Which ISPs Are Spying on You?

Found on Wired on Tuesday, 29 May 2007

Wired News, with help from some readers, attempted to get real answers from the largest United States-based ISPs about what information they gather on their customers' use of the internet, and how long they retain records like IP addresses, e-mail and real-time browsing activity. Most importantly, we asked what they require from law-enforcement agencies before coughing up the data, and whether they sell your data to marketers.

Only four of the eight largest ISPs responded to the 10-question survey, despite being contacted repeatedly over the course of two months. Some ISPs wouldn't talk to us, but gave answers to customers responding to a call for reader help on Wired's Threat Level blog.

AOL, AT&T, Cox and Qwest all responded to the survey, with a mix of timeliness and transparency.

But only Cox answered the question, "How long do you retain records of the IP addresses assigned to customers?"

Some of the most sensitive information sent across an ISP's network is the URLs of the websites that people visit. This so-called clickstream data includes every URL a customer visits, including URLs from search engines, which generally include the search term.

When asked if they allow marketers to see anonymized or partially anonymized clickstream data, AOL, AT&T and Cox said they did not, while Qwest gave a muddled answer and declined to answer a follow-up question. Comcast, EarthLink, Verizon and Time Warner didn't respond.

It should be illegal for an ISP to sniff the traffic of its users. Collecting the clickstream is basically wiretapping, which usually requires permission from a judge. Sharing this with marketers is highly questionable: imagine your phone company records your calls, erases your number (but not those you dialed) and gives them away. Furthermore, storing IP information already violates privacy laws in other countries.