User-tracking systems rare but not unprecedented

Programs like AT&T’s Internet Preferences are not unprecedented. Charter, a cable company, planned to implement a similar tracking and advertising system in 2008, but decided not to after facing criticism. A rural provider called CMA Communications apparently inserted ads onto Apple.com and other websites a couple of years ago.

Comcast has been serving Comcast ads to devices connected to its public Wi-Fi hotspots, but not on its home Internet service. Comcast does deliver targeted ads based on viewing history to its TV subscribers.

Verizon Wireless customers' browsing is tracked by an online advertising clearinghouse that "tak[es] advantage of a hidden undeletable number that Verizon uses to monitor customers' habits on their smartphones and tablets," ProPublica reported in January. Verizon later agreed to let customers opt out of the tracking. Verizon also has a "Verizon Selects" service that delivers personalized marketing in exchange for "Smart Rewards" points that can be turned in for prizes. The program is opt-in and there is no fee to avoid joining.

Although AT&T has gone further than its biggest competitors, any Internet provider could track its customers’ browsing and use the information to make money on advertising.

“Internet service providers provide Internet connection to end users, and the natural consequence is that it is possible to monitor the network traffic over those channels. In this light, any ISP is capable of performing such analyses,” Olejnik told Ars.

“If you're an engineer you know that every ISP has every scrap of data of everything coming in,” White said. “They have to manage their networks, they have to on the DNS side, they have to on the attack side, on peering, all of that. It's really not a question of ‘do we have your data,’ it's which groups in house are going to be able to see that.”

Olejnik described in detail what kinds of information Internet service providers could collect about their users:

According to the information on their website, AT&T will be analyzing the websites accessed by users—the websites, frequency of visits, time spent on them. Web browsing history conveys rich information about the users' preferences. Methods exist to analyze this data and extract various insight about users and their interests—the content they like. It may be, for example, possible to infer the user's age, gender, even incomes or racial profile, just based on Web browsing history. Consequently, this allows the profiling of users and it can be typically leveraged to target the user with specific advertising content.

Similar [profiling] is also possible in the traditional model of Web advertising. However, [an] ISP is in a privileged position due to the potential of controlling virtually all network activities of its users. In particular, ISPs have perfect user identification and tracking capabilities; it is straight-forward to associate a particular network traffic with specific real users.

Moreover, AT&T mentions the possibility of analyzing data "like search terms." Web browsing histories, and in particular search terms, may reveal the users' interests in specific topics, such as medical information. Consequently, by the analysis of user browsing patterns, as well as the typed search terms it may also be possible to infer medical conditions. In these scenarios, users would be advised to use search engines over secured connections (HTTPS).

Obviously, Internet Service Providers already may possess some information about their subscribers, for example their names, ages, and genders. But they may not have this information relating to the other household members. Since Web browsing histories carry detailed insight, it may be possible to create other versatile analyses. Perhaps it would be possible to distinguish between the particular household residents, since Web browsing patterns can be attributed to particular people.

Research shows that Web use patterns of men and women may differ in some circumstances. But this difference can also be attributed to the psychological traits of users, e.g. introverted people may access different websites than extroverted ones. The datasets of users' Web use patterns may certainly offer a lot of possibilities in these regards.

It’s all seamless

The “U-verse with AT&T GigaPower” fiber service is available in Austin, Texas; Dallas-Fort Worth; Kansas City; Raleigh and Winston-Salem, North Carolina; and could be coming to dozens more cities. The Internet Preferences data collection program does not apply to AT&T’s slower home Internet services, such as DSL and fiber-to-the-node, or its wireless network, although AT&T could extend Internet Preferences to those networks if it wants to.

AT&T customers probably won’t notice any differences between service with Internet Preferences and without. “If AT&T hadn't announced this, you wouldn't even necessarily know that they were doing this sort of deep packet inspection,” Gillula said.

AT&T told Ars that targeted ads shouldn’t appear any differently from regular ads. “Customers will not necessarily receive more ads when online, instead the ads received may be more suited to his/her interests,” AT&T said.

AT&T said it isn't replacing ads on non-AT&T websites with its own—that means AT&T isn't hijacking ad requests and redirecting the requests to its own servers. Instead, AT&T works with publishers to book advertising space on websites like any other ad network would, a company spokesperson told Ars. AT&T also said the program uses "ad network placements."

AT&T runs its own ad network for TV ads called "AdWorks." The online advertising portion of the AT&T ad network was reportedly shut down in 2013, but it apparently still exists in some form. Whether AT&T is using AdWorks or purchasing ads for Internet Preferences through a third-party ad network, the company should be able to place its ads without having to resort to JavaScript injection or other means.

Just as Internet Preferences ads probably won't look out of place in your browser, running a traceroute isn't likely to reveal that your traffic is being routed to AT&T’s analysis system. “It's possible they've set it up so you could actually see that you're being routed through AT&T's boxes first, but it's also entirely technically feasible that they set it up so it's completely transparent and there's no way for you to tell,” Gillula said.

Subscribing to a VPN (virtual private network) service would encrypt your traffic before it hits AT&T’s servers, preventing the ISP from analyzing it. VPNs can degrade Internet performance because they cause traffic to also travel through the VPN provider’s servers, and you have to decide whether you trust the VPN provider more than you trust AT&T. But some Internet users may think a VPN worth the expense.

“One possibility is you sign up for AT&T’s $30 discount and then you sign up for a $5-a-month VPN, and you say, ‘Screw you, AT&T,’” Gillula said.

White says AT&T hasn’t provided enough detail for experts to determine whether it’s really protecting customers’ privacy.

“We're down to a fairly limited number of ISPs in the US anyway, and there's not been a good track record of those large providers like Comcast and AT&T, so I think a lot of the skepticism is warranted, and I think a lot of the burden is on them to show that they are honoring their privacy policies,” White said. “Some of us think the idea of monetizing ad profiles for consumer ISPs is just unfathomable in the first place… but if there is a tier where they claim there are privacy enhancements and [it's] less invasive, the security community and privacy community are going to be looking very closely at those claims to make sure they're as stated.”

We asked AT&T’s spokesperson if the company is willing to let its system be examined by privacy experts but did not receive an answer.

If you care about privacy and cost, it's a difficult choice

Consumers can complain to the Federal Trade Commission (FTC) about privacy violations, but AT&T’s Internet Preferences doesn’t appear to be facing any challenges. When contacted about AT&T’s Internet Preferences, an FTC spokesperson said the commission’s policy is “not to comment on companies’ practices unless it’s part of a lawsuit or report.”

The FTC’s role in investigating Internet service providers could be coming to an end because of the Federal Communications Commission decision last month to reclassify broadband as a common carrier service. Common carriers are exempt from FTC jurisdiction, but the FTC says it can pursue violations that occurred before the reclassification, and the FCC’s new Open Internet Order paves the way for new privacy obligations to be imposed on broadband providers.

An FCC spokesperson declined comment on AT&T’s Internet Preferences but noted that the Open Internet regulations require the rates and terms of all plans to be disclosed. The FCC will also impose privacy requirements under Section 222 of the Communications Act, but the FCC has not yet written broadband-specific privacy rules. The existing privacy rules are geared toward telephone service.

For now, AT&T customers who value their privacy will continue to face a tough decision.

"For that price, I'd want proof that AT&T is no longer technically capable of tracking users who opt out," Ars forum member kdemmello1980 wrote. "Otherwise, it's bullshit, and all users of U-verse need to start using a VPN for everything."