Bitwise

Privacy Is Becoming a Premium Service

AT&T wants customers to pay the company not to spy on them. And it’s not an outlier.

att spying.
Beware the all-seeing cable giants.

Photo illustration by Derreck Johnson. Photos by Purestock, iStock.

Big Cable is watching you.

Cable companies have some of the worst customer service reputations around, one of the reasons why the net neutrality cause got so much support in a mostly laissez-faire age. Undaunted by the recent Federal Communications Commission decision to reclassify them as Title II utilities, which restricts their ability to make content providers pay to play for faster traffic speeds, cable companies are looking into more insidious ways to profit from owning the Internet’s pipes. Take a recent move by AT&T: spying on its customers. It’s just the latest installment of the consumer data mining sweepstakes, in which corporations are rushing to profile consumers in ways that would make the National Security Agency blush.

We’re accustomed to the nickel-and-dime service charges that get tacked on to our cable bills, like irritating rental fees for modems. (Buy your own—seriously.) Obscure combo deals and expiring discounts make it difficult to tell if you’ve actually signed up for the cheapest price. But AT&T’s fiber Gigapower service has a new optional charge. It doesn’t give you anything, except privacy. A Feb. 18 report in the New York Times by Natasha Singer described the “AT&T Internet Preferences” program, through which AT&T will target advertising to you based on your Internet activity: “You let us use your individual Web browsing information, like the search terms you enter and the [W]eb pages you visit, to tailor ads and offers to your interests,” an AT&T press release reads. To get a package without advertising costs at least $29 more per month, the company says, but Gigaom’s Stacey Higginbotham found that it is more likely to be somewhere in the range of $44 to $66. That’s up to 50 percent more to get the level of privacy one would expect from, well, an average Internet plan. With Internet service providers looking to make back as much money as possible on their expensive investments in high-speed fiber networks, AT&T’s two-tiered privacy plan may augur an increasingly privacy-free future.

AT&T promises it won’t sell information on your complete Web-browsing habits, but that’s a bit of an empty claim. AT&T collects this information, shares it with advertising providers, and then profits off of the advertising revenue generated by the personalized ads. (AT&T says the ads may come through your browser, by email, or possibly via Web-TV offerings.) There is no direct exchange of information for cash, but that’s not the concern. The concern is that your data becomes promiscuous, leaking out of AT&T into various third-party databases of consumer information. This data may not contain your Social Security number or credit card information, but as I’ve chronicled, even seemingly innocuous information like your ZIP code or your movie purchases can very easily deanonymize you.

How AT&T obtains your information is even more interesting. The company spies on you using deep packet inspection, which means it basically sniffs all the traffic that goes across its network. (“AT&T Internet Preferences works independently of your browser’s privacy settings regarding cookies, do-not-track and private browsing,” AT&T’s website reassures you.) DPI is popular among the governments of China, Iran, and other countries that monitor the Internet activity of their residents. Using DPI, AT&T sees everything you do on the Web, crunches the data to build a profile on you, and uses that profile, most likely in conjunction with third-party ad-broker services, to serve you ads customized to your particular demographic and interests. Your online purchases, the news stories you click on, the medical information you look up, the porn you watch—unless a website uses Secure Sockets Layer certificates (as most banking and email providers do), AT&T will see what you’re doing, whether you’re on a laptop or an iPad or a phone. The monitoring is entirely invisible. We’re used to thinking of ISPs as mail carriers, delivering packets to and from our computers; now they’re opening the packets to see what they can learn about us.

ISPs are uniquely positioned to obtain your data because no other entity sees all of your Internet traffic. Even large advertising providers like Google or Facebook can only track you across sites on which they have cookies, and even then, intelligent use of privacy settings and browser extensions can restrict the data that advertisers can collate on you. This isn’t true with AT&T Internet Preferences. It sees everything, and there is no way to stop it short of using an encrypted virtual private network for all your Internet traffic—which in all likelihood would slow down your connection well below fiber speeds, defeating the point of Gigapower.

I wouldn’t touch Gigapower with a 10-foot Internet cable. Even with the expensive opt-out package, “AT&T may collect and use web browsing information for other purposes,” according to its website. It just won’t use your information to sell ads. But with the infrastructure to profile users, why not collect information anyway and save it for a rainy day? Storage is cheap, and you never know when a mountain of information on your customers might become useful.

AT&T’s behavior is not an outlier. As Joseph Turow chronicled in his book The Daily You, we increasingly live in a world in which our own personal data subsidizes our purchases and the services we use. Programs like Facebook’s now-defunct Beacon, which monitored users’ browsing activities all over the Web, have increasingly become the norm, with shadowy companies like Acxiom amassing profiles on hundreds of millions of consumers. Such profiling extends beyond entities like Acxiom, Facebook, and Google to computer manufacturers, which load their cheapest laptops with tons of bloatware in order to raise their lean margins—disastrously so, in the case of Lenovo and Superfish.

AT&T’s behavior is disturbing in its commercialization of one of the most sensitive portions of the network, the last leg in which all the traffic going to a single residence can be grouped together and analyzed. Like the Lenovo incident showed us, AT&T’s move suggests we’re entering an increasingly stratified tech world in which privacy will only be available at a premium cost—and even then, perhaps only partially. If we don’t want privacy to only exist for those technically savvy enough to get on VPNs and encrypt all their traffic, consumers and governments both need to make their voices heard. In 2009 after a public outcry and a class-action lawsuit, Facebook shut down Beacon (though it’s gone on to achieve many of the project’s goals through subtler means). AT&T needs to hear that message too.