UPDATE: Charter Will Track Your Internet Activity Regardless Of Whether You Opt Out

Last week, we wrote about Charter’s decision to begin tracking its users’ internet activity and inserting targeted ads. One of our readers wrote in to let us know he discovered that Charter’s insecure opt-out solution—a cookie that must be downloaded for each user and browser, and downloaded again whenever the cache is cleared—only blocks the ads from showing up; it doesn’t block Charter from monitoring users’ searches and web activity.

Reader Jesse writes (emphasis added):

I spent a long time last night looking into the way Charter is handling this program, and based on their own explanation it’s obvious that the cookie is not a “real” opt-out. Here’s why.

When a customer clicks a link, advertisement, or visits a page, Charter will capture the browsing data and send it to the third-party advertising provider. If Charter wanted to offer a functional opt-out, it would be at this deep-packet inspection level. They do not offer a way out of that service, however. The only thing they offer is the cookie-based solution you’ve previously covered, which merely tells the third-party organization not to match the machine with the DPI-harvested data or deliver the advertising. Customer browsing is still being captured and is still being turned over regardless of anyone’s individual opt-out status, but the third party is just blocked from doing anything with it by the cookie.

I might also point out that by doing this Charter is explicitly requesting that their customers choose not to follow safe browsing best practices. Every modern browser available today has an option for clearing cookies when the browser is closed, and many people choose to take advantage of this practice, myself included. Charter is demanding that I and many others either fill out their form several dozen times per day (every time we open our browser) or specifically switch off browsing features intended to keep customers safe. Neither of these is acceptable, of course.

I am going to contact Charter’s executive team again this morning on the matter, as well as an attorney. I have not been notified of Charter’s changes through a letter or email, and learned about this program last night via other means. Having read through the Cable Privacy Act, which governs Charter’s use of personally identifiable information, I have discovered no fewer than three potential violations. Moreover, Charter is required by law to make any collected data available to its customers, so I would suggest that all Charter customers request their DPI browsing data on a daily basis, and file appropriate complaints when they fail to deliver it as required by law.

They’re not going to stop doing this until or unless they lose more money than they make on it. We have vehicles available to us to lose them vast sums of money on this project, if only the word gets out.

Subsection D of the Cable TV Privacy Act states, in part: “A cable subscriber shall be provided access to all personally identifiable information regarding that subscriber which is collected and maintained by a cable operator. Such information shall be made available to the subscriber at reasonable times and at a convenient place designated by such cable operator.” It’s debatable whether the data Charter is collecting is “personally identifiable information” under this statute, which excludes from the definition “any record of aggregate data which does not identify particular persons.” Maybe a subpoena would clear things up.

Cable TV Privacy Act, 47 USC § 551 [Cornell Law]

Comments

  1. dragonfire81 says:

    This does not sound at all legal to me. I’m pretty sure you can’t monitor someone like this if they specifically request not to be. Charter users should start talking to lawyers about this.

  2. zentec says:

    It gets worse. While Charter does not provide any personal information related to the “one way hash” that’s assigned to each customer, that doesn’t mean that other parties are not going to put the personal information they have on you with the Nebuad identifier.

    The second you indicate interest in an ad by asking for more information or buy something and follow the trail of advertising to storefront to checkout, you can believe that your “one way hash” provided by Nebuad will be correlated to the information you just provided. From there, they know who you are, and they will never let it go.

    I’m sure Nebuad’s CEO has a prepared statement about how this won’t happen. I have every reason to believe that it will happen, because online marketers want so badly to know who it is viewing their ads right down to their underwear size. And they see absolutely nothing wrong with that.

  3. SulekhJaffe says:

    This is the same sort of thing that is happening in the UK with a company
    called Phorm. A group of concerned users and techies have started something
    of a backlash against Phorm, arguing that Phorm’s “product” breaks data
    protection and European Privacy laws. Already Phorm has been dumped by
    newspaper The Guardian with a scathing rejection about how Phorm didn’t fit
    with their business ethics.

    Major ISP BT has been forced to admit that it tested Phorm’s product without
    users’ consent on at least two occasions, in breach of legislation in the eyes
    of a number of commentators. BT are expected to test Phorm again imminently
    while Carphone Warehouse have said it will be opt-in only on a network basis.

    Virgin Media are the third ISP to express an interest in Phorm and have
    endured a barrage of criticism for their silence on the issue. Recently they
    issued a press release which contradicted some of Phorm’s claims: they have
    not agreed to implement Phorm; there is no foregone conclusion it will be
    implemented; VM will assess the impact on its reputation of their association
    with Phorm before reaching a decision.

    There’s video footage of a public meeting about Phorm at http://tobymeres.net
    where Phorm’s legal status is questioned. Phorm have repeatedly failed to
    show the legal advice they claim to have received stating their “product” is
    legal.

    Cookie based opt-out is flawed. Only network based opt-out – where data goes
    nowhere near the third party systems – is the real deal.

    Jamie Dowling
    Wolverhampton, England

  4. Jaysyn was banned for: http://consumerist.com/5032912/the-subprime-meltdown-will-be-nothing-compared-to-the-prime-meltdown#c7042646 says:

    No problem, they’ll just get Dubya to make this retroactively legal. Problem solved.

  5. @Jaysyn: How about retroactively mandatory?

  6. scoosdad says:

    I have not been notified of Charter’s changes through a letter or email, and learned about this program last night via other means.

    Reader Jesse has not been notified of this, most likely due to the fact that Charter is only rolling this out now in four limited markets. He might not have gotten a letter because they may not be planning to do it to him {yet}. I’m in one of the four affected markets, and I’ve seen the ‘four market’ info mentioned in many of the online articles about this.

    To add insult to injury, the cookie that is set, expires one year after it is set. So even if this was a valid means of opting out, it expires without warning anyway in one year.

  7. Hanke says:

    Hey, if I wanted my internet access with advertising, I’d stick with a free or low-cost provider that I KNOW will serve me ads; if I am paying for a connection with my cable company, I am PAYING for the access, and I don’t want ads. It’s like buying a car from GM and being told that I can only use Exxon gas.

  8. gqcarrick says:

    I am so glad there isn’t Charter as an ISP around my neighborhood.

  9. stan0614 says:

    [www.mvps.org]

    I ALWAYS download and use this HOST file on my PCs.
    Blocks malware, adware, spyware and bad sites in general.

    FREE and customizable.

    Have someone with a bit of computer knowledge to help you install.

  10. howie_in_az says:

    @dragonfire81: One could probably successfully argue that the data is not personally identifiable as Charter could not say whether the person behind the IP address was in fact you. Check the RIAA -vs- * arguments for more info on this (an IP address does not a person make) in addition to the AOL search records. Good for the RIAA -vs- * lawsuits, bad in this case as Charter wouldn’t have to turn over any acquired data.

    I’m sure that with enough public outcry Charter would abandon their Total Information Awareness ‘enhancement’, but can people be bothered to actually write letters and make a fuss over it?

  11. howie_in_az says:

    @stan0614: Hay that’s great, but when your ISP is inspecting your packets as they come in and go out and performing things upstream from your PeeCee, all the malware blockers in the world aren’t going to help.

  12. Concerned_Citizen says:

    The very nature of being able to target your browser with ads based on your own previously collected data means it is being logged with an identifier that is linked to your Charter account, which is linked to your current IP address. Even if the third party does not have full access to the system that links the random identifiers to usernames/IP addresses, they clearly can query it automatically to gain current IP addresses. And an IP address coupled with the current time is all you need to identify anyone. Then of course if this tracked info includes URLs or page content, it most certainly contains identifiable information from such activities as googling your home address, or online usernames with real information in their profiles. But in the end if you do something illegal online this system makes it easy to locate you and will contain all the evidence to convict you.

  13. QuantumRiff says:

    The thing that scares me the most is that Charter’s privacy policy says they will turn over information to law enforcement, or through a court order (like a lawsuit subpoena). Even if the data is “anonymized” it can point you out, as AOL learned a year or two ago, when it released a few gigabytes of search data that was “anonymized” to help people develop search algorithms, and many of the people were figured out within a day.

    Quite honestly, it feels like illegal search and seizure, since they are basically wiretapping my internet connection, and that will be available to others. (I don’t pirate movies or music, but still don’t want the RIAA to go through my info!)

  14. rellog says:

    This program is no different than warrantless wiretapping, and should be illegal. I guess next, phone companies will start listening “only for key words…” to sell us products before our call connects.

  15. Shadowman615 says:

    If you use the free and popular CCleaner utility to clean out your browser cache and cookies, you will have the option to keep some of your cookies every time you clean. Many other third-party browser cleaning utilities also offer this. Just set it to keep the opt-out cookie and always use that to clean your browser cache instead of the browser itself.

  16. amyschiff says:

    @howie_in_az: I love the kitty lime avatar.. I use it on my work IM screenname!

  17. racermd says:

    If you must (or cannot use anything but) Comcast, there’s a simple way to prevent all this nonsense: Firefox with Adblock Plus and NoScript.

    Comcast can still watch packets going in and out of your modem, but you’re preventing the ads and other nastiness from getting through.

    Adblock Plus uses a blacklist/whitelist filter (and is maintained constantly) to prevent the bulk of ads from reaching you. It displays a flag on the space where an ad was removed so you can still enable it on a case-by-case basis. You also have the option of adding your own URLs to the whitelist/blacklist.

    NoScript simply prevents ‘active’ content from being displayed. It works via a whitelist-only method and is sparsely populated upon install (Google and the site for NoScript are in it by default). However, it’s pretty easy to enable an entire domain or subdomain on a temporary or permanent basis. Since Flash can be caught by NoScript (again, it’s configurable), it can be pretty stringent. However, you can unblock single elements without unblocking everything else on a page.

    This is the exact setup I use and I’ll never go back to wide-open browsing again. It’s only a part of my safe browsing habits, but it’s a very good start.

  18. racermd says:

    Whoops…. Read “Charter” in place of “Comcast”, though it would certainly apply no matter who you’re going through for internet.

  19. blackmage439 says:

    Wide Open West just implemented a freakishly similar policy at the same time. “Targeted advertising” with flawed keep-the-cookie opt-out mechanism. No more pr0n for me…

  20. rockstarjoe says:

    Wow, this is really an awful program. I think something like this would force me to cancel my internet subscription, and I am addicted to the internet!

  21. Trai_Dep says:

    Simple rule of thumb: if they collect data, others will read it. Divorce proceedings, hackers, “law” enforcement authorities, record labels or whoever pays a few nickels to Charter.
    What could possibly go wrong? …Yeah.

  22. Anks329 says:

    I’m thinking it’s becoming more and more important that everyone use some sort of encrypted tunnels when connecting to the internet.

  23. howie_in_az says:

    Sounds like ssh tunneling to squid proxies will be all the rage with Charter customers.

  24. neuman1812 says:

    Ah crap..all I have is Charter and Verizon to choose from for access. So I get Charter to scan my internet..or Verizon and their customer service crap…

  25. kyle4 says:

    If it continues there could be a class action lawsuit involved. It is, as other posters said, the equivalent of wiretapping your internet. It’s a scary thought.

  26. joellevand says:

    Thank goodness we don’t have Charter in this area, or I’d be looking at dial up again. Ick. :(

  27. vastrightwing says:

    Maybe you can never opt-out, but you can make their data mining useless by adding lots of noise. Just get a web-bot crawler and let it crawl all over the internet at night when you’re asleep. It will consume lots of bandwidth and confuse the data mining algorithms. The company buying the statistics will realize after a few months that the data is no good to them and they will stop. It will help protect you since finding any relevant data about your surfing habits will be impossible.

  28. cyberscribe says:

    Lots of negative media publicity really is the best way of dealing with this sort of thing.

    Also, the internet community itself has always shown itself to be devilishly ingenious when it comes to quickly developing new and better ways to defeat such unwanted snooping.

  29. in2insight says:

    Perhaps an article from the editors /gurus on how to prevent Charter from getting our information?
    I have OpenDNS already. Is that enough?

  30. SpenceMan01 says:

    Charter customers will NOT receive notification of changes to the privacy policy. From Charter’s HSI Privacy Rights:

    [www.charter.com]
    “We may modify this privacy statement at any time. A revised privacy statement will be posted at http://www.charter.com. If you find the changes unacceptable, you have the right to cancel service. If you continue to use the service following the posting of a revised privacy statement, we will consider that to be your acceptance of and express consent to the changes.”

  31. scoosdad says:

    @SpenceMan01:

    Charter customers will NOT receive notification of changes to the privacy policy.

    I’m in one of the four affected Charter markets, and I have the letter right here. It’s definitely a written notice that was specifically addressed to me as a subscriber for legal means, that describes what they’re doing, and how to opt-out if you desire. I’d call that notification, though the whole process sucks bigtime and, as many have pointed out, is flawed.

    The full letter is reproduced here:

    [www.dslreports.com]

  32. First, I’m writing to WOW and demanding that they have a conversation with me about this (and my lawyer, if necessary).

    Second, I’m going off to read “Little Brother” again…

  33. TangDrinker says:

    Congress is investigating – Markey, chairman of House subcom on Telecom sent a letter to Charter.

    [markey.house.gov]