Upturn - What ISPs Can See v.1.0

What IP Can ee
Clarifing the technical landcape of the roadand
privac deate
March 2016
Verion 1.0
© 2016 Upturn.
Licened under a Creative Common Attriution 4.0 International Licene.
Tale of Content
1 Introduction
2 Four Ke Technical Clarification
1. Trul pervaive encrption on the Internet i till a long wa off.
2. ven with HTTP, IP can till ee the domain that their ucrier viit.
3. ncrpted Internet traffic itelf can e urpriingl revealing.
4. VPN are poorl adopted, and can provide incomplete protection.
3 Concluion
4 Aout Thi Report
Aout the Author
Introduction
In 2015, the Federal Communication Commiion (FCC) reclaified roadand
Internet ervice provider (IP) a common carrier under Title II of the
Communication Act. 1 Thi hift triggered a tatutor mandate for the FCC to
protect the privac of roadand Internet ucrier’ information. 2 The FCC i now
conidering how to craft new rule to clarif the privac oligation of roadand
provider. 3
Lat week, the Intitute for Information ecurit & Privac at Georgia Tech releaed a
working paper whoe enior author i Profeor Peter wire, entitled “Online Privac
and IP.” 4 The paper decrie itelf a a “factual and decriptive foundation” for the
FCC a the Commiion conider how to approach roadand privac. 5 The paper
ugget that certain technical factor limit IP’ viiilit into their ucrier’
online activitie. It alo highlight the data collection practice of other (non-IP)
plaer in the Internet ecotem. 6
We elieve that the wire paper, although technicall accurate in mot of it
particular, could leave reader with ome mitaken impreion aout what
roadand IP can ee. We offer thi report a a complement to the wire paper, and
an alternative, technicall expert aement of the preent and potential future
monitoring capailitie availale to IP.
We oerve that:
1. Trul pervaive encrption on the Internet i till a long wa off. The fraction of
total Internet traffic that’ encrpted i a poor prox for the privac interet of a
tpical uer. Man ite till don’t encrpt: for example, in each of three ke
categorie that we examined (health, new, and hopping), more than 85% of the top
50 ite till fail to encrpt rowing  default. Thi long tail of unencrpted we
traffic allow IP to ee when their uer reearch medical condition, eek advice
aout det, or hop for an of a wide gamut of conumer product.
2. ven with HTTP, IP can till ee the domain that their ucrier viit. Thi
tpe of metadata can e ver revealing, epeciall over time. And IP are alread
known to look at thi data — for example, ome IP analze DN quer information
for jutified network management purpoe, including identifing which of their uer
are acceing domain name indicative of malware infection.
3. ncrpted Internet traffic itelf can e urpriingl revealing. In recent ear,
computer cience reearcher have demontrated that network operator can learn a
urpriing amount aout the content of encrpted traffic without reaking or
1
weakening encrption.  examining the feature of network traffic — like the ize,
timing and detination of the encrpted packet — it i poile to uniquel identif
certain we page viit or otherwie otain information aout what the traffic
contain.
4. VPN are poorl adopted, and can provide incomplete protection. VPN have
een commerciall availale for ear, ut the are ued parel in the United tate,
for a range of reaon we decrie elow.
We agree that pulic polic need to e uilt on an accurate technical foundation, and
we elieve that thoughtful policie, epeciall thoe related to Internet technologie,
hould e reaonal rout to foreeeale technical development.
We intend for thi report to ait policmaker, advocate, and the general pulic a
the conider the technical capailitie of roadand IP, and the roader technical
context within which thi polic deate i happening. Thi paper doe not, however,
take a poition on an quetion of pulic polic.
2
Four Ke Technical Clarification
1. Trul pervaive encrption on the Internet i till a long wa off.
Toda, a ignificant portion of Internet activit remain unencrpted. When a we ite
ue the unencrpted Hpertext Tranfer Protocol (HTTP), an IP can ee the full
Uniform Reource Locator (URL) and the content for an we page requeted  the
uer. Although man popular, high-traffic we ite have adopted encrption 
default, 7 a “long tail” of we ite have not.
The fraction of total traffic that i encrpted on the Internet i a poor guide to the
privac interet of a tpical uer. The wire paper argue that “the norm ha ecome
that deep link and content are encrpted on the Internet,” aing it claim on the
true oervation that “an etimated 70 percent of traffic will e encrpted  the end
of 2016.” 8 However, thi numer include traffic from ite like Netflix, which itelf
account for aout 35% of all downtream Internet traffic in North America. 9
enitivit doen’t depend on volume. For intance, watching the full Ultra HD
tream of The Amazing pider-Man could generate more than 40G of traffic, while
retrieving the WeMD page for “pancreatic cancer” generate le than 2M. The
page i 20,000 time le data  volume, ut likel far more enitive than the movie.
(WeMD ha et to offer uer the option of ecure HTTP connection, much le to
make that option the ole or default choice.)
We conducted a rief urve of the 50 mot popular we ite in the each of three
categorie — health, new and hopping — a ranked  Alexa. 10
The Long Tail of Unencrpted We Traffic
Alexa Top 50 ite,  Categor
Categor
Percent of ite
that Do Not ncrpt
rowing  Default
xample URL for Unencrpted We ite
http://wemd.com/hiv-aid/guide/…
http://maoclinic.org/…cancer…
Health
86%
http://medicinenet.org/…eczema…
http://health.com/exual-health
http://who.int/…childhood-hearing-lo…
3
http://ntime.com/…tax-tip…
http://huffingtonpot.com/divorce
New
90%
http://video.foxnew.com/…ex-after-50…
http://time.com/…ga-right…
http://ankrate.com/det-management…
http://ikea.com/…athroom…
http://target.com/…tud-ile…
hopping
86%
http://mac.com/…maternit-clothe…
http://edathandeond.com/…acne-wah…
http://toru.com/…Toddler-To…
We found that the vat majorit of thee we ite — more than 85% of ite in each
of the three area — till do not full upport encrpted rowing  default. 11 Thee
ite included reference on a full range of medical condition, advice aout det
management, and product liting for hundred of million of conumer product. For
thee unencrpted page, IP can ee oth the full we ite URL and the pecific
content on each we page. Man ite are mall in data volume, ut high in privac
enitivit. The can paint a revealing picture of the uer’ online and offline life, even
within a hort period of time.
ite truggle to adopt encrption. From the perpective of one of thee
unencrpted we ite, it can e ver challenging to migrate to HTTP, epeciall
when the ite relie on a wide range of third-part partner for ervice including
advertiing, analtic, tracking, or emedded video. In order for a ite to migrate to
HTTP without triggering warning in it uer’ rower, each one of the third-part
partner that ite ue on it page mut upport HTTP. 12
4
Ad tracker HTTP upport rate on the Alexa top 100 new ite (via Citizenla)
Getting third-part partner to upport HTTP i a eriou hurdle, even for ite that
want to make the witch. 13 For example, in a 2015 urve of 2,156 online advertiing
ervice, more than 85% did not upport HTTP. 14 Moreover, a of earl 2015, onl
38% of the 123 ervice in the Digital Advertiing Alliance’ own dataae upported
HTTP. 15 In the figure aove, decriing the top 100 new ite, each unit of red or
urgund indicate a third-part partner that doe not upport HTTP. In order for
an one of thee new ite to provide it content to uer ecurel (without creating
warning or error meage) the puliher mut either wait for all of it red and
urgund partner to turn green, or ele aandon thoe partner on an ecure part
of it ite. The online advertiing indutr i working to improve it ecurit poture, 16
ut clearl there remain a long road ahead.
Internet of Thing device often tranmit data without encrption. It’ not onl we
ite that fail to encrpt traffic tranmitted over roadand connection. Man
Internet of Thing (IoT) device, uch a mart thermotat, home voice integration
tem, and other appliance, fail to encrpt at leat ome of the traffic that the
end and receive. 17 For example, reearcher at the Center for Information
Technolog Polic at Princeton recentl found a range of popular device — from the
Net thermotat to the Ui voice tem, to the Pixtar photo frame — tranmitting
unencrpted data acro the network. 18 “Invetigating the traffic to and from thee
device turned out to e much eaier than expected,” oerved Profeor Nick
19
5
Feamter. 19
A more uer adopt moile device, the communicate with a greater numer of
IP. Ue of moile device i growing rapidl a a portion of uer’ overall Internet
activit. The wire paper oerve that toda’ IP face a more “fractured world” in
which the have a “le comprehenive view of a uer’ Internet activit.” 20 It i true
that toda, man conumer’ peronal Internet activitie are pread out over everal
connection: a home provider, a workplace provider, and a moile provider. However,
a uer often ha repeated, ongoing, long-term interaction with oth her moile and
her wireline provider. Over time, each IP can ee a utantial amount of that uer’
Internet traffic. There’ plent of activit to go around: The amount of time U..
conumer pend on connected device ha increaed ever ear ince 2008. 21
2. ven with HTTP, IP can till ee the domain that their
ucrier viit.
The increaed ue of encrption on the We i a utantial privac improvement for
uer. When a we ite doe ue HTTP, an IP cannot ee URL and content in
unencrpted form. However, IP can till almot alwa ee the domain name that
their ucrier viit.
DN querie are almot never encrpted. 22 IP can ee the viited domain for each
ucrier  monitoring requet to the Domain Name tem (DN). DN i a pulic
director that tranlate a domain name (like „ƒ‘ˆƒ‡”‹ ƒŜ ‘) into a
correponding IP addree (like ɨɮɨŜɨɭɨŜɨɫɯŜɨɬɥ). efore the uer viit
„ƒ‘ˆƒ‡”‹ ƒŜ ‘ for the firt time, the uer’ computer mut firt learn the ite’
IP addre, o the computer automaticall end a ackground DN quer aout
„ƒ‘ˆƒ‡”‹ ƒŜ ‘.
ven if connection to „ƒ‘ˆƒ‡”‹ ƒŜ ‘ are encrpted, DN querie aout
„ƒ‘ˆƒ‡”‹ ƒŜ ‘ are not. In fact, DN querie are almot never encrpted. IP
could impl monitor what querie it uer are making over the network.
Collection and ue of DN querie  IP i practical, i cot effective, and
happen toda on IP network. ecaue the uer’ computer i aigned  default
to ue the IP’ DN erver, the IP i generall capale of retaining and analzing
record of the querie, which the uer themelve end to the IP in the normal
coure of their rowing. The wire paper aert that it “appear to e impractical
and cot-prohiitive” to collect and ue DN querie, ut cite no technical or other
authorit for that aement. 23 Our technical experience indicate that logging i
oth feaile and relativel cheap to do: Modern networking equipment can eail log
thee requet for later anali. Moreover, even if the uer’ computer i peciall
configured to ue an external DN erver (not operated  the uer’ IP), the DN
querie mut till reach that external erver unencrpted, and thoe querie mut till
travel over the IP’ network, creating the opportunit to inpect them.
In fact, IP alread do monitor uer DN querie for valid network management
purpoe, including to detect potential infection of maliciou oftware on uer
device. 24 Certain domain name are ued olel  maliciou oftware tool, and real
uer traffic can e analzed to identif and lock uch domain. 25 Moreover, when an
individual uer viit a compromied domain, thi i a trong ign that one or more of
6
that uer’ device i infected, and commerciall availale tool allow IP to notif
the uer aout the potential infection. 26 According to literature from a network
equipment vendor, Comcat currentl deplo thi ecurit-focued, per-ucrier
DN monitoring functionalit on it network. 27
Reearcher in 2011 alo found that everal mall IP were alread leveraging their
role a DN provider to not onl monitor, ut activel interfere with, DN reolution
for their uer. 28 To e clear, we are not aware of an evidence that large IP have
et egun to ue DN querie in privac-invaive wa, much le to interfere with
ucrier’ querie along the line detected in 2011. We oerve here onl that it i
technologicall feaile toda for IP oth to monitor and to interfere with DN
querie.
Although network ecurit i not utantiall impacted  a modet to moderate
amount of VPN uage, there are meaningful engineering downide to a future in
which mot or all DN querie are crptographicall concealed from the end uer’
IP. (uch a future could, for example, make it more difficult for IP to provide earl
and detection and wift repone for ome kind of malware attack.) At the ame
time, a long a the uer’ DN querie are viile to the IP for network management
purpoe, the IP will alo have a technologicall feaile option to analze thoe
querie in wa that would compromie uer privac.
ven a hort erie of viited domain from one ucrier can e enitive. A
pivotal moment in a uer’ life, for example, could generate the following log at the
uer’ IP (auming the uer han’t inveted in pecial privac tool):
ƃɩɥɨɬŵɥɪŵɥɰɨɯśɪɫśɫɫƄƒ„‘”–‹‘ˆƒ –•Ŝ ‘
ƃɩɥɨɬŵɥɪŵɥɰɨɯśɪɬśɩɪƄ’Žƒ‡†’ƒ”‡–Š‘‘†Ŝ‘”‰
ƃɩɥɨɬŵɥɪŵɥɰɨɯśɫɩśɩɰƄ† ƒ„‘”–‹‘ˆ—†Ŝ‘”‰
ƃɩɥɨɬŵɥɪŵɥɰɨɰśɥɩśɨɩƄƒ’•Ŝ‰‘‘‰Ž‡Ŝ ‘
Over a longer period of time, metadata can paint a revealing picture aout a
ucrier’ hait and interet. A other polic dicuion have made clear in
recent ear, metadata i ver revealing over time. 29 For example, in the context of
telephon metadata, the Preident’ Review Group on Intelligence and
Communication Technologie found that “the record of ever telephone call an
individual make or receive over the coure of everal ear can reveal an enormou
amount aout that individual’ private life.” 30 The Group went on to note that “[i]n a
world of ever more complex technolog, it i increaingl unclear whether the
ditinction etween ‘meta-data’ and other information carrie much weight.” 31
Thi reaoning applie with equal trength to domain name, which we elieve are
likel to e even more revealing than telephone record. uch a lit of domain could
alo indicate the preence of variou “mart” device in the ucrier’ home, aed
on the known domain that thee device automaticall connect to. 32
3. ncrpted Internet traffic itelf can e urpriingl revealing.
ncrption top IP from impl reading content and URL information directl off
the wire. However, it i important to undertand that encrption till leave open a
wide variet of other, le direct method for IP to monitor their uer if the
7
choe.
A growing od of computer cience reearch demontrate that a network operator
can learn a urpriing amount aout the content of encrpted traffic without
reaking or weakening encrption.  examining the feature of the traffic — like the
ize, timing and detination of the encrpted packet — it i poile to uniquel
identif certain we page viit or otherwie reveal information aout what thoe
packet likel contain. In the technical literature, inference reached in thi wa are
called “ide channel” information.
ome of thee method are alread in ue in the field toda: in countrie that cenor
the Internet, government authoritie are ale to identif and dirupt targeted data
acce aed on it econdar trait even when acce i encrpted. Concerningl,
uch nation often rel on Wetern technolog vendor, whoe advanced product
allow cenor increaingl to analze and act on traffic at “line peed” (that i, in real
time, a the data pae through a network). 33
The ide channel method that we decrie elow are likel not ued (or at leat not
widel ued)  IP toda. ut a encrption pread, thee technique might
ecome much more compelling. Policmaker hould have a clear undertanding of
what’ poile for IP to learn, oth now and in the future.
Identifing pecific ite and page. We ite fingerprinting i a well-known
technique that allow an IP to potentiall identif the pecific encrpted we page
that a uer i viiting. 34 Thi technique leverage the fact that different we ite
have different feature: the end differing amount of content, and the load
different third-part reource, from different location, in different order. 
examining thee feature, it’ often poile to uniquel identif the pecific we
page that the uer i acceing, depite the ue of trong encrption when the we
ite i in tranit.
Reearcher have pulihed numerou tudie on the topic of we ite fingerprinting.
In one earl tud uing a relativel aic technique, reearcher found that
approximatel 60% of the we page the tudied were uniquel identifiale aed on
uch unconcealed feature. 35 Later tudie have introduced more advanced
technique, a well a poile countermeaure. ut even with variou defene in
place, reearcher were till ale to ditinguih preciel which out of a hundred
different ite a uer wa viiting, more than 50% of the time. 36
Thi od of reearch illutrate that decrpting a communication in’t necearil
the onl wa to “ee” it. The wire paper aert that “[w]ith encrpted content, IP
cannot ee detailed URL and content even if the tr.” 37 To e full accurate,
however, that claim require qualification: IP generall cannot decrpt detailed
URL and content. ut, thi cla of reearch demontrate that with ome amount of
effort, it would indeed e feaile for IP to learn detailed URL (and through thoe
URL, in ome intance, the actual content of we page) in a range of real-world
ituation.
8
The autocomplete feature on Google’ earch engine.
Deriving earch querie. Popular earch engine — like Google, Yahoo and ing —
provide a uer-friendl feature called auto-ugget: after the uer enter each
character, the earch engine ugget a lit of popular earch querie that match the
current prefix, in an attempt to gue what the uer i earching for.  analzing the
ditinctive ize of thee encrpted uggetion lit that are tranmitted after each
ke pre, reearcher were ale to deduce the individual character that the uer
tped into the earch ox, which together reveal the uer’ entire earch quer. 38
Inferring other “hidden” content. Reearcher have applied imilar method to infer
the medical condition of uer of a peronal health we ite, and the annual famil
income and invetment choice of uer of a leading financial we ite — even though
oth of thoe ite are onl reachale via encrpted, HTTP connection. 39 (Again,
the reearcher otained thee reult without decrpting the encrpted traffic.)
Other reearcher of ide-channel method have een ale to recontruct portion of
encrpted VoIP converation, 40 and uer action from within encrpted Android
app. 41
uch example have led reearcher to conclude that ide-channel information leak
on the we are “a realitic and eriou threat to uer privac.” 42 Thee tpe of leak
are often difficult or expenive to prevent. There ha een ignificant computer
cience reearch into practical defene to defeat thee ide-channel method. ut
a one group of reearcher concluded, “in the context of weite identification, it i
unlikel that andwidth-efficient, general-purpoe [traffic anali] countermeaure
can ever provide the tpe of ecurit targeted in prior work.” 43
Thee method are in the la toda — not et in the field, a far a we know. ut the
path from computer cience reearch to widepread deploment of a new technolog
can e hort.
4. VPN are poorl adopted, and can provide incomplete protection.
One wa that ucrier can protect their Internet traffic in tranit i to ue a virtual
private network (VPN). VPN are often found in uine etting, enaling emploee
who are awa from the office to connect ecurel over the Internet to their
compan’ internal network (often with etup help from the emploer’ IT
department). When uing a VPN, the uer’ computer etalihe an encrpted tunnel
to the VPN erver (a, the one operated  the emploee’ compan) and then,
depending on the VPN configuration, end ome or all of the uer’ Internet traffic
through the encrpted tunnel.
The wire paper preent VPN (and other encrpted prox ervice) a an up-andcoming ource of protection for ucrier. 44 However, there are reaon to
quetion whether VPN will in fact have a ignificant impact on peronal Internet ue
9
in the United tate.
U.. ucrier rarel make peronal ue of VPN. VPN have een commerciall
availale for ear, ut the are ued parel in the United tate. According to a
2014 urve cited  the wire paper, onl 16% of North American uer have ued a
VPN (or a prox ervice) to connect to the Internet. 45 Thi figure decrie the
percent of uer who have ever ued a VPN or a prox efore — not thoe who ue
uch ervice on a conitent or dail ai, which i what protection from peritent
IP monitoring would actuall require. Moreover, man of the 16% of uer who have
ued a VPN are likel uine uer, rather than peronal uer looking to protect
their privac. It i fair to conclude that onl a ver mall numer of U.. uer actuall
ue a VPN or prox ervice on a conitent ai for peronal privac purpoe.
Moreover, everal adoption hurdle are likel to deter unophiticated uer. Reliale
VPN can e cotl, requiring an additional paid monthl ucription on top of the
uer’ Internet ervice. The alo low down the uer’ Internet peed, ince the
route traffic through an intermediate erver. (There are free VPN ervice availale,
ut ucrier generall get what the pa for. 46 )
Relative to other countrie, the rate of VPN ue in the U.. i among the lowet in the
world. 47 VPN ue i much more pronounced in other countrie like Indoneia, Thailand
and China, where Internet uer turn to VPN a wa to circumvent online cenorhip,
and to activel gain acce to retricted content. 48
VPN are not a privac ilver ullet. The ue of VPN and encrpted proxie merel
hift uer trut from one intermediar (the IP) to another (the VPN or prox
operator). In order to more thoroughl protect their traffic from their IP, a
ucrier mut entrut that ame traffic to another network operator.
Furthermore, VPN ma not protect uer a well a the wire paper might lead
reader to elieve. The paper tate that “Where VPN are in place, the IP are
locked from eeing . . . the domain name the uer viit.” 49 ut thi i not alwa
true: whether IP can ee the domain name that uer viit depend entirel on the
uer’ VPN configuration — and it would e quite difficult for non-expert to tell
whether their configuration i properl tunneling their DN querie, let alone to know
that thi i a quetion that need to e aked. Thi i particularl common for
Window uer. 50
10
Concluion
Toda, IP can ee a ignificant amount of their ucrier’ Internet activit, and
have the ailit to infer utantial amount of enitive information from it. Thi i
epeciall true when that traffic i unencrpted. However, even when Internet traffic
i encrpted uing HTTP, IP generall retain viiilit into their ucrier’ DN
querie. Detailed anali of DN quer information on a per-ucrier ai i not
onl technicall feaile and cot-effective, ut actuall take place in the field toda.
Moreover, IP and the vendor that erve them have clear opportunitie to develop
method of inferring important information even from encrpted data flow. VPN are
one tool that ucrier can ue to protect their online activitie, ut VPN are
poorl adopted, can e difficult to ue, and often provide incomplete protection.
We hope that thi report will contriute to a more complete undertanding of the
technical capailitie of roadand IP, and the roader technical context within
which the roadand privac deate i happening.
11
Aout Thi Report
Thi report i deigned to provide technical grounding for policmaker and other
intereted partie, regarding the extent of IP viiilit into the activitie of their
ucrier.
The report aim to provide technical information onl, and i not intended to take a
poition on an matter of pulic polic.
Reader who identif an factual error in thi report, or who have other feedack
regarding it content, are warml invited to contact u at hello@teamupturn.com.
Thi report wa upported  the Media Democrac Fund.
Aout the Author
Aaron Rieke i a Principal at Upturn. Previoul, he erved a an attorne in the
Federal Trade Commiion’ Diviion of Privac and Identit Protection and a a Ron
Pleer Fellow at the Center for Democrac & Technolog. He earned hi J.D. at
erkele Law.
David Roinon i a Principal at Upturn, with a hrid ackground in law and
technolog polic. David hold a J.D. from Yale Law chool, and previoul erved a
the inaugural Aociate Director of Princeton Univerit’ Center for Information
Technolog Polic.
Harlan Yu i a Principal at Upturn. He hold a Ph.D. in computer cience from
Princeton Univerit and ha extenive hand-on experience working on technolog
polic iue. He received hi .. in electrical engineering and computer cience
from UC erkele.
12
ndnote
1
Federal Communication Commiion, Protecting and Promoting the Open
Internet, No. 14-28, 30 FCC Rcd. 5601, 2015 WL 1120110 (FCC Fe. 26, 2015)
(reclaifing roadand Internet ervice provider a common carrier under Title II
of the Communication Act).
2
ee generall 47 U..C. § 222 (concerning the privac of cutomer information in
the context of telecommunication ervice). ee alo H.R. Rep. No. 104- 458, at 204
(1996) (Conf. Rep.).
3
ee generall Federal Communication Commiion, “Pulic Workhop on
roadand Conumer Privac” (Apr. 2015), http://www.fcc.gov/newevent/event/2015/04/pulic-workhop-on-roadand-conumer-privac.
4
Peter wire et al., “Online Privac and IP: IP Acce to Conumer Data i
Limited and Often Le than Acce  Other” (Fe. 29, 2016),
http://www.iip.gatech.edu/ite/default/file/image/online_privac_and_ip.pdf
(hereinafter “wire paper”). Throughout thi report, we refer to the Feruar 29, 2016
verion of the wire paper, which ma change in the future.
5
wire paper, at 6.
6
ee generall wire paper, at 6-14.
7
wire paper, at 36-37.
8
wire paper, at 3.
9
andvine, “Gloal Internet Phenomena potlight: ncrpted Internet Traffic” at 4
(2015), http://www.andvine.com/download/general/gloal-internetphenomena/2015/encrpted-internet-traffic.pdf (hereinafter “andvine 2015
report”).
10
Alexa, Top ite  Categor, http://www.alexa.com/topite/categor (lat
viited March 5, 2016).
11
To compile the figure in the tale aove, we viited each ite lited in Alexa’
“Top ite  Categor” liting for the categorie of Health, New, and hopping
uing the Google Chrome we rower on March 5, 2016. We counted a we ite a
having “ncrpted rowing naled  Default” if the ite ued an HTTP connection
after clicking through the we ite (e.g., looking up a particular medical condition,
reading new torie, or rowing product liting). Man hopping we ite,
including Amazon.com, witch to HTTP onl after a uer initiate a checkout proce
or acce a private account page. However, ecaue uch we ite till tranmitted
lot of “hopping” ehavior over HTTP connection, we did not claif them a
“ncrpted rowing naled  Default.”
12
itan Koningurg, Rajiv Pant & lena Kvochko, “mracing HTTP,” N.Y. Time
13
- OPN log (Nov. 13, 2015),
http://open.log.ntime.com/2014/11/13/emracing-http. (“To uccefull
move to HTTP, all requet to page aet need to e made over a ecure channel.
It’ a daunting challenge, and there are a lot of moving part. We have to conider
reource that are currentl eing loaded from inecure domain — everthing from
Javacript to advertiement aet.”) (hereinafter “mracing HTTP”).
13
mracing HTTP (“Conidering the importance of advertiement, thi i ver
likel to e a ignificant hurdle to man media organization’ implementation of
HTTP.”).
14
Andrew Hilt, "ome impreion on Internet advertier ecurit," The Citizen
La (Mar. 30, 2015), http://citizenla.org/2015/03/ome-impreion-on-internetadvertier-ecurit.
15
Id.
16
rendan Riordan-utterworth, “Adopting ncrption: The Need for HTTP,”
IA (Mar. 25, 2015), http://www.ia.com/adopting-encrption-the-need-for-http.
17
Nick Feamter, "Who Will ecure the Internet of Thing?," Freedom to Tinker
(Jan. 29, 2016), http://freedom-to-tinker.com/log/feamter/who-will-ecure-theinternet-of-thing.
18
Id.
19
Id.
20
wire paper, at 24.
21
Danl oomworth, "Moile Marketing tatitic compilation," mart Inight
(Jul. 22, 2015), http://www.martinight.com/moile-marketing/moile-marketinganaltic/moile-marketing-tatitic.
22
. ortzmeer, DN Privac Conideration, Internet ngineering Tak Force,
Augut 2015, http://tool.ietf.org/html/rfc7626 ("Almot all thi DN traffic i
currentl ent in clear (unencrpted)."). In addition, aide from DN, an encrpted
connection ometime expoe it own domain name  deign, in the header of the
encrpted packet. Thi i called erver Name Indication (NI). We won’t get into the
technical weed here aout NI, ut uffice it to a that there are multiple wa for
IP to collect thi information.
23
wire paper, at 15 (claiming that “it appear to e impractical and cotprohiitive” for IP to collect and ue DN lookup data).
24
ee, e.g., Xerocole Partner with Damalla for otnet Detection on Carrier
Network, Pre Releae (Aug. 6, 2012),
http://www.reuter.com/article/idU129911+06-Aug-2012+W20120806 (explaining
that “Damalla CP protect ome of the larget cale and wirele IP network in
the world.  monitoring DN activit to detect infected ucrier, Damalla CP i a
‘light weight,’ highl calale and powerful olution for identifing network aue and
infected ucrier.”) (emphai added.)
25
ee, e.g., Mano Antonakaki, Roerto Perdici, David Dagon, Wenke Lee & Nick
Feamter, “uilding a Dnamic Reputation tem for DN,” 19th UNIX ecurit
mpoium, Wahington D.C. (Aug. 11, 2010), availale at
http://www.uenix.org/legac/event/ec10/tech/full_paper/Antonakaki.pdf
(decriing a ecurit tem that “ue paive DN quer data[,] uild model of
known legitimate domain and maliciou domain, and ue thee model to compute
a reputation core for a new domain indicative of whether the domain i maliciou or
14
legitimate,” noting that the author “have evaluated [the tem] in a large IP’
network with DN traffic from 1.4 million uer,” and oerving that the tem “can
identif maliciou domain with high accurac (true poitive rate of 96.8%) and low
fale poitive rate (0.38%), and can identif thee domain week or even month
efore the appear in pulic lacklit.”).
26
ee, e.g., Damalla CP: Advanced Threat Protection for Communication
ervice Provider (product rochure), availale at http://www.damalla.com/wpcontent/upload/2014/08/Damalla-CP.pdf (explaining that the compan’ tem
“monitor DN traffic [of] million of ucrier” with “[z]ero impact to network
performance,” “[a]utomaticall detect compromied ucrier IP addree,”
“[c]apture maliciou querie and correlate finding to generate infection report,”
and “[e]nale ucrier notification” o that ucrier can diinfect their
machine).
27
Id. (quoting an unnamed Comcat executive a aing that “Comcat i uing
otnet detection ervice from Damalla to recognize the command-and-control
erver and will notif cutomer whoe computer are found to e communicating
with thoe erver.”).
28
Chao Zhang et al., “Inflight Modification of Content: Who Are the Culprit?,”
LT (2011),
http://www.uenix.org/legac/event/leet11/tech/full_paper/Zhang.pdf. ee alo
Nate Anderon, “mall IP ue 'maliciou' DN erver to watch We earche, earn
cah,” Ar Technica (Aug. 5, 2011), http://artechnica.com/techpolic/new/2011/08/mall-ip-turn-to-maliciou-dn-erver-to-make-extracah.ar.
29
ee generall The Preident’ Review Group on Intelligence and
Communication Technologie, “Liert and ecurit in a Changing World” (Dec. 12,
2014), availale at http://www.whitehoue.gov/ite/default/file/doc/2013-1212_rg_final_report.pdf (hereinafter “Preident’ Intelligence Review”); ee alo
Tetimon of dward W. Felten, “enate Hearing on Continued Overight of the
Foreign Intelligence urveillance Act” (Oct. 2, 2013) at 8, availale at
http://www.c.princeton.edu/~felten/tetimon-2013-10-02.pdf (“Although thi
metadata might, on firt impreion, eem to e little more than “information
concerning the numer dialed,” anali of telephon metadata often reveal
information that could traditionall onl e otained  examining the content of
communication. That i, metadata i often a prox for content.”); ee alo Jonathan
Maer, “MetaPhone: The enitivit of Telephone Metadata” (Mar. 12, 2014),
http://wepolic.org/2014/03/12/metaphone-the-enitivit-of-telephonemetadata.
30
Preident’ Intelligence Review, at 116-117.
31
Preident’ Intelligence Review, at 120-121.
32
Nick Feamter, "Who Will ecure the Internet of Thing?," Freedom to Tinker
(Jan. 29, 2016), http://freedom-to-tinker.com/log/feamter/who-will-ecure-theinternet-of-thing.
33
ee e.g., Citizenla, “ehind lue Coat: Invetigation of commercial filtering in
ria and urma” (Nov. 9, 2011), http://citizenla.org/2011/11/ehind-lue-coat.
34
ee e.g., huo Chen, Rui Wang, XiaoFeng Wang & Kehuan Zhang, “ide-Channel
Leak in We Application: a Realit Toda, a Challenge Tomorrow,” at 3 (2010),
availale at http://reearch.microoft.com/pu/119060/WeAppideChannel-
15
final.pdf (hereinafter “We ide Channel”).
35
ee Qixiang un, Daniel R. imon, Yi-Min Wang, Wilf Ruell, Venkata N.
Padmanahan & Lili Qiu, “tatitical Identification of ncrpted We rowing Traffic”
(2002), availale at http://reearch.microoft.com/app/pu/default.apx?id=69918.
36
ee Xiang Cai, Xin Cheng Zhang, rijeh Johi & Ro Johnon, “Touching from a
Ditance: Weite Fingerprinting Attack and Defene” (2012), availale at
http://www3.c.tonrook.edu/~xcai/fp.pdf.
37
wire paper, at 23.
38
We ide Channel, at 6. (“Interetingl, the auto-uggetion in fact caue a
catatrophic leak of uer input, ecaue the attacker can effectivel diamiguate the
uer’ actual input after ever ketroke  matching the ize of the repone
carring the uggetion lit.”). The wire paper aert that “[w]hen the earch i
performed over an HTTP connection, a ha ecome the norm, the IP can onl ee
which earch engine wa ued . . . ut not the earch quer . . . .” However, while it i
true that IP can no longer directl oerve the earch quer in plaintext on the wire,
that i not the IP’ onl option. An IP that mimic the technique demontrated 
thee reearcher might till learn the earch querie that uer entered.
39
ee We ide Channel.
40
ee Andrew M. White, Autin R. Matthew, Kevin Z. now & Faian Monroe,
“Phonotactic Recontruction of ncrpted VoIP Converation: Hookt on fon-ik,” in
Proceeding of the I mpoium on ecurit and Privac, at 3-18 (Ma 2011),
availale at http://www.c.unc.edu/~faian/paper/fonik-oak11.pdf.
41
ee Mauro Conti, Luigi V. Mancini, Riccardo polaor & Nino V. Verde, “Can’t You
Hear Me Knocking: Identification of Uer action on Android App via Traffic Anali”
(Jul. 2014), availale at http://arxiv.org/pdf/1407.7844.pdf.
42
We ide Channel, at 1.
43
Kevin P. Der, cott . Coull, Thoma Ritenpart & Thoma hrimpton, “Peeka-oo, I till ee You: Wh fficient Traffic Anali Countermeaure Fail,” at 1
(2012), availale at http://ieeexplore.ieee.org/tamp/tamp.jp?
tp=&arnumer=6234422.
44
wire paper, at 34 (“At leat 30 million people in the U.. ue a VPN or other
prox ervice . . . Thi numer likel will clim harpl in coming ear.”).
45
Thi tatitic i actuall larger than the fraction of uer that are relevant to thi
dicuion, ince man prox ervice are not encrpted. Jaon Mander, “GWI
Infographic: VPN Uer,” GloalWeIndex (Oct. 24, 2014),
http://www.gloalweindex.net/log/vpn-infographic.
46
William Van Winkle, “The Pro and Con Of Uing A VPN Or Prox ervice,”
Tom’ Hardware (Mar. 28, 2015), http://www.tomhardware.com/review/vpn-vprox-ervice,4087.html (“You do get what ou pa for.”).
47
GloalWeIndex, “The Miing illion,” at 9 (2014),
http://inight.gloalweindex.net/h-f/hu/304927/file-1631708567pdf/GWI_The_Miing_illion_2014.pdf?t=1441899050488 (“It’ aundantl clear
that VPN uage i mot pronounced in fat-growth nation. . . . In contrat, uage i
conideral le common in the mot mature internet market – with the UA,
Canada, France, the UK, Autralia and Japan coming at the ver ottom of the
tale.”); Chri mith, “erioul Dark Traffic: 500 Mil. People Gloall Hide Their IP
Addree,” Digida (Nov. 18, 2013), http://digida.com/puliher/vpn-hide-ip-
16
addre-ditort-analtic (“Fift percent of thee 410 million VPN uer a the jut
want acce to etter entertainment content, according to a GloalWeIndex urve
of 170,000 individual pread acro 32 countrie. Twent-eight percent a the do
o for acce to new and ocial networking ite, and to remain anonmou.”).
48
Id.
49
wire paper, at 31. (“Where VPN are in place, the IP are locked from eeing
the deep link and content (a with other encrption), and alo the domain name the
uer viit.”).
50
Vaile C. Perta, Marco V. arera, Gareth Ton, Hamed Haddadi & Aleandro
Mei, “A Glance through the VPN Looking Gla: IPv6 Leakage and DN Hijacking in
Commercial VPN client”, 1 Proc. Privac nhancing Technologie 84 (2015), availale
at http://petmpoium.org/2015/paper/02_Perta.pdf (“In particular, Window
doe not have the concept of gloal DN etting, rather, each network interface can
pecif it own DN. Due to the wa Window procee a DN reolution, an dela
in a repone from the VPN tunnel ma trigger another DN quer from a different
interface, thu reulting in a leak. . . . Under certain configuration, ome VPN client
do not change the DN etting, leaving the hot’ exiting DN erver a the default.
For intance, we oerved that the dektop verion of HideMA (v1.17) doe not
et a cutom DN when uing OpenVPN.”).
17