FCC Internet privacy rules

One of the most discussed stories of last week concluded Monday when President Trump signed legislation repealing the soon-to-be implemented FCC Internet privacy rules regarding Internet Service Providers’ (or ISPs) use of consumer data. Given the multifaceted nature of this issue, it might feel overwhelming following this story, but since it impacts essentially all consumers who use the Internet, we decided to dig deeper. Continue reading below as we reflect on ISPs’ capabilities, the ways you can protect your privacy now that these rules have been overturned and some of the broader implications you need to be aware of as the issue develops.

What will ISPs do now?

It’s very important to note that the legislation signed Monday simply prohibits FCC Internet privacy rules from the previous administration from taking effect and doesn’t introduce anything new. In that regard, ISPs have argued that the legislation merely preserves the status quo and that consumers should expect no changes to privacy. Indeed, Internet tracking existed long before the Obama-era protections introduced under former FCC chairman Tom Wheeler, and it’s even possible (to some extent) that this data was sold, meaning privacy advocates’ worst fears have already been realized.

That said, to mitigate any recent concerns, a number of companies issued statements on March 30, as reported by Reuters, articulating their stance on protecting “customer browsing histories.” It’s important to be aware, however, as Business Insider noted, that regardless of what’s said in public statements, these companies are free to define phrasing as they wish in their Terms of Service. For example, AT&T directly stated in a blog post that it “ … will not sell your personal information to anyone, for any purpose. Period.” However, in a FAQ on its site, it defines personal information as “ … information that directly identifies or reasonably can be used to figure out the identity of a customer or user.” As defined, ‘personal information’ is likely already illegal to sell, but it remains somewhat ambiguous as to whether there are other types of data AT&T may sell (if it doesn’t already). As you can see, these public statements might not address other concerns that consumer and privacy advocates may have.

With this in mind, one of the biggest qualms shared by advocates is that now consumers simply have to take ISPs at their word – regardless of how ambiguous their policies are. With the FCC poised to take a hands-off approach towards ISP regulation, some believe particularly egregious abuses of privacy – some of which historically prompted action from the agency – might get a pass under the current administration. For example, in 2011, some ISPs got into hot water for “hijacking” users’ search results. In an infamous and more recent example, in 2016 Verizon was fined for using what are known as supercookies, which cannot be disassociated from their assigned user and track that user everywhere online.

What can you do to protect your privacy?

Currently, it’s unclear exactly how this will play out, which is why many are encouraging users to take precautions. With various advocacy groups telling us to brace for the worst, here are just a few options you can consider:

1. Use HTTPS. Hopefully, you’re no stranger to HTTPS, as it’s something we’ve talked about repeatedly, and for good reason – HTTPS connections can’t be tampered with by third parties, nor can their contents be seen by anyone other than the intended recipients. With regard to your ISP, this means they can’t see any content you view on HTTPS pages. While more sites are applying HTTPS to their pages, it’s not something every site provides. Luckily, there are plugins for major browsers like Chrome and Firefox, such as HTTPS Everywhere, created by the Electronic Frontier Foundation, that automatically add HTTPS to every web page. If you’re more tech savvy, you can combine this with other resources like the encrypted browser Tor or a VPN for even more privacy.

2. Consider identity theft protection. Critics of this legislation warn that lenient ISP regulation could have severe cybersecurity repercussions. With ISPs not being obligated to report breaches, some fear that the opportunities for hacking consumers might increase. As such, it might not be a bad idea to invest in some form of identity theft protection – especially if you’re using an ISP that’s been breached before. If you decide to go this route, make sure you sign up for a service that monitors your personal information on the Internet black market because that’s where breached information usually ends up. That said, it will also be helpful if you get a service with three-bureau credit report monitoring to ensure that you will be alerted in the event that a new credit account is opened in your name.

3. Look for a new ISP. While some ISPs may be selling your data, others, such as local, smaller ISPs, may have no interest in collecting or selling data. If you worry that your current ISP may be selling your data (or plans to do so), you should consider switching to one that offers clear Terms of Service stating that they do not wish to sell any of your information.

What else should you know?

Finally, there are a few important details you should keep in mind as this issue unfolds and as you look for ways to protect your privacy:

1. HTTPS protects your data, but ISPs can still see the site’s name. If you’re on an HTTPS site or even using an HTTPS plug-in, keep in mind that your ISP will still be able to see the names of the websites you visit. While the specific contents might not be viewable because of encryption, simply knowing the names of websites you visit is enough to conduct basic Pattern of Life analysis about you, that is, to analyze your online behavior.

2. Your metadata will almost always be visible to someone. We’ve talked before about metadata, or the data that’s created whenever you do activities online. Certain types of metadata will always be visible to the providers of the services you use. For example, your cell phone carrier will always know your phone number, your location (even if you have your geolocation disabled, they can determine your location by looking at which local cell towers your phone’s signal bounced off of), who you’ve called, when you called them and for how long. While there’s no indication that telecommunications companies will sell this information to advertisers, they’ve already sold it to the government. To add to the uncertainty, there are growing industries focused on providing this information to institutions like banks. While there’s no indication that telecoms have or will provide this information to anyone else, it’s clear that there is incentive for them to do so.

3. VPNs (and Tor) are not silver bullets. VPNs are great because, unlike HTTPS, which simply hides the contents of your web activity (and not the site’s name), VPNs and Tor (which itself is not a VPN, despite behaving like one) take it a step further, as they hide both the names of the sites you visit and your location, meaning your device’s IP address. Unfortunately, VPNs vary widely in quality and if you don’t choose carefully, you might find yourself in the exact same situation you’d be in without the VPN. This is because you route your traffic through a VPN and if the VPN provider decides to sell your data or track you, it perpetuates the problem it was supposed to solve. If you make your own VPN, you’re guaranteed to avoid this problem, but those who can’t do so shouldn’t despair, as Ars Technica provides a great guide for choosing a reputable VPN and combining it with other privacy solutions. As for Tor, while the software gets a bad rap as the dark web browser, it has legitimate uses for those seeking privacy, but it could have the opposite effect if it’s poorly configured.

4. State laws might provide a much-needed silver lining to this story. Despite the uncertainty regarding the impacts of the legislation, some states like Minnesota are taking control of the matter by strengthening regulations around what Internet companies and services can do with data. The effect of this is yet to be known, but it could begin to fill the void left by the gutted FCC regulations.

For more information regarding ongoing developments in this story and others, continue reading our technology blog.