cross-posted from: https://covert.nexus/post/27235
The FTC released a staff report in 2021 analyzing the privacy practices of six major U.S. Internet Service Providers. The report found that these ISPs collect as much, if not more, data on their customers’ browsing habits than popular advertisers like Google and Facebook. Additionally, some of these ISPs either operate their own advertising businesses or sell the data to third parties, such as the NSA.
Observations
- Many ISPs in Our Study Amass Large Pools of Sensitive Consumer Data.
- Several ISPs in Our Study Gather and Use Data in Ways Consumers Do Not Expect and Could Cause Them Harm.
- Although Many ISPs in Our Study Purport to Offer Consumers Choices, These Choices are Often Illusory.
- Many ISPs in Our Study Can be At Least As Privacy-Intrusive as Large Advertising Platforms.
Oh how lovely…
Maybe I’m just not getting it, but if we’ve mostly transitioned to HTTPS and encrypted DNS… what exactly can the ISP learn other than the address they serve and MAC of your gateway? Is this report for those who use their ISP’s DNS?
With very little effort it would be possible to mitm all the customers and it would all be pointless. Look at what Facebook has recently done to steal user data. They have apparently been doing their attack for years.
I’m going to need a source on both those claims to better understand how they can happen.
For an ISP to mitm, they’d need to sign and send the website certs themselves, and that’d show up in most browsers as a big red flag.
As far as Facebook goes, I was sure that’s just JavaScript and tracking cookies that they’re paying websites to use. No mitm there.
Facebook internal documents from their current lawsuit discovery process. Facebook calls this project ghostbuster:
https://www.documentcloud.org/documents/24520332-merged-fb
https://mashable.com/article/facebook-snapchat-data-project-ghostbusters-mark-zuckerberg
Mental Outlaw briefly outlines how the mitm attack works without alerting the browser of bad certs:
https://www.youtube.com/watch?v=WkLvpxImRGw&t=30
Your ISP doing a mitm attack would be multi-step and unlikely, but not impossible. The most likely use case would probably be the involvement of the federal government or bad actors who have compromised a CA, which has happened in the past:
https://en.m.wikipedia.org/wiki/Kazakhstan_man-in-the-middle_attack
https://blog.mozilla.org/security/2015/03/23/revoking-trust-in-one-cnnic-intermediate-certificate/
https://security.googleblog.com/2015/09/improved-digital-certificate-security.html?m=1
For a malicious ISP to try to intercept traffic on its own, I imagine an attack like this would be used:
https://techgenix.com/understanding-man-in-the-middle-attacks-arp-part4/
This information, although not new, sheds light on the misconception prevalent even amongst industry professionals today that ISPs only retain customer usage data related to IP address assignment.
However, VPNs are exactly the same as ISPs, especially when it comes to actions forced by the government in the jurisdiction they are in.
Which is why good VPNs are hosted in countries with extremely high privacy laws. And some can even be bought and used without giving any personal info. And why most VPNs are RAM-only and literally can’t log any records.
But you knew this before you spouted off, right?