March 3, 2016
Today Professor Nick Feamster sent a letter to the FCC about our Working Paper on “Online Privacy and ISPs.” As with our own Working Paper, Professor Feamster says he is not taking a position on the policy debate. I agree with his statement that we “must bring more technical experts to this discussion.”
Professor Feamster writes: “To claim that ISPs cannot learn about user activity from the traffic they can see is simply not true.” We did not make any such claim. We did say there are limits on the comprehensiveness of ISP access to user information, notably including the sharp rise from 13% to 49% of encrypted traffic over the Internet backbone since April 2014.
Professor Feamster writes: “While it is true that end-to-end encryption is becoming more pervasive, this also does not by itself prevent the ISP from observing user activity from network traffic.” Our paper carefully and accurately describes the change in ISP visibility when traffic becomes encrypted, notably that content and detailed URLs are blocked from view. Other information, including the host name, length of session and number of bits transmitted, remains available to view.
Our executive summary states: “Knowing that the facts can be complex and difficult to understand, we are creating a mechanism to receive factual comments, with the intention of correcting mistakes or lack of clarity where such exist. Comments can be submitted to firstname.lastname@example.org, and any updates will appear on the website of the Institute for Information Security and Privacy at Georgia Tech.”
We intend to carefully review Professor Feamster’s letter. On initial reading, the technical facts he discusses are essentially complementary to our discussion, rather than showing inaccuracies in the statements of what we deliberately called a “Working Paper.”