March 06, 2008

UK ISPs to Spy on Google Users (and Others)

Greetings. Given the CCTV surveillance fetish in the UK these days, it seems somehow sickly appropriate that British ISPs are in the forefront when it comes to spying on the content of their subscribers' Web browsing -- and it appears that Google users are in the bull's-eye.

Most of the related media attention so far has revolved around the manner in which the three largest UK ISPs have gone to bed with Phorm, toward the goal of monetizing Web browsing habits of subscribers and providing targeted ads.

Of course, there's a lot "soothing" promotional blather on the BT site claiming that the data collected regarding the sites that you visit is quickly deleted or anonymized. And while officially the ISPs claim that they haven't made a decision about opt-out vs. opt-in, the current British Telecom limited deployment (they call the "service" Webwise and promote it as mainly an anti-phishing system) appears to be opt-out (requiring either maintaining a special cookie in your browser or blocking all cookies from a particular site).

Third-party tracking of the Web sites that you visit is bad enough, but Webwise (and presumably the other incarnations of the Phorm system) go one big step farther -- they actually spy on your Web content and extract for their own use the search terms that you enter into search engines:

We [Webwise] use the website address, keywords and search terms from the page viewed to match a category or area of interest (e.g., travel or finance).

Given that the vast majority of searches these days are conducted with Google, it's obvious that this ISP-based system will be attempting to monetize the vast number of search transactions between users and Google, in a technical manner that seems eerily similar to wiretapping.

This is unbelievably intrusive and unacceptable, except perhaps on a fully-informed opt-in basis. When I use a search engine -- let's say Google -- I am expressing an implicit belief that my search data will not be abused or misused by Google. I have made no such determinations regarding any use in any manner of this search query data by ISPs or their partners.

I'm communicating with Google. Period. I don't care if the ISPs claim that the data is quickly discarded, or anonymized so well that it looks like an iPhone that's been put through a blender, nobody but Google and I have any rights to those search terms!

And we all know that search keywords can be very sensitive. Names, addresses, social security numbers (sloppy, but people do it), searches for new words to be used for domains or product names -- all manner of personally and commercially sensitive information can be found in search query data.

Anyone who tried this stunt on such a basis with physical mail or phone calls they'd probably land in prison. But ISPs are increasingly pushing the envelope in terms of spying on and even altering subscriber Web traffic. This latest example is utterly beyond the pale, and it's hard to see how such abusive behavior can continue to pass legal muster indefinitely.

If subscribers wish to opt-in to such systems with a full understanding of what's involved -- well, I wouldn't recommend it but that's their choice. However, if these systems are fully deployed in a manner that requires subscribers to opt-out to avoid having their communications with Google and other search engines being intercepted, then I foresee some very angry subscribers, and a particular search services giant who will likely be anything but amused.


Posted by Lauren at March 6, 2008 12:07 PM | Permalink
Twitter: @laurenweinstein
Google+: Lauren Weinstein