If I visit a healthcare information website, like webmd.com, and it's unencrypted, then my service provider knows my name, address, and health attributes. If they kept logs about my visit to those pages, would this be considered PHI under the context of HIPAA? If so, perhaps a lawsuit could force a judge to claim service provider logs are indeed sensitive.
IANAL, but I don't think HIPAA applies. As I understand it, HIPAA only applies to doctor/patient interactions, not situations where the "patient"[1] is looking for data independently.
[1] patient is probably the wrong term here, without a doctor/nurse directly involved
My health system in Oregon is offering online consultation with medical professionals. I haven't used it yet but it seems more than email and it seems person to person, not person to medical journal article.
HIPAA privacy requirements apply to "covered entities" and their "business associates". A "covered entity" is a health care provider, a health plan, or a health care clearinghouse [1].
Your ISP would not be a covered entity.
If we assume that webmd.com would count as a "health care provider" (probably a questionable assumption) that would not be enough to get your ISP covered as a "business associate". Googling turns up rulings that ISPs are not HIPAA "business associates" when a patient uses them to reach a provider.
You don't email your lawyer. You ask Alphabet to do it for you (gmail).
Want to send a mail from home, as should be the norm? First, you need to get through your ISP's firewall. Many block the outgoing SMTP port, and there is nothing you can do about it. Others forbid you to use that port by contract. Some offer an SMTP relay to compensate, but then you're no longer sending your own email. Plus, they often limit you to 40 emails per day or so, and can spy on you, TLS or no.
Once your mail is sent, it has to pass through spam filters, and they all blacklist residential IP addresses.
> You don't email your lawyer. You ask Alphabet to do it for you (gmail).
I don't know what point you're trying to make. Are you assuming everyone uses Google's webmail interface or their apps? Maybe those blur the lines of classic Internet email delivery but when I use Mail.app to send an email, I am the one doing the emailing, not the Google SMTP server acting as a mail transfer agent (MTA).
> Many block the outgoing SMTP port
Comcast doesn't, Time Warner doesn't, Verizon doesn't. My hunch is the large majority of U.S. residential ISP customers can connect to an SMTP server other than their ISP's.
> but when I use Mail.app to send an email, I am the one doing the emailing, not the Google SMTP server acting as a mail transfer agent (MTA)
You seem to be confusing the MSA (https://en.wikipedia.org/wiki/Mail_submission_agent) and the MTA. If today your MUA (Mail.app) tried to connect to the destination mail host via SMTP directly it would get rejected. Some early MUAs did actually do that, but today almost all email gets relayed via an MSA and one or more MTAs.
As the Wikipedia article says, "Many MTAs perform the function of an MSA as well." I was looking at the article about MTAs [0], in which the diagram does not bother showing the sending MUA connecting to a distinct MSA. My MUA would not be rejected by the destination host if the recipient uses the same host as me.
> My MUA would not be rejected by the destination host if the recipient uses the same host as me.
Your MUA would be rejected if it acted as an MTA and connected on port 25 without authenticating. "Using the same host as me" is the case because the mail server knows that it is "your host" because your MUA is connecting to your email server's MSA using SMTP AUTH on port 587 or 465.
Well now you're moving goalposts, qualifying connections by port and authentication. I'm sure what you write is true of most ISPs and major email service providers but there are still SMTP servers in the world that don't require all MUAs to make authenticated connections; there's at least one at my university.
They don't require authentication because they only accept relay requests from within the university network. Otherwise they'd be an open relay, and those tend to relay spam as soon as spammers spot them, then they get blacklisted by most spam filters. In any case, this doesn't affect my main point: by using those, you still don't send your email yourself.
In my book, "sending your own email" means you operate your own mail server, without using any third party relay (not Gmail's, not your ISP's).
I'm personally halfway there: I have root access to a virtual machine on the cloud (gandi.net), and configured it to relay my email for me. Next step would be to have physical control, but I kinda abandoned that idea when I learned that residential IPs are blacklisted (Hotmail even made it an explicit policy, it won't even appear in the recipient's spam folder).
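The distinction drawn in the exchange above (unauthenticated port-25 delivery is accepted only for the server's own domains; relaying to other domains requires SMTP AUTH on the submission port or a trusted source network, otherwise the server is an open relay) as an added example; this is not code from any commenter, and the domains, networks and credentials are constructed:

```python
import ipaddress

# Constructed policy for a hypothetical receiving mail server (example only).
LOCAL_DOMAINS = {"example.org"}
TRUSTED_NETS = [ipaddress.ip_network("198.51.100.0/24")]  # e.g. a campus network
SUBMISSION_PORTS = {587, 465}


def relay_decision(client_ip, port, authenticated, rcpt):
    """Return the SMTP reply a server would give to RCPT TO:<rcpt>.

    Local delivery (recipient in LOCAL_DOMAINS) needs no auth: that is the MTA
    role on port 25. Relaying to any other domain is granted only to clients that
    authenticated on a submission port (MSA role) or sit inside a trusted
    network. Granting it to anyone else would make this an open relay.
    """
    rcpt_domain = rcpt.rsplit("@", 1)[-1].lower()
    if rcpt_domain in LOCAL_DOMAINS:
        return "250 2.1.5 Ok"
    if port in SUBMISSION_PORTS and authenticated:
        return "250 2.1.5 Ok"
    ip = ipaddress.ip_address(client_ip)
    if any(ip in net for net in TRUSTED_NETS):
        return "250 2.1.5 Ok"
    return "554 5.7.1 Relay access denied"


def run_session(client_ip, port, commands):
    """Replay a tiny client/server exchange; returns [(command, reply), ...]."""
    authenticated = False
    transcript = []
    for cmd in commands:
        verb = cmd.split(" ", 1)[0].upper()
        if verb == "EHLO":
            # AUTH is only advertised on submission ports, not on port 25.
            reply = ("250-mail.example.org\r\n250 AUTH PLAIN LOGIN"
                     if port in SUBMISSION_PORTS else "250 mail.example.org")
        elif verb == "AUTH":
            if port in SUBMISSION_PORTS:
                authenticated = True  # credentials assumed valid (constructed example)
                reply = "235 2.7.0 Authentication successful"
            else:
                reply = "503 5.5.1 AUTH not available on this port"
        elif verb == "MAIL":
            reply = "250 2.1.0 Ok"
        elif verb == "RCPT":
            rcpt = cmd.split("<", 1)[1].rstrip(">")
            reply = relay_decision(client_ip, port, authenticated, rcpt)
        elif verb == "QUIT":
            reply = "221 2.0.0 Bye"
        else:
            reply = "502 5.5.2 Command not implemented"
        transcript.append((cmd, reply))
    return transcript


if __name__ == "__main__":
    # A residential client on port 25: local delivery works, relaying does not.
    for cmd, reply in run_session("203.0.113.9", 25, [
            "EHLO laptop", "MAIL FROM:<me@example.org>",
            "RCPT TO:<alice@example.org>", "RCPT TO:<bob@elsewhere.example>"]):
        print(f"C: {cmd}\nS: {reply}")
```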
If you use Gmail via webmail at https://mail.google.com or have a MUA like smtpmail.el in Emacs connect to smtp.gmail.com, Gmail is still sending your mail.
We trust the postal office to act as a reliable dumb pipe. Most email services are far from that: they filter inbound email in a way you have little control of. They spy inbound and outbound mail, and use that information to send you ads.
Also, they control your right to send and receive email: if your account is terminated for some reason (they reserve the right to, blah, blah), you cannot move to a new provider, or redirect inbound mail or nothing: they own your email address.
I mean, if you want to make the point that e-mail is not secure, you can say "e-mail is not secure." That's a statement that actually makes sense. Your false pedantry isn't convincing anyone to agree with you, it just makes you sound like a crackpot.
Oh, it's much worse than "email is insecure". It's more like "somebody else controls your email, and they don't have your best interest in mind". What did you think Alphabet was, a charity?
Besides, there's more to it than (in)security. For instance, what happens to your various accounts tied to your email if your account gets terminated? You will not be able to redirect your incoming emails, and notifying your friends will be difficult if you relied on the web interface's address book.
Also, it's a whole ecosystem: if you use a big webmail, then you allow your provider to spy on everyone you exchange emails with. If you have the means to avoid those, it is your responsibility to do so. Surely you don't like inflicting this kind of spying on your friends, do you?
So far, the only reliable way to have proper control over our own email is to control our own domain name, and operate our own mail server. Or at least use small, trustworthy providers. In other words, "send our own email".
It's intellectual property/monopoly all over again. One will choose the terms that suit one's side of the debate. I side for privacy, security, and reliability; and argue that webmail providers do not provide any of them. This thread is the first time my "sending one's own email" wording hasn't been an unmitigated success.
Virtually everyone is clueless. I mean it, most people don't know the first thing about computers, or networks, or how data flows when they send an email or even read a web page. Many others underestimate the actual price they pay for their supposedly free web mail.
The issue here is one of control: relays can basically read every mail they relay, and the likes of Gmail do. Spying on you is how they make money. No targeted ad would be possible otherwise. And the automation only makes it worse (because it scales, and can be repurposed).
And the user can do nothing about it. That total lack of control is why I maintain they do not, in fact, send their own email. Now there's PGP, but that would look conspicuous. If everyone had their own mail server, TLS alone would provide pretty good security.
What angers me the most is, even I don't have a choice: most of my friends use a big webmail provider, which invades my privacy whenever I communicate with them. This would never happen if we all had our own mail servers.
> Now there's PGP, but that would look conspicuous.
Also, it doesn't hide the authenticated user, envelope mail from or envelope rcpt to values used in the message, unless, like you said, the sender and recipient(s) are using their own SMTP servers.
I remember when everyone could have their very own mail servers. Never since have I been offered such a vast and varied selection of ways to increase the size of my penis.
Perhaps I am misunderstanding you, but while it is certainly uncommon, it is absolutely possible to directly deliver mail to a recipient's SMTP server. In many cases, this can be done without any authentication whatsoever.
I run my own mail server. When I send an email via the web interface, would you not agree the MUA is attempting to directly connect to the destination host?
Depending on different factors, it may be classified as spam by the recipient, but from a reputable IP address it shouldn’t normally be rejected outright. Of course there are other factors like SPF, greylisting, etc... but email can be directly delivered.
If you send from non-SPF-listed IPs you will get rejected in many places and most likely marked as spam in those you don't. SPF particularly, and DKIM and other anti-spam measures, are in widespread use and enforced by the receiving SMTP server either directly or via spam scoring system rules.
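How a receiving server turns "is this IP listed in the sender's SPF record" into a reject or a spam score, as an added example that is not from the comment above: it evaluates the ip4/ip6/include/all subset of SPF against a constructed DNS table (the domains and addresses are documentation values, not real records), and DKIM is left out.

```python
import ipaddress

# Constructed TXT records standing in for live DNS lookups (example only).
FAKE_DNS_TXT = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 include:_spf.mailhost.example -all",
    "_spf.mailhost.example": "v=spf1 ip6:2001:db8:1::/48 ~all",
    "nospf.example": None,
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def spf_check(sender_domain, client_ip, dns=FAKE_DNS_TXT, depth=0):
    """Evaluate the ip4/ip6/include/all subset of SPF for one sending IP.

    Returns pass, fail, softfail, neutral, none (no record) or permerror
    (malformed record, unsupported mechanism, or too many include hops).
    """
    if depth > 10:  # RFC 7208 limits DNS-querying terms to 10 per check
        return "permerror"
    record = dns.get(sender_domain.lower())
    if not record:
        return "none"
    terms = record.split()
    if terms[0] != "v=spf1":
        return "permerror"
    ip = ipaddress.ip_address(client_ip)
    for term in terms[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        if name == "all":
            return QUALIFIERS[qualifier]
        if name in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"
            if ip.version == net.version and ip in net:
                return QUALIFIERS[qualifier]
        elif name == "include":
            # An include matches only when the referenced record yields "pass".
            if spf_check(arg, client_ip, dns, depth + 1) == "pass":
                return QUALIFIERS[qualifier]
        else:
            return "permerror"  # a/mx/exists/redirect are outside this subset
    return "neutral"  # nothing matched and the record has no "all" term


def receiver_action(sender_domain, client_ip, dns=FAKE_DNS_TXT):
    """Map an SPF result to what a receiving MTA commonly does with it."""
    result = spf_check(sender_domain, client_ip, dns)
    if result == "fail":
        return result, "550 5.7.1 SPF check failed"
    if result == "softfail":
        return result, "accept, add spam score"
    return result, "accept"


if __name__ == "__main__":
    for ip in ("192.0.2.55", "203.0.113.5", "2001:db8:1:2::3"):
        print(ip, receiver_action("example.com", ip))
```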
And Gmail complies with privacy laws indeed. They can scan content automatically to show ads, but they cannot sell a list of people that you exchanged email with, at least not without your consent.
This is even worse than manually spying on people: automation gives leverage. Now all we have to do is repurpose these targeted ad engines to deduce things other than buying preferences.
Sure, they have their surface ethic (and Alphabet's employees have their actual ethic), but the tools they have in place for total surveillance are downright chilling.
But if that happened and then the HHS decided to pursue it, the ISP would claim they're simply a conduit for PHI and that the privacy rule doesn't apply.
Mere conduits have no memory; they wouldn't keep logs, let alone sell them to third parties.
If the ISP wants to "simply be a conduit", I can only applaud, as long as they follow the rules of common carriers they just implied by saying so: no snooping, no filtering, no selective throttling, no looking at TCP packets to look for a "25" (SMTP requests) and block them…
If they do that, they don't have to follow any privacy rule: they already respect mine.
I suppose a water "carrier" could have a sieve to filter away unwanted particles, or could add chlorine to kill bacteria, etc. But it certainly couldn't do anything equivalent to keeping or selling logs...
Well, they could drugtest your wastewater [0] and measure your water consumption with one of these "smart" meters at small intervals. It's not at the scale of data that an ISP could sift through, but with a little imagination, water can be a source of metadata...
AT&T, Charter, and others, have toyed with the idea of blocking Tor and VPN unless you buy a higher tier permitting those services. AT&T was charging $30 a month extra for this tier. And even now there are many reports still of performance tuning when using VPN, slowing down the connection.
These are classist policies and should be illegal. It is not OK in a civil society to say privacy is a product people buy, rather than a right.
Swedish ISP Bahnhof used the argument that an ISP shouldn't be seen as anything else than a postal service delivering packages. So this sort of feels like they want to open your letters, scan them, and maybe throw in a few coupons on matched words. But worse.
Not just Chinese ISPs. I've had Cox inject HTML/Javascript into my HTTP streams for a "test of their emergency messages system" and once for a customer survey.
The survey might have been a DNS redirect instead as by the time I noticed I had already navigated away from the original page and that was one of my few machines that can sometimes use my ISP's DNS.
The emergency message test was HTML/Javascript directly injected into a random non-encrypted page I had loaded.
Mediacom (cable internet in Iowa) does something similar. They insert a banner on the top of every HTTP page you view telling you when you're about to go over your 350GB data cap. Will appear until you click a button to dismiss it.
I work for an ISP and I can't imagine looking at our customers' web browsing and such. The closest I come to that is Netflow data but (in our case) that's aggregated and doesn't identify specific customers.
> "Web browsing and app usage history are not 'sensitive information,'" CTIA said
I wonder if they might feel differently if someone hacked them or their ISP and posted a month's worth of traffic logs, etc., for the public to see.
Maybe if the Internet histories of a handful of the top-level folks at these organizations were shared with the world (along with their identities, of course), they would change their mind.
> Moreover, CTIA claims that Section 222's use of the phrase "customer proprietary network information" demonstrates that the regulation doesn't necessarily cover "personal" information. Section 222 provisions "apply only to commercially valuable—not personal—information," the group said.
Since the ISPs are planning to sell that personal information, it sure seems commercially valuable. It's a shame that, instead of ISPs simply not being dicks (er, "unlocking value"), we will have to waste time and money to encrypt everything and route it through TOR.
TOR is free and is specifically for the purpose of anonymizing your connection to the website you're visiting. This article isn't about authenticity of your identity, it's about confidentiality of your browsing history.
Using a simple free VPN to encrypt your traffic is enough. This does not cost time or money. Neither does TOR.
You shouldn't trust your ISP to not be collecting your information in either case. Even if they say they aren't spying on you that does not mean they should be trusted with any of your plaintext data.
Of course you shouldn't use a free VPN for anything sensitive, but to obscure your browsing data (like what you search for or what media you consume) it's completely fine.
> to obscure your browsing data...it's completely fine
You prefer taking your logs away from the potentially-prying eyes of regulated ISPs and giving them to an unknown, unregulated person? Free VPNs are a medicine that's, at best, only as bad as the malady.
That was great. Moreover, it gave me an idea. Oracle has been going after Android in patent suits. Joyent had patents on Solaris-based technology for cloud-style stuff Oracle might be interested in. Joyent was acquired by Samsung, a major Android vendor. I wonder if part of Samsung's motivation was countering Oracle with the I.P. Joyent had.
As a European I pity you for not having data protection regulations.
Instead you have to deal with unregulated, unreasonable despotism.
ISPs are telecommunication providers and bound to special secrecy, disclosing browsing history is punishable by criminal law (§ 88 TKG in Germany).
Cambridge Analytica showed us how dangerous it is for democracy to know users' habits, values, attitudes, preferences and their contact details, and how easy it is to manipulate individuals.
US-Americans, you seriously need to wake up and get your democracy back before your society is too Orwellian.
Also, you are giving a bad example.
And stop cheering USA USA USA, your society is malformed and dysfunctional, you shouldn't be proud of it and lie to yourself about it.
The FCC defined Web browsing history and app usage history as sensitive information, along with other categories such as geo-location data, financial and health information, and the content of communications. If the rules are overturned, ISPs would be able to sell this kind of customer information to advertisers.
Don't Facebook, et al. do this already? Don't most people spend most of their time on Facebook anyway? ISPs just want a cut of the action.
Facebook is an endpoint people choose to interact with explicitly and voluntarily. If FB collects information, they are collecting information about communication to which they are a 1st party.
This is very different from a service provider collecting and selling information about communications between third parties.
I'd argue on the contrary, that both Facebook and Google via their ad networks and analytics tools embedded on websites collect an incredible amount of information that was not explicitly or voluntarily permitted by the user.
I don't necessarily disagree, but even then they can only do that if the user is visiting a FB or Google property, or a property that has entered into a relationship with them.
A service provider, on the other hand, is in a position that has absolutely no legitimate claim on the contents of communications between third parties.
Postal services are not expected to rifle through the contents of their customers' packages. Phone companies are not expected to record people's phone calls (or even reveal who's calling who). There is no reason why data communication providers should be allowed to do these things.
In principle, neither an ISP nor Facebook is different from a postal service. Their only function is to be an intermediary between users.
I would argue that, just as postal services cannot force you to give up your privacy through the contract terms (you are entering into a contract by sending mail), neither should Facebook or an ISP.
I don't disagree that ISP data collection is bad. But given that Facebook and Google can profile users who don't even use Facebook or Google through the majority of websites out there, I don't think we can pretend that this is a problem with ISPs but not a problem with web companies.
We should strongly push for real legislation that bars these companies from collecting browsing metadata from users, regardless of what service they're providing.
Yes, this is what I meant. I feel like most people's daily internet use is highly surveilled already. I can see the ISPs thinking "FB and Google can only get 80%, but we can see it all, if only we can get them to change the rules".
That's similar to what EPIC (the Electronic Privacy Information Center) said in a filing mentioned in the article:
> "Privacy rules for ISPs are important and necessary, but it is obvious that the more substantial privacy threats for consumers are not the ISPs," the advocacy group said. The bigger threat is posed by "the largest email, search, and social media companies."
By which they're obviously referring to Google and Facebook without naming them. CTIA, the mobile broadband lobbying group, cited this statement in their argument:
"even a prominent privacy advocacy organization asserted that it is 'obvious that the more substantial threats for consumers are not ISPs,' but rather other large edge providers."
I think that, while "large edge providers" may presently collect user information, there is greater potential for ISPs if left unchecked and harder for users to avoid.
I'm not sure I understand their use of "large edge providers" in this context - are they insinuating that backbone providers such as Level 3 are already collecting my web traffic when they peer with my ISP? Or is that just an odd reference to "the largest email, search, and social media companies" mentioned further on? The article goes on to talk about common carrier status, so it feels like they mean the former but that just doesn't make sense.
Either way, I think you hit the nail on the head with this statement: "there is greater potential for ISPs if left unchecked and harder for users to avoid."
The CTIA's logic here can be reduced to "they do it so we want to do it too", seemingly framed within their long-time disposition of not considering themselves the "dumb pipes" that they are. Giving residential ISPs access to use this information, combined with what they already have on file for accounting purposes, is a situation just ripe for abuse. The article then goes on to say "What's less clear is whether the FCC will have any authority over ISPs' privacy practices after the rules are eliminated" - so there may very well be no recourse whatsoever through either the FCC or FTC if or when widespread abuse were to occur. And of course, that's not even to start the age-old discussion about how & where the data is stored (plaintext on an insecure FTP server), who has access to it (all employees & contractors), etc.
I am confident that this change from the FCC will only serve to screw over individual people at the gain of large corporations.
You have a choice not to use privacy abusing services like Facebook, and use privacy respectful ones like diaspora* instead. With ISP most users have no choice, and that's exactly the problem. They abuse their monopolistic position to snoop on people.
Looking for others' thoughts...