ISPs Look To Make Money With Mined Data

Computer security expert Joshua Wright says over the past five years or so, a lot of ground has been lost when it comes to online privacy. Wright tells Linda Wertheimer that Internet service providers, ISPs, are realizing there may be some new business opportunities with collected user information.

Copyright © 2010 NPR. For personal, noncommercial use only. See Terms of Use. For other uses, prior permission required.

RENEE MONTAGNE, host:

This is MORNING EDITION, from NPR News. I'm Renee Montagne.

LINDA WERTHEIMER, host:

And I'm Linda Wertheimer, in for Steve Inskeep.

If you have any concerns about online privacy, here are a few more things to worry about, including deep packet inspection. It's very similar to a wiretap. In fact, that's where it got started. Law enforcement could tap telephone lines, but because of technical issues, could not tap Internet communications. But the government is now using a law that requires Internet service providers - ISPs - to make it possible for law enforcement to carry out online surveillance.

Joshua Wright, a computer security analyst, says those same service providers then realized there might be some new business opportunities here.

Mr. JOSHUA WRIGHT (Senior Security Analyst, InGuardians): Some ISPs started thinking about this. And they said: Gee, we're providing this interface for law enforcement to use this information. Aren't there opportunities for us to use this information creatively, as well?

WERTHEIMER: And how would that work?

Mr. WRIGHT: An ISP is in a unique position to monitor all of the Internet activity from your computer. Where you might visit Amazon.com - and Amazon.com knows about the activity that you do when you're on their particular website, they don't necessarily have access to other websites that you browse, as well. But the ISP does have all that information. And so they're in a very powerful position to be able to collect and mine all of that data.

When you go to use Amazon, you are arguably opting in to that service. You're deciding to do business with Amazon. They provide targeted advertising to you to continue selling their products. And most people find that reasonable.

What we have with this deep packet inspection from ISPs is a different situation, where it's not opt in, and in some cases it's not even opt out. The ISP is collecting all of this information and using it to deliver targeted advertisements to you, but you don't have any influence to say I want to receive these or I do not want to receive these.

WERTHEIMER: You say that we don't opt in. The Internet service provider does it. What about the opting-out part? I mean, is there some way that you can go in and, you know, take a toothbrush to your hard drive and get all that stuff out of it?

Mr. WRIGHT: With deep packet inspection, it's not an analysis that's being stored on your computer, and there's nothing you can do to scrub it from the ISP's history. By virtue of being in the middle, between your computer and whatever destination website you're going to, the ISP is always in a position to collect that data.

WERTHEIMER: We've talked about the computer, the Internet service providers, but there are plenty of other places, aren't there, where we are sharing information about ourselves and maybe not really thinking about the implications of sharing that information - like, for example, when we watch television.

Mr. WRIGHT: Certainly. DVR technology, the digital video recorder from companies such as TiVo or directly from your cable provider. The provider knows what television shows we're recording, when we're watching those television shows, what commercials we skip, what commercials we watch. All of that information is now accessible. Now, when you're watching TV in the privacy of your home, it's no longer as private as it once was.

WERTHEIMER: What about cell phones, the music that we download, the pictures that we send to our parents, all that kind of thing?

Mr. WRIGHT: It's amazing, the amount of information. For example, if you take pictures with your cell phone, a lot of cell phones will embed your current latitude and longitude in that photograph. So if you upload that picture to a website such as Flickr or Facebook, somebody can retrieve that picture and then identify where you were when you took that picture. With a little additional information analysis - a Christmas party as mom's house, for example - we can build these kinds of relationship and informational trees based off all that content.

WERTHEIMER: How bad is it? How much should we worry about it?

Mr. WRIGHT: We have a significantly reduced expectation of privacy today than we did five years ago, 10 years ago. And if it continues in this pattern, I think that privacy will be dead, if it's not already. What concerns me is that once the privacy is gone, once all that information's being collected, it's immensely difficult to reverse the tides and try to collect it back.

WERTHEIMER: Joshua Wright is a senior security analyst for a computer security firm here in Washington. It's called InGuardians.

Copyright © 2010 NPR. All rights reserved. No quotes from the materials contained herein may be used in any media without attribution to NPR. This transcript is provided for personal, noncommercial use only, pursuant to our Terms of Use. Any other use requires NPR's prior permission. Visit our permissions page for further information.

NPR transcripts are created on a rush deadline by a contractor for NPR, and accuracy and availability may vary. This text may not be in its final form and may be updated or revised in the future. Please be aware that the authoritative record of NPR's programming is the audio.

Comments

 

Please keep your community civil. All comments must follow the NPR.org Community rules and terms of use, and will be moderated prior to posting. NPR reserves the right to use the comments we receive, in whole or in part, and to use the commenter's name and location, in any medium. See also the Terms of Use, Privacy Policy and Community FAQ.