Charter Communications is sending letters to its customers informing them of an “enhanced online experience” that involves Charter monitoring its users’ searches and the websites they visit, and inserting targeted third-party ads based on their web activity. Charter, which serves nearly six million customers, is requiring users who want to keep their activity private to submit their personal information to Charter via an unencrypted form and download a privacy cookie that must be downloaded again each time a user clears his web cache or uses a different browser.
Reader Matt copied The Consumerist on a letter he sent to Charter’s VP of Customer Operations and CEO:
Dear Mr. Stackhouse,
I am a high speed internet subscriber in the Fort Worth, TX area. For the last year or so I have had Charter’s 10 Megabit service and I am a satisfied customer. I am writing, however, because I am concerned by your recent letter discussing the “enhancement” that will be coming soon to my Charter web browsing experience (targeted, in-line advertisement manipulation). I appreciate Charter’s respect for my privacy, but the method that Charter has provided to opt-out of this tracking scheme is insecure and woefully inadequate.
The method that you provide to opt-out is as follows. First, a customer must visit www.charter.com/onlineprivacy. Once at the site, the customer must enter his or her complete name and address. Upon submission of this personal information, the customer must accept a cookie from Charter that indicates his or her opt-out status. While this process sounds simple on face, further consideration reveals that this opt-out method is fraught with privacy concerns and places the burden on your paying customer, rather than Charter.
The most pressing privacy issue with this opt-out method is that the opt-out form presented at the aforementioned URL is not encrypted. As I’m sure you realize, this means that a user submitting his or her address to Charter is doing so in the clear, leaving this personal information open to eavesdropping. It is not difficult to create an SSL-encrypted web form. It is troubling that Charter has not done so in this case.
The fact that this opt-out system relies on a cookie to keep users opted out is also a privacy issue. By telling customers who visit the opt-out page that, “if you delete your cookies or cache files… you will have to opt-out again,” you are encouraging users to keep those files that good privacy practices dictate should be frequently purged. Ironically, the best reason to purge one’s cookies often is to prevent internet marketers from tracking one’s behavior online.
I suggest that rather than force your customers through unending iterations of opting out of this advertising system, you should allow customers like me to opt-out at the cable modem level via a secure, encrypted form on your website. I’m glad to hear that Charter has an appreciation for my privacy, but please change your opt-out process to demonstrate that you also have an appreciation for my time and security online.
Matt’s letter focuses on the flawed opt-out clause, but the program itself, an implementation of “deep packet inspection,” is more worrying. Deep packet inspection allows an ISP to monitor not only its users’ searches and visited websites, but also the type of activity (e.g., email or peer-to-peer), which could be used for traffic shaping and threatens net neutrality.