Anti-ISP Hysteria Turns Privacy Into a Scam

It takes three steps for the legitimate desire for private communications to be turned into a scam that tricks and exploits people. Here are those three steps.

1. Get politicians to passionately argue for their right to spy on people.

If governments invade people’s privacy then some will seek more secure methods of communicating. This then leads to an endless escalation, with each additional step drawing more attention to the government’s need to spy on you. Governments can give themselves the power to intercept every message, but then terrorists will turn to encrypted services like WhatsApp. Politicians can wail that encryption is “completely unacceptable” but unless they can change the rules of mathematics and how computers work they cannot prevent determined people from implementing new ways of securing their comms. I assume that Vladimir Putin employs people who encrypt his phone calls and secure his files, even if that never occurred to Angela Merkel and if Hillary Clinton’s colleagues only recently learned about phishing. In short, everybody is getting an education in the technical possibility that they are being spied upon, courtesy of politicians who say they must have the power to do it.

2. Spread the fear from the public sector to the private sector.

So far we just had governments spying on you and legitimately helping themselves to your data. But who sets the rules for when businesses may legitimately do the same? Governments make that decision too. So when Donald Trump wins an election you might expect a degree of worry about corporate entities being given new leeway to exploit data, and recently a fuss has occurred over the decision to let American ISPs use the data they gather about customers without asking explicit permission to use it. Or as the Electronic Frontier Foundation (EFF) put it:

Putting the interests of Internet providers over Internet users, Congress today voted to erase landmark broadband privacy protections.

According to the EFF, this will inevitably lead to a data armageddon.

…companies like Cox, Comcast, Time Warner, AT&T, and Verizon will have free rein to hijack your searches, sell your data, and hammer you with unwanted advertisements. Worst yet, consumers will now have to pay a privacy tax by relying on VPNs to safeguard their information. That is a poor substitute for legal protections.

…big Internet providers will be given new powers to harvest your personal information in extraordinarily creepy ways. They will watch your every action online and create highly personalized and sensitive profiles for the highest bidder.

Without a doubt Internet providers… will engage in egregious practices…

The EFF does some good work but they also tend to talk a lot of anti-capitalist bullshit. One good reason to doubt the egregious behavior of ISPs is that the rules being repealed by Congress were never put into effect. So if customers have not previously been ‘hammered with unwanted advertisements’ it is not clear why they will now get hammered just because nobody enforces a new rule that nobody has enforced before. Forbes helpfully explains the situation:

The rejected regulations were a radical departure from policies enforced by the Federal Trade Commission since the dawn of the commercial Internet.

They would have required ISPs — and only ISPs — to obtain affirmative consent or “opt-in” from every individual user before collecting and using information for any purpose, including the placement of contextual advertising.

Congress was right to disapprove them.

But just to be clear, the net impact on your privacy of this action, assuming President Trump approves the resolution, will be absolutely zero.

In part, that’s because the proposed rules never took effect. They would have applied only to ISPs, moreover, who currently do little advertising.

And if that is not sufficiently persuasive, Forbes illustrates that there are a couple of businesses that do all of the things that the EFF is complaining ISPs should never be allowed to do.

Even if the proposed rules had not been rejected, however, they would have had no effect on how data about your web browsing and other interactions with content providers are collected and used.

Instead, the proposed rules would have only limited efforts by ISPs to enter the market for Internet advertising.

That’s a market increasingly dominated by just two companies: Google and Facebook. As a new study from eMarketer noted earlier this month, Google now accounts for over 40% of the $83 billion digital ad market and nearly 80% of total US search ad revenues. Facebook, which dominates display ads, will earn $16 billion this year alone.

With the two incumbents firmly in control of Internet advertising, the FCC’s proposed barriers to entry for new entrants, like similar efforts to keep Uber, Lyft, Airbnb and other sharing economy services from competing with established transportation and hotel companies, made no economic sense.

So basically, the EFF is worried that the sky will fall on our heads if ISPs start doing what Google and Facebook do already. However, the problem with scaremongering is that it works. People can be frightened and upset even if they have nothing to fear. Net neutrality is a great example, with supposedly intelligent people arguing that net neutrality rules are vital to prevent censorship, even though none of the supposed ISP censors had actually censored anything before the introduction of net neutrality rules. On the contrary, ISPs were routinely criticized by politicians for not censoring enough. The same playbook is being used here, whipping up a public furore about the way Trump is letting greedy corporations abuse the data of ordinary people. And somewhere Google executives are sagely nodding their heads, approving of the public’s concerns, whilst they seek to keep their costs down by disguising the way they fund the net neutrality lobby.

3. Sell a bogus solution that pretends to protect privacy but exploits it instead.

People do not make good decisions when they are frightened into making them. So let us repeat the EFF’s advice for how to protect yourself:

…consumers will now have to pay a privacy tax by relying on VPNs to safeguard their information.

And how does the ordinary person know that a virtual private network (VPN) really is private? Just because a business says they offer a VPN service does not mean you can trust them. Or to put it another way, if your starting position is that ISPs are all run by greedy despicable capitalists who will do anything to make money, what leads you to think that VPN providers are run by saints and angels?

Cue the entry of MySafeVPN, a business whose very name is designed to reassure you that using their services will protect you from harm. Unfortunately, it turns out they are a bunch of scammers, trying to make money from all those people frightened into using a VPN. Motherboard’s Nicholas Deleon wrote about being emailed by MySafeVPN, even though there was no good reason for them to have his email address…

…it’s likely that MySafeVPN used the data from hacked message boards to contact current and former Plex and Boxee users.

When somebody tried to use the MySafeVPN service that they paid for, they found even worse:

Now, a member of the Plex message board who goes by the handle tiefel did, in fact, try to subscribe to MySafeVPN, handing over $24.99 via PayPal for a three-month subscription. But, as he later told me via email, he “started to suspect the validity of MySafeVPN” when he couldn’t find the actual VPN server to connect to. How about that? A company selling VPN service that doesn’t actually offer a VPN server to connect to. That’s some business model!

Conclusions

Let us engage in a sarcastic slow hand-clap for overreaching politicians, hysterical activists, and the lazy journalists who repeat their nonsense instead of challenging it. Will they take their share of the blame for every wasted dollar on a VPN service that the customer did not need, or which is run by an opportunistic conman? Nope. They will turn it into an argument for more of the things done by politicians, activists, and journalists. What was really needed here was some common sense, specifically that:

  • governments can undermine faith in privacy at least as easily as corporations do; and
  • ISPs should be treated as innocent until proven guilty.

It makes no sense for politicians to bleat about protecting privacy whilst they seek to encroach upon it. Even the most childish partisan acknowledges that bad people can pursue their goals by entering into government as well as by running businesses. Crude stereotypes about the holiness of government versus the sinfulness of the private sector will not withstand much scrutiny.

The same thinking applies to the people running ISPs. They may not be angels, but they are not devils either. If there really is a need for a rule to protect people from ISPs abusing their data, it would help to show some evidence first. Otherwise we end up with a lot of self-congratulatory scumbags frightening ill-informed members of the public, leading some of them to run headlong into the embrace of the first criminal who pretends to solve their problems.

Anyone who understands tech, comms and risks should recognize the consequences when irrational fear is used to motivate decision-making. The same psychological ploys are used by hackers, fraudsters and criminals. They manipulate fear to make people gullible. They say your hard drive is infested with viruses to persuade you to download their malware. They phone with warnings about suspicious transactions on your account, and then ask for your password. The emotion of fear does not lead to sensible risk management; it leads to bad decisions. The ISP-hating fearmongers take no responsibility for their actions, but they are as much to blame for the rise of privacy scammers as the criminals themselves.

Eric Priezkalns

Eric is a recognized expert on communications risk and assurance. He was Director of Risk Management for Qatar Telecom and has worked with Cable & Wireless, T‑Mobile, Sky, Worldcom and others.

Eric was lead author of Revenue Assurance: Expert Opinions for Communications Providers, published by CRC Press. He was a founding member of Qatar’s National Committee for Internet Safety and the first leader of the TM Forum’s Enterprise Risk Management team. Eric currently sits on the committee of the Risk & Assurance Group, and is an editorial advisor to Black Swan. He is a qualified chartered accountant, with degrees in information systems, and in mathematics and philosophy.

Commsrisk is edited by Eric.

  • akrittok

    I think that until we reach a point where basic technology education is part of the school curriculum we’ll always have that. Any subject touching privacy even from afar can be turned into a very profitable business, with a lot of traffic created artificially. I saw recently even a respectable magazine like the Register commenting on this and picking on a poor congressman who said that if people don’t like the new ISP permissions they should stop using the internet :)
    People just want to have fun I guess.