(Image courtesy of: Rick Snapp)

CenturyLink customers in Utah were rudely interrupted earlier this month by an ad for CenturyLink’s pricey security and content filtering software that left their internet access disabled until they acknowledged reading the ad.

Dear Utah Customer,

Your internet security and experience is important to us at CenturyLink.

The Utah Department of Commerce, Division of Consumer Protection requires CenturyLink to inform you of filtering software available to you. This software can be used to block material that may be deemed harmful to minors.

CenturyLink’s @Ease product is available here and provides the availability of such software.

As a result of the forced ad, all internet activity stopped working until a customer opened a browser session to first discover the notification, then clear it by hitting the “OK” button at the bottom of the screen. This irritated customers who use the internet for more than just web browsing.

One customer told Ars Technica he was watching his Fire TV when streaming suddenly stopped. After failed attempts at troubleshooting, the customer checked his web browser and discovered the notification message. After clicking “OK,” his service resumed.

A CenturyLink spokesperson told KSL News, “As a result of the new law, all CenturyLink high-speed internet customers in Utah must acknowledge a pop-up notice, which provides information about the availability of filtering software, in order to access the internet.”

In fact, according to a detailed report by Ars Technica, CenturyLink falsely claimed that the forced advertisement was required by Utah state law, when in fact the company would be in full compliance simply by notifying such software was available “in a conspicuous manner.”

CenturyLink chose to turn the Utah law to their profitable advantage by exclusively promoting its own product — @Ease, a costly ISP-branded version of Norton Security. CenturyLink recommended customers choose its Advanced package, which costs $14.95 a month. But parental filtering and content blocking tools are not even mentioned on the product comparison page, leaving customers flummoxed about which option to choose.

In effect, CenturyLink captured an audience and held their internet connection hostage — an advantage most advertisers can only dream about. CenturyLink countered that only residential customers had their usage restricted, and that because of the gravity of the situation, extraordinary notification methods were required.

But as Ars points out, no other ISP in the state went to this extreme level (and used it as an opportunity to make more money with self-interested software pitches).

Bill sponsor Sen. Todd Weiler (R), said ISPs were in compliance simply by putting a notice on a monthly bill or sending an e-mail message to customers about the software. Weiler added that ISPs had all of 2018 to comply and most had already done so. AT&T, for example, included the required notice in a monthly bill statement. CenturyLink waited until the last few weeks of the year, and used it as an opportunity to upsell customers to expensive security solutions most do not need.

With the demise of net neutrality, ISPs that were forbidden to block or throttle content for financial gain are now doing so, with a motivation to make even more money from their customers.

Just had @CenturyLink block my internet and then inject this page into my browser (dns spoofing I think) to advertise their paid filtering software to me. Clicking OK on the notice then restored my internet… this is NOT okay! pic.twitter.com/NtCZUeJF8I

— Rich Snapp (@Snapwich) December 9, 2018

Expect a notice similar to this in a future cable or telephone company bill.

Cable and phone companies will now need your permission before they can market sensitive private information about you to third parties.

In a 3-2 decision (Democrats in favor, Republicans opposed), the Federal Communications Commission today issued new rules that will limit how providers collect and share information about your location, the websites you visit, and the subjects you are interested in based on your online travels. Broadband providers will have to get explicit approval from their customers before they can trade or sell information they have gathered. Providers will still be able to sell your name and address to advertisers, as long as they offer a provision allowing customers to opt-out of shared marketing.

The FCC’s decision has major implications for providers’ future revenue from lucrative targeted advertising. For that reason, and others, providers were angered by the new restrictions, particularly because they don’t apply to content providers like Google, which was largely built on revenue from targeted web advertising. Consumers can avoid using Google and its services, but they cannot avoid their broadband provider, which may be why the FCC targeted the privacy measures on those selling broadband instead of those pushing web content.

Wheeler

“It is the consumer’s information. How it is to be used should be the consumers’ choice, not the choice of some corporate algorithm,” said FCC chairman Thomas Wheeler.

The two Republicans on the Commission immediately attacked the privacy protections as unnecessary, echoing the sentiments of the cable and phone companies.

Commissioner Michael O’Reilly warned broadband providers could still buy the information they would have collected themselves, and as a result, prices will rise for consumers. Commissioner Ajit Pai accused the Democrats on the Commission of “corporate favoritism” towards Google.

Here are the full details about the new privacy policies:

The rules separate the use and sharing of information into three categories and include clear guidance for both ISPs and customers about the transparency, choice and security requirements for customers’ personal information:

• Opt-in: ISPs are required to obtain affirmative “opt-in” consent from consumers to use and share sensitive information. The rules specify categories of information that are considered sensitive, which include precise geo-location, financial information, health information, children’s information, social security numbers, web browsing history, app usage history and the content of communications.
• Opt-out: ISPs would be allowed to use and share non-sensitive information unless a customer “opts-out.” All other individually identifiable customer information – for example, email address or service tier information – would be considered non-sensitive and the use and sharing of that information would be subject to opt-out consent, consistent with consumer expectations.
• Exceptions to consent requirements: Customer consent is inferred for certain purposes specified in the statute, including the provision of broadband service or billing and collection. For the use of this information, no additional customer consent is required beyond the creation of the customer-ISP relationship.

In addition, the rules include:

• Transparency requirements that require ISPs to provide customers with clear, conspicuous and persistent notice about the information they collect, how it may be used and with whom it may be shared, as well as how customers can change their privacy preferences;
• A requirement that broadband providers engage in reasonable data security practices and guidelines on steps ISPs should consider taking, such as implementing relevant industry best practices, providing appropriate oversight of security practices, implementing robust customer authentication tools, and proper disposal of data consistent with FTC best practices and the Consumer Privacy Bill of Rights.
• Common-sense data breach notification requirements to encourage ISPs to protect the confidentiality of customer data, and to give consumers and law enforcement notice of failures to protect such information.

Comcast has strongly denied reports it threatened customers with service termination for using the Tor anonymous web browser, designed to obscure a web user’s identity or location.

Over the weekend, Deep.Dot.Web reported that Comcast agents were contacting customers using the Tor web browser and warned them their Internet access was in peril if they continued using the anonymous browsing software, claiming it was against Comcast’s acceptable use policy.

Allegedly, Comcast representatives “Jeremy” and “Kelly” claimed Tor was “an illegal service” and demanded the customers reveal the web sites they were attempting to reach using the browser.

The representative identified as “Kelly” claimed:

“Users who try to use anonymity, or cover themselves up on the Internet, are usually doing things that aren’t so-to-speak legal. We have the right to terminate, fine, or suspend your account at anytime due to you violating the rules. Do you have any other questions? Thank you for contacting Comcast, have a great day.”

The Tor browser was designed to protect the identity of its privacy-minded users from nosy government agencies and law enforcement elements, but has also been used to hide illegal activities ranging from child pornography and drug dealing to murder-for-hire and espionage-related activities. But the majority of the estimated four million Tor users rely on the browser primarily to help them overcome Internet censorship blocks or geographic restrictions on online video content.

Tor directs each user’s Internet traffic through a free, worldwide, volunteer network of more than five thousand relays to hide a user’s location and usage from anyone conducting network surveillance or traffic analysis. Technically, users who volunteer to run a relay may be in violation of Comcast’s acceptable use policy, which states (in part):

[Customers may not] use or run dedicated, stand-alone equipment or servers from the Premises that provide network content or any other services to anyone outside of your Premises local area network (“PremisesLAN”), also commonly referred to as public services or servers. Examples of prohibited equipment and servers include, but are not limited to, email, web hosting, file sharing, and proxy services and servers.

But whether the messages reported by Deep.Dot.Web were simply the result of an overeager support employee or actual company policy is now in dispute.

Comcast emphatically denied the customer contacts reported by Deep.Dot.Web ever took place and claimed Comcast has no restrictions on customers using the Tor browser.

“The anecdotal chat room evidence provided is not consistent with our agents’ messages and is not accurate,” said Comcast’s Charlie Douglas. “Per our own internal review, we have found no evidence that these conversations took place, nor do we employ a Security Assurance team member named Kelly. Comcast doesn’t monitor users’ browser software or web surfing, and has no program addressing the Tor browser. Customers are free to use their XFINITY Internet service to visit any website or use it however they wish.”

A company blog post this morning broadened the company’s denials:

Comcast is not asking customers to stop using Tor, or any other browser for that matter. We have no policy against Tor, or any other browser or software. Customers are free to use their Xfinity Internet service to visit any website, use any app, and so forth.

Here are the facts:

• Comcast doesn’t monitor our customer’s browser software, web surfing or online history.
• The anecdotal chat room evidence described in these reports is not accurate.
• We respect customer privacy and security and only investigate and disclose certain information about a customer’s account with a valid court order or other appropriate legal process, just like other ISPs. More information about these policies can be found in our Transparency Report here.
• We do not terminate customers for violating the Copyright Alert System (aka “six strikes”), which is a non-punitive, educational and voluntary copyright program. Read more here.

AT&T has got your number.

AT&T wants to know what you are doing on the Internet.

If you agree to share your browsing history and view targeted contextual advertising from AT&T and its partners, the company will give you a monthly discount off the price of its new GigaPower gigabit fiber network.

Now launching in Austin, AT&T GigaPower charges $99 a month for 300Mbps standard service (speeds will be raised to 1,000Mbps in 2014 at no extra cost — equipment, installation and activation fees are extra). But customers can knock $30 off the monthly price and skip the new customer fees by enrolling in AT&T’s new “Premier” package, which runs $70 a month.

GigaOm discovered some interesting language in AT&T’s fine print about its Premier service: “[The discount] is available with your agreement to participate in AT&T Internet Preferences. AT&T may use your Web browsing information, like the search terms you enter and the Web pages you visit, to provide you relevant offers and ads tailored to your interests.”

Exactly how AT&T intends to implement its contextual advertising program remains largely a mystery. Google includes contextual ads in its Gmail service, its search engine results, and in online advertising from participants in Google’s AdWords program. AT&T lacks an advertising platform as large as Google or Microsoft’s Bing, so questions are being raised about how exactly AT&T will be able to find enough places to present online ads.

GigaOm suspects AT&T might use deep packet inspection to monitor customers’ web traffic to collect browsing information for contextual ads. Others suspect AT&T will replace certain existing third-party ads found on independent websites with its own advertising. Either is likely to bring the company scrutiny, both from Internet Privacy advocates and website owners that find their advertising replaced by ads from AT&T and its partners.

AT&T’s response to GigaOm left a number of questions unanswered:

We use various methods to collect web browsing information, and we are currently reviewing the methods we may use for the Internet Preferences program. Whichever method is used, we will not collect information from secure (https) or otherwise encrypted sites, such as online banking or when a credit card is used to buy something online on a secure site. And we won’t sell your personal information to anyone, for any reason.

[…] We won’t sell your personal information. Rather, AT&T may use your personal information to direct another advertiser’s ad to you, but that advertiser would never have access to your Personal Information. For example, after you browse hotels in Miami, you may be offered discounts for rental cars, but that rental company doesn’t know who you are.

AT&T is experimenting with consumer acceptance of discounting service in return for giving up some privacy. It says it is giving customers the choice to opt out by signing up for the more expensive “standard” service.

U-verse television service is also available to customers of both packages for an extra $50 a month. Telephone service adds another $30 a month.

AT&T has started rolling out its GigaPower service in the French Place, Mueller, Zilker, and Onion Creek neighborhoods and will select future places to expand based on interest registered by local residents on AT&T’s GigaPower website.

“We’ve already received great input from thousands of Austinites eager for the fastest speeds,” said Dahna Hull, general manager of Austin’s AT&T Services, Inc. “These votes are helping us identify where the need for speed and advanced TV services is the greatest and will help guide our future GigaPower expansion plans.”

[flv]http://www.phillipdampier.com/video/KXAN Austin Internet speed race in Austin is on 12-11-13.mp4[/flv]

Options for super high-speed Internet are heating up in Austin as AT&T introduces AT&T U-verse with GigaPower this week. KXAN reports the service will initially launch with 300Mbps service in a handful of neighborhoods, but upgrade to 1,000Mbps speeds in more locations next year. (2:30)

Verizon Wireless: You are being watched.

Would it bother you if the advertiser on that big billboard you just drove past could find out if you later visited that business in response? Should a store like Best Buy or Sears be able to know if you are only using their showrooms to see a product you will eventually buy online? Should your phone company be able to store your complete travel history for years and then create new products and services to pitch aggregated travel observations to anyone willing to pay?

Verizon Wireless does not think you will have a problem with any of this, because it has quietly begun selling this information through its Precision Market Insights (PMI) service.

AT&T is likely not too far behind with a similar service of its own, potentially earning millions from a comprehensive data trove tracking customer locations, travel history, and web browsing habits for an undetermined length of time.

The Wall Street Journal reports shareholder demand for higher profits is pushing cell phone companies to find new revenue streams, even at the potential risk of alienating customers and privacy advocates.

PMI clients may find out more about you than you realize, even though phone companies promise they will not sell personally identifiable information about their customers.

The Phoenix Suns are PMI clients, and by tracking game attendees, Verizon Wireless was able to tell the sports team:

• 22% of game attendees are from out-of-town;
• Most spectators had children at home, ranged in age from 25-54 and earned more than $50,000 a year;
• 13% of baseball spring training attendees in the Phoenix area also went to Suns games;
• Area fast food restaurants running Suns promotions saw an 8.4% uptick in business from Verizon Wireless customers.

Such information can let the sports team target advertisers and offer evidence-based statistics that any campaign will increase sales, and by how much. Malls can use PMI to find certain types of customers that have a history of lingering in mall stores. Billboard owners can see if their ad messages resulted in higher in-store visits.

Customers using a phone under a commercial or government account are exempt from the tracking program. All residential customers are automatically opted in to take part, unless they specifically opt out.

Privacy advocates are concerned carriers are storing personal customer usage data for an undetermined amount of time, and in a form that could be personally identifiable, even if the provider decides not to sell data with that granularity to third parties. That could make cell phone companies prime targets for government/law enforcement subpoenas.

Last year, Verizon sent a notice to customers opting them in to the program unless they specifically opted out. Stop the Cap! covered the story back then, helping customers wishing to opt out.

[flv width=”504″ height=”300″]http://www.phillipdampier.com/video/WSJ Cell Companies Track Customers 5-22-13.flv[/flv]

The Wall Street Journal reports wireless carriers were at first slow to sell data on their customers’ usage habits, but not anymore. Shareholders want new sources of revenue, and wireless companies are packaging and selling customer information to get it.  (2 minutes)