
Netflow data, DNS capture, enrichment of cell tower access data (location), reporting on non-usage (idle time, tracking), Bill and household information, credit account usage, etc. SPs are huge sellers in this market.

We still need to encrypt the accessed resource and DNS queries everywhere.

Even once that’s done, things like opencaching will be used by SPs to gather tons of data where they participate.



As a European it baffles me that this is normal in the USA. Why is this even legal? This should be PII.


Because our government is not really interested in protecting its citizens from abuse at the hands of corporations.

edit: you can see this clearly in the way they pay lip service to "breaking up big tech" (whether or not that's a good idea, this comment is not a statement of opinion on that subject) because it's politically sexy on both sides, while all these other, arguably more egregious abuses of consumer data are so far off the radar that most people probably aren't aware they're happening.


If the government showed an interest in abuse at the hands of corporations, it might start getting embarrassing questions about abuse at the hands of 3 letter agencies.


Who says it's not also happening in Europe?


If it is, the stakes are much higher since they have real penalties if they fail to disclose the practice or lose control of that data. Anyone in the EU can send them a request under the GDPR to learn what’s collected, so it’s much easier to get caught.


GDPR and the tradition of not allowing wire tapping / traffic mirroring without telling the subject (unless you are the government and have a warrant).


Wholesale data collection has become normalized in the US. For-profits, non-profits, it doesn't matter the industry, everyone is obsessed with capturing as much data as possible and believe it's just the standard way of business. No one outside of HN cares about PII or has an understanding of things like GDPR (it's just for the Europeans). Consumers are clueless or otherwise feel hopeless.


Just want to say for the sake of others reading that this comment is exaggerating + generalizing a bit.

Everyone is not obsessed with turning data into revenue. Most smaller tech companies (i.e. sub-billions in revenue) are not in the game of monetizing data. My feeling is the market exists mostly between very well established and very large companies (such as ISPs, advertising networks), but that same market doesn’t exist between newer / smaller companies that haven’t reached massive scale.

To anyone in the EU: is GDPR something that your non-technical friend will have heard of and knows what it is? Or is it similar to the US, where 75% of people probably haven’t heard of it or if they have, couldn’t say what the regulation does.


Everyone in the EU has heard of it, at least for the fact that everyone received a whole bunch of email that mentioned it on May 25th 2018. I'd say a lot of people know that "it's about privacy"; the actual understanding obviously varies.


No one heard about it, at least in Spain. My father asked me about it because he heard it on the news, but I'd say that 99% of my non-tech friends have no idea of what it is about. Anyway, I work for a large telco and they are very paranoid about liabilities involving data. It's a behemoth, so you wouldn't expect them to be this careful.

As far as I remember, they still sell some anonymized data (they had some demos on how to plan public transport with location data) and I'd bet they are not doing much with DNS data.


> To anyone in the EU: is GDPR something that your non-technical friend will have heard of and knows what it is? Or is it similar to the US, where 75% of people probably haven’t heard of it or if they have, couldn’t say what the regulation does.

Basically everyone who is in the EU needs to keep GDPR in mind. Especially if you are employed, then you need to keep GDPR in mind for the interests of your employer so that they are abiding by the law, and won't get fined. It is actually legal people who know GDPR very well; not so much tech people. In a lot of Dutch companies a "functionaris gegevensbescherming" (FG; data protection officer) is mandatory, who basically deals with PII, and has known about GDPR (AVG) ever since it was announced it was going to be active (2 years before it was active). The Dutch professional association for the data protection officer was founded in 2003 [1].

On top of that, it was widely covered in newspapers, daily news, etc. If you are in EU and you have not heard about it you are living under a rock, or you're not a working adult (nothing wrong with either).

[1] https://www.ngfg.nl


Anyone working in an office will have probably come in contact with GDPR. Blue collar workers probably not so much.

Maybe people will know it as the cause of cookie popup screens. But I'm also grossly over-estimating computer literacy among the general population so maybe not.


Anyone in the UK who does an office job has heard of GDPR. Most companies are having to update practices to comply with it. It's actually amazing how effective it's been at curbing the "let's just store everything" behaviour.


This is definitely happening in Europe. It's not like you get to opt-in to these things


What about 8.8.8.8?

I'm guessing we're just trusting Google here (and Cloudflare 1.1.1.1 who now also does 10gb free VPNs) + the good will of engineers with access to this information within Google.


I think google is evil. But I know AT&T is.


Big G is driven by money like any other company, but they lose more money if they don't employ top security practices and prevent others from getting their data. ATT's main business isn't selling the data, it's selling the pipes that carry data, so security on their data lakes is probably less of a priority.


> ATT's main business isn't selling the data, it's selling the pipes that carry data

... and I'm sure their shareholders are pressing them to forego the greater revenue from subscriber data so they can keep their dividend cheques comfortably small.


With the SPs, all you have to do is look at ANYTHING security related around their business and observe what shambles it is.

The last time I looked, the csrf token issued by the homepage of one of the big three mobile carriers was "undefined."


This. I know from experience how terrible a company they are with customer service, but there is that little arrangement with the NSA called PRISM...


i suspect they somehow throttle this traffic -- i used to use 1.1.1.1 for a while and had to repeatedly switch out b/c my dns resolution times would be terrible after a while


If you are not using gmail and google search, and are using adblockers, Google shouldn’t really have any information on your IP, so it is anonymised data. Your ISP knows even your bank details.

But the limit of using Google DNS (or even encrypted DNS) is that most commercial websites aren’t sharing IP addresses, so I bet the ISP can pretty much reconstruct the data it would get from DNS with very little effort just by looking at your IP traffic and mapping IP addresses to domains from other users' DNS queries.
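Added example, not part of the comment above: a small Python sketch that measures how much destination information remains visible when DNS is encrypted, by joining destination IPs against an IP-to-domain index built from other plaintext lookups. All domains, addresses and function names are constructed for illustration (documentation address ranges and `.example` names).

```python
from collections import defaultdict

# Constructed sample: (domain, answer IP) pairs visible in plaintext DNS
# answers from subscribers who do not use encrypted DNS.
OBSERVED_ANSWERS = [
    ("bank.example", "198.51.100.10"),
    ("news.example", "198.51.100.20"),
    ("blog-a.example", "203.0.113.5"),  # shared hosting / CDN address
    ("blog-b.example", "203.0.113.5"),
    ("shop.example", "203.0.113.5"),
]

# Constructed sample: destination IPs from flow records of a subscriber
# whose own DNS queries are encrypted (no query names available).
FLOWS = ["198.51.100.10", "203.0.113.5", "198.51.100.20", "192.0.2.77"]


def build_ip_index(answers):
    """Map each answer IP to the set of domains seen resolving to it."""
    index = defaultdict(set)
    for domain, ip in answers:
        index[ip].add(domain)
    return index


def classify_flows(flows, index):
    """Label each destination IP as unique, ambiguous or unknown."""
    result = {}
    for ip in flows:
        candidates = sorted(index.get(ip, ()))
        if len(candidates) == 1:
            label = "unique"      # dedicated IP: domain fully recoverable
        elif candidates:
            label = "ambiguous"   # shared IP: only a candidate set leaks
        else:
            label = "unknown"     # never seen in any plaintext answer
        result[ip] = (label, candidates)
    return result


def exposure_ratio(classified):
    """Fraction of destinations whose domain leaks despite encrypted DNS."""
    if not classified:
        return 0.0
    unique = sum(1 for label, _ in classified.values() if label == "unique")
    return unique / len(classified)


if __name__ == "__main__":
    classified = classify_flows(FLOWS, build_ip_index(OBSERVED_ANSWERS))
    for ip, (label, names) in classified.items():
        print(f"{ip:15} {label:9} {names}")
    print("exposure ratio:", exposure_ratio(classified))
```

Only destinations on shared addresses stay ambiguous, which is why encrypted DNS alone does not hide browsing from the network operator.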


> Your ISP knows even your bank details.

Google was buying MasterCard records: https://www.bloomberg.com/news/articles/2018-08-30/google-an...


And they can use that if they know your identity, like if you provided them a phone number.

But I don't believe they can't do much from an IP alone. Unless the ISP starts ratting us out.


Theoretically, yes. For that to work, you also need everything on your network to never have encountered a google cookie, adwords, Android, Chrome, YouTube, Maps, Google DNS servers, any of various "smart" devices, etc. And hope those Google Global Cache servers living at your ISP are trustworthy.


"starts"

2001.


If you use 8.8.8.8 unencrypted, then both your ISP and Google know your query. With DoH only Google will know. But often Google can figure it out even without DNS data.


You don't need to just blindly trust, there are ToS and privacy statements. My TL;DR is that Google doesn't use logs outside of service health (eg vs DDoS).



So what pays for this service?


I don't know. I think not everything a large company does necessarily immediately pays for itself. Also, Google overall benefits when people use the web more.


Nothing or Google depending on how you want to think about it. Google needed this service for themselves, as the default fallback DNS for their devices, their domain registrar, for GCP and it made sense to just let the public use it too for some good PR.



