Comment by josho
1 month ago
The solution here shouldn't be technical; it should be legal.
If we rely on the technical path, Comcast can achieve the same by how many active IPv6 addresses are in use. Even if you aren't using your phone, the device is going to be constantly pinging services like email, and your ISP can use that to piece together how many people are at home.
If we rely on legal protection, then not only Comcast, but all ISPs will be prohibited from spying on their customers. Ideally the legislation would be more broad and stop other forms of commercial/government surveillance, but I can't imagine a world where Congress could actually achieve something that widely helpful for regular citizens.
We suffer from a problem that engineers want nothing to do with politics. I 1000% agree we need a digital bill of rights. It pains me every time a “well behaved” website pops up a cookie consent banner for the billionth time after I already consented because the browser wiped all the persistent user identifiers available to it. For my protection -_-
I want privacy codified in human law. I didn't vote for standards bodies to pave the road to hell by removing every goddamned persistent handle we can find from existence. I didn't vote for the EU to reinvent an internet worse than popup ads by attacking the symptoms not the cause. I would rather have the internet of the 2000s back in a heartbeat than keep putting up with shitty “technical solutions” to corporations having too much power at scale. I don’t care if people break the law: prosecute them when they do and make the punishments enough to deter future law breakers.
There is absolutely something civilized beyond a lawless advertising wild west where the technical solution is to all be masked Zorros.
Why is it that if someone said “we need a legal solution to gun violence” the people that say “no we need a technical solution all people should wear kevlar and carry 9mm pistols” are considered the lunatics but when we ask for a legal solution to rampant non-consensual tracking for the purpose of indoctrinating the consumer class with propaganda we all laugh and say bah the solution must be technical? I don’t get it.
> I want privacy codified in human law
Article 12
No one shall be subjected to arbitrary interference with his privacy, family, home or correspondence, nor to attacks upon his honour and reputation. Everyone has the right to the protection of the law against such interference or attacks
- Paris, 1948, Universal Declaration of Human Rights
Which says nothing about a business profiling customers that walk through the door and selling its profiles to aggregators. It says nothing about requiring consent before soliciting individuals or subjecting them to psychologically manipulative advertisements. Etc. We need more.
2 replies →
That's a declaration, which is not binding. The ECHR art. 8 has similar contents and is binding. However, it has a 'unless we really want to'-portion:
"except such as is in accordance with the law and is necessary in a democratic society in the interests of national security, public safety or the economic well-being of the country, for the prevention of disorder or crime, for the protection of health or morals, or for the protection of the rights and freedoms of others."
Currently 'the West' happens to be doing its best to quash international law, so I'd expect even that thin veneer to crumble rather soon.
if there are no consequences to violating a law is it a law?
1 reply →
> It pains me every time a “well behaved” website pops up a cookie consent banner for the billionth time after I already consented because the browser wiped all the persistent user identifiers available to it.
Do yourself a favor and enable the Cookie lists in uBlock Origin.
I'm personally grateful that a law requires my consent before tracking me. That means I should not be tracked without me saying OK without monetary risks.
> Do yourself a favor and enable the Cookie lists in uBlock Origin.
Could you elaborate on this please? I'm sifting through the options and not sure what I'm looking for (disclaimer: I have never once opened the uBlock Origin settings menu in all the years I've used it).
4 replies →
Setting a language preference cookie is not tracking and I will die on that hill. The law requires consent before using a cookie to store even a mundane option that was just directly modified by a user. Collecting a crash report is not tracking a user. Even first party product analytics is not tracking a user.
Tracking a user across domains using a 3rd party aggregator to serve add and do attribution is the evil. And the EPD far overshoots the mark of specifically addressing that evil.
22 replies →
>>We suffer from a problem that engineers want nothing to do with politics.
More on point, we suffer from a problem that far too many people of all walks of life want nothing to do with politics.
Plato made the most accurate point 2300 years ago: "The penalty for not being involved in politics is you will be ruled by your inferiors."
And, even though you may not be interested in politics, politics is ALWAYS interested in you.
It should be noted that Mein Kampf's first three chapters are pretty much a call for the common citizen to start becoming more interested - if not involved - in his local politics. I am of the opinion that this is the reason that the book was banned. The antisemitism in the book is far more restrained than I was expecting. But the call to hold politicians accountable to the people - that was a surprise.
1 reply →
The reason is our government and regulators are captured by business concerns which profit from our data. The government in turn views mass surveillance as a powerful tool for social control. Although there are many more people whose privacy is violated by these policies than benefit from them, the rich and powerful minority is more organized in its efforts and thus comes out ahead in the balance of power.
> the rich and powerful minority is more organized
They show up. I've worked on privacy legislation at the state and local level. Barely anybody calls or writes in support. That means barely anybody would turn up to a contested primary election over it, or donate to a challenger, or organise the foregoing en masse. Contrast that with bread-and-butter or activist issues, where it's immediately clear there is political capital at the very least on the board.
21 replies →
> It pains me every time a “well behaved” website pops up a cookie consent banner for the billionth time after I already consented because the browser wiped all the persistent user identifiers available to it. For my protection -_-
https://www.i-dont-care-about-cookies.eu/
Yep, you're right on the money. The correct course of action is for those of use who recognize this to cease arguing on the Internet with those who don't and connect with one another offline. We're in dire need of something akin to a 21st century Continental Congress.
"engineers want nothing to do with politics". Do you mean Comcast engineers see this as a purely technical challenge without caring about implications? In general we are seeing more engineers taking positions on a variety of political issues.
While I agree that we should have legal codes protecting our online and digital rights, I’m convinced that there are enough Bad People on the Internet that we do indeed still need strong technical protections as well.
I’ve been asked at work to build less than savory stuff, here are some general observations, none of which are admittedly an excuse:
* you get caught up in the moment, hell bent on solving the problem you don’t really think twice
* you don’t want to get that stink on you, you don’t want to be that guy that brings this type of stuff up
* you are mindful of the fact that you are being very well compensated to build it and you don’t want to lose your job
* you know it’s going to fall on deaf ears - maybe they will pay lip service, maybe they won’t but either way nothing will happen
* in the back of your mind you figure someone else is fighting the good fight
On and on, so many different things can go through your mind, who knows which it’ll be on any given day, on any given project
And sometimes, you don't even know what the feature will even be used for.
Today it's an automatic subtitle generator for people with hearing difficulties. Tomorrow it'll be an AI training data generator. In a year, the NSA will re-purpose it into a mass surveillance tool.
3 replies →
This is all true, and I suppose I participated in a signed update mechanism that I knew the (corporate) end user probably wasn't going to be given the keys to. But, I think there's a difference between this and deliberately going to work on a system that's clearly just top-down designed for something low.
For example, I don't think there's anyone in the (large!) fixed-odds betting terminal industry that can honestly say their work is a good thing for the end users.
What law would you propose? I think the hard part is "Instagram and TikTok remain free-with-ads."
Good riddance to everything supported by ads.
I genuinely wonder if people would wind up spending less money if they had to pay for services than if they get exposed to ads that lead them to buy more things. But either way, once ads and "free with ads" are gone, there's much more room for other competitors.
2 replies →
Would ads still be worth enough if they were targeted based on things like what you watch/read/follow/subscribe to on that platform and your general location?
Or can instagram only be free if ads are targeted to detailed profiles of individuals built over decades as they are tracked across the whole internet?
2 replies →
The problem is that the internet is international and laws are national or even by state.
There are 24 states that require ID to view porn sites. The laws are being completely ignored by popular websites that are not based in the US.
Yep. And plenty of US sites ignore international laws about slandering Mohammad, and so on.
I’m not sure the lack of a global hegemony is a “problem”.
1 reply →
> The problem is that the internet is international and laws are national or even by state
How is the this a problem for ISPs coöperating with law enforcement?
> We suffer from a problem that engineers want nothing to do with politics.
It's not even politics, it's simple ethics.
Why would you need a user identifier to block a consent banner? You don't technically. The website requires it because it is a shitty website.
It would be enough to have your browser store a cookie without personal information with { cookieconsent: "STFU" } or some variable in local storage. If the website respected that, we would be fine.
Personal identifiers are not needed and foul compromises aren't acceptable.
I think I’m kind of on your side in general, but I have more of the opposite feeling about legal versus technical solutions. If we had no idiotic EU cookie laws, no “consent” bs required, a technical solution would be easy: default segmentation of cookies by what site you are actually visiting, plus all non-first-party ones silently expired after 60 minutes or whatever. It seems like this would be very easy, except for the fact that the number one ad network is also the only browser vendor that matters.
But the attempted legal solutions suffer from being inside the sandbox, meaning all the “cookie management” software is a pile of hacks that barely work, and rely on browsers, as you’ve noticed, to allow their cookies in the service of…limiting cookies. And of course they also suffer from the politicians who wrote them having no clue how any of this works. I suspect if they did, they’d see how dumb it is to regulate that 10,000,000 websites each implement a ton of logic to self-limit their cookies they set (hard to police, buggy) instead of telling 2-3 companies they have to make their browsers have more conservative defaults with how they keep and send cookies back. (easy to prove it’s working with testing).
> If we had no idiotic EU cookie laws
The obnoxious cookie banners are not required by "idiotic EU cookie laws".
> a technical solution would be easy: default segmentation of cookies by what site you are actually visiting, plus all non-first-party ones silently expired after 60 minutes or whatever.
1. This was already implemented
2. Tracking isn't limited to cookies only
> except for the fact that the number one ad network is also the only browser vendor that matters.
Oh, so an "easy" solution isn't easy after all. Who would've thought.
> And of course they also suffer from the politicians who wrote them having no clue how any of this works.
But you do? Like how you only speak about cookies when tracking and user data isn't limited to cookies? Or how "stupid EU cookie law" doesn't even talk about cookies (if we're talking about GDPR)?
Usually the people who really have no clue are exactly the people who say that "there's an easy technical solution".
2 replies →
What law do you think mandates those annoying cookie popups?
It would be nice if you could argue, “well, just be a good site and don’t use marketing cookies”, but the ePrivacy Directive requires consent for performance and preference cookies too. Perhaps a liberal reading arguably allows classification of certain statistics and preferences functions to be strictly necessary, like “I wouldn’t provide this service without crash reporting because I’d go insane so it’s strictly necessary”, but most lawyers would be ill before advising as much.
https://gdpr.eu/cookies/
10 replies →
> Why is it that if someone said “we need a legal solution to gun violence” the people that say “no we need a technical solution all people should wear kevlar and carry 9mm pistols” are considered the lunatics but when we ask for a legal solution to rampant non-consensual tracking for the purpose of indoctrinating the consumer class with propaganda we all laugh and say bah the solution must be technical? I don’t get it
I don’t know that a reasonable person would compare privacy threats to the threat of death from gun violence.
They exist in totally different altitudes of concern.
> The solution here shouldn't be technical; it should be legal.
I disagree. Solutions should be technical whenever possible, because in practice, laws tend to be abused and/or not enforced. Laws also need resources and cooperation to be enforced, and some laws are hard to enforce without creating backdoors or compromising other rights.
"ISPs will be prohibited from spying on their customers" doesn't mean ISPs won't spy on their customers.
We need more funding for open-source WiFi Sensing counter-measures, e.g. EU research, https://ans.unibs.it/projects/csi-murder/
> this paper addressed passive attacks, where the attacker controls only a receiver, but exploits the normal Wi-Fi traffic. In this case, the only useful traffic for the attacker comes from transmitters that are perfectly fixed and whose position is well known and stable, so that the NN can be trained in advance, thus the obfuscator needs to be installed only in APs or similar ‘infrastructure’ devices. Active attacks, where the attacker controls both the transmitter and the receiver are another very interesting research area, where, however, privacy protection cannot be based on randomization at the transmitter.
https://github.com/ansresearch/csi-murder/
> The experimental results obtained in our laboratory show that the considered localization method (first proposed in an MSc thesis) works smoothly regardless of the environment, and that adding random information to the CSI mess up the localization, thus providing the community with a system that preserve location privacy and communication performance at the same time.
There is no technical solution for this unless you want to invest billions/trillions in building new computing and networking platforms created with privacy in mind.
ISPs will always have the ability to at least deduce whether a connection was used, the MAC address, and it there is WiFi, unfortunately whether people are physically present.
If we look at the roadmap for WiFi/phones/etc, they will soon gain the ability to map out your home, including objects, using consumer radios.
"There is no technical solution for this"
This isn't really true. The easiest technical solution to the problem of ISPs using your wifi data is to simply use your own WiFi router which does not send the data to them.
12 replies →
You can’t solve social problems with technical solutions. Technical solutions won’t work without some kind of legal backing to force it.
Sometimes mathematics and physics provide superior solutions than man-made laws. Encryption for example. It's better to make something impossible, than to have laws that are routinely ignored by law enforcement.
>You can’t solve social problems with technical solutions.
Sure, this has a fair amount of truth to it. However, security is not a social problem, it's an economic one. No one, not even the most well funded and skilled organizations like the NSA, has access to infinite resources. Whether a given attack/data harvesting effort costs $1 million, $10 thousand, $100, $1, or $0.01 makes an enormous difference in impact. Can a given three letter agency afford to spend $1m on anyone? Sure. Can they afford it against everyone? No. Same with private orgs, if harvesting data costs $10000/person, it has to generate well over that much money in profit to make it worth it. Is that likely on average? Probably not. If it costs fractions of a cent, then they will be incentivized to scale it as hard as possible, since payoff from even one person will cover thousands of duds.
So sure, by all means we should pursue laws too, as that also shifts costs a bit. But there is zero reason not to simultaneously pursue technical means to make costs as high as possible. Both tracks matter a lot.
2 replies →
It makes it much more difficult to be profitable if its illegal. This deters the majority of opportunists leaving only the dedicated criminals. And just like thief's people might understand why they steal no one sheds a tear when they go to prison.
And how do you technically stop an ISP from using the radio in their hardware to detect small changes in phase angle of signals in your home?
Own your own hardware is how.
Comcast cannot administer my router/AP or modem.
Some other ISP's like AT&T force you to use their gateway. I try and avoid these companies or severely limit the functions of the built in gateway.
3 replies →
Some ISPs allow you to bring your own modem, so there wouldn't be any hardware other than your own and whatever they install to bring it into your home.
You attach large sacks of potatoes to the ceiling fans and lighting fixtures that are connected to strings and random timers to move them. The potato bags perfectly simulate human motion.
Every house should look like a party of 50.
Invest in potatoes
Disconnect and ground the antenna and supply your own equipment?
3 replies →
When we find them spying on customers they will take it all the way to the supreme court where the definition of spying will be put the wringer and flushed of all actual meaning. Then the law will be struck because it violates the corporation's 1st amendment protections concerning 'free speech'. See also Citizen's United.
Technical and legal solutions are for different classes of problems.
Encryption is a technical solution trying to solve the problem of people being able to steal your data/money without your knowledge.
The law/police are the solution to the 5 dollar wrench problem, where you are very aware of the attack but unable to physically stop it
And the law can’t stop someone from using a $5 wrench before the harm is done…
1 reply →
The legal part should be requiring a technical solution.
E.g. the you should be able to own your router and even if you choose to rent you should have full control over the software.
It might make it a bit harder to use the information obtained through spying, though. Both is good.
> The solution here shouldn't be technical; it should be legal.
The parent commenter was highlighting that law enforcement can compel them to provide the data.
The customer has to opt-in to WiFi motion sensing to have the data tracked. If you see something appear in an app, you should assume law enforcement can compel the company to provide that data. It's not really a surprise.
> If we rely on legal protection, then not only Comcast, but all ISPs will be prohibited from spying on their customers.
To be clear, the headline on HN is editorialized. The linked article is instructions for opting in to WiFi motion sensing and going through the setup and calibration. It's a feature they provide for customers to enable and use for themselves.
Idk, there's a lot of questionable things here and Xfinity doesn't have the best track record that gives me a lot of confidence that we should trust them. This seems like an easily abused system that can do a lot of harm while provides very little utility to the vast majority of people.
“Please accept our new terms of service to continue using your internet connection”
Your honor, they clearly opted in to us spying on absolutely everything they do or think.
> The customer has to opt-in to WiFi motion sensing to have the data tracked.
Not for long, there’s money to be made by adding this to the cops’ customer lookup portal.
There's money to be made by selling this to advertisers.
>opting in to
Yea, at least in the US you have almost zero consumer rights around this.
Once they find some marketing firm to sell the data to suddenly it will be come opt-out in a new update and most people will blindly hit agree without having a clue what it's about.
> I can't imagine a world where Congress could actually achieve something that widely helpful for regular citizens.
"Best we can do is letting all the AI companies hoover up your data too"
It doesn't require IPv6. The modem is just as aware of all the private IPv4 addresses on your network as well as all the public IPv6 ones.
Unless you put your own gateway (layer 3 switch, wifi ap, linux router) in front of it.
From my understanding it tracks signal strength between two points (gateway and printer for example).
Putting your phone in airplane mode doesn't make it think you have left the house.
> If you’d like to prevent your pet’s movement from causing motion notifications, you can exclude pet motion in your WiFi Motion settings by turning on the Exclude Small Pets feature. > Motion is detected based on the amount of signal disruption taking place between the Xfinity Gateway and your selected WiFi-connected devices, so motion from small pets (around 40 pounds or less) can be filtered out while keeping you notified of large movements more likely to be caused by humans.
That would require Comcast to have access to your router, or more precisely, the NAT.
Comcast sells a router gateway combination device that's probably required for this motion sensing anyway. If you have that they could already check device counts and in fact their Xfinity app lists connected devices in detail.
For most people their Comcast modem _is_ their router.
2 replies →
> The solution here shouldn't be technical; it should be legal.
I expect more than a few commenters here will disagree with you. Some rather vehemently.
To those that do so, I'd encourage you to read the novel Attack Surface by Cory Doctorow. While it's fiction, in the book, Doctorow makes a pretty compelling argument for the notion that when it comes to privacy, we can't win by "out tech'ing" the governments and corporations. We're simply too heavily out-resourced. If I'm interpreting his message correctly, he is saying basically what Josho is saying here: that we have to use the political/legal system to get the privacy protections that we care about enshrined into law and properly enforced.
Now, is that going to be easy? Hell no. But after reading the book I was largely sold on the idea, FWIW. That said, the two approaches aren't necessarily mutually exclusive. But I do believe that those of us who care about privacy should focus more on using our (knowledge|skills|resources) to try to foster change through politics, than on trying to beat "them" with better tech.
YMMV, of course. But if you haven't read the book, at least consider giving it a shot. Probably Doctorow makes the argument better than I can.
"The solution here shouldn't be technical; it should be legal."
Laws can be broken. Laws of physics cannot. Best to utilize both a legal and physical defense.
> The solution here shouldn't be technical; it should be legal
Technical solutions tend to last longer. Legal solutions have a habit of being ignored when they become inconvenient.
The legal default should be that collecting this sort of data should always be illegal without informed consent and never used beyond the remit of that consent. As inconvenient as it sometimes is, the world needs GDPR.
> The solution here shouldn't be technical; it should be legal.
It should be both, one serving as a backup to the other. Theft is illegal, yet we lock our doors.
just buy your own simple modem and install your own wireless access point.
do not buy any device from comcast you dont fully control!
Until the day when to use the service you have to use their device. Or it's being used at work, a hotel, in stores, in your kids school, or anywhere you have no say on the devices used.
Also make sure your phone and other every day carry items never connect to the Internet via your ISP’s network or emit radio signals while nearby your home.
In the EU, residential users have a right to use their own routers. IMHO, this should be the norm, and ISPs shouldn't be shipping routers to users.
Problem is, most folks aren't aware of how much spying the ISP routers do, and they want the most easy and convenient choice. Hence the status quo.
Same in the US!
Unfortunately, only the nerdiest nerds do things like buy their own routers...and that sort of thing is pretty much impossible to evangelize.
In the future when you say things like this, please say "First" or else you're starting an endless back-and-forth of one-ups and false dichotomies.
A legal precedent easily leads to a technical block.
> The solution here shouldn't be technical; it should be legal.
The technical solution seems strictly preferable
Legal "protections" only protect you up the moment a warrant is issued, if that
>> The solution here shouldn't be technical
The solution can be technical, but only if it is also sneaky. Blocking or disallowing certain information is one thing but making that information worthless is better. A simple AI agent could pretend to ping all sorts of services. It could even do some light websurfing. This fake traffic would nullify any value from the real traffic, destroying the market that feeds this surveillance industry.
I see a UI that allows homeowners to fake certain people being in the house when they are not, either replaying traffic or a selection of generic bots that mimic the traffic of various cohorts.
> Comcast can achieve the same by how many active IPv6 addresses are in use
Isn't this basically impossible with IPv6 Privacy Extension Addresses?
you cant tell most of those things because same ip doesnt coorespond to a unique service and plenty of programs and websites phone to servers where addresses have changed. there is no static database.
you also cant associate it to a person automatically. the burden of proof is high - how many jurors have tech at home they know nothing about and maybe got hacked?
> The solution here shouldn't be technical
Why not? Just run your own router instead of the one your ISP tries to give you.
What if I left my device at home?
It would work even better. From the linked support page:
"Motion is detected based on the amount of signal disruption taking place between the Xfinity Gateway and your selected WiFi-connected devices, so motion from small pets (around 40 pounds or less) can be filtered out while keeping you notified of large movements more likely to be caused by humans."
With enough signals, gait recognition for example is possible, and those same signals could be corroborated with presence or absence of concomitant device signals to determine if your device is moving with your person, and if not, to then flag this for enhanced monitoring if evasion is suspected.
The point is every single thing I own should be "on my side". My car should not store my location history. My wifi router should not track presence and movement. My printer should not add any watermarks or telltale dots. My stuff should actively make it difficult or impossible for hackers, advertisers, or law enforcement to recover any useful information.
This means, respectively: ensure personal info is stored securely so hackers can recover little. Don't transmit info to remote servers to limit what advertisers get. And just store as little as possible in the first place because this is the legal means to have little to subpoena or discover.
Useful info, when absolutely necessary, should be locked behind a password, as constitutional rights preclude law enforcement from making someone disclose it.
16 replies →
when I'm at home, my device is just sitting on the desk. rarely is it in my actual hand being carried with me. also i'm old, so i don't have it in my hand while sitting on the couch or in bed either. that's why my laptop is for. something with a real keyboard and screen and not something that's going to give me scoliosis for hunching over to read all the damn time
Ipv6? I ain't enabling that anyway
> ... I can't imagine a world where Congress could actually achieve something that widely helpful for regular citizens.
The solution is to not use the internet if you care about your privacy.
We are now treating foreign students with suspicion when they don't have a satisfactory internet footprint. Only a matter of time until that gets turned against the citizenry. Submit to surveillance capitalism or go to jail you deviant.
Heh, soon your modem will report to the SS on how many undesirables you are sheltering in your home.
Us humans love building the Torment Nexus.