By ICSI researchers Christian Kreibich, Nicholas Weaver and Vern Paxson, with Peter Eckersley and Cindy Cohn.
Two weeks ago, EFF published an analysis with researchers at Berkeley ICSI about the redirection of search traffic at a number of US ISPs. The company involved, Paxfire, contacted us to discuss its practices, and based upon those discussions and some further analysis we have a number of clarifications and updates to report. These clarifications are of course our own, and not Paxfire's.
Overall, Paxfire admits that it sends users' searches through its proxy servers (we call this redirection; Paxfire disagrees), and that while the proxies look at the searches for specific things, Paxfire maintains that it does not retain logs of these queries unless the user is searching for specific trademark terms using the search box in the browser. In those cases, the search and IP address are logged and the user is sent to the brand’s website directly, rather than to the search engine, and Paxfire and the ISP collect a fee for the referral. Thus, while the Paxfire technology examines and processes users’ queries and sometimes sends users a response different than the search engine results page they might have expected (and that is often even branded as a search engine in their browser), Paxfire strongly denies collecting or using any of that information for any purpose other than conducting its affiliate marketing businesses.
Based upon their representations, and assuming for these purposes that they are correct (a pending lawsuit may delve into the matter further), we agree that the blog post wasn’t clear enough about the possible differences between the fact that this data is redirected to Paxfire's proxies and what Paxfire says it actually retains, and is limited to retaining by its contracts with ISPs. We do think that the post should have been clearer on that issue. Accordingly, our blog post will be revised as follows:
- In our post we said that Paxfire "collects" copies of all search terms and results. Taking Paxfire at its word, it would be more precise to say that it “receives, examines and processes all search terms and results, but only logs a small subset of search queries that were entered into a browser search box and are related to major trademarked brands.”
- We said that "this allows Paxfire and/or the ISPs to directly monitor all searches made by the ISPs' customers and build up corresponding profiles, a process on which Paxfire holds a patent." Paxfire first disputes our characterization of "monitoring" and “profiles.” We should clarify that while the code on Paxfire's proxy servers examines and processes all affected users' searches, Paxfire maintains that its employees do not. And while it is true that Paxfire's proxies could be reconfigured to do more invasive monitoring of searches, Paxfire says that it does not do this and that its contracts with the ISPs do not allow it to do so. Again, for purposes of this blog post, we take them at their word and have removed these terms, but we will be watching the situation closely as it develops in the lawsuit and elsewhere.
- Paxfire next disputes the characterization of one of their patents as describing the construction of profiles from searches. Accordingly, we have read that patent more closely. As with many software patents, it is a complicated and ambiguous document. There is no question that the patent overall describes tracking and profiling of Internet users. For instance, it says:
"In certain embodiments, the Internet appliance may return customer-specific, geographically-relevant, and/or time-relevant content based upon a profile stored for that particular requesting computer or ISP.", and
"In addition, the result page may be built dynamically in real time and/or on-the-fly based upon profile information stored for the ISP or based upon the IP Address of the requester. The IP Address may be used to localize the requester all the way down to a known individual user and/or provide information about the geo-location of the requesting computer."
However the actual claims in the patent are only about DNS-based profiling. Accordingly, in mentioning the patent, our post should have said that this Paxfire patent has patent claims only about DNS-based profiling, and not search-term based profiling. Paxfire also asserts that this particular patent has nothing to do with its current business activities. As a result, we're removing the reference to the patent entirely.
- Paxfire has told us that it believes it has consent from the affected Internet users to perform the search redirections (and the typo-redirections, which is Paxfire’s other service) via ISPs' privacy policies and terms of service. Paxfire also claims that ISPs allow users to opt-out. We have a couple of things to say about this:
- We have read a number (although not all) of the privacy policies and terms of service of the ISPs that use Paxfire, and we respectfully disagree that they create anything resembling informed consent for Paxfire’s behavior by users. In most instances, subscribers reading these documents would have no idea that Yahoo!, Bing or Google searches in their browser are actually not going to those search engines directly and, in some cases, aren’t going to the search engines at all.
- If ISPs intend to make significant deviations from the way that Internet users expect the network to function, these changes should be opt-in, especially when the goal (as Paxfire makes crystal clear in its website come-on to ISPs) is not to serve customers as much as to leverage customer activities to create revenue for the ISP and Paxfire. This sort of business model needs to be made especially clear to the customers it affects.
Overall, while we believe these changes to our original blog post are appropriate, we remain deeply concerned by both the privacy and the network neutrality implications of Paxfire's business. We also still strongly recommend HTTPS Everywhere for users who don’t want to have to read the fine print of their ISP privacy policy in order to ensure that they are actually talking to the sites they think they are.