This information, although not new, sheds light on the misconception prevalent even amongst industry professionals today that ISPs only retain customer usage data related to IP address assignment. If they were to sell browsing data with corresponding timestamps to government agencies, it could theoretically allow them to perform large-scale traffic correlation attacks on unsuspecting Tor and VPN users.
The indiscriminate collection of large amounts of data may be abused, as it enables law enforcement to bypass 4th amendment protections by accessing an individual’s private information already on file from a prior unrelated investigation, for example. Otherwise, the article was shared to inform readers about unconventional deanonymizing methods.
In the TV show Blue Bloods, my favorite scene occurs when the Chief of Police confronts a cell phone company CEO. They portray him as a strawman and attempt to guilt-trip him into providing them with backdoor access to everyone’s phones.
The practice of deanonymizing individuals by cross-referencing bulk webpage visitation data within known windows of time that they visited those separate pages, while previously known to be theoretically possible, has now been shown to be actively employed by law enforcement. This emphasizes the significance of employing a VPN at all times and maintaining a high degree of separation between online identities to hinder comparisons based on similarity.
In 2017, Trump revoked regulations put in place by the Obama administration that would have compelled ISPs to obtain user consent before selling their browsing data.