by AstralStorm 2624 days ago
The ISP can easily build a reasonably reliable profile based just on packet size and timing. TLS and most VPNs do nothing to these.

If they actually wanted to. You could sure them under wiretapping laws if they did.

If you cannot trust your ISP, you cannot really have any privacy without truly extensive measures. Not even Tor is enough, it does not pad and change timing enough.

The real problem is cookies, requirement for email backed login and phone home downloads. (E.g. images such as social buttons, JavaScript. They can also leak cookies or make them live longer.)

The last one is combatted to an extent by mix networks like Tor, or better yet, by aggressively caching and/or predownloading.
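To make the packet-size point above concrete, here is an added illustration that is not part of this thread or any commenter's code. It uses constructed sample traces (hypothetical TLS record lengths for page loads, not captures of any real site) and shows two things: that a cheap per-connection size profile matches two loads of the same page despite encryption, and that padding every record to a fixed size plus a fixed record count removes that signal. Timing is deliberately not modelled, so the comment's caveat that padding must also reshape timing still applies.

```python
"""Added illustration: why record-size fingerprints survive TLS, and what
padding does about it. All traces below are constructed sample data."""
from collections import Counter
from math import ceil

# Constructed traces: TLS record payload lengths (bytes) seen by an on-path
# observer for three hypothetical page loads. "news_a" and "news_b" are two
# loads of the same hypothetical page; "shop" is a different one.
TRACES = {
    "news_a": [517, 1387, 1387, 1387, 420, 1387, 1387, 88, 1387, 1387, 256],
    "news_b": [517, 1387, 1387, 1387, 421, 1387, 1387, 90, 1387, 1387, 255],
    "shop": [517, 1387, 1387, 64, 1387, 1387, 1387, 1387, 1387, 512, 1387, 1387, 1387],
}

TLS_MAX_RECORD = 16384  # maximum TLS record plaintext length


def size_profile(trace):
    """Histogram of record lengths in 16-byte bins: the kind of cheap,
    content-free profile an observer could keep per connection."""
    return Counter(length // 16 for length in trace)


def similarity(p, q):
    """Overlap of two profiles: shared count mass / total count mass.
    0.0 means nothing in common, 1.0 means identical histograms."""
    shared = sum((p & q).values())  # Counter & = per-bin minimum
    total = sum((p | q).values())  # Counter | = per-bin maximum
    return shared / total if total else 1.0


def best_match(unknown, known):
    """Name of the known trace whose size profile is closest to `unknown`,
    plus the score table. Returns (name, scores)."""
    target = size_profile(unknown)
    scores = {name: similarity(target, size_profile(t)) for name, t in known.items()}
    return max(scores, key=scores.get), scores


def pad_trace(trace, bucket=1024, max_record=TLS_MAX_RECORD):
    """Mitigation 1: pad each record up to the next multiple of `bucket`,
    capped at the record limit. TLS 1.3 permits record padding; applying it
    explicitly here makes the effect visible in the profile."""
    return [min(ceil(length / bucket) * bucket, max_record) for length in trace]


def harden(trace, record=TLS_MAX_RECORD, target_count=16):
    """Mitigations 1 and 2 together: every record padded to the full record
    size and dummy records appended until the load has `target_count`
    records, so neither size nor count distinguishes the loads."""
    padded = pad_trace(trace, bucket=record, max_record=record)
    return padded + [record] * max(0, target_count - len(padded))


if __name__ == "__main__":
    known = {"news_a": TRACES["news_a"], "shop": TRACES["shop"]}
    print("raw:", best_match(TRACES["news_b"], known))
    padded = {k: pad_trace(v) for k, v in TRACES.items()}
    print("size-padded news_b vs shop:",
          similarity(size_profile(padded["news_b"]), size_profile(padded["shop"])))
    hardened = {k: harden(v) for k, v in TRACES.items()}
    print("hardened news_a vs shop:",
          similarity(size_profile(hardened["news_a"]), size_profile(hardened["shop"])))
```

The middle step is the instructive one: padding sizes into 1 KiB buckets makes the two loads of the same page identical, yet the shop load still stands out because it carries more records. Hiding that requires cover traffic to a fixed count (and, for the timing channel the comment mentions, a fixed schedule), which is the "truly extensive measures" cost the comment refers to.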


> You could sure them under wiretapping laws of they did.

I assume you meant "sue", but, no, that's not actually a guarantee, because companies can require that you "voluntarily" agree to mandatory arbitration in order to get any service at all.

Those clauses are illegal, much like indemnification by you of a big ISP. Even clauses of choice of law are very suspect.

Relying on such a clause to attempt to prevent a civil suit is stupidity, if only because people are not properly informed of what the clause meant, making it void. (I could quote a few cases. But I am not a lawyer. Microsoft and EULA comes to mind.)

And by EU law, they are completely null and void by just being illegal.

That said, most of those suits do not reach court by means of settlement, not arbitration.

> If they actually wanted to. You could sure them under wiretapping laws if they did.

Could you? I was under the impression that (in the US) the main difference between a phone line and an Internet connection is that former is legally protected against wiretapping and the latter not so much.

> You could sure them under wiretapping laws of they did.

Has this ever worked though? Cursory searching, I don't see or know of any examples of lawsuits that have actually succeeded on this front. And it's not like ISPs have never given consumers an opportunity before.[0]

[0]: https://www.cnet.com/news/verizon-draws-fire-for-monitoring-...

The cases are almost always settled for reasons I outlined in response to another thread. (Mostly related to peering and PR damage, which can kill an ISP.)

The app is a tiny blip on the radar waiting for the careless. (Read the darn contract, especially if you get a discount.)

You're not exactly boosting my confidence here.

The easy sniff-test for whether or not existing laws are enough to dissuade an ISP from building user profiles is to check to see if it was enough in the past to stop them from doing so.

Do we have any cases of where an ISP broke wiretapping laws and was punished severely enough in a settlement or trial that it either killed the ISP or forced them to restructure or rebrand?

If ISPs can pull off highly profitable abuses and get away with it by just settling when they're called out, that's no guarantee that they aren't going to do the same thing in the future. Verizon bragged that they broke wiretapping laws in 2012. How are they doing now? Still struggling to recover from that, I would expect?

Certainly not selling real-time location data to bounty hunters.

Identifying based on traffic analysis is easily feasible if they collude with advertisers, since they can then correlate traffic by timing. ("Which ISP can sell us subscriber data with TLS traffic to our ad at the same times that the ad was served with this visitor-id?")