Internet Providers Are Cashing In on Your Browser History

Since the appointment of former Verizon lawyer Ajit Pai to chair the Federal Communications Commission (FCC), internet service providers (ISPs) have received a steady stream of good news from Washington. Last December, Pai indicated his desire to take a “weed whacker” to many FCC regulations. With full control off the government, Pai and congressional Republicans are starting to cut.

In October of last year, the FCC adopted a set of privacy rules that mandated stronger consumer protections. The order required broadband providers to obtain a positive opt-in from consumers before sharing sensitive information and allowed consumers to opt-out of letting ISPs use or share non-sensitive information.

The order also required broadband providers to clearly tell consumers what data they collect and how they use it and prohibited plans contingent on a consumer surrendering privacy rights. According to a statement by the FCC, the rules were intended to “empower consumers to decide how data are used and shared by broadband providers.”

The new rules never went into effect. In late March, both the Senate and House of Representatives voted to repeal the portion of the rules that would have required ISPs to get permission from consumers before selling their personal data.

Republicans used the Congressional Review Act to repeal the rules, a little-known method used only once to overturn a regulation before 2017. The CRA allows Congress, through an expedited process, to review and invalidate newly enacted regulations. If a regulation is overturned, a new rule that is substantially similar cannot be issued unless Congress passes a law to that effect.

At the time of this writing, the 115th Congress has used this power 13 times to target Obama era regulations. Speaker Paul Ryan has declared publicly that CRA actions are "the first priority of the 115th Congress."

By using the Congressional Review act, Republicans stripped the FCC of it’s power to regulate consumer privacy online. The FCC cannot regulate anything similar on its own without congressional involvement.

Big spenders

Telecom companies are some of the most generous spenders on the hill, contributing almost $88 million in the last year alone. The cable industry puts great effort into influencing legislation which would affect its bottom line. Usually that money is spread on both sides of the isle, but Republicans were particularly receptive to this bill.

Individual contributions ranged from $1,000 for Senator Roy Blunt (R-MO) up to an eye-opening $251,110 for Senator Todd Young (R-IN). Senator Jeff Flake (R-AZ), who introduced the legislation, received $27,955 from the telecom industry. According to data compiled by the National Institute on Money in State Politics, the cable industry spent $9,156,812 acquiring all 265 yay votes.

According to Flake, “What we need with the internet is uniform rules, and not to regulate part of the internet one way and another part of the internet another way, just based on who provides the data. It ought to be the data that provides the basis for regulation.”

Sen. Flake’s defense of the bill sounds like a fair assessment, claiming that since companies like Google and Amazon already collect user information and build profiles for advertising, others like Comcast and AT&T should be able to do the same.

In his dissent to adopting the privacy order last October, Pai stated, “Were it up to me, the FCC would have chosen a different path — one far less prescriptive and one consistent with two decades of privacy law and practice. The FCC should have restored the level playing field that once prevailed for all online actors using the FTC’s framework.”

Pai dismisses the argument that edge providers, like Netflix and Apple, only see a slice of the information consumers generate online. Like Senator Flake, Pai believes the FCC overreaches when it regulates one group of companies to a greater extent than others. Unfortunately, these arguments contain several notable flaws.

Dozens of email providers, web hosts and cloud storage platforms exist, with new ones emerging all the time. When consumers are online, they have a choice between many services and products, and which companies to which they give their personal information.

Getting online is a different story. ISPs have divided and conquered, avoiding competition except for a few select areas. The average customer has between one or two options for internet service. There is almost no choice when it comes to who is responsible for managing everything you do online.

What happens now?
President Trump frequently expresses outrage and alleges violations of his own privacy, but he did not hesitate to sign this bill into law. Congress and the Trump administration have made it clear: the right to privacy does not apply when you are online.

Privacy protections were enacted because data collection activities were already occurring, so ISPs that were already collecting and sharing the information will likely continue.

America’s largest ISP, Comcast, says it does not participate in the selling of customer browsing information to third parties, unless the consumer has already opted in. Gerard Lewis, Comcast’s Chief Privacy Officer, says “We did not do it before the FCC’s rules were adopted, and we have no plans to do so.”

AT&T was one of the targets of the privacy protections rule. In 2013, it introduced “standard” and “premium” fiber tiers. For $29 less, you could have several installation and hardware fees waived and be included in AT&T’s targeted advertising platform. Several technologies were used to collect browsing information on users, such as global tracking cookies and deep packet inspection. The information would theoretically have personal identifiable information removed, but it will still contain confidential and revealing metadata such as a timestamp, location, IP address and what sites have been accessed. The plan was scrapped shortly before the FCC’s October 2016 vote.

Just about every entity on the web collects some identifiable information on you, for reasons like analytics and advertising, or with malicious intent. Even the most innocuous information that has been stripped of personally identifiable information can still be analyzed for patterns. If a tablet is visiting kid friendly sites before and after school hours, for example, it is an indication that user is a child.

All information transmitted through your internet connection is potentially at risk, including browsing history, demographic information, financial and medical records.

Netflix famously held a competition to improve their recommendation system by releasing a huge data set of anonymous movie ratings. Two researchers from the University of Texas at Austin were able to de-anonymize individual users by parsing the dataset against IMDB ratings.

Who picks up the slack?
The telecom industry does not see an obligation to ask for permission to sell confidential information. In fact, the industry believes asking for consumer opt-ins is wasteful and counterproductive to the public interest.

Just days after S.R.Res.34 was passed, Congresswoman Jacky Rosen (D-NV) introduced the Restoring American Privacy Act of 2017, which is effectively a repeal of the repeal. Rosen had a career in programming before joining Congress and believes “keeping privacy protections in place is essential for safeguarding vulnerable and sensitive data from hackers.”

Since federal lawmakers voted to axe privacy protections, many states have decided to pick up the slack. Minnesota, Illinois and Maryland are just three states that are introducing strong privacy protection laws similar to the one the FCC had implemented.

Depending on how well the states write their rules, it is possible they can see success in implementing reasonable protections. But considering the lobbying strength of the telecom industry, those measures are sure to be met with lengthy legal battles.

Protect your online privacy now
Connecting to sites over HTTPS is the most common way to protect your information. Secure connections are becoming ubiquitous and can effectively hide what you are doing from your ISP.

However, even though service providers will not be able to see what you are sharing, they can still track the initial secure handshake to know which sites you visit and when.

The strongest tool for protecting your online activities is through the use of a virtual private network (VPN). A VPN creates a secure, encrypted tunnel between two computers and has been a tool used by businesses with remote employees for years. VPNs prevent snooping from your ISP, the government and neighbors with a WiFi password. Additionally, your gateway is likely used by other VPN customers, further anonymizing your activity.

Many providers offer VPN services, and unlike internet service providers, there are plenty to choose from.

VPN Providers speak out about their security practices

Torrent Freak has an annual VPN review in which several of the biggest providers comment about their security practices. The most important question is; what information do providers keep on you, like access logs and data retention policies. Here is how a few companies answered:

Private Internet Access (privateinternetaccess.com)
“We do not store any logs relating to traffic, session, DNS or metadata. There are no logs for any person or entity to match an IP address and a timestamp to a user of our service. In other words, we do not log, period. Privacy is our policy.”

NordVPN (nordvpn.com)
“As stated in our terms of service, we do not monitor, record or store any VPN user logs. We do not store connection time stamps, used bandwidth, traffic logs, or IP addresses.”

TorGuard (torguard.com)
“No logs or time stamps are kept whatsoever. TorGuard does not store any traffic logs or user session data on our network. In addition to a strict no-logging policy we run a shared IP configuration across all servers. Because there are no logs kept and multiple users share a single IP address, it is not possible to match any user with an IP and timestamp.

With little progress being made to legislate consumer privacy, doing nothing can result in having your internet history sold or ending up in the wrong hands. Investing in a VPN ensures a reliable protection from legal and malicious actors alike.