Several years ago, a friend of mine was working for a large telco and his job was to detect which clients had the worst networking experience.
To do that, the telco had this Hadoop cluster, where it collected _tons_ of data from home users' routers, and his job was to use ML to tell the signal from the noise.
I remember seeing a sample CSV from this data, which contained _thousands_ of data fields (features) from each client.
I was _shocked_ by the amount of (meta)data they are able to pull from home routers. These even included your wifi network name _and_ password!
(it's been several years since then).
And home users are _completely_ unaware of this.
So my question to you folks is:
- What are the policy regulations on this? I don't remember the features (thousands) but I'm pretty sure you could do some profiling with it.
- Is anyone aware of any public discussion on this? I have never seen it.
It sounds like the kind of data you can retrieve through TR-069.
To be able to use it, you have to either log on to the router and set the TR-069 server, or push out the setting via DHCP, which means you need to have layer 2 access to the device. This limits the ability to apply/change the setting.
Yes, there is a scary amount of data you can collect, including the wifi name and password. You can also push out settings to the devices, which is the main purpose. If a customer calls up and says their wifi isn't working, you can reset the password for them and get them to try again rather than trying to talk them through how to do it themselves.
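A way to check what a router actually reports over TR-069, as an added example that is not part of the original thread: the sketch below parses a constructed, simplified CWMP `GetParameterValuesResponse` and lists which reported parameters carry credentials, network identity or household device details. The parameter names follow the Broadband Forum TR-098 data model; the values, the category labels and the `classify`/`audit` helpers are assumptions made for illustration.

```python
import re
import xml.etree.ElementTree as ET

P = "InternetGatewayDevice."
# Constructed, simplified sample (names follow TR-098; all values are made up).
PARAMS = [
    (P + "DeviceInfo.SoftwareVersion", "1.0.0-example"),
    (P + "LANDevice.1.WLANConfiguration.1.SSID", "ExampleHomeWiFi"),
    (P + "LANDevice.1.WLANConfiguration.1.KeyPassphrase", "constructed-passphrase"),
    (P + "LANDevice.1.Hosts.Host.1.HostName", "example-laptop"),
    (P + "LANDevice.1.Hosts.Host.1.MACAddress", "02:00:00:00:00:01"),
    (P + "ManagementServer.Password", ""),  # empty on read: nothing disclosed
]
SAMPLE_RESPONSE = (
    '<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" '
    'xmlns:cwmp="urn:dslforum-org:cwmp-1-0"><soap:Body>'
    "<cwmp:GetParameterValuesResponse><ParameterList>"
    + "".join(
        f"<ParameterValueStruct><Name>{n}</Name><Value>{v}</Value></ParameterValueStruct>"
        for n, v in PARAMS
    )
    + "</ParameterList></cwmp:GetParameterValuesResponse></soap:Body></soap:Envelope>"
)

# Hypothetical categories for this example, matched on the parameter name.
RULES = [
    ("credential", re.compile(r"\.(KeyPassphrase|PreSharedKey|WEPKey|Password)$")),
    ("network-identity", re.compile(r"\.(SSID|BSSID)$")),
    ("household-device", re.compile(r"\.Hosts\.Host\.\d+\.(MACAddress|HostName|IPAddress)$")),
]

def classify(name):
    """Return the first matching category label, or None."""
    for label, pattern in RULES:
        if pattern.search(name):
            return label
    return None

def audit(xml_text):
    """List (category, parameter name) for sensitive parameters with a non-empty value."""
    findings = []
    for struct in ET.fromstring(xml_text).iter("ParameterValueStruct"):
        name = (struct.findtext("Name") or "").strip()
        value = (struct.findtext("Value") or "").strip()
        label = classify(name)
        if label and value:  # values are deliberately not copied into the report
            findings.append((label, name))
    return findings

if __name__ == "__main__":
    for label, name in audit(SAMPLE_RESPONSE):
        print(f"{label:18} {name}")
```

The report keeps only parameter names, so the audit output can be shared without repeating the passphrase or host details it found.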
Consumers should have legal say in how or whether their data are harvested and also sold.
Ms. Lady Benjamin PD Cannon of Glencoe, ASCE
6x7 Networks & 6x7 Telecom, LLC
CEO lb@6by7.net
"The only fully end-to-end encrypted global telecommunications company in the world."
I’m surprised we’re having this discussion about an internet device that the customer is using to publicize all of their information on Facebook and Twitter. Consumers do not care enough about their privacy to the point where they are providing the information willingly.
Consumers should have legal say in how or whether their data are harvested and also sold.
Without disagreeing that privacy concerns in general are rapidly becoming extinct with generations…
Surely you are not suggesting that my friends-only Facebook profile is somehow publishing my WiFi SSID?
(For example)
Ms. Lady Benjamin PD Cannon of Glencoe, ASCE
6x7 Networks & 6x7 Telecom, LLC
CEO lb@6by7.net
"The only fully end-to-end encrypted global telecommunications company in the world."
So your theory is that just because YOU have Facebook and you're fine
sharing information (/don't care/whatever), that *I* have to suffer
that fate as well?
Perhaps you hadn't noticed, but there's a very active business in the
form of VPNs, DNS-over-HTTPS, and other privacy-enhancing technologies
that seem to indicate that people do have an interest in privacy and
limiting the amount of ISP monetization of their data that can go on.
Just because some people might be fine with their data being leaked
does not mean that everyone is fine with it.
Please keep in mind that TR-069 (which in all likelihood is how the data you remember was captured) provides
raw packet access to the customer side of the device.
Yes, this is a problem; yes, it’s certainly been/being abused.
Yes, the protocol is garbage and implementations are also garbage;
see the (at least one) Black Hat/DEF CON presentations about TR-069 problems.
And that's the point; with Facebook and Twitter they are giving up their data willingly (granted they often barely (or don't at all) comprehend the amount and type of data, but there is at least nominal consent).
With the routers, they have *zero* idea; even if the "consent" is buried in their terms to which they 'agreed', they have no idea.
I'm surprised we're having this discussion about an internet device that the customer is using to publicize all of their information on Facebook and Twitter.
That's called informed consent. And Facebook and Twitter use TLS to protect the data in transit.
Consumers do not care enough about their privacy to the point where they are providing the information willingly.
That's the point. The customer is providing information willingly when they post to social media. The ISP is collecting data without consent.
You don’t even have to use their equipment. My provider at home is Charter / Spectrum. I own my own cable modem / router; they have no equipment in my home. Their privacy policy is pretty standard.
Essentially:
Anything they can see that I transmit they will collect.
Anything they can see when I use their apps, even if I’m not on their network, they will collect.
They will use that information for their technical and business reasons, whatever they want.
I am very limited in what I can request that they don’t collect or use.
None of this is new in the US. I think more people care about this than we think, but people don’t really have an option to vote with their wallets.
That link is more reflective of the FCC circa 2011. More recent actions taken by the FCC under Pai weakened consumer protections for data collected by ISPs and were reflected in multiple news articles from 2017-2019.
Including this relatively recent article by the FTC. The same FTC tapped by the FCC as being the more responsible party for enforcing privacy protections for consumers. They are even saying that their privacy study showed very few protections for consumer data being harvested by ISPs, with few options to restrict its use.
I think that if the end user agreed to this data collection when signing the contract, and if there's a mechanism by which the same user can deny the data collection, it looks fine to me. That is compliant here in Brazil with the LGPD (our variant of the GDPR), and I think that users could see it as a "plus", because the majority of ISPs don't have a service that inspects the CPE's Wi-Fi quality.
Several years ago, a friend of mine was working for a large telco and his job was to detect which clients had the worst networking experience.
To do that, the telco had this Hadoop cluster, where it collected _tons_ of data from home users' routers, and his job was to use ML to tell the signal from the noise.
I remember seeing a sample CSV from this data, which contained _thousands_ of data fields (features) from each client.
I was _shocked_ by the amount of (meta)data they are able to pull from home routers. These even included your wifi network name _and_ password!
(it's been several years since then).
Creepy. And the provided CPE usually sucks too, what a deal...
I feel validated in preferring to use my own router at home.
And home users are _completely_ unaware of this.
So my question to you folks is:
- What are the policy regulations on this? I don't remember the features (thousands) but I'm pretty sure you could do some profiling with it.
For the policies probably this is a good place to start if you are interested in US legislation (you didn't specify any location), as it's not federally regulated from what I gather:
- Is anyone aware of any public discussion on this? I have never seen it.
I remember reading some discussion around ISPs selling browsing behavior data that they collect from their subscribers in the tech press during Pai's term as the head of the FCC. It was probably on Ars Technica or Techdirt.
Your statement seems to imply that if someone publicizes certain personal data on Facebook that they shouldn’t care about any other data being collected by any other entity, do I have that right?
While I agree that many consumers don’t place much value on their own data, resulting in them not particularly caring about that data, in my experience it often stems from ignorance of what can be done with that data (if they even know that the data is being collected in the first place). Once the implications of sharing specific data are known, my anecdata has shown that the average person will make some adjustments to their data-sharing habits. At the very least, an informed decision can be made.
However, when it comes to intricate technical data from their home routers being hoarded, we can’t really expect the average consumer to form an informed decision on the data being shared, can we? I don’t think the default should be “collect as much as we can because they probably won’t care” in the absence of an informed consumer.
Is your concern that ISPs have access to this information, or that it's something they could possibly be selling to a third party? Those are two completely different discussions.
Most end users (at least in the US) don't have a choice as many jurisdictions have sold a franchise (monopoly) to one provider. Either they sign or they don't get internet.
Perhaps 5G will broaden the number of providers end users can choose from, and not be forced into this kind of contract. But why do you think any ISP would agree to not collect this information?
Not sure why they are different; most ISPs are not a pure play and can use that data for other aspects of their business that you may not have agreed to (e.g. Verizon FiOS feeding to Verizon Wireless). Comcast/NBC, etc.