So my ISP can now sell my browsing history – what can I do?
Find a good VPN
So, the US House of Representatives has voted away internet privacy (in concert with the Senate), and the legislation will be heading to the White House for Trump's imprimatur. He's expected to sign quickly, so as internet users it's time to get really serious about privacy.
Under the terms of the legislation, your ISP would have the right to collect and store all of your browsing history – what domains you visited, how long you spent on certain sites, and even what pages you viewed for some websites. From a privacy standpoint, all rules are now gone and it's up to the ISPs to decide what they want to do with your data.
This goes for wireless as well as fixed line ISPs. Remember the impossible-to-delete supercookies that Verizon and AT&T decided to put on people's phones a few years ago and forgot to tell anyone about? They're back on the cards, as are search engine redirects from ISPs that check to see if they can divert an inquiry for profit.
"If this bill goes through there's nothing you can do; you're screwed," security guru Bruce Schneier told The Register earlier. "It used to be just Google knew what kind of porn everybody liked, now it's going to be ISPs that have that data and they are going to store and use it."
It's the storing that's particularly worrying. Having a complete browsing history for a target makes social engineering very easy and, as Schneier points out, ISPs have a lousy reputation for protecting their data against hackers. He said their security makes the NSA and CIA look good.
While it would be possible to record an individual's browser history and sell it on, ISPs are more likely to collect the data in aggregate. If the government comes knocking, an ISP could put someone on surveillance, but ISPs are expected to take the approach used by Facebook and Google and offer advertisers a package whereby they can reach a certain number of people with the right interests.
"I don't think ISPs will be selling an individual's records – that would be commercial suicide to do that," Dane Jasper, CEO of California ISP Sonic.net told The Reg. "Instead I think we'll see group selloffs coming, and maybe also see ISPs developing specific advertising tools for customers to allow them to push out personalized adverts."
Sonic has lobbied as hard as it can against the new laws, Jasper said, as it was part of a coalition of ISPs that signed a public letter asking Congress not to strip away privacy protections. His company won't be collecting and selling this data, but Schneier was skeptical as to how long that could last.
"Corporate America is all about a race to the bottom," he opined. "What are these companies going to do when shareholders demand they take advantage of the new revenue stream? I don't buy it that they'll take the high road."
So what then is to be done for US internet users?
Practical steps for protection
The first thought when this came out was to simply use Tor to maintain privacy online. However, that comes with its own set of problems.
For a start, Tor isn't the easiest bit of software to set up and use securely. If you're on Windows or macOS then you have it easier than most, but getting Tor running on a Chromebook is very difficult and requires a lot of jiggering around to get it to work.
That technical complexity has already seen a low take-up of Tor among internet users and the software isn't getting any easier to use. "Try and tell your aging mother about Tor and you might as well be speaking Martian," Schneier said.
Then add in the factor that a lot of providers online don't like Tor and actively work against it. Content distribution networks like Cloudflare have had a rocky road with Tor users for years now and the situation still isn't resolved. Other websites simply downgrade traffic they can't sell adverts around because the visitor is using Tor.
If you do manage to get Tor up and running you may also have to deal with slower internet speeds on average. Maintaining a secure connection also requires effort. Since Tor is constantly under attack, the organization releases software updates regularly and it's really important to make sure that these are up to date before browsing begins.
Virtual private networks – services that set up a secure connection that runs traffic through their own servers – are another option. These come in two varieties, free and paid for, and the latter is preferable.
"Free VPNs are to be avoided, but that means VPNs cost money and you are just passing the trust issue to another company," Jeremy Gillula, senior staff technologist at the Electronic Frontier Foundation told The Reg.
While there are free VPNs out there, they tend to be unreliable at times and a lot of security experts won't touch them with a bargepole. As the old saying goes, if someone's giving something away for free then you, most likely, are the product.
Bear in mind that VPNs do have to work under the rules of their home country, so your data isn't safe from official scrutiny. The VPN itself will also have a copy of your browsing history, and it's unclear at this stage whether they will be authorized to sell this on to third parties. If they may, permission to do so will probably be buried in the terms and conditions.
Check out the competition
We are supposed to live in a free market in the US, but when it comes to residential wireline ISPs, the market isn't very free or competitive. If you want anything over basic broadband speeds, then nearly two-thirds of US households don't have a choice of supplier.
That said, there are smaller ISPs that have said publicly that they won't collect, store, and sell their users' data. Check out what the competition is offering and see if you want to make the change.
If that's not possible then contacting your ISP to complain might work – don't bet on it. Technically companies are supposed to respond to consumer pressure, but the only chance of that happening is if there is a competitor to go to.
"The irony is that if you had proper competition, with six or seven ISPs to choose from, then all these problems with privacy and net neutrality would wither and die," Jaspers opined. "Companies could differentiate and the market could shake down the best solutions for people."
Some companies, such as AT&T, will allow customers to opt out of data collection, at a price. In AT&T's case that's $30 per month on top of your internet bill, or $60 a month if it runs your TV cable as well. It turns out there is a price on privacy after all. ®
Sponsored: Becoming a Pragmatic Security Leader