Mon Jan 1, 0001

Mesh Routers, ISP Data Collection, and DNS Surveillance

Proprietary Mesh Routers

What Any Router Operator Sees

All device MAC addresses, all DNS queries (unless DoH/DoT), traffic volume per device, connection timestamps, destination IP addresses, which services contacted.

Google Nest WiFi / Google WiFi

Privacy policy: collects device MAC addresses, network performance data, usage statistics. Cloud services process DNS queries by default. Google Home app shows device connection/disconnection times (presence detection). Policy permits aggregation across Google services.

Amazon Eero

Privacy policy (updated post-Amazon acquisition, 2019): collects device identifiers, network usage data, ISP information. Eero routers enrolled as Amazon Sidewalk nodes by default (June 2021), sharing bandwidth for Ring, Tile, and other Amazon devices. Opt-out required.

Comcast xFi

xFi app and gateway log every connected device, connection times, data usage per device. Privacy policy permits “network usage data” for advertising. xFi Advanced Security performs deep packet inspection (inspects traffic content metadata).

  • TP-Link (2023): security researchers documented routers sending data to third-party servers
  • Netgear Armor (Bitdefender-powered): routes traffic data through Bitdefender cloud
  • Asus: FTC settlement (2016, File No. 142-3156) over security failures exposing consumer data

Business Model

Hardware sold at low margins or at cost. Value is in recurring data collection, service subscriptions, ecosystem lock-in. The router manufacturer becomes another third party holding your data.

ISP Data Collection and Selling

FCC Privacy Rules Repealed

S.J.Res. 34, signed April 3, 2017. Repealed FCC broadband privacy rules adopted October 2016. Repealed rules would have required ISPs to obtain opt-in consent before selling browsing history, app usage, location data. Post-repeal: ISPs operate under FTC’s weaker opt-out framework.

FTC Staff Report (2021)

Confirmed major ISPs collect and monetize browsing data, location data, and demographic information at scale.

Specific ISP Practices

  • Verizon: $1.35M FCC fine (2016) for undeletable “supercookies” (UIDH) tracking mobile subscribers without consent
  • AT&T: “Internet Preferences” program charged $29-$70/month MORE to opt out of browsing-data-based advertising
  • Comcast: Launched Effectv (formerly Comcast Spotlight) using subscriber viewing and network data for targeted advertising

DNS as Surveillance

Default DNS

ISP-provided DNS resolvers see every domain name queried by every subscriber in plaintext.

Google Public DNS (8.8.8.8)

Launched 2009. Policy: logs full IP addresses for 24-48 hours, retains anonymized data permanently. Google sees queries instead of ISP.

Cloudflare (1.1.1.1)

Launched April 1, 2018. Committed to purging DNS logs within 24 hours (KPMG audited). Still a centralized third party.

DNS over HTTPS (DoH) / DNS over TLS (DoT)

Encrypt DNS queries between client and resolver. ISP/network cannot see domain lookups. DoH uses port 443 (blends with HTTPS traffic). DoT uses port 853 (identifiable and blockable). Neither hides destination IP address from ISP.

ISP Opposition to DoH

2019: Major ISP trade groups (NCTA, CTIA, USTelecom) wrote to Congress opposing Mozilla’s DoH rollout in Firefox. Argued it would “centralize” DNS data. ISPs have financial interest in retaining visibility into subscriber queries.

Sources

  • S.J.Res. 34 (signed April 3, 2017)
  • FTC Staff Report on ISP privacy (2021)
  • FTC v. Asus (2016, File No. 142-3156)
  • FCC enforcement re: Verizon UIDH (2016)
  • ISP trade group letter to Congress (2019)