Last week, we wrote about Charter’s decision to begin tracking its users internet activity and inserting targeted ads. One of our readers wrote in to let us know he discovered that Charter’s insecure opt-out solution—downloading a cookie that must be downloaded for each user and browser, and downloading it again whenever the cache is cleared—only blocks the ads from showing up; it doesn’t block Charter from monitoring users’ searches and web activity.
Reader Jesse writes (emphasis added):
I spent a long time last night looking into the way Charter is handling this program, and based on their own explanation it’s obvious that the cookie is not a “real” opt-out. Here’s why.
When a customer clicks a link, advertisement, or visits a page, Charter will capture the browsing data and send it to the third-party advertising provider. If Charter wanted to offer a functional opt-out, it would be at this deep-packet inspection level. The do not offer a way out of that service, however. The only thing they offer is the cookie-based solution you’ve previously covered, which merely tells the third-party organization not to match the machine with the DPI-harvested data or deliver the advertising. Customer browsing is still being captured and is still being turned over regardless of anyone’s individual opt-out status, but the third party is just blocked from doing anything with it by the cookie.
I might also point out that by doing this Charter is explicitly requesting that their customers choose not to follow safe browsing best practices. Every modern browser available today has an option for clearing cookies when the browser is closed, and many people choose to take advantage of this practice, myself included. Charter is either demanding that I and many others either fill out their form several dozen times per day (every time we open our browser) or specifically switch off browsing features intended to keep customers safe. Neither of these are acceptable, of course.
I am going to contact Charter’s executive team again this morning on the matter, as well as an attorney. I have not been notified of Charter’s changes through a letter or email, and learned about this program last night via other means. Having read through the Cable Privacy Act, which governs Charter’s use of personally identifiable information, I have discovered no fewer than three potential violations. Moreover, Charter is required by law to make any collected data available to its customers, so I would suggest that all Charter customers request their DPI browsing data on a daily basis, and file appropriate complaints when they fail to deliver it as required by law.
They’re not going to stop doing this until or unless they lose more money than they make on it. We have vehicles available to us to lose them vast sums of money on this project, if only the word gets out.
Subsection D of the Cable TV Privacy Act states, in part: “A cable subscriber shall be provided access to all personally identifiable information regarding that subscriber which is collected and maintained by a cable operator. Such information shall be made available to the subscriber at reasonable times and at a convenient place designated by such cable operator.” It’s debatable whether the data Charter is collecting is “personally identifiable information” under this statute, which excludes from the definition “any record of aggregate data which does not identify particular persons.” Maybe a subpoena would clear things up.