Your internet history on sale to highest bidder: US Congress votes to shred ISP privacy rules
As House passes law, here's what you should do about it
The US House of Representatives has just approved a "congressional disapproval" vote of privacy rules, which gives your ISP the right to sell your internet history to the highest bidder.
This follows the same vote in the Senate last week. Just prior to the vote, a White House spokesman said the president supported the bill, meaning that the decision will soon become law.
This approval means that whoever you pay to provide you with internet access – Comcast, AT&T, Time Warner Cable, etc – will be able to sell everything they know about your use of the internet to third parties without requiring your approval and without even informing you.
Your ISP already knows quite a lot about you: your name and address, quite possibly your age, and a host of other personally identifiable information such as your social security number. That's on the customer information side. On the service side, they know which websites you visit, when, and how often.
That information can be used to build a very detailed picture of who you are: what your political and sexual leanings are; whether you have kids; when you are at home; whether you have any medical conditions; and so on – a thousand different data points that, if they have sufficient value to companies willing to pay for them, will soon be traded without your knowledge.
As one high-profile venture capitalist recently discovered, your previous search history can also impact what result you see in future. Although in his case, he probably wishes he hadn't publicly criticized Apple on Twitter for giving him the details of a porn actress at the top of his search results.
The precise user profiles that can be built using this data are worth their weight in gold to advertisers, and explains why Google and Facebook are two of the world's largest companies despite only being a search facility and an online noticeboard.
In fact, thanks to a quirk that resulted from efforts to make such selling of personal information illegal, we know how much that information is worth to your ISP: $30 per household per month. That jumps to $60 per month if you get internet access through your cable provider – which most Americans do – because it also enables the company to monitor your TV usage and connect the two.
With over 100 million households online in the United States, that means Congress has just given Big Cable an annual payday of between $35bn and $70bn.
It is difficult to underestimate the impact that the shift away from data privacy to open season on personal information sales may have. With cable companies now given strong financial incentive to draw on user information and habits, and with the stick of regulatory intervention effectively thrown away, it may result in significant societal changes.
The irony is that just a few months ago the situation was the polar opposite.
When US comms watchdog the FCC controversially declared that broadband providers were "common carriers" along the same lines as telephone companies, one of the many impacts was that it pulled enforcement of data privacy rules away from US trade watchdog the FTC and gave it to the FCC (which has very limited experience in consumer issues).
As a result of that, the FCC passed new privacy rules that are a little stronger than FTC rules, mostly in that they are preemptive and that they require ISPs to give customers an opt-in option for their most sensitive information – in other words, they have to actively get your permission before selling that data.
This opt-in issue is what exposed the value of such data to ISPs: when Google launched its Fiber Gigabit offering in various cities for just $70 a month, AT&T responded by offering pretty much the same service at the same price point – but to get that price you had to agree to be a part of its "Internet Preferences" program, which gave it permission to examine your web traffic and sell it on.
Take that "service" off and the price jumped $29 per month. If you also had TV or phone service, the price jumped $60 per month.
Meanwhile, back at the FCC, thanks to presidential politics and the election of Donald Trump, two commissioners – both Democrats – left. That meant the two Republican commissioners held a majority.
The new chair, Ajit Pai, killed off the new FCC privacy rules literally days before they were due to take effect, leaving a situation where ISPs are no longer under FTC jurisdiction and there are no FCC rules for them to adhere to.
On top of that, Congressional use of what was an obscure piece of legislation until two months ago – the Congressional Review Act – effectively introduces a permanent ban on the FCC rules. Privacy rules that are "substantially similar" cannot be reintroduced without the approval of Congress now that the "congressional disapproval" vote has passed.
So, unless the FCC or Congress scrap the net neutrality rules that pulled ISPs under the FCC's jurisdiction – something which, if it does happen, is going to take some time – the result of the vote, for ISPs, is that they have an open field to sell their customers' data. Critically, however, the situation looks set to stay unchanged for several years, and that gives ISPs an incentive to build new systems that provide maximum financial return on selling customer data. In short, the constraints are off.
What are we looking at in reality?
So, setting aside hyperbole or extrapolation, what does this actually mean for end users? What can ISPs really see? And what can they really sell?
Well, at the moment, it gives them the right to effectively sell ads like Facebook and Google. Both these companies build up a huge amount of information on individual users and then sell them. They sell the data in aggregate and keep a tight control on the fine details.
That means that a company selling, say, a new electric car, will be able to pay Facebook to put its ads in front of you based on its own criteria: we are targeting families with parents aged between 30 and 45 who live in the San Francisco Bay Area.
Facebook knows who you are because you are permanently logged into Facebook, and not only do you post a lot of information there but you also use your Facebook login to get into other sites. Facebook pulls all this information together, figures out who you are, and then sends you ads that are included in its massive pool of ads.
Google does the same thing in a different way: it uses your search results, it may use the Chrome browser, and it uses its various services – Gmail being the big one – to build up a profile of who you are. You are probably always logged into Gmail, and you have Chrome as your default browser – so everything you do potentially finds its way back to Google and they aggregate and sell it.
ISPs now have this power too. Except they have one huge advantage: they don't have to get you to log or opt into anything.
If you log out of Gmail, and you switch your search engine to something that is not Google, then Google effectively goes blind. Likewise, if you log out of Facebook (and any sites you used Facebook to log into) and delete all the cookies it has installed on your system, it also goes blind.
Not so your ISP – your ISP sees everything you are doing because its service is your very internet connection. Even if you use the "incognito" mode that many browsers offer where you can't be tracked by cookies, your ISP can still see where you are going because it has to go get the information from the websites you are looking at.
Now, the really big question is: can your ISPs see the content of your online interactions? Can it read your emails? Can it read your search results? Can it store and search through the words you typed into a webpage?
And the answer is: yes, sometimes.
If the website you visit is not secured with HTTPS – meaning that any data between you and the website is encrypted – then your ISP can see exactly what you are doing.
Now, this scary reality is tempered by two things: first, a majority of websites these days, especially big ones, use HTTPS. And second, it is a lot of hassle for ISPs to take this enormous quantity of information and make something valuable out of it.
In short, it is not worth the cost of searching through your (and millions of others') web traffic to find information that they can sell. What they make from that will not cover the costs of searching. But that may change with this Congressional vote: the economics may shift in favor of searching that traffic.
It is a certainty that ISPs will run experiments to see if they can make money from digging into this information. Pharmaceutical companies in particular pay a lot of money for information on users looking for specific drugs, because they can potentially make thousands of dollars from getting people using their particular drug.
Again, ISPs have always been able to do this, however with this congressional vote, they don't have to fear the FTC landing them with a multi-million-dollar fine. They don't have to disclose to anyone that they are doing this. And they don't have to fret that the hands-on FCC will come after them either. It is a free-for-all with potentially billions of dollars there for the taking.
What to do
So, the logical question is: what can you do about it?
Well, we'll leave aside contacting your Congressional representative to complain, because the vote's already gone through and there's not much that's going to change that reality right now. And we'll leave aside the Congressional elections in two years that could change Washington dynamics back in favor of user privacy.
What can you do today, right now, on your computer to limit what other companies can do with your data?
We have five general suggestions:
- Use Tor or a VPN
If you connect to the Tor anonymizing system, or use Tor's browser, your ISP will only know that you have connected to Tor; from there it loses the data trail. Of course the downside to this is that your browsing will be slower.
Be aware, your unencrypted traffic to websites outside the Tor network passes through a complete stranger's exit node: the person running the exit node can watch what you're doing. All you've done is move from your ISP snooping on you to an exit node admin watching you. On the other hand, you'll cycle through different exit nodes, so it's harder to be identified and tracked by websites outside the Tor network.
A virtual private network is an alternative that will work for lots of people, especially if your work has a VPN service that you can use for free. This again will cut off your ISP's ability to see what you are doing.
But – and this is a big but – do some research on your VPN provider. Do NOT use a free VPN provider because they face even stronger financial temptations to sell your information. If you use a VPN, you are effectively giving that company the same level of insight into your online life as your ISP. So pay for one, and check out their policies on what they do with the data they build on you.
In short, unless you have a work VPN service you can use, you are going to have to pay to hide your data from your ISP effectively. If you can set up a VPN server yourself, do so, or use a tool to do it for you. Be aware, some websites – such as Netflix – clamp down on VPN use, so you won't be able to use every site with one.
- Use a different search engine
Google offers a wonderful service, but everything you type in its search box is logged and connected to you in as many ways as possible. It is then sold on.
So why not use a different search engine? Rather than simply type into Chrome's internet address bar, or using the search box in Firefox, why not stick a shortcut on your browser's top bar to a search engine like DuckDuckGo, which will not track you or store your information?
It is one step more than, say, using Google but it is easy to make it a habit, and you would be protecting your personal data.
- Log out and/or use two browsers at the same time
You don't have to be logged into Facebook and/or Gmail all the time, you really don't. So why not log out when you're done with them?
In fact, as studies have shown repeatedly, if you can keep the distractions away – oh, look, someone 'liked' my post; there's another email from my co-worker, I wonder what it's about – then you can not only be much more effective and efficient but you also feel less overwhelmed and more at peace. Try it.
If you do insist on being logged into Facebook/Gmail all the time, why not use one browser – say, Chrome – for that and another – say, Firefox – for all your browsing? It is easy to switch between browsers on your computer, and using two will limit what third parties can see about what you are doing. Again, it's a habit thing: hard to do at first; automatic shortly after.
- Use HTTPS
If the website you are visiting has HTTPS, your ISP can see you have visited it – and how long you spent there – but it cannot see beyond there, including any particular pages you may have visited or any searches or other data you typed in.
The HTTPS Everywhere browser plugin will enable that same kind of encryption to be applied to websites without the extra security. It's not perfect but it's a good way to cut down on data leakage.
- Call your ISP and ask them about opting out
Seemingly an obvious thing to do, but one that hardly anyone bothers doing: call your ISP.
Tell them you are concerned about them tracking your activity and ask them for their policies. Ask them what information they have on you. Ask them what they are allowed to sell. Ask them what you are allowed to opt out of (they are obliged to tell you), and then opt out of it.
Basically, make it clear you aren't happy with them being able to sell your data. Companies are still companies: they don't want unhappy customers. If this becomes a big thing for companies, if they fear losing your business, then at the same time they develop new systems to make the most from this Congressional loosening up of data privacy rules, they will look at allowing customers to opt out.
The number of customers who complain will probably have a direct impact on how much the additional privacy would end up costing.
You can find more advice here. ®
Sponsored: Becoming a Pragmatic Security Leader