The Greatest Threat to Privacy: The Internet Service Provider

I have recently posted on SSRN the article that ate my summer, The Rise and Fall of Invasive ISP Surveillance. I make many claims in this article, but the principal one, and the one I want to spend a few posts elaborating and defending, is found in the first sentence of the abstract: “Nothing in society poses as grave a threat to privacy as the Internet Service Provider (ISP).” In this first post, let me explain why ISPs pose an enormous threat to privacy:

Simply put, your ISP has the means, motive, and opportunity to scrutinize nearly every communication departing from and arriving to your Internet-connected computer:

Opportunity: Because your ISP serves as the gateway between your computer and the rest of the Internet, every e-mail message, IM, and tweet you send and receive; every web page and p2p-traded file you download; and every VoIP call you place travels first through your ISP’s routers.

Means: A decade ago, your ISP lacked the tools to efficiently analyze every communication crossing its network, because computers were relatively slow and networks were relatively fast. I use the analogy of the policeman on the side of the road, scrutinizing the passing cars. If the policeman is slow and the road is wide and full of speeding cars, the policeman won’t be able to keep up.

Over the past decade, while network bandwidth has increased, computer processing power has increased at a faster rate, and your ISP can now analyze more information, more inexpensively than before. The roads are wider today, but the policemen are smarter and more efficient. An entire industry–the deep-packet inspection industry–has arisen to provide hardware and software tools for massive, widespread, automated surveillance.

Motive: Third-parties are placing pressure on ISPs to spy on users in unprecedented ways. Advertisers are willing to pay higher rates for behavioral advertising. For example, Ikea will pay more to place an ad in front of people who have been recently surfing furniture websites. To enable behavioral advertising, companies like NebuAd and Phorm have been trying to convince ISPs to collect user web-surfing data they do not collect today. Similarly, the copyrighted content industries seem willing to pay ISPs to detect, report, and possibly block the transfer of copyrighted works.

Because of these three factors, ISPs are scrutinizing more information–and different forms of information–than they ever have before. AT&T has begun to consider monitoring for copyright violations; Charter Communications signed up with NebuAd, sparking a firestorm of publicity and legislative interest which pushed Charter to abandon the deal; and a few British ISPs have begun to use Phorm’s services. I predict that these examples presage a coming storm of unprecedented, invasive ISP monitoring.

In the next post, I will compare the threat to privacy from ISP monitoring to the threat from other entities, in particular, Google and Microsoft.

You may also like...

47 Responses

  1. Bruce Boyden says:

    Why is it a threat to my privacy though if my traffic is scoured by some ad bot?

  2. Paul Ohm says:

    1. Firms like Phorm and NebuAd are not simply scouring, they’re storing information that can be used to reconstruct web surfing behavior. (They’ll respond with claims of anonymization, but I spend a lot of time in the Article debunking those claims. See Part III.A.)

    2. The systems required to redirect, scour, and store web surfing data are fantastically complex. (Phorm redirects web queries as many as four times before letting you get the page you tried to view.) There are lots of places in this chain for something to go wrong and spill information in unintended ways.

    3. Because your ads become tuned to your web surfing behavior, your private habits might be revealed to the people who share your computer. To use Ross Anderson’s example, a woman hiding an abortion from her partner may not want ads for baby-related products popping up on websites.

    4. Although this isn’t really your question, deep-packet inspection is going to allow ISPs to do much, much more than just scour for ads.

    If you want much more on this, see Parts I.C. and III.A of the article.

  3. Bruce Boyden says:

    Let me spell out my concern a little bit more. There’s threats and then there’s threats. The data that ISPs have access to certainly could be a threat, but I guess I’m skeptical that it actually is the greatest threat to privacy in our society. A planet-crushing meteor impact is a threat to my very existence, but it’s not one I spend a lot of time worrying about. From what I can tell of what Phorm and NebuAd are doing, it would take a pretty dedicated stalker to get anything useful about me or anyone else out of the data they are collecting, assuming the stalker could get his or her hands on it. And like Jerry Seinfeld said about blood on your shirt, if I have a dedicated stalker, NebuAd is the least of my worries.

    Re: 3, again, there’s all sorts of problems from shared computers, not the least of which is the browser history. Also keyloggers. Are targeted banner ads really high on the list?

    4 is an interesting issue. What *could* ISPs theoretically do under the “service quality control check” provisions of the Wiretap Act, assuming that’s what applies? That they have a motive to do, anyway. They could and want to screen content for keywords for ads. Is there anything else ISPs would *like* to do that is arguably consistent with the ECPA?

  4. Paul Ohm says:

    Thanks Bruce, as always, for the thought-provoking questions.

    I agree that we need to be careful when talking about threats not to confuse the merely possible with the likely or probable. The first third of my (long) Article tries to establish why ISPs are likely, not just able, to collect vast amounts of information soon.

    Without rehashing everything said in the article, it is enough to say that none of the traditional regulators of online behavior–technology, norms, markets, or laws–will stand in the way of aggressive ISP monitoring. Technology I discussed in the post. The norms of network monitoring are hopelessly vague. Market pressures are pushing ISPs to look for new sources of revenues, and behavioral marketing is the best source.

    And law? Given our last discussion thread, I’m surprised to hear you use the phrase “arguably consistent with the ECPA.” What isn’t “arguably consistent with the ECPA,” especially if Hall v. Earthlink is extended to cover virtually all ISP behavior?

    In my next post (which may become unnecessary if we keep going!) I will point out how other entities, in particular Microsoft, can potentially access as much or more information than an ISP. But although Microsoft can access more information than an ISP (because of its OS market share), it is less of a threat to privacy because norms and the market are keeping it honest.

    In an earlier draft of this paper, the first sentence read, “No other entity in society poses as great a threat to privacy than the Internet Service Provider.” Can you agree with that claim?

    If not, tell me what other entity in society poses a greater threat.

  5. Bruce Boyden says:

    It’s not an entity, per se, but I’m worried about the stalker mob — a brief flurry of attention that grabs all of the publicly available droppings of someone’s life (telephone number, email address, children’s schools, Facebook page) and widely distributes them to a ravenous mob out of all social context. Second to that would be identity thieves or other malevolent individuals — again, not an entity, I suppose. Third, insecure data aggregators — not with randomized browsing histories, but with retail purchases or health information matched to name and credit card number. I’m worried about all of those more than ISPs making marketing deals.

    I agree Hall v. Earthlink seems to exclude all ISP equipment from the Wiretap Act — although there’s still 2702, the Cable Act, and the CPNI rules. But I think you agree that Hall is subject to strong criticism. (And to the extent it isn’t, 2510(5) has outlived its usefulness.) So, ISPs will need a fallback argument that their activities are protected under 2511(2)(a). Can they make that argument for whatever activities it is that we’re worried about? I think serving better ads is probably pushing the limits as it is, but that section hasn’t been litigated much except in a few search warrant cases.

  6. Your ISP has nothing on you compared to the dossier Google has. It’s absurd to worry about ISP “surveillance” when the real threat to privacy is so obvious.

  7. @Richard, Your ISP has everything Google/Microsoft/Yahoo has, plus all of your surfing, email, IM, P2P that doesn’t involve Google.

    I’m not that worried about Google or other single services, especially since I:

    1. consciously split my activities across multiple service providers and many accounts

    2. clear private browser data regularly, and only login to services when I need them

    3. change my IP address regularly

    4. block certain ad (and malware) servers in my hosts file

    For further protection, there are anonymizing services such as Tor.

    Actually, major email providers like Google give options to fully encrypt email traffic, so email is one area that is of little concern to me with regard to ISPs.

  8. Some hopeful news…

    ISP Web Tracking Dead As Net Eavesdropping CEO Resigns

  9. Paul Ohm says:


    Yes, that’s exactly my point. Your ISP can see everything (aside from encrypted communications and things you send through another provider) you do online, including all of the things Google can’t see.

    So unless you use Google for everything you do online (not an impossibility, given the tendency for Google to expand like an ideal gas) you can “hide” from Google. You can’t very easily hide from your ISP.

    And thanks for the link to the NebuAd news. I’m shocked my article had such an immediate impact! 🙂

  10. Frank says:

    This looks like a fascinating paper and has the potential to totally reframe the “net neutrality” debate. Your points about the weakness of anonymization technology are very interesting, and remind me of several recent presentations I’ve seen by Carnegie Mellon professors (including Latanya Sweeney and Alessandro Acquisti) on reasons to doubt assurances of anonymization.

    As Ronald Reagan said: Trust but verify. I don’t see the verifiability component of these assurances, be they from deep packet inspectors or search engines.

  11. Brett Glass says:

    I am an Internet service provider, and I’m concerned that this inflammatory posting appears to be riding on a larger, more general trend in which bloggers and “activists” are demonizing ISPs because they’re a convenient target.

    In fact, we as an ISP are very strident guardians of our users’ privacy. They’d be sitting ducks for all manner of exploits if we didn’t block them automatically and configure users’ systems and networks to be resistant to them. We monitor traffic only for the purposes of debugging, detecting network abuse, and detecting violations of our Acceptable Use Policy. We don’t want to snoop on our users; in fact, we CAN’T if they follow our own advice about how to use the Internet securely.

    The one thing our users do NOT need is hype like the above, which — in an attempt to alarm the public and attract attention — tries to cast us as our users’ adversary rather than as their ally. And it’s irresponsible, IMHO, to post such nonsense.

  12. Paul Ohm says:


    Thank you very much for your comments.

    The point that ISPs come in many shapes and sizes is well taken. Even small ISPs, however, are positioned to intercept client communications if they want to (and it sounds like you don’t want to) and the Deep-Packet Inspection industry is willing to sell products to you regardless of your size.

    But, I will concede without reservation that my calculation of the threat to privacy is aimed mostly at large ISPs, because the argument relies on the recent onslaught of stories about ISPs who have begun to tip-toe (or in some cases, hurdle) across previously drawn ethical lines in the sand about the type of monitoring an ISP should ethically be allowed to do. All of the ISPs I list in the Article are big ISPs. You may be “monitor[ing] traffic only for the purposes of debugging, detecting network abuse, and detecting violations of our Acceptable Use Policy” but unfortunately the same can’t be said for AT&T or the companies lined up with NebuAd and Phorm, or the companies who use Sandvine’s products to try to identify certain types of p2p traffic.

    I do take exception to your characterization of my post as merely “hype” and “nonsense.” The post describes and links to a huge, heavily-researched law review article. The article is still only a draft, and I have plenty of time to change it if I can be convinced parts of it are wrong or overly alarmist. I would be very grateful if you took the time to read the entire thing and give me your comments.

  13. Paul Ohm says:


    We seem to be debating past one another. You keep imagining ISPs that feel bound by statutory privacy laws (or something else–ethics?) These hypothetical law-fearing ISPs seem not very threatening, I agree. On the other hand, I’m imagining ISPs that don’t feel bound by statutory privacy laws–or at least they think it’s worth the liability risk to push the legal boundaries because the rewards are very high. These hypothetical law-flouting ISPs seem much more threatening to me than the entities in the examples you give.

    So which of us is right may depend on whether ISPs fear or flout the law. I think that the headlines of the past year suggest that ISPs are tentatively experimenting with the “law flouting” model. Unless something pushes back against them (civil lawsuits, new laws, criminal investigations), the experiment will spread throughout the industry.

  14. Brett Glass says:

    Size is not an indication of ethics. To assert otherwise is an ad hominem argument. If our ISP were to become large (as I hope we will), it would not change our practices or policies with regard to privacy.

    What’s more, you are demonizing what you call “deep packet inspection” — a term which you make out to be absolutely and obviously evil. The fact, first of all, is that Internet packets have no “depth.” They are one-dimensional. They are not “envelopes” with contents; they are analogous to postcards.

    Secondly, the term makes it sound as if a human is “looking at” the packets rather than a machine which is simply sorting them and gathering statistics on them (a practice which is necessary to deliver good service and stop network abuse).

    Finally, as I keep drumming into my users’ heads at every opportunity, there is no reasonable expectation of privacy in a packet that traverses the public Internet.

    As an ISP, I fiercely defend my users’ privacy. However, it must be recognized that my ability to do this ends where the public Internet begins. I always warn my users that there is NO reasonable expectation of privacy in an unencrypted packet on the public Internet. None at all. All of it is readable by dozens — maybe hundreds — of complete strangers on its way to its destination.

    Whether or not your local ISP’s equipment examines them (and there is good reason for them to do SOME looking — for example, to see if they are Voice over IP and give them priority to keep the call clear), they will pass through dozens — maybe hundreds — of machines that might. Some of that equipment may belong to private parties or corporations and not an ISP or telecommunications provider. Some may not even be in this country (and so may not be subject to ANY restriction the US government might impose upon one’s behavior with respect to them). How many such parties are there? Well, Microsoft recently increased the default “time to live” of a packet — that is, the number of parties that can handle it before it is considered to have irretrievably lost its way to its destionation — to 128. Yes, that means that 128 complete strangers may carry the packet on its way to its destination. This means that there’s no more expectation of privacy than there would be if you held a conversation in a crowded room — or, to use a better analogy, passed unfolded notes across a crowded room.

    Your packets may also pass over the air via unencrypted wireless networks (or ones with encryption that is trivial to break, such as WEP).

    In short, this is not the telephone system. It’s a cooperative, somewhat anarchistic “network of networks,” held together by weak and changing contracts, agreements, and conventions. There’s no central control center that can guarantee your privacy.

    Therefore, as I always tell my customers, if you want to send something that’s really confidential over the Net, make darned sure that you are using encryption. Otherwise, no matter what your ISP does, it’s subject to sniffing and snooping in so many places that you simply cannot expect it to be private — and no court that truly understands how the Internet works would rule otherwise.

    As an ISP, we do our best to educate our users about this, but it always bears repeating. Deep packet inspection? “Shallow” packet inspection? Makes no difference. Quit dealing in rhetoric. Every user must simply expect his or her Internet packets to be looked at. Do so, and you will not be disappointed when it happens.

  15. Excellent piece …

    Unintended consequence FTW … more encryption for the masses … *smart* ISP will offer enterprise encryption (even Google does that now) as a *value* and pitch for privacy …

    They could even charge a premium & explain how to deal with such exotic concepts as key escrow & key management …

  16. Bruce Boyden says:

    Paul, now I’m a bit confused. If we assume ISPs are not going to follow the law, then there’s not much point in clarifying the law or passing new laws to address the problem, is there? I mean, we might as well just give up and go home. But I understood your paper to suggest that clarification of the ECPA would help solve the problem. Why would it, if ISPs are so incorrigible?

    But I find it difficult to believe that ISPs or any other large corporations with assets easily reachable within the United States would continue to flout the law (assuming for the moment that they are), or actually commit *worse* violations, in the face of civil lawsuits at $10,000 a pop, class actions, criminal sanctions, and all the attendant bad publicity. I mean, it’s not every day you run across someone like John Zuccarini. So yes, I’m assuming that if there is a real danger from ISPs we need to worry about, it’s one that would come from exploiting loopholes, or at least very murky gray areas.

  17. Paul Ohm says:


    Maybe flout wasn’t the best word. I have good reason to believe that the lawyers working for ISPs have been writing memo after memo explaining how Hill, rights & property, rendition of service, and consent give them free reign to do whatever they want with their networks. Specifically, a number of lawyers have told me that this is what they have been doing.

    So to you and me, the behavior I fear is coming would look like flouting, because despite the complexity of ECPA, we know that there are limits. In contrast, I think the large ISPs have almost convinced themselves that ECPA places few hurdles in their way (particularly given ToS/consent) and I think the headlines prove that they are acting on this belief.

    That’s why we need to clarify ECPA, as my article suggests, but more importantly, that’s why we need the plaintiffs’ bar to step up and begin filing suits and, in the most egregious cases, we need DOJ to begin criminal investigations to test the theories circulating in these memos.

  18. Paul Ohm says:


    I’m taking a lot of this offline, but I had to respond to some of the things you have said, because you make some potentially misleading claims.

    First, be careful with the phrase “reasonable expectation of privacy” in a room full of lawyers. It is a term of art relating to the Fourth Amendment, and I think there absolutely is a reasonable expectation of privacy in the content of packets transiting the Internet. It’s hard to cite cases that say so, because the Wiretap Act imposes statutory privacy, so the FBI doesn’t wiretap willy-nilly, but if it did, I think most courts would apply Katz and Berger and say the Fourth Amendment applies to packet sniffing.

    Second, I think it’s dangerously misleading to say that packets are readable by “dozens–maybe even hundreds–of complete strangers.” Do you really believe this is true? My traceroute results rarely show more than a dozen hops and usually the domain names of only two or three or sometimes four providers. Thanks to BGP, packets tend to follow fairly efficient routes from A to B, and thanks to industry consolidation and peering and transiting, few providers tend to be involved in any particular route.

    Especially to the untrained reader, your last comment almost makes it sound like you are suggesting that Internet routing is a peer-to-peer free-for-all affair. It isn’t, and only a few companies–ISPs all–are involved in handling packets from A to B.

  19. anonymous says:


    This is enjoyable. Please Let Brett continue without direction. We all would like to know if he really is associated with an isp; therefore on behalf of all those interested, we would like to know the following:

    1)the id of his isp,

    2)amount of subscribers,

    3)if his isp is actually intercepting their subscriber’s web searches for advertising purposes,

    4)date they started/stopped,

    5)cities involved,

    Let’s skip the rambling diatribe about what happens, or could happen, to the packets when they transverse the net. I want to know what his isp does.

    Let’s skip attempting to claim that the Hall’s decision concerning “normal course of business” exception relates to wireapping for advertising.

    Hey brett,tell me more about your thoughts that consumers have no “reasonable expectation of privacy” while using your isp.

  20. Paul Ohm says:

    Just to clarify: when I said I was “taking a lot of this offline,” I meant, “Brett and I are discussing some of these issues in parallel via e-mail,” not “I’m going to remove some of this” nor “I’m going to try to direct Brett to talk about certain things.”

  21. Brett Glass says:


    With all due respect, nothing that I’ve said is misleading, and I’m sure that Richard Bennett (a brilliant network engineer who I see has commented here) will confirm this. The simple fact is that the Internet was designed for a friendly, academic environment. It was simply never designed to be private.

    To repeat some of the points I’ve made in a private e-mail message I sent to you today: Any real privacy which one can achieve on the Internet must be imposed from without (e.g. via encryption). I stand by my statement that sending a packet on the Internet is, literally, like passing an unfolded note across a room filled with hundreds of strangers. (And, as the note passes from hand to hand, everyone who handles it must look at it. Otherwise, they do not know which way to pass them next. In fact, each one must place a mark on the note before passing it on; that’s what the “time to live” field is about.) And trying to pass legislation demanding that they not look at the notes (especially when they need to look at them to route them) would be obviously be unreasonable and impractical.

    Due to this design, there is nothing an ISP can do to make the Internet intrinsically capable of providing a reasonable expectation of privacy.

    And, yes, I say that with full understanding of the Fourth Amendment implications of this concept. It can’t be called an “unreasonable search” for someone — government or not — to look at the packets as they go by; in fact, it isn’t a search at all. They were thrown out into the Net with an express understanding that they could be routed any which way, with each node making a “best effort” to eventually get them to their destinations. It is not “wiretapping,” because there is no “wire” which one must “tap into” to see the packets. And, yes, they can take dozens of hops, through dozens of networks owned by different people, changing course without warning, to get from point A to point B. I know, because as an ISP I have to track how our packets are being routed when a user complains of slowness or long latencies. We watch the routes switch multiple times per day. And we see some mighty circuitous routes, with packets bouncing multiple times between, for example, Denver and the West Coast before reaching their destinations.

    What’s more, Sandvine (and it’s interesting that they are the only ones mentioned as a “villain” on your site; Ellacoya and many others do similar things) is not doing anything wrong at all by identifying and prioritizing traffic and by blocking traffic which can harm the network. We can’t afford those expensive appliances, and so have written our own software to monitor our network for abuse and for violations of our AUP. We have to. Our quality of service depends upon it. And our customers all agree to our AUP when they sign up with us. Enforcing an AUP is not an invasion of privacy.

    But back to privacy: Scott McNealy’s famous statement, “You have no privacy; get over it” is not true of all things, but it’s a healthy attitude to take toward the Internet. If you want privacy in what you do on the Net, you must create it. And, fortunately, that is not hard to do.

    There’s no point in attempting to set consumers at odds with their ISPs, because their ISPs have no control over this. We safeguard users’ personal account information very closely. We don’t give out ANY information about our customers except pursuant to a lawful order such as a subpoena. We aggregate their browsing via a cache so that it’s hard to identify who is conducting an individual Web session. (AOL does this too, by the way.) And we let users know when we can see that there is spyware, a worm, or a Trojan horse on their machines (which, by the way, does require some monitoring of their data streams). But we can’t make the Internet what it is not. The draft paper which you’ve posted seems to blame us for that — and also to condemn the beneficial monitoring and filtering which we do carry out to prevent abuses such as P2P.

    I realize that, as an attorney who specializes in wiretapping cases, you may be hoping to make use of the hammer which you hold in your hand, and therefore to declare the Internet, via legislation, to be a nail. But it doesn’t make sense to force it into that mold. It’s a different beast, and in fact it was intentionally designed to be as different as possible from the old PSTN (public, switched telephone network). It does not make sense to try to legislate it into that, and to do so would destroy it. It is especially unfair to demonize ISPs, who (if they are at all professional) do their darnedest to inform consumers about how the Internet actually works.

    I realize that you’ve probably put a lot of effort into drafting your paper, but I urge you not to misinform the public by publishing it without correcting these fundamental problems. I also urge you to change the title so as not to defame ISPs.

  22. As Brett points out, most Internet traffic is sent in clear text over shared links accessible to a large number of people. If you expect your unencrypted communications to be private, you’re living in a dream world.

    The larger point is this: the ISPs don’t operate on a business model that requires them to know anything about your preferences. The service they sell requires them only to deliver packets within the response-time boundary appropriate to each application. So while an ISP has access to all the packets it passes, it has no particular interest in examining them beyond the nested protocol headers that identify the application. Furthermore, they have not invested in sufficient storage capacity to build dossiers on users.

    Google, on the other hand, has a business model that absolutely depends on knowing all about you, because that’s how they sell targeted ads. And while most of us access the Internet across a number of ISPs (one at home, another at work, and hotspots for wireless devices), Google’s e-mail and search products penetrate them all.

    Google has massive disk farms in some 40 locations around the world where they warehouse data on users, and none of the ISPs has anything remotely resembling that.

    In short, the ISPs lack the motive to invade our privacy, but Google’s business model absolutely depends on it.

  23. Bruce Boyden says:

    Brett, as you’ve seen I don’t agree with Paul on everything, but I would agree that there is a “reasonable expectation of privacy” (used in a technical legal sense — call it a “schmeasonable expectation of privacy” if you like) in email communications. Originally, phone communications were not accorded Fourth Amendment protection because of the very argument you make — phone conversations travel unprotected over wires that are located in public space, and in 1921 required the assistance of actual human operators to place the call, who often would listen in to at least the beginning of the conversation to make sure it was connected. So you might not have a reasonable expectation of absolute privacy from everyone during a phone call, but beginning with Katz in the 1960s you had a schmeasonable expectation of privacy from the government.

  24. Paul Ohm says:

    Unfortunately, I will soon go off the grid until Sunday, so I won’t be able to keep up my end of the debate.

    Richard’s points about motive are well stated. I will take them on in my next post, sometime next week.

    But one more thought about expectations of privacy: I think we are making different claims about privacy: you can make descriptive claims about how hard it is to have privacy online, predictive claims about how likely it is that others will want to invade your privacy (the motive question), normative claims about how much privacy we should have online, and doctrinal claims about whether particular types of packet sniffing or header collection violate a statute or the Fourth Amendment. I think Brett (and to a much lesser extent Richard) are making primarily descriptive (with some predictive) claims, while Bruce and I have been debating the predictive/normative/doctrinal questions. So we’re talking past one another a bit. Just saying that my communications might be intercepted is not the same thing as saying that there shouldn’t be a law (or that there isn’t already a law) prohibiting interception.

  25. Brett Glass says:


    Unfortunately, your “normative” claims reflect the norms of a different communications system — the telephone system — and not the Internet. The Internet was intentionally designed very differently and has different norms and expectations built in. You might say that those norms are part of a “doctrine” of their own upon which the Internet was founded. And that doctrine does include any notion of privacy except via end-to-end encryption.

    On the Internet, there’s no question that your communications will be intercepted. That’s the norm — in fact, it’s the way the Internet operates. Packets are “intercepted” (in the sense of being looked at by a machine, if not a human) every step of the way. What’s more, because the FCC has classified the Internet as a data service, most laws regarding “wiretapping” simply do not apply to it.

    If someone mistakenly thinks that is or her e-mail will be private when it is not encrypted, he or she is ignorant the way the Internet works. That may not be that person’s fault; no one may ever have educated him or her properly. (It seems to be far too common nowadays to throw people in front of computers without instruction — something that we would never do with cars.) These people need to understand that your e-mail can be private if you choose to encrypt it (which, again, is not hard to do), but it is not by default — because the Internet arose in a trusting environment where this was a reasonable default.

    Richard is correct in stating that ISPs have no motivation to record users’ communications, while Google/Doubleclick (remember, they’re now one company) does. So, to title your paper “The Greatest Threat to Privacy: The Internet Service Provider” is both misleading and inflammatory. So is the first sentence (quoted above). I urge you to reconsider both.

  26. anonymous says:

    let’s return to the issue.

    Does your ISP intercept subscriber communication for commercial advertising purposes, which as we know, is unrelated to the isp’s normal course of business exception, and not within the Hall discussion.

    If you actually are associated with an isp, and your isp’s practice is legal, then there should be no problem completing my inquiry noted above in my previous post.

    We do not want to discuss an isp’s subscribers communication once it leaves the control of the isp.

    We also do not want to justify the illegal interception of online communication by an isp, and/or their associated parties, by allowing you to argue, that since there is a likelihood it will occur from other source, then the isp inteception is merely the “lesser of two evils”.

  27. Brett Glass says:

    Hey, “anonymous:” I’m using my real name. Why aren’t you? Worried that you might be held liable for your defamation of ISPs?

    The fact is that my ISP does not collect ANY data for commercial advertising purposes, and will not do so. Period.

    The very fact that you’re suggesting it indicates that you’re on the same alarmist bandwagon as the “Network Nut-trality” nutcases (the ones that have just managed to impose bandwidth caps on broadband users nationwide, claiming that it is somehow “pro-consumer” to do so).

  28. "anonymous" (added quotation marks for identity purposes) says:


    As an introduction,I’m just a concerned citizen that appreciates their privacy,thus “anonymous by choice”.

    As for defamation,I hope only to defame ISP’s, and their associated 3p’s, that violate privacy laws;therefore I do not believe all ISP’s are a threat to privacy, but only a limited few.

    Glad to hear your thoughts:”The fact is that my ISP does not collect ANY data for commercial advertising purposes, and will not do so. Period.” As a rep of the isp industry,AND NOW THAT WE ARE FRIENDS, what are your thoughts about isp’s that do?


  29. Paul Washburn says:

    First of all, this paper looks fascinating. Thanks for the research!

    I also want to comment on Brett’s characterization of privacy. The assertion that packets ‘are not “envelopes” with contents; they are analogous to postcards’ is a great example why this threat is disconcerting. It would obviously be concerning if the Post Office started copying the contents of postcards into dossiers indexed by people’s address and then sold this information to junk mail advertisers. I am sure that despite the recognition and acceptance that everything written on a postcard is right in the open, any initiative on the part of the carrier to monetize their access to that information would be interpreted as bad faith. It is not logical to claim that because ISP’s need to read header information to route packets implies that we shouldn’t worry when they start to perform DPI and data mining (on traffic we are paying them to route) not for purposes of network administration, but to sell that information to advertisers.

    Furthermore, an expectation of ethical behavior (like the one we hold the Post Office to) does create a “reasonable expectation of privacy” regardless of the accessibility of the information.

    But all of this misses the larger point. I think (and I am sure I am not alone in this sentiment) that it is laudable that Brett Glass’ ISP adheres to the expectation that packet inspection etc. will be undertaken only to perform the service customers are paying for. The question is how can Brett’s ISP possibly survive when a company like Phorm can legally pay another, not so ethically inclined, ISP possibly as much as it receives in subscriber fees to use its existing equipment to gather, track, and sell data relating to customer traffic?

    A paper like this, far from being an ‘inflammatory posting… riding on a larger, more general trend in which bloggers and “activists” are demonizing ISPs because they’re a convenient target’, is a much needed warning to ethical ISPs large and small (because remember, ‘size is not an indication of ethics’) that unless the regulatory environment changes, the ethical behavior you are so proud of *will* put your ISP at a serious competitive disadvantage.

  30. "..." ,fka "anonymous, fka "anonymous" says:


    I was with you until you said:”…when a company like Phorm can legally pay another…” Let’s chat about “legally”, in refernce to nebuad, frontporch, and phorm:

    1)What are the legalities of their actions?

    2)What about the Isp’s actions, separate from the oba’s(online behavioral advertisers)?

  31. Sam says:

    I think his article is quite appropriate for today snooping society. I personally have NO respect for the police or government authorities (US), especially after the Ruby Ridge, Waco, Richard Jewell, and Dr. Hatfield fiascoes. The last thing people need is to have personal information and activities logged for the rogue authorities to pillage through to try to use some innocent activity to build a phony case against you. I personally use encrypted surfing and emails for almost everything. If I send a comment to someone, it will be by a remailer. They can’t reply, but I don’t find that necessary.

  32. Brett Glass says:

    “anonymous,” due to the inflammatory and combative nature of your postings I’m afraid that you’ll have to do a lot more to convince me that you are a “friend” of any ISP.

    Paul: It appears that you are unaware of the practice known as a “mail cover” (see The outsides of the mail you send — including post cards — can already be viewed by the government without a warrant. So can any mail that’s unsealed. Since all of an Internet packet is out in the open, viewing any part of it is analogous to this long accepted, constitutional practice. If you don’t want this, better “seal” it (in such a way that the government can’t open it even if it wants to) by encrypting it.

    Also, we as an ISP are not particularly worried that our competitors will gain a financial advantage over us by selling information about their users. The free market will work as it should, and users who don’t want to be subject to this practice will patronize us rather than ISPs which gather and sell their data.

    Users are free to sell their privacy if they want to (and it’s amazing how cheaply some will sell it), but that’s their right. The ones that do so are likely to be the same ones who will let spyware, viruses, and worms into their machines, and also to be spammed (which takes up lots of our bandwidth). So, we’ll be happy to let our competitors have those customers. 😉

  33. "..." says:

    brett: i like prince, i am allowed to change my name whenever i feel like it, as noted, i am now to be called “…”


    to all:, here’s my post to paul, everyone with that wants to add their thoughts, feel free. please jump in and let’s bounce this around.


    I was with you until you said:”…when a company like Phorm can legally pay another…” Let’s chat about “legally”, in refernce to nebuad, frontporch, and phorm:

    1)What are the legalities of their actions?

    2)What about the Isp’s actions, separate from the oba’s(online behavioral advertisers)?

    Posted by: “…” ,fka “anonymous”, fka anonymous at September 6, 2008 10:22 AM}


    paul: what brett is saying is that isp’s that intecept your online communication need only a search warrant from authorities to release your data, as opposed to an extensive legal process for them to wiretap to obtain the same info.

    finacial argument! yeah right!!!!

    isp’s are bing offerred $2.00 per person, per month for private data. I see somewhere it’s as high as $5.00 per person, per month, but with that option existing, we can be assured businesses won’t consider the proposition, wink wink…

    selling privacy..what’s “dat”

    death, advertising and taxes(dat)……..





    we can agree:



    99% of isp’s do not sell personal data, ok

    paul’s paper discusses the threat. What about if that threat has become reality. can we discuss those issues?

    what if the isp is…..monetizing on subscriber’s personal private data?

    what are the liabilites of the oba( online behavioral advertiser) that is assisting the isp, as opposed to the isp’s liabilites, as opposed to the concerted effort of both?

    now that’s is an interesting topic!.

  34. Paul Washburn says:

    Brett: I’m well aware of the American government’s access to both mail and network traffic. However, I’m sure you would agree that a government’s access to open mail and the Post Office aggregating and reselling information that’s “out in the open” are activities so disparate that we are hardly informed by a comparison between them. At least let’s compare the government aggregating and reselling information that they gather to advertisers. I wonder how that would be received.

    Also, I’m kind of surprised you are confident in your ability to compete with ISP’s who are perhaps receiving $1 from an advertiser and $1 from a subscriber for every $1 your subscribers pay you. After ‘drumming’ your user’s heads that “any real privacy which one can achieve on the Internet must be imposed from without (e.g. via encryption)…sending a packet on the Internet is, literally, like passing an unfolded note across a room filled with hundreds of strangers”, it’s really hard to see a savvy consumer paying your ISP a premium to not look at their packets before passing them on to the “hundreds of strangers” who will when they can use a cheap service like Relakks for 5 EUR a month that provides some guarantee of privacy.

    And don’t tell me that your ISP will compete entirely through the people who are savvy enough to know AND care that their ISP is aggregating and selling their data, want to do something about it and are willing to pay a 50% premium (which seems reasonable here), but have never heard of a VPN or other sort of tunneling.

  35. "..." says:


    I agreed with you to the end but you threw me a curveball:

    “but have never heard of a VPN or other sort of tunneling.”

    ok,let’s go down another thread, away from paul’s paper about what exactly isp’s, and any associated companies are doing, to be a threat to privacy. are we chatting about law, computers, geek stuff, or a combo of all?

    tell us what is happening over at the ….”5 EUR a month”..neck of the woods.

    how does vpn or tunneling involve ISP’S SELLING SUBSCRIBER’S DATA FOR PROFIT?

    Are we back to “privacy lost” in the cyber world since vpn’s use wi-fi; therefore isp’s are not a threat, but others not associated with ISP’s, AND NOT THE POINT OF THE PAPER, maybe be illegally intecepting communication when it’s being routed?

    If you know all about isp’s, AND ESPECIALLY CPOMPANIES CREATING DPI BUSINESSES TO WORKL WITH ISP’S FOR DATA MINING, AKA, DATA SALE, tell us who is doing what to whom. I won’t tell anyone.


    I’m all ears!

  36. Brett Glass says:

    “anonymous”: I certainly have not been offered $2 to $5 per subscriber for information about my customers, and I doubt that any other ISP has. Kindly substantiate your unsupported assertion.

    Paul: Again, it appears that you may be unfamiliar with the way in which the Internet operates. It is, by nature, decentralized and anarchistic. And that is the whole reason why it works. You still seem to be trying to force it into the mold of the old Bell System, even though doing so would destroy it. (Not to mention the fact that overbearing regulation such as that which Washington lawyers and lobbyists are proposing would strangle independent operators, leaving consumers facing a monopoly or duopoly.) Also, you, like “anonymous” above, are greatly overestimating the amount that anyone would be wiling to pay for consumer data.

    With all due respect, I believe that the lawyers should stick to drafting wills and chasing ambulances and stop meddling in a business that they know little or nothing about.

  37. "I'm confused" says:

    brett: calm down dude! weren’t you the ad hominem guy, “To assert otherwise is an ad hominem argument”

    as for what isp’s do in big states and big cities with large subscriber’s database to make it worthwhile for them!

    ATM for ISPs or Spy in a Box?by Jim Thompson

    [December 7, 2007]

    “In return for installing the black box in their network, a bounty is paid to the ISP that varies from $2 to $4 per subscriber.”

    Do you want more? I did see an article discussing $5 bucks a person, and the money made per year was incredible on a good size isp; moreover the deals also allow a % to the isp’s. That could possibly justify the total payout if $2-$4 is normal, then the % above the base could put it up to an average of $5.

    HEY! LEAVE MY BUDDY ALONE!…”Also, you, like “anonymous” above, are greatly overestimating the amount that anyone would be wiling to pay for consumer data.”

    “With all due respect, I believe that the lawyers should stick to drafting wills and chasing ambulances and stop meddling in a business that they know little or nothing about”…….OUCH!!!

    Ok then go ahead again and let’s talk about “reasonable expectation of privacy”

    that’s your area of expertise, right. privacy law for isp’s.. or is it how isp’s work,

    YO BRETT: now that you are calm,we all agree your the inside go to guy here. skip trying to protect your industry. we know your a good guy and legit, but feed us info on the bad guys..

    feel free to answer my previous questions, why would an isp associate with a oba to intecept the communication and allow them to sell the ads, why not do it themselves?

    let’s skip a man in the middle debate, and talk about “cut out the middle man” debate.


    I’m confused!…(new name)

  38. Brett Glass says:

    Jim Thompson, who writes for Jupiter Media, has, shall we say, a less than pristine track record as regards technical savvy or accuracy. What’s more, the article says “$2 to $4 per subscriber;” it does not say “$2 to $4 per month per subscriber.”

    If the amounts in the article are accurate at all, they are much more likely to be per year, not per month. In other words, negligible.

  39. "me" says:

    are you a happy person?

    i have read paul’s article and will cite it within a paper i am preparing. I spend much of my time researching this area of law and that is 1 damn good paper, but you whacked him!

    then you whacked poor ole me!

    then you started on paul washburn, and even criticized his knowledge!

    it’s ok to attack an industry, and have fun trying to prove that’s slander, but when you name a person, ie like the writer of an article, i hope he doesn’t read this post!

    well, i will check back to see if anyone returns to the topic of isp privacy threats, and especially my interest, the oba’s that are associating with the isp’s

  40. "me" says:


    are you a happy person?

    i have read paul’s article and will cite it within a paper i am preparing. I spend much of my time researching this area of law and that is 1 damn good paper, but you whacked him!

    then you whacked poor ole me!

    then you started on paul washburn, and even criticized his knowledge!

    it’s ok to attack an industry, and have fun trying to prove that’s slander, but when you name a person, ie like the writer of an article, i hope he doesn’t read this post!

    well, i will check back to see if anyone returns to the topic of isp privacy threats, and especially my interest, the oba’s that are associating with the isp’s

  41. Nathan says:


    Just one question on your generally well articulated post (04 sept 3:27).

    You said “we do carry out [filtering] to prevent abuses such as P2P.”

    How is P2P an abuse? It’s just straight-up network traffic like any other. If I’m subscribed for a 10 megabit line, is there a specific reason I shouldn’t expect to be able to make full use of my subscribed bandwidth (assuming the 10M is a hard cap?)

    Moreover, when you say P2P are you including commercial P2P (some like to interchange commercial and legitimate, but I don’t see corporate sponsorship as necessary for legitimacy)? An example would be companies like Blizzard that use P2P to push software updates to their clients rather than hosting the files themselves. Is this also somehow ‘abuse’ of your/my network?

  42. "me" says:


    ya, what nathan said, what do u have 2 say about that!,buddy?

    we talking dpi “filtering”?….how do isp’s dpi packets without dpi-ing packets?

  43. "GATOR" says:


    come out , come out where ever you are!, nathan’s question needs answering,

    he is concerned about your comment:

    “and also to condemn the beneficial monitoring and filtering which we do carry out to prevent abuses such as P2P”

    I’m a little confused:

    do isp violate ecpa/wiretapping laws when they p2p filter. are we talking level 7 filter?.

    what basis does a isp have to intercept any subscriber’s online commuincation, SINCE it is not in the normal course of their biz!…

    SINCE it’s not a virus, spyware, etc that would allow access to intecept the transmission, what justifys inteception.

    if you are pass level 1, provide me your authority,

    what is being done to the subscriber that is downloading p2p? was there notice provided?

    nathan wants to know!!!

    my teeth are showing!

  44. GATOR says:

    no one else want’s to jump in?

    1)isp’s want to stop p2p

    2)throttle down was secret plan,but no more,

    3) dmca defense won’t work

    4) risking ecpa wiretapping

    what’s gameplan now?

  45. I use the analogy of the policeman on the side of the road, scrutinizing the passing cars.

    Sub: Election tools for your state


    Your state is going to play a key role in the upcoming Presidential Election and our tools will help you in making registration to vote easy and obtaining an absentee ballot.

    Please check for more information

  46. Andrew Shaw says:

    This is getting silly.

    Point 1:

    If the US Post Office (a QuaNGO) were to allow a private company to station post-card readers (or envelope readers) in its mailrooms (or remunerate Post Office Employees, net of any contrary requirement from their employer) to read and store the contents (and store the addressee, the addressor, and an imputation of the subject of the communication), for the purposes of compiling dossiers on users of the communication service, and this were to be made public, we would expect the following:

    A. The PO would point out that non-encrypted public access to envelope and post-card information, while intended purely for routing purposes, is not in any way deemed private,

    B. The consumer would be told this was for his benefit,

    C. That controls were in place to prevent “abuses” — like P2P exchanges of copyrighted song lyrics, for example,

    D. That articles would be written condemning the practice and warning of its spread if not unchecked,

    E. The citizenry would be outraged by the “legalistic” justification it has commonly regarded as unthinkable and impermissible,

    F. The governmental representatives would be moved to action on behalf of angry voters in prohibiting the practice (inasmuch as angry voters vote, and nascent industries don’t fund campaigns),

    G. The situation would be precisely and exactly as it is now with respect to ISP’s claiming the right, the ethical justification, nay, the overarching personal and social benefit of snooping on their customer’s communications in order to sell the contents to 3rd parties (or even to amuse the bored 3rd-shift workers in the machine room).

    What’s the argument? It’s not hypothetical, it’s happening just as analogized. So to fault the analogy to defend the practice seems … foolish.

    And does Brett really inspect the “contents” of his user’s packets to prevent “abuses” like P2P?

    Maybe RIAA really /should/ station Lyrics Interdiction Agents in the Post Office.