Many Politechnicals wrote in to condemn Comcast and to take issue with my defense of them. One common complaint was that Comcast is violating the law. Even well-known privacy advocates who should have known better raised this claim. It is an untrue allegation. In response to a request I made this morning, Comcast sent me their terms of service agreement, which explicitly anticipates and permits the kind of data collection Comcast was doing until earlier this week. I've put it here: http://www.politechbot.com/docs/comcast.policy.021402.txt >5. COLLECTION, USE AND DISCLOSURE OF INFORMATION ON SUBSCRIBER USE >Collection of Information: Comcast collects, uses and releases >information on Customer use of the Service as necessary to render the >Service, to otherwise undertake legitimate business activities related to >the Service and to comply with law. Comcast may collect information in >accordance with applicable law concerning Customer's use of the Service and >customer preferences which are reflected in the choices that a customer >makes among the range of services offered as part of the Service, the time >that the customer actually uses the Service, the menus and features used >most often by the Customer, and other information about a customer's >"electronic browsing." Federal law says that cable providers may record information with "the prior written or electronic consent of the subscriber concerned" -- which Comcast did by conditioning delivery of its service on agreement to this subscriber policy. Rep. Ed Markey (D), a privacy fundamentalist who really should have done his homework, claimed that Comcast may have violated federal law. A quick glance at Comcast's terms of service would have shown Markey that he was mistaken -- but he seems to have been more interested in getting his name in print than doing any research. What's also disturbing is that none of the news reports I have seen acknowledges that every Comcast user (assuming they read the contract) agreed to this monitoring and therefore Comcast violated no laws. Some responses, below, say that Comcast has a monopoly and therefore should (apparently) be strictly regulated by the government. But that's a little much to swallow. Your privacy relationship with companies is essentially an economic one: You weigh the costs of providing them with your data against the benefits of cheaper service or coupons or whatnot. Supermarket discount cards are a classic example of a few dollars off in exchange for your data (personally, I refuse to use them). But even if Comcast is the only cable-modem provider in your area, you still have alternatives. If you value your privacy so highly you refuse to use their service, you can try dialup, DSL, ISDN, or satellite services such as StarBand and Tachyon. You can do more web-surfing at work. You can sign up for Comcast anyway and do your web browsing through an anonymizing service. And so on. Personally, I wouldn't sign up for Comcast if my web browsing activities were recorded, but I recognize that this is my personal preference. Others may be glad to do it in exchange for a cheaper monthly bill, and still others may not care at all. As far as I can tell, this outcry can be summarized thusly: Comcast was doing exactly what it said it would do, and exactly what customers agreed it could do. Therefore everyone's outraged! -Declan Previous message: http://www.politechbot.com/p-03140.html --- From: "Richard M. Smith" <rmsat_private> To: <declanat_private> Subject: RE: A defense of Comcast's recording web traffic of subscribers Date: Wed, 13 Feb 2002 20:21:11 -0500 A few real basic questions here: 1. Why was Comcast keeping browsing histories of all its customers in the first place? 2. How come they stopped doing it immediately when a newspaper article was written about the practice? 3. Was the practice really disclosed in their service agreement? Richard --- To: declanat_private cc: politechat_private Subject: Re: FC: A defense of Comcast's recording web traffic of subscribers Date: Wed, 13 Feb 2002 21:14:02 -0500 From: Dan Geer <geerat_private> I don't know, Declan, but as far as I can tell this is, just as you described, back-biting amongst the back-benchers. Everything is based on an "expectation of privacy" when it is solely the mass ignorance of what is possible that instantiates the "expectation" part of that equation. Either we establish ownership rights or something like it to data, and in so doing positively confirm that from the point of view of a data source copying its electronic data does not involve a loss to the source of their use of the data or the data's fidelity, or we stop yammering about privacy as a surrogate for class warfare. Note that I say this as a "privacy nut," i.e., someone who expects to hear no complaints about my pissing off my front porch, who will live off grid if I can take modern medicine with me, and who doesn't think there's a lot of difference between universal Internet access and Paul Ehrlich's celebrated "Population Bomb." My head hurts, perhaps I should soak it. --dan --- Subject: Re: FC: A defense of Comcast's recording web traffic of subscribers From: Billy Harvey <Billy.Harveyat_private> To: declanat_private Date: 13 Feb 2002 20:37:24 -0500 > So if Comcast's privacy policy permitted this, what's the big deal? Anyone > looking for a more privacy-protective service (and the point about > subpoenas for stored data is a good one) should have taken their business > elsewhere. To Earthlink, for example, which seems to be offering just that. > > -Declan Declan - there is no performance reason to collect and maintain for any period of time the IP address of the originator. It gave Comcast the ability to snoop, yet they continued to claim they did this only for performance studies, and wouldn't back down until they saw it was actually illegal - and that they were going to be called on it. When someone is willing to break the law in one manner, it leads to a suspicion that they will do so in other ways (selling the information to third parties, etc.). Billy --- From: "Tom Ucko" <tomuckoat_private> To: <declanat_private> Subject: Re: A defense of Comcast's recording web traffic of subscribers Date: Wed, 13 Feb 2002 22:28:05 -0500 > 3. Whoops! Turns out federal law says a cable operator "shall not use the > cable system to collect personally identifiable information concerning any > subscriber without the prior written or electronic consent of the > subscriber concerned." (Let's hope that Comcast's lawyers did their > homework when writing their privacy policy, otherwise might we see a class > action lawsuit asking for statutory damages of $1,000 per user?) I know it's in the policy that I agreed to when I became Comcast customer. Of course, few customers (and reporters) actually read the policy. --- From: "Philo" <philoat_private> To: <declanat_private> Subject: RE: A defense of Comcast's recording web traffic of subscribers Date: Wed, 13 Feb 2002 20:55:40 -0500 > So if Comcast's privacy policy permitted this, what's the big > deal? Anyone > looking for a more privacy-protective service (and the point about > subpoenas for stored data is a good one) should have taken their business > elsewhere. To Earthlink, for example, which seems to be offering > just that. > "Let them eat cake"? Declan, there are many people for whom Comcast is the only broadband available. DSL is not universally available. Sincerely, Philo --- From: "Jim Rapp" <infockerat_private> To: declanat_private Date: Wed, 13 Feb 2002 21:09:55 -0500 On 13 Feb 2002, at 19:46, Declan McCullagh wrote: > So if Comcast's privacy policy permitted this, what's the big deal? > Anyone looking for a more privacy-protective service (and the point> about subpoenas for stored data is a good one) should have taken their> business elsewhere. To Earthlink, for example, which seems to be> offering just that. The big deal Declan is Comcast likely wants to AOLize what was the @Home service. With @Home I had a static IP address and I was not forced to go through a proxy. Comcast has converted me to DHCP and mandates I go through a proxy. They are also capping the downstream data rate to 1.5MB, the Usenet service they will use also has a cap. The privacy concern looks like another area that they want to aggregate data and milk customers for all they are worth. Let's see will they also log that I might download from a decade Usenet music newsgroup, RIAA gets the info. and starts going after users for copyright infringement? If Earthlink also provided cable net access (would have to be over the Comcast system though), I would be happy to go with them, but the only cable net service game in town at this point is Comcast. I am glad to see Concast' feet held to the fire a bit, even if the reaction may be a bit strong, as because they do have a lock on high speed cable net service they can't treat their users as they do their cable subs and expect to get away with it. You must have wanted some feedback to go trolling like this, and you got some! Jim --- Date: Wed, 13 Feb 2002 18:32:50 -0800 To: declanat_private, politechat_private From: Lizard <lizardat_private> Subject: Re: FC: A defense of Comcast's recording web traffic of subscribers The problem I have with this is verification. SleazyISP can wave around their 'privacy policy' all they like, but how do you verify that the company is, in fact, deleting data? The contract is the basis for all just human interaction in a free society, but a contract which cannot be enforced is worthless. I wonder if there's a market niche for 'privacy verification companies', which will can perform spot checks of database contents to verify they do or do not contain what they're supposed to. --- Date: Wed, 13 Feb 2002 18:34:23 -0800 (PST) From: J Edgar Hoover <zorchat_private> To: Declan McCullagh <declanat_private> cc: <politechat_private> Subject: Re: FC: A defense of Comcast's recording web traffic of subscribers On Wed, 13 Feb 2002, Declan McCullagh wrote: > Call me a curmudgeon, but all this doesn't seem that terribly alarming -- > assuming Comcast is telling the truth when saying (a) data were retained > for only a week, (b) their privacy policy permitted this, and (c) the info > was used for performance purposes and not given to anyone else. Put another > way, there are benefits to aggregating information on web use: It can help > improve network performance and lower the cost of the service. A) It has only been on for a week. B) The Privacy Policy, Terms of Service and Subscriber Agreement are contradictory, overly verbose and extremely broad. They also weren't entered into voluntarily, or actively. We weren't asked to accept or acknowledge the terms. Comcast simply used their power as a monopoly to force their terms and their service on us. Sure, the excite@home collapse meant someone had to pick up the internet service. But there are plenty of experienced ISPs with non-orwellian privacy policies that would be glad to do the job. > So if Comcast's privacy policy permitted this, what's the big deal? Anyone > looking for a more privacy-protective service (and the point about > subpoenas for stored data is a good one) should have taken their business > elsewhere. To Earthlink, for example, which seems to be offering just that. The big deal is they are a monopoly. They forced the new terms. Where they provide cable service, they are the only cable ISP. DSL is an alternative to some, but not everyone that has cable has another broadband option. Also, any claims about perfomance increase is hogwash. By the nature of the way this cache works, it is slower than a direct connection to the server. It has problems galore. I still can't post to slashdot.org. I've been trying to post to the Comcast thread for 2 days, but the proxy keeps truncating the URL. I'm being censored from posting to the thread about comcast's abusive proxies by comcast's abusive proxies. Yes, I do understand that this is probably mere incompetence on their part. After running Comcast's statements through my bullshit filter, what they are saying is they plan to not log the source IP of web requests. This means, the address of your machine won't be recorded in logs. What you sent and what you retrieved will. I consider my train of thought, the threads of my research on the web, to be my personal intellectual property. My technique is mine. Even if it's anonymous, I don't want it in the public domain, or in the hands of a company that waffles and denies until wacked in the face with proof of their misdeeds. As a content publisher, I'd suspect you'd be concerned too. This is a foot in the door to the technology that allows them to block, edit or 'personalize' the way your site is displayed to their customers. They didn't tell us they were going to do it. They are still doing it. And they say "trust us". Yeah, right. --- Date: Wed, 13 Feb 2002 18:41:00 -0800 (PST) From: Krishna Mattegunta Kant <kkantat_private> To: Declan McCullagh <declanat_private> Subject: Re: FC: A defense of Comcast's recording web traffic of subscribers > So if Comcast's privacy policy permitted this, what's the big deal? > Anyone looking for a more privacy-protective service (and the point > about subpoenas for stored data is a good one) should have taken their > business elsewhere. To Earthlink, for example, which seems to be > offering just that. That's not necessarily an alternative. If you want 3Mb downstream and 1Mb upstream to your home, cable is pretty much your only choice. DSL doesn't cut it. Since cable companies have local monopolies, there is really no option to take your business elsewhere. Secondly, I agree that some monitoring is useful for network planning and service assurance. However, "user browsing data" can mean many things. Collecting personal and specific customer data (such as what websites customers visit) is not only sleazy, but also practically useless from a network OA&M perspective. Anonymized IP-layer info is more than sufficient for any network planning needs. I am glad at least that the stored statistics are aggregated to bulk form, according to Comcast's statement. I will be happier when they stop collecting application-layer data completely (except in the case of specific Service Level Agreements with particular customers, i.e. the customer asks for it explicitly). --Krishna --- Date: Wed, 13 Feb 2002 22:30:57 -0500 (EST) From: John R Levine <johnlat_private> To: Declan McCullagh <declanat_private> Subject: Re: FC: A defense of Comcast's recording web traffic of subscribers > So if Comcast's privacy policy permitted this, what's the big deal? I happen to agree that there's no reason to believe that Comcast had malicious intent when they collected log data from their web cache, but I see two big deals. The first is that in today's data privacy climate, it's just dumb to start collecting info on people without telling them, regardless of the legalities. Even though Comcast didn't plan on doing anything other than collecting stats, the mere fact that the information's known to be there opens the door to serious privacy invasions, e.g., "we're from the police, we think there may be a child pornographer on your network, so tell us everyone who's visited any of these URLs in the past week." If you got javascript spam that opened www.baby-lolitas.com in your browser when your mouse happened to linger for three seconds on the subject line of the message in Outlook, you'll have a problem. The other is that there's a major disconnect between what people think the privacy laws are and what they really are. People are incredulous when I tell them that there are basically no privacy laws that affect the Internet, that if a site publishes a policy saying "we'll vacuum up every scrap of info we can find about you, cross-match it with every database we can find, and sell the results to any low-life who pays us money", TrustE will cheerfully give them a seal to put on their web site and it's utterly legal. Sooner or later, we need basic European-style privacy rules such as no secret dossiers and no repurposing without explicit consent, but considering how much American marketers hate any limitation on their ability to invade your privacy, I'm not holding my breath. Regards, John Levine, johnlat_private, Primary Perpetrator of "The Internet for Dummies", Information Superhighwayman wanna-be, http://iecc.com/johnl, Sewer Commissioner Write for PGP key, f'print = 3A 5B D0 3F D9 A0 6A A4 2D AC 1E 9E A6 36 A3 47 --- Date: Wed, 13 Feb 2002 23:52:42 -0500 From: Robert Gellman <rgellmanat_private> To: declanat_private Subject: Re: FC: A defense of Comcast's recording web traffic of subscribers So your point is that Comcast was only violating the law for a week, and that makes it all right? Keeping and using AGGREGATE data is perfectly fine under the statute, and no one would have objected to that. Once they were embarrassed, Comcast didn't seem to have any difficulty in changing the policy so there doesn't seem to be any operational excuse. If the data is essential to "improve network performance and lower the cost of the service" (a point that is still to be demonstrated), then it could have been accomplished legally with aggregate data. Comcast's statement talks about sharing personally identifiable data, when the law prohibits the COLLECTION of the data in the first place. The applicable word here is disingenuous. Comcast and its lawyers screwed up and the company ended up with a ton of bad publicity. It may not be the biggest privacy violation of all time, but they deserved what they got. And had the story come your way, I suspect that you would have written it just as AP did. Bob -- + + + + + + + + + + + + + + + + + + + + + + + + Robert Gellman <rgellmanat_private> + + Privacy and Information Policy Consultant + + 419 Fifth Street SE + + Washington, DC 20003 + + 202-543-7923 (phone) 202-547-8287 (fax) + + + + + + + + + + + + + + + + + + + + + + + + --- Date: Wed, 13 Feb 2002 21:34:40 -0800 (PST) From: J Edgar Hoover <zorchat_private> To: Declan McCullagh <declanat_private> Subject: Re: FC: A defense of Comcast's recording web traffic of subscribers For some background, check out the comcast thread where it all started at; http://www.securityfocus.com/archive/82 Then check the comments on the thread at slashdot.org for some interesting perspectives on both sides. --- From: Alan <alanat_private> Reply-To: alanat_private To: declanat_private Subject: Re: FC: A defense of Comcast's recording web traffic of subscribers Date: Wed, 13 Feb 2002 23:23:48 -0800 On Wednesday 13 February 2002 16:46, you wrote: > So if Comcast's privacy policy permitted this, what's the big deal? Anyone > looking for a more privacy-protective service (and the point about > subpoenas for stored data is a good one) should have taken their business > elsewhere. To Earthlink, for example, which seems to be offering just that. Many of their users CANNOT, as comcast has a monopoly in many areas. When they have you between a rock and a hard place, "going somewhere else" is not a very viable option. Comcat's attitude was probably "What are they going to do? Use modems?". --- From: "Vincent Penquerc'h" <Vincent.Penquerchat_private> To: "'declanat_private'" <declanat_private> Subject: RE: A defense of Comcast's recording web traffic of subscribers Date: Thu, 14 Feb 2002 10:40:52 -0000 > So if Comcast's privacy policy permitted this, what's the big > deal? Anyone I beg to disagree. This kind of "if you don't like it, pick something else" presupposes that it is possible to pick something else. This may be possible now, but a shift in "what's available" is not instant. Nowadays, there are more and more issues about data being collected, and used in various ways. To me, this says that this trend, if not countered, will go on and at some point, picking something else will not be possible any more, as all available choices will have some kind of "we own your data" in their privacy policy. But at the time this arrives (in the very near future, I guess), the opinion will probably be already made to accept this idea, and the focus will be on the next big thing: will it be companies saying "we want to be able to make you buy this product because we think it might please you" ? Today's privacy concerns will be forgotten, because they will be gone forever for the majority of the people. Does my idea seem far fetched ? I recently received spam (actual physical mail, not email) telling me that they sent me this ads in spite of me "opting out". because they "thought it might interest me". And another thing, a privacy policy is mainly two things, depending on how you read it: 1: something to keep people from complaining (we care about you) 2: an excuse to hide what they're doing (didn't you read the policy ?) If a company ever finds it will make more money if they change their policy, you can bet they will change it right away. A privacy policy at the moment just seems to be yet another way of telling a potential customer "we're good, we care about you, give us your money". Just another commercial. I've stopped believing capitalists. They're just as liars as others. -- Vincent Penquerc'h --- ------------------------------------------------------------------------- POLITECH -- Declan McCullagh's politics and technology mailing list You may redistribute this message freely if you include this notice. Declan McCullagh's photographs are at http://www.mccullagh.org/ To subscribe to Politech: http://www.politechbot.com/info/subscribe.html This message is archived at http://www.politechbot.com/ -------------------------------------------------------------------------
This archive was generated by hypermail 2b30 : Thu Feb 14 2002 - 10:46:34 PST