> It has become more challenging to monetize customer data, so the advertising market is looking for new solutions to tap into. They do not want to go back to non-personalized advertising, so they are pushing the frontier to see what’s still possible. The Trustpid trial is an example of this.
Fuck the ad-tech industry. Seriously. Is there any line they won't cross?
There are literally no lines when money is at stake. Also, since there's a free market (by some kind), it makes the world better. Or not. Who cares. Money is in spying on people, go take it!
Money is in ending human (and much other) life on earth with rapid resource depletion. Should we... go take it!?
I think the ultimate sign a person is no smarter than a dog is their inability to extend reason beyond their personal circumstances.
Singularity theory was probably wrong about a convergence of technology and information to form a super-intelligence. We're just converging on a super-efficient stupidity. Collectively we're like a flame that will burn out.
Time to dump on them again: Vodafone has given me one of the worst Internet access experiences ever, in the middle of Europe. Their service is crap and people on the support line dare tell you that you are a young person, so no need to get upset, when they give you shitty Internet service. They promise too much in their contracts and then cannot keep you a stable connection. Every now and then I get days where the packet loss is unacceptably high and my whole connection goes into garbage mode. Stay away from them if at all possible.
Hah, I also once had a technician come home to diagnose connectivity issues and in the process try to convince me that the shitty Internet speed I had was just fine for my needs, and how my needs were supposedly just as his.
> Vodafone has given me one of the worst Internet access experiences ever, in the middle of Europe.
Literally the same, but probably very different: also in the middle of Europe they have recently put me in a prepaid plan with free internet, and I find myself mindlessly scrolling when I have to do other things.
It's easy not to distract myself when I have to pay for it, but for free it's much harder.
If the service is worse than what's promised, you have decent legal options. Prove that you're getting less than you pay for and you may be able to cut the price.
Counter-point: I get decent Vodafone (ex-Unitymedia) service.
Chatting about individual experiences with their service is probably a welcome distraction for them.
However, the tools which are offered by the official institution (Bundesnetzagentur), which should hold watch over ISPs and their service, do not even measure packet loss. All they measure is throughput and ping. That alone is not sufficient for proper gaming. Also an average ping does not suffice, if there are short ping spikes, which average out over the measuring period. Basically I know more than the tool checks and the things the tool checks are often not the problem. Furthermore I have to go through a process of measuring so and so many times on a schedule. Add to that, that the ping spikes are sporadic, so that I would have to be lucky, to actually record any.
It is quite telling, that the official tool for measuring a connection offers so few statistics, that it is basically useless for people, who just need a _stable_ connection (no packet loss, low ping, no ping spikes, OK-ish throughput). The official tool does not allow me to "prove it".
Basically, I could live with half my speed, if the connection was super solid. Throughput is not everything, unless you watch 4k videos all day, where there is lots of buffering happening anyway. Instead, they promise everyone (mostly people, who don't know much about IT) "high speed", at the cost of reliability.
"In addition, Apple is developing features to restrict network operators from intervening in the data traffic. This is called [iCloud Private Relay] which ensures providers no longer have access by encrypting and redirecting the data via Apple’s servers."
It seems very likely that Apple would simply disable the ability to disable this if it is abused. (In this specific case, it seems likely that they'd leave it for WiFi but disable for mobile networks.)
This is not Apple versus Vodafone/Telekom, it's Vodafone/Telekom vs. EU citizens. The EU has already made the big move to just outlaw roaming charges within the EU, which was a major revenue stream for the carriers, for example.
And even these companies ruined that. Making it more expensive than it should realistically be. Living in a country with a large area and low population density, our mobile charges are very reasonable. But somehow these companies don't manage to provide the same service in a much denser country. Thus pushing up the still allowed inter-operator roaming charges...
The EU already has a lot of regulations in place that particularly hurt EU companies. GDPR for example is good for citizens but requires extra effort by companies. Small US companies can ignore it until they are big enough to expand into the EU market but small EU companies need to follow the law from the start.
He just wrote an example - all EU companies need to follow GDPR from day 1 if they also operate here. Do you need a list of a few thousand companies to consider it a good enough example?
Another example - roaming charges dropped, this directly hurt all telcos big time.
GDPR is a set of regulations which are far easier to follow from the start than attempt to deal with after being in business for 20 years without having to consider.
The core of complying with GDPR is that you can provide a customer with a view of what data you hold on them, that you can delete it on request, that that data is accurate (and resolve if not), and if you’re doing anything non-obvious with it then you ask permission.
Designing for all of that from the start is relatively simple, particularly if you don’t go and integrate with every analytics/tracking SaaS under the sun.
Luckily for the EU not a single company was located in the EU prior to GDPR.
I mean nothing stops even small US companies from planning for GDPR if they want to expand to Europe. There's no advantage for European companies here.
Vodafone and Deutsche Telekom have already filed a complaint to the European Commission to stop Apple from doing this.
To me, this is the master level of being an asshole company. Not only are you abusing your customers, but you even sue to ensure they can't use their rights...
Really no one with common sense should use one of these providers.
And I just imagine the senior manager there that decided or approved that. I hope so much that they are religious so that they know that they will go to hell directly!
It's a typical German cartel. In countries where they split up those cartels the prices went down and quality went up. I was once part of such a successful "Verfassungsklage". But it only lasted for a decade, then the cartels struck back. Not only in the telecom business, also in energy, press and automotive, and whatever else.
The state actively protects them, with telecoms they can even setup their own rules and bylaws.
The prices in Germany are already outrageous compared to other countries in Europe. I got a good deal and pay 30 Euro for unlimited data but I've recently checked for a friend and unlimited data would cost her about 70 Euro a month, which is ridiculous.
Yeah I pay 65 Euros a month for an unlimited mobile data plan with Deutsche Telekom, and that's with a young person discount and without a phone included.
If a company could charge you more for something then they are already doing it.
Companies don’t ask themselves “what’s a fair price for x”, instead they wonder “how can we get more money out of our existing customers”.
Sadly, this is irrelevant. Running a corporation within a capitalist system will always optimize for maximum value extraction. Even if they can charge more in base price, this scheme always yields even more on top.
10+ years ago at TELCO job, when listening to a meeting about how to pay for the lawful intercept database for complying with LEA warrants, I suggested making it a profit centre by making the data available to users themselves. Seems I was a bit ahead of the times and slightly off the mark with my terrible idea.
It looks to me that Vodafone attach an id to a flow by using the device network id (sim, imsi or maybe the MAIDs). Then the website, when generating the html page, can ask Vodafone for this id and include a targeted ad.
> The article mentions they are injecting an HTTP header
It does, but if you read carefully you'll see there's no source saying that's how that's being implemented. It's all speculation on the author's part. In fact, one of the sources linked (wired.com) says the opposite, claiming that it's "based on a user’s IP address", which wouldn't require any HTTP header injection.
That's only about how Verizon did it back in the day. They don't explain how Vodafone and DT are planning to technically achieve it, but it could simply be related to IP or similar lower level protocol addresses from 4/5G. As network operators, they have access to the Account:IP mapping, they don't necessarily need to inject anything special in the packets.
Yup, there is no way to hide basic packet information from your ISP without some kind of tunnelling like WireGuard or Tor.
I already stopped trusting my ISP after it was announced that one of the three UK LTE internet providers had implemented the "log absolutely everything" clause in the snoopers charter... I guess now the cat's out of the bag, Vodafone is likely the provider, since they can probably build upon what they have already implemented and sell it to 3rd parties. Pretty gross.
They're the carrier: they know exactly at every time what IP:port belongs to each phone, otherwise they couldn't send the response packets back to the phone.
But they have to communicate this to the advertisers in the RTB bidstream, in a way that advertisers can decode to a unique subscriber identifier (or at least unique enough)
Sending just the IP would be useless, as the publisher already has the IP address (and sends it to bidstream, although it is truncated for privacy) so there would be little incentive to pay for the carrier data.
I worked in adtech for a while, and designed a system similar to this for a large UK carrier, although it never ended up being implemented as carrier was worried about optics.
The mobile providers use public spectrum that they license from governments.
Make it a condition of the license that they are only allowed to provide dumb pipes and PSTN services. It will reduce the value of the licenses, but not by much, because this is a service that they haven't introduced until now, so was not priced in to the original auctions.
Note that while using VPNs will assist, the telcos have your IMEI/PSTN numbers and assign the underlying IP connection (whether CGNAT or otherwise). So they can track the traffic at the L2/L3 level.
Then they can introduce a "merchant's service" that takes that traffic and maps it to an identifier that's provided to the websites/advertisers. Even if the L4 traffic is encrypted, the packets themselves could be extended to include the information they need before it exits their network.
But all they see is your IP connecting to the VPN IP. And the connection between the VPN and the site has a new IP connection, doesn't the VPN just send L4 data + its own user-ID?
This is exactly the reason why I am always so disappointed by many in the tech community in discussions about VPNs:
In almost every discussion about VPNs people say something along the lines of: “you can’t trust the VPN provider more than your ISP”. This has always been a dumb argument and this completely proves it.
ISPs are the worst. There is now only one in the Netherlands that I might trust (Freedom), but even they are using the network of another untrustworthy one (KPN) so I doubt they’d be able to do anything about it if the network owner would start something like this.
A permanent VPN connection is becoming more and more logical as long as you trust the provider more than your ISP. I use Mullvad.
Please let’s stop perpetuating the “now you are just moving the trust from ISP to VPN-provider” as a counter argument to using a VPN and start using it as a main reason to use VPN. Sad maybe, but necessary.
I disagree - VPNs are not a solution for this whole issue, but legislation is. The whole VPN business looks shady to me, maybe Mullvad is an outlier and a good citizen, but for how long?
Make data collection transparent, force companies to have opt-in for it and fine non-conforming companies.
Dt. Telekom and Vodafone recently lost their zero rating business (StreamOn or what it was called), they're in constant search for new sources of revenue.
If I understood correctly OP didn't say VPN was the only solution and stop there. Instead, the point was more along the lines of: ISPs showed us who they are, we should believe them. Don't trust them, use a VPN. Does that mean that you can't legislate? Of course not. But it seems that OP doesn't want to wait until that happens.
Looking at these offers I see in ads, I really wonder if not soon they won't be doing the same. The discounts are really weird. As it seems regular price is nowhere near where the costs are. Or then they are losing a lot of money in customer acquisition which will soon lead to this kind of behaviour.
A VPN is also the only consistently good way to do ad-blocking on mobile. Mullvad, for instance, recently introduced ad-blocking, malware-blocking, and tracker-blocking in its mobile app. Previously I had to rely on the painfully poor ad-blockers that Apple allowed in its walled garden, and ads got through all the time. With the VPN, I am able to visit websites with virtually no ads appearing.
FWIW, my family, friends, and I have been using nextdns on idevices, consoles, “smart” tv to almost completely block ads and tracking via dns black holing. Pihole does the same if you prefer selfhosted. Recalcitrant apps like YouTube have no known solution because they take care of their own dns resolution. But for most other use cases (browser, telemetry, iOS apps) it works very well and I almost never see any ad anywhere.
This is the opinion of every German I've ever met, but as an outsider who formed their opinion before hearing the public's opinion, O2 gives me consistently better signal than my work phone where my boss decided to go with Telekom for some reason I have yet to ask after (but, knowing Germans, I have a suspicion). This is in NRW mostly (both cities and forested area), can't remember if it was different in Frankfurt or Stuttgart, so at least not noticeably worse I guess.
The fairly recent (like, after people formed this opinion) merger with E+ probably helped, if I remember this provider's history correctly.
The Telefonica network isn't that bad where I am. I'm with an MVNO (Drillisch/premiumsim/discotel/sim.de/whatever shady awful brand you can think of) on that network and am pretty okay with it. They have the best prices (only ones I'd consider reasonable) and are starting to build their own network.
... maybe I should check whether they're doing this stuff too. My experience with them makes me believe "absolutely" (they're annoying to deal with, but hey, they're following the law).
Would using a "multiplexing" carrier like Google Fi (I don't know the real term for it) that can switch between several others at least reduce the value of this tracking?
Please elaborate. The telecom industry is highly subsidized, controlled and regulated by government.
Capitalism is not very well represented by the standards of the industry
Dude, it's news when an American ISP doesn't participate in dragnet surveillance [0], and it's at the level where switching your ISP isn't going to help.
My guess: it won’t be for long. These adtech psychos always come up with crap like this, say it's legal & get regulated. Eventually.
Also. I don’t blame GDPR for shitty popups. I blame adtech. You can easily do websites without popups, they just don’t because they don’t respect their users.
Was Verizon and are those 2 companies the only companies doing this?
Are there any other known cases, just not made such fuss about in other countries?
I know that the Croatian branch of the German Telekom is often used as a testbed for new developments, like their IPTV service or fiber overland, so I wouldn't be surprised if that already was reality in Croatia or other branches of one of those corps, just kept under the rug.
The site operator asks Vodafone "what is the unique account ID for the machine accessing my site right now from 17.56.2.43:3452?", and Vodafone gives them an account ID. They can then use that account ID to correlate to previous interactions you had with their site, even if they were coming from different IPs.
HTTPS and DoH don't protect you in any way from the site operator wanting to serve you ads, and Vodafone will always know what IP:port they assigned you personally (well, your phone).
Tor, VPN and proxy services can protect from this, since they decouple your original request from what the server receives. Of course, the latter two can also sell your information instead of Vodafone.
> Tor, VPN and proxy services can protect from this [...] Of course, the latter two can also sell your information instead of Vodafone.
This is a good point. However it's also worth pointing out that it's not a fruitless endeavour. There are very limited ISP options and none of them are transparent about logging but it's well known to happen. However with a VPN there are comparably limitless options.
They just need to be chosen carefully, and while you can never be sure it's better than the guaranteed invasion of privacy by your ISP.
Well what the article is saying is that the ISP would also hand out data on your previous interactions with any other websites. Which is completely insane of course.
If you have the technical know-how, you could also rent a cheap vps and set up a VPN/proxy yourself. That way you know exactly what is being logged and who has access.
Well, that doesn't help too much, since that single VPS is going to be associated with a single person anyway. You would have to change the IP of the VPS constantly to get any significant privacy benefit.
SNI for one ( https://www.cloudflare.com/en-gb/learning/ssl/what-is-sni/ ). The handshake contains endpoint IP addresses, and they likely know what sites are on what IPs from either crawling the web like search engines do, or buying that data from somewhere.
Size of packets. Number of packets. Size of response. If the site content is static, that could give a good idea which page was loaded. Packet frequency. Enough to say if it's probably a page load or a realtime chat or a download, etc.
There are probably enough details in the handshake endpoints to tell them whether you visited Facebook in a browser or opened the Facebook app, for example.
What time you went to the site, how often you go there, how long you stayed. Vodafone mobile would know which cell tower(s) you are connected to. They can probably narrow in on whether you work and roughly where you work (cell towers you connect to during the day vs. at night) and from the land use in those areas they could guess roughly what you do. They know your home address for billing, so how expensive your home is and how desirable the area is, they could also guess at that from which cell towers you connect to.
What times you visit sites, whether you are usually busy on a Friday evening or using your phone, whether you are regularly on gambling sites or regularly on crypto sites or healthcare sites.
Yes they can't see that you typed "glasses" into a Google search, but they can see you visiting google.com then visiting zennioptical.com. They can see you visiting Reddit and then whether you load a lot of imgur pictures or a lot of video traffic or load some fashion blogs and infer what kind of things you're interested in.
Mobile is likely behind carrier grade NAT. That is a very large NAT. Now when you connect to a web site you have your "private" IP address. And then CGNAT maps this to some public IP:Port pair it has available. And due to how TCP and UDP work the web site has to know this pair as that is where responses are sent to. And then NAT simply replaces this with the "private" IP:Port pair.
Now the ISP can simply read the data of active mappings from CGNAT. That is which user has which IP:Port pair in use and provide it for a price to anyone asking like the web server where the user has connected.
(There is also the web server's IP:Port 443 involved. But that makes things more fine grained.)
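The lookup described in the comments above, as an added example that is not part of the original thread and not any carrier's actual code: a toy CGNAT mapping log that resolves the (public IP, port, timestamp) a site observes to a stable account ID. The class and function names, the HMAC-derived ID and every address and lease time are assumptions constructed for illustration.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import List, Optional

# Constructed key: stands in for however a carrier would derive an opaque ID.
CARRIER_KEY = b"constructed-demo-key"


@dataclass(frozen=True)
class NatMapping:
    subscriber: str   # internal account reference (constructed)
    public_ip: str    # address the web site sees
    public_port: int  # port the web site sees
    start: int        # mapping start, unix seconds (inclusive)
    end: int          # mapping end, unix seconds (exclusive)


def account_id(subscriber: str) -> str:
    """Opaque, stable ID for one subscriber (using HMAC here is an assumption)."""
    digest = hmac.new(CARRIER_KEY, subscriber.encode(), hashlib.sha256)
    return digest.hexdigest()[:16]


class CarrierNat:
    """Hypothetical view of a CGNAT's mapping log."""

    def __init__(self) -> None:
        self._log: List[NatMapping] = []

    def record(self, mapping: NatMapping) -> None:
        self._log.append(mapping)

    def resolve(self, ip: str, port: int, ts: int) -> Optional[str]:
        """Answer "who had ip:port at time ts?" as a site operator would ask it."""
        for m in self._log:
            same_endpoint = (m.public_ip, m.public_port) == (ip, port)
            if same_endpoint and m.start <= ts < m.end:
                return account_id(m.subscriber)
        return None  # endpoint was not mapped by this carrier at that time


def build_demo_nat() -> CarrierNat:
    """Constructed mappings on documentation address ranges (RFC 5737)."""
    nat = CarrierNat()
    nat.record(NatMapping("sub-A", "198.51.100.7", 3452, 900, 2000))
    # Same public IP:port handed to a different subscriber later on.
    nat.record(NatMapping("sub-B", "198.51.100.7", 3452, 2800, 4000))
    # First subscriber again, now behind a different public IP:port.
    nat.record(NatMapping("sub-A", "198.51.100.9", 40100, 4500, 6000))
    return nat


if __name__ == "__main__":
    nat = build_demo_nat()
    # What a site would observe on four separate visits (constructed).
    visits = [
        ("first visit", "198.51.100.7", 3452, 1000),
        ("port reused by someone else", "198.51.100.7", 3452, 3000),
        ("same person, new IP", "198.51.100.9", 40100, 5000),
        ("via a tunnel exit", "203.0.113.50", 51000, 5000),
    ]
    for label, ip, port, ts in visits:
        print(f"{label:30} {ip}:{port} @ {ts} -> {nat.resolve(ip, port, ts)}")
```

The timestamp matters because the same public IP:port is reused by different subscribers over time, and the tunnel exit address resolves to nothing because it never appears in the carrier's table.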
Not really. Based on the picture on the site[1], I can think of multiple ways of how that would work:
1. The site that wants visitor information makes a CORS/third party request to https://vodafone.example/api/GetSubscriberInfo, which then fetches the associated account information and returns it to the site
2. The site notes the IP + port + timestamp that was used for the HTTP connection, and then asks vodafone for the information.
> Vodafone Group is currently conducting a test involving other European telecommunication providers including Deutsche Telekom and a few advertisers and publishers to investigate the benefits of a new technical solution to facilitate digital advertising and marketing.
And then blaming us for using plastic straws, and gobbling up as much energy as they can every way possible to train algorithms and then serve ads.
If you think about it top coders in ad revenue companies like Google/FB are ad marketers.
Okay, so they ask you to opt in and you say no. IANAL but AIUI opt out or trying to force the issue (like making it a condition of service) are illegal, so if they actually follow the law pretty toothless.
I think once you sign a contract with one of these providers you’re basically signing away the rights to your personal information. GDPR won’t protect you from state actors trying to spy on the people, but it will allow you to ask a company to delete all personal information about you. The problem is that doing so will effectively end the service for you. If all mobile carriers start enforcing predatory contracts then I don’t know if GDPR will be very effective here.
Something additional will be required to stop this tracking. As it stands right now some European countries have started forcing ISPs to save logs, that’s actually worse. We must make sure that it’s well understood that the public does not want these policies. The public must also deny any party their vote if fixing this is not in their agenda. Politicians are getting away with slowly eroding our freedoms without many people noticing or speaking about it, that has to change. We need to let them know that they have zero support from us if they decide to continue in this trajectory.
> If all mobile carriers start enforcing predatory contracts then I don’t know if GDPR will be very effective here.
I thought the GDPR didn't allow signing away of privacy? Because if it does, then it's utterly useless - every webpage comes with a 100-page terms of service these days.
> As it stands right now some European countries have started forcing ISPs to save logs, that’s actually worse.
In fact the European Court of Justice declared that illegal [1], yet many countries simply ignored that ruling. You would think this would result in a large media assault about "subverting the rule of law", but I guess that's only a concern when they dislike the one doing the subverting.
> I thought the GDPR didn't allow signing away of privacy? Because if it does, then it's utterly useless - every webpage comes with a 100-page terms of service these days.
If that was the case Europeans wouldn’t have been able to use services like Facebook or iCloud.
> In fact the European Court of Justice declared that illegal
For example, Sweden did it shortly after an ISP Bahnhof advertised to its customers that it would not save logs. What seemed at the time to have fuelled this whole thing was mostly entertainment companies pushing these policies against European countries to crack down on piracy. Obviously an unsuccessful project. Many of our politicians traded our freedoms for the sake of the entertainment industry not losing money (supposedly). It didn’t serve its purpose, rather it just gave the government(s) more power over the people.
Think of who is "they" who is targeting the ads, and what "they" is collecting the data.
Telcos are not giving anything except the IP address. If you go to other websites and don't provide your data to them, all they will have is an identifier about the IP. It is that data that can be managed under GDPR, but IP in isolation means nothing.
In addition to PII, GDPR also protects against collection of IP addresses and any other identifiers that can reveal a person: "Personal data is any information that relates to an identified or identifiable living individual. Different pieces of information, which collected together can lead to the identification of a particular person, also constitute personal data. [--] Examples of personal data [--] * an Internet Protocol (IP) address" https://ec.europa.eu/info/law/law-topic/data-protection/refo...
Context has nothing to do with it. IP addresses are specifically called out in the GDPR as being one type of personal data. The fact that you're repeatedly using "PII", an American term, indicates that you are viewing this from an American point of view.
Ok, it was my mistake to call it PII. My intent was to make a distinction between user data that is collected and that needs to be given consent from the user to be processed by the service you are connecting to, and the further point is that no service is required by GDPR to ask the user "is it okay to log the IP from your request?" and that is the part that I am saying is context-dependent.
Again, it is not context-dependent. I suggest you educate yourself further on the GDPR, specifically the six legal bases upon which processing can occur.
The "six legal bases which processing can occur" ARE the context that I am talking about.
I suggest you let go with the pedantic posturing, and if you really think that GDPR has any way to actually stop these new actions from the EU telcos, go ahead and initiate legal action against them.
This is false: if they use the IP address to match the website visitor with the ISP customer, GDPR is very much relevant as GDPR restricts the use of personal data (including IP addresses) like this.
The reliable reference I can give you is the legal team from the company I was working for, who had to deal with all this shit and in the end said that session logs with IP addresses did not count as user data and therefore need not to be listed as part of "user collected data" in our privacy policy.
Another way that I can argue for this interpretation is simple: if you want to connect to a hotspot in Germany, no one asks you if you opt-in to sharing your IP addresses. These, by itself, are considered "required information to appropriate service" (or something equivalent in legalese).
The third argument I can give is a bit circular: if GDPR had any way to rule this illegal, it would already have been met by huge outcry from the proper privacy NGOs. If it has gotten to the point where the companies are announcing tryouts, it means that the networks are confident enough that they are (at least in regards to GDPR) legally in the clear.
All in all, I hope that people crying for regulations and government intervention could understand once and for all that the laws that get approved are never going to do what they wished it did. I already got into plenty of arguments here with people that believe that GDPR is effective to protect users, but this is just yet-another example of regulatory capture.
Thank you for expanding on your point and your context.
1. Courts and legal teams don't always agree. Also, privacy scenarios are nuanced: when something falls under GDPR, it's not automatically illegal and you don't necessarily need to ask for consent either or even list it in your privacy policy. You need to read what the GDPR says and see whether you are within the lines or if you need to adapt your business model, processes, tech and/or disclaimers.
2. Connecting to a hotspot does not automatically mean collecting or sharing your IP address: Yes, a hotspot needs to store the DHCP lease while it's active and the MAC address while there's traffic, but GDPR often allows such processing that is limited to what is technically necessary and obvious. It would be different if the hotspot stored the data for longer time, shared it with third parties and/or used it for other purposes. Selling data without user consent is typically illegal.
3. We don't know enough about these tryouts to assess how they plan to align with GDPR: perhaps they'll ask for consent, perhaps they don't use IP addresses, perhaps they plan to bargain a deal with the governments or pay the fines.
4. We need effective laws and luckily some laws are effective. Privacy laws and GDPR are somewhat unsettled and the ultimate effects remain to be seen, but EU courts have already ordered some significant fines in cases that have made sense so I'm still optimistic.
Correct. Another example was "If you take the vaccine then the government will be able to track your location", which also turned out to be true, from a certain point of view.[0]
Anyway, judging by the reaction to my earlier comment, I perhaps should have phrased things differently, e.g. "I'm not sure how I feel about Deutsche Telekom being chosen by the WHO to implement their global vaccine passport app, given that this is how they treat their customers' personal data".