detect which clients had the worst networking experience.
To do that, the telco had this hadoop cluster, where it collected _tons_ of data from home users routers, and his job was to use ML to tell the signal from the noise.
I remember seeing a sample csv from this data, which contained _thousands_ of data fields (features) from each client.
I was _shocked_ by the amount of (meta)data they are able to pull from home routers. These even included your wifi network name _and_ password! (it's been several years since then).
And home users are _completely_ unaware of this.
So my question to you folks is:
- What's the policy regulations on this? I don't remember the features (thousands) but I'm pretty sure you could some profiling with it.
- Is anyone aware of any public discussion on this? I have never seen it.
Thanks,
Giovane Moura
You're statement seems to imply that if someone publicizes certain personal data on Facebook that they shouldn't care about any other data being collected any other entity, do I have that right? While I agree that many consumers don't place much value on their own data, resulting in them not particularly caring about that data, in my experience it often stems from ignorance of what can be done with that data (if they even know that the data is being collected in the first place). Once the implications of sharing specific data is known, my anecdata has shown that the average person will make some adjustments to their data-sharing habits. At the very least, an informed decision can be made. However, when it comes to intricate technical data from their home routers being hoarded, we can't really expect the average consumer to form an informed decision on the data being shared, can we? I don't think the default should be "collect as much as we can because they probably won't care" in the absence of an informed consumer. Regards, Mu ------- Original Message ------- On Thursday, March 24th, 2022 at 9:26 AM, Josh Luthman <josh@imaginenetworksllc.com> wrote:
I'm surprised we're having this discussion about an internet device that the customer is using to publicize all of their information on Facebook and Twitter. Consumers do not care enough about their privacy to the point where they are providing the information willingly.
Consumers should have legal say in how or wether their data are harvested and also sold.
They do. https://www.fcc.gov/general/customer-privacy
On Thu, Mar 24, 2022 at 9:12 AM Lady Benjamin Cannon of Glencoe, ASCE <lb@6by7.net> wrote:
This is an enormous problem, see: https://www.ftc.gov/news-events/news/press-releases/2021/10/ftc-staff-report...
Consumers should have legal say in how or wether their data are harvested and also sold.
Ms. Lady Benjamin PD Cannon of Glencoe, ASCE 6x7 Networks & 6x7 Telecom, LLC CEO lb@6by7.net "The only fully end-to-end encrypted global telecommunications company in the world.”
FCC License KJ6FJJ
Sent from my iPhone via RFC1149.
On Mar 24, 2022, at 3:44 AM, Giovane C. M. Moura via NANOG <nanog@nanog.org> wrote:
Hello there,
Several years ago, a friend of mine was working for a large telco and his job was to detect which clients had the worst networking experience.
To do that, the telco had this hadoop cluster, where it collected _tons_ of data from home users routers, and his job was to use ML to tell the signal from the noise.
I remember seeing a sample csv from this data, which contained _thousands_ of data fields (features) from each client.
I was _shocked_ by the amount of (meta)data they are able to pull from home routers. These even included your wifi network name _and_ password! (it's been several years since then).
And home users are _completely_ unaware of this.
So my question to you folks is:
- What's the policy regulations on this? I don't remember the features (thousands) but I'm pretty sure you could some profiling with it.
- Is anyone aware of any public discussion on this? I have never seen it.
Thanks,
Giovane Moura
On Thu, 24 Mar 2022, Mu wrote: [...]
While I agree that many consumers don't place much value on their own data, resulting in them not particularly caring about that data, in my experience it often stems from ignorance of what can be done with that data (if they even know that the data is being collected in the first place). Once the implications of sharing specific data is known, my anecdata has shown that the average person will make some adjustments to their data-sharing habits. At the very least, an informed decision can be made.
However, when it comes to intricate technical data from their home routers being hoarded, we can't really expect the average consumer to form an informed decision on the data being shared, can we? I don't think the default should be "collect as much as we can because they probably won't care" in the absence of an informed consumer.
Regards,
Mu [...]
I discuss the relation between (sometimes unseen) data collection valuation and the decision to allow it at pages 1728-1745 (Part II sections B-D) of Regulating Mass Surveillance as Privacy Pollution: Learning from Environmental Impact Statements, 2015 U. Ill. L. Rev. 1713 (2015), availabe from https://papers.ssrn.com/sol3/papers.cfm?abstract_id=2400736 -Michael -- A. Michael Froomkin https://law.tm 305-284-4285 ssrn: bit.ly/1XlTJLz Laurie Silvers & Mitchell Rubenstein Distinguished Professor of Law Editor, Jotwell: The Journal of Things We Like (Lots), jotwell.com U. Miami School of Law, P.O. Box 248087, Coral Gables, FL 33124 USA It's hot here
On Mar 24, 2022, at 7:26 AM, Josh Luthman <josh@imaginenetworksllc.com> wrote:
I'm surprised we're having this discussion about an internet device that the customer is using to publicize all of their information on Facebook and Twitter. Consumers do not care enough about their privacy to the point where they are providing the information willingly.
And that's the point; with Facebook and Twitter they are giving up their data willingly (granted they often barely (or don't at all) comprehend the amount and type of data, but there is at least nominal consent). With the routers, they have *zero* idea; even if the "consent" is buried in their terms to which they 'agreed', they have no idea. Anne -- Anne P. Mitchell, Attorney at Law CEO Get to the Inbox by SuretyMail Author: Section 6 of the CAN-SPAM Act of 2003 (the Federal email marketing law) Board of Directors, Denver Internet Exchange Dean Emeritus, Cyberlaw & Cybersecurity, Lincoln Law School Prof. Emeritus, Lincoln Law School Chair Emeritus, Asilomar Microcomputer Workshop Legal Counsel: The CyberGreen Institute In-house Counsel: Mail Abuse Prevention System (MAPS) (Closed in 2004)
On Thu, Mar 24, 2022 at 09:26:31AM -0400, Josh Luthman wrote:
I'm surprised we're having this discussion about an internet device that the customer is using to publicize all of their information on Facebook and Twitter. Consumers do not care enough about their privacy to the point where they are providing the information willingly.
So your theory is that just because YOU have Facebook and you're fine sharing information (/don't care/whatever), that *I* have to suffer that fate as well? Perhaps you hadn't noticed, but there's a very active business in the form of VPN's, DNS-over-HTTPS, and other privacy-enhancing technologies that seem to indicate that people do have an interest in privacy and limiting the amount of ISP monetization of their data that can go on. Just because some people might be fine with their data being leaked does not mean that everyone is fine with it. ... JG -- Joe Greco - sol.net Network Services - Milwaukee, WI - http://www.sol.net "The strain of anti-intellectualism has been a constant thread winding its way through our political and cultural life, nurtured by the false notion that democracy means that 'my ignorance is just as good as your knowledge.'"-Asimov
On 3/24/22 06:26, Josh Luthman wrote:
I'm surprised we're having this discussion about an internet device that the customer is using to publicize all of their information on Facebook and Twitter.
That's called informed consent. And Facebook and Twitter use TLS to protect the data in transit.
Consumers do not care enough about their privacy to the point where they are providing the information willingly.
That's the point. The customer is providing information willingly when they post to social media. The ISP is collecting data without consent. -- Jay Hennigan - jay@west.net Network Engineering - CCIE #7880 503 897-8550 - WB6RDV
I think that if the end user at signed contract agreed with this data collecting and also if there's a mechanism that the same user could deny the data collection, its look fine to me, there's compliant here in Brazil with LGPD (our variant from GDPR) and i think that users could see it as a "plus" cause the majority of ISPs don't have a service that inspect CPE WIFI's quality. Em 24/03/2022 14:00, Jay Hennigan escreveu:
On 3/24/22 06:26, Josh Luthman wrote:
I'm surprised we're having this discussion about an internet device that the customer is using to publicize all of their information on Facebook and Twitter.
That's called informed consent. And Facebook and Twitter use TLS to protect the data in transit.
Consumers do not care enough about their privacy to the point where they are providing the information willingly.
That's the point. The customer is providing information willingly when they post to social media. The ISP is collecting data without consent.
Most end users (at least in the US) don't have a choice as many jurisdictions have sold a franchise (monopoly) to one provider. Either they sign or they don't get internet. Perhaps 5G will broaden the number of providers end users can choose from, and not be forced into this kind of contract. But why do you think any ISP would agree to not collect this information? pj capelli pjcapelli@pm.me No one can build you the bridge on which you, and only you, must cross the river of life - Nietzsche Sent with ProtonMail secure email. ------- Original Message ------- On Thursday, March 24th, 2022 at 1:11 PM, Christian David <christian@cdavid.eti.br> wrote:
I think that if the end user at signed contract agreed with this data
collecting and also if there's a mechanism that the same user could deny
the data collection, its look fine to me, there's compliant here in
Brazil with LGPD (our variant from GDPR) and i think that users could
see it as a "plus" cause the majority of ISPs don't have a service that
inspect CPE WIFI's quality.
Em 24/03/2022 14:00, Jay Hennigan escreveu:
On 3/24/22 06:26, Josh Luthman wrote:
I'm surprised we're having this discussion about an internet device
that the customer is using to publicize all of their information on
Facebook and Twitter.
That's called informed consent. And Facebook and Twitter use TLS to
protect the data in transit.
Consumers do not care enough about their privacy to the point where
they are providing the information willingly.
That's the point. The customer is providing information willingly when
they post to social media. The ISP is collecting data without consent.
" Most end users (at least in the US) don't have a choice as many jurisdictions have sold a franchise (monopoly) to one provider. Either they sign or they don't get internet." That's not true. ----- Mike Hammett Intelligent Computing Solutions http://www.ics-il.com Midwest-IX http://www.midwest-ix.com ----- Original Message ----- From: "PJ Capelli via NANOG" <nanog@nanog.org> To: "Christian David" <christian@cdavid.eti.br> Cc: nanog@nanog.org Sent: Friday, March 25, 2022 10:04:56 AM Subject: Re: ISP data collection from home routers Most end users (at least in the US) don't have a choice as many jurisdictions have sold a franchise (monopoly) to one provider. Either they sign or they don't get internet. Perhaps 5G will broaden the number of providers end users can choose from, and not be forced into this kind of contract. But why do you think any ISP would agree to not collect this information? pj capelli pjcapelli@pm.me No one can build you the bridge on which you, and only you, must cross the river of life - Nietzsche Sent with ProtonMail secure email. ------- Original Message ------- On Thursday, March 24th, 2022 at 1:11 PM, Christian David <christian@cdavid.eti.br> wrote:
I think that if the end user at signed contract agreed with this data
collecting and also if there's a mechanism that the same user could deny
the data collection, its look fine to me, there's compliant here in
Brazil with LGPD (our variant from GDPR) and i think that users could
see it as a "plus" cause the majority of ISPs don't have a service that
inspect CPE WIFI's quality.
Em 24/03/2022 14:00, Jay Hennigan escreveu:
On 3/24/22 06:26, Josh Luthman wrote:
I'm surprised we're having this discussion about an internet device
that the customer is using to publicize all of their information on
Facebook and Twitter.
That's called informed consent. And Facebook and Twitter use TLS to
protect the data in transit.
Consumers do not care enough about their privacy to the point where
they are providing the information willingly.
That's the point. The customer is providing information willingly when
they post to social media. The ISP is collecting data without consent.
You don't even have to use their equipment. My provider at home is Charter / Spectrum. I own my own cable modem / router ,they have no equipment in my home. Their privacy policy is pretty standard. Essentially : - Anything they can see that I transmit they will collect. - Anything they can see when I use their apps , even if I'm not on their network, they will collect. - They will use that information for their technical and business reasons, whatever they want. - I am very limited in what I can request that they don't collect or use. None of this is new in the US. I think more people care about this than we think, but people don't really have an option to vote with their wallets. On Thu, Mar 24, 2022 at 6:45 AM Giovane C. M. Moura via NANOG < nanog@nanog.org> wrote:
Hello there,
Several years ago, a friend of mine was working for a large telco and his job was to detect which clients had the worst networking experience.
To do that, the telco had this hadoop cluster, where it collected _tons_ of data from home users routers, and his job was to use ML to tell the signal from the noise.
I remember seeing a sample csv from this data, which contained _thousands_ of data fields (features) from each client.
I was _shocked_ by the amount of (meta)data they are able to pull from home routers. These even included your wifi network name _and_ password! (it's been several years since then).
And home users are _completely_ unaware of this.
So my question to you folks is:
- What's the policy regulations on this? I don't remember the features (thousands) but I'm pretty sure you could some profiling with it.
- Is anyone aware of any public discussion on this? I have never seen it.
Thanks,
Giovane Moura
View of traffic into the ISP with Netflow/etc is very different than all on my lan traffic. Tr-069 is bad news. On Thu, Mar 24, 2022, 15:53 Tom Beecher <beecher@beecher.cc> wrote:
You don't even have to use their equipment. My provider at home is Charter / Spectrum. I own my own cable modem / router ,they have no equipment in my home. Their privacy policy is pretty standard.
Essentially : - Anything they can see that I transmit they will collect. - Anything they can see when I use their apps , even if I'm not on their network, they will collect. - They will use that information for their technical and business reasons, whatever they want. - I am very limited in what I can request that they don't collect or use.
None of this is new in the US. I think more people care about this than we think, but people don't really have an option to vote with their wallets.
On Thu, Mar 24, 2022 at 6:45 AM Giovane C. M. Moura via NANOG < nanog@nanog.org> wrote:
Hello there,
Several years ago, a friend of mine was working for a large telco and his job was to detect which clients had the worst networking experience.
To do that, the telco had this hadoop cluster, where it collected _tons_ of data from home users routers, and his job was to use ML to tell the signal from the noise.
I remember seeing a sample csv from this data, which contained _thousands_ of data fields (features) from each client.
I was _shocked_ by the amount of (meta)data they are able to pull from home routers. These even included your wifi network name _and_ password! (it's been several years since then).
And home users are _completely_ unaware of this.
So my question to you folks is:
- What's the policy regulations on this? I don't remember the features (thousands) but I'm pretty sure you could some profiling with it.
- Is anyone aware of any public discussion on this? I have never seen it.
Thanks,
Giovane Moura
On 3/24/22 12:53 PM, Tom Beecher wrote:
You don't even have to use their equipment. My provider at home is Charter / Spectrum. I own my own cable modem / router ,they have no equipment in my home. Their privacy policy is pretty standard. Essentially : - Anything they can see that I transmit they will collect. - Anything they can see when I use their apps , even if I'm not on their network, they will collect. - They will use that information for their technical and business reasons, whatever they want. - I am very limited in what I can request that they don't collect or use.
None of this is new in the US. I think more people care about this than we think, but people don't really have an option to vote with their wallets.
Even if you own your modem, the DOCSIS specs require that it be completely controlled by the MSO, right? Mike
Even if you own your modem, the DOCSIS specs require that it be completely controlled by the MSO, right?
Pretty sure that's correct, yes. On Fri, Mar 25, 2022 at 4:47 PM Michael Thomas <mike@mtcc.com> wrote:
On 3/24/22 12:53 PM, Tom Beecher wrote:
You don't even have to use their equipment. My provider at home is Charter / Spectrum. I own my own cable modem / router ,they have no equipment in my home. Their privacy policy is pretty standard. Essentially : - Anything they can see that I transmit they will collect. - Anything they can see when I use their apps , even if I'm not on their network, they will collect. - They will use that information for their technical and business reasons, whatever they want. - I am very limited in what I can request that they don't collect or use.
None of this is new in the US. I think more people care about this than we think, but people don't really have an option to vote with their wallets.
Even if you own your modem, the DOCSIS specs require that it be completely controlled by the MSO, right?
Mike
yes, because otherwise the contention (it's a shared access media, after all) and RF channel bonding/allocation wouldn't work. Configuration depends on what the exact CMTS configuration is on your last mile coax segment. however it's also possible to have the cable MSO push an update to cablemodems which locks out a read-only diagnostics/info page that would otherwise be available. On Fri, 25 Mar 2022 at 13:47, Michael Thomas <mike@mtcc.com> wrote:
On 3/24/22 12:53 PM, Tom Beecher wrote:
You don't even have to use their equipment. My provider at home is Charter / Spectrum. I own my own cable modem / router ,they have no equipment in my home. Their privacy policy is pretty standard. Essentially : - Anything they can see that I transmit they will collect. - Anything they can see when I use their apps , even if I'm not on their network, they will collect. - They will use that information for their technical and business reasons, whatever they want. - I am very limited in what I can request that they don't collect or use.
None of this is new in the US. I think more people care about this than we think, but people don't really have an option to vote with their wallets.
Even if you own your modem, the DOCSIS specs require that it be completely controlled by the MSO, right?
Mike
Sounds good to me. Solve the end-user problems, since they don't have the ability or care to do it themselves and doing so manually has too much latency and doesn't scale. ----- Mike Hammett Intelligent Computing Solutions http://www.ics-il.com Midwest-IX http://www.midwest-ix.com ----- Original Message ----- From: "Giovane C. M. Moura via NANOG" <nanog@nanog.org> To: "North American Network Operators' Group" <nanog@nanog.org> Sent: Thursday, March 24, 2022 5:43:58 AM Subject: ISP data collection from home routers Hello there, Several years ago, a friend of mine was working for a large telco and his job was to detect which clients had the worst networking experience. To do that, the telco had this hadoop cluster, where it collected _tons_ of data from home users routers, and his job was to use ML to tell the signal from the noise. I remember seeing a sample csv from this data, which contained _thousands_ of data fields (features) from each client. I was _shocked_ by the amount of (meta)data they are able to pull from home routers. These even included your wifi network name _and_ password! (it's been several years since then). And home users are _completely_ unaware of this. So my question to you folks is: - What's the policy regulations on this? I don't remember the features (thousands) but I'm pretty sure you could some profiling with it. - Is anyone aware of any public discussion on this? I have never seen it. Thanks, Giovane Moura
participants (19)
-
Anne Mitchell
-
Christian David
-
Christopher Morrow
-
Eric Kuhnke
-
Francis Booth
-
Giovane C. M. Moura
-
Jay Hennigan
-
Joe Greco
-
Joel Busch
-
Josh Luthman
-
Kord Martin
-
Lady Benjamin Cannon of Glencoe, ASCE
-
Michael Froomkin - U.Miami School of Law
-
Michael Thomas
-
Mike Hammett
-
Mu
-
Philip Loenneker
-
PJ Capelli
-
Tom Beecher