This week, Congress completely eliminated consumer privacy protections covering internet service providers (ISPs). This is an issue that impacts all of us. Therefore, this article summarizes what this truly means, and what we can do about it from a technical standpoint.
As many supporters of the privacy rule repeal have noted, these regulations weren’t going into place until later this year. Therefore, nothing is really changing. This is extremely misleading. These rules were put in place due to changes in the regulatory classification of broadband internet in order to implement net neutrality rules in 2015.
To understand the facts about what Congress just did, and how it affects you, we will need a little background on ISP privacy.
A Brief History of ISP Privacy Rules
The question of which agency regulates ISP consumer privacy stems from a mistake made in 2002. Then, the FCC voted to classify cable internet as an information service. Consumer protection regulations of information services are the job of the Federal Trade Commission (FTC). Therefore it was up to the FTC to regulate the business practices of those providing cable internet service.
At the time, however, DSL and dial-up internet services were considered “telecommunications services” with a common carrier designation. Common carrier implies that the service is provided to the public without discrimination. Telecommunications common carrier services like telephone service are regulated by the FCC.
This makes sense, as the internet is a communication service that transports data to and from information services. Intrinsically, the internet provides no information to anyone. If there were no applications, websites, or information servers, internet access would be useless. It is solely a communications transport technology. If the internet can’t naturally provide information, it makes little sense to classify it as an information service.
Unfortunately, that’s exactly what the FCC did in 2002. Furthermore, they compounded their mistake twice: once in 2005 when they reclassified DSL and dial-up as information services, and again in 2007 when wireless internet providers were similarly labeled.
Privacy Rules under the FTC
With all ISPs mislabeled as “information services,” the responsibility for consumer privacy protection regulations came under the authority of the FTC. Over the years the FTC developed a privacy framework through the Network Advertising Initiative (NAI). The NAI is a self-regulatory trade organization for online advertising.
The FTC privacy framework essentially required companies to do the following:
- have customer opt-in consent for the use and sharing of sensitive information
- opt-out choice to use non-sensitive customer information for personalized third-party marketing
- rely on implied consent to use customer information in activities like service fulfillment and support, fraud prevention, market research, product development, network management and security, compliance with law, and first-party marketing.
Opt-in consent for sensitive information like Social Security numbers, financial account numbers, real-time location information and precise information about medical conditions requires that the customer actively agree to terms when the data is provided. All other information is usually covered in an online service’s privacy policy, which should provide information on how your information is used and how to opt out.
While the FTC has developed this framework, it is presented as “guidance.” That is likely due to the fact that the FTC lacks rule-making authority. In fact, its best privacy enforcement mechanism has been its power to prevent “unfair or deceptive acts or practices.” Essentially, the FTC will go after a company that makes a privacy promise it neglects to execute. If a company doesn’t mislead customers, it’s difficult for the FTC to make a case. Ultimately, the FTC has little enforcement power, which is exactly why it is the ISPs’ regulator of choice.
Luckily, regulatory jurisdiction changed hands in 2015.
Net Neutrality and FCC Privacy Rules
In 2015, the FCC adopted net neutrality rules to ensure a fair and open internet. In order to do this, it had to correct its 2002 mistake and designate ISPs as common carrier telecommunications services. Therefore, the FTC lost its regulatory jurisdiction, as it explicitly has no authority over common carrier entities.
This regulatory gap prompted the FCC to write consumer privacy protection rules regulating ISPs. Unlike the FTC, the FCC has rule-making ability. The rules enacted are nearly identical, with one major exception. The FCC rules consider web browsing history and app usage history as sensitive information. That means consumers would actively have to opt in for ISPs to profit from tracking their online habits. This information is worth billions in advertiser dollars.
However, due to the repeal, the FCC privacy rules will never see the light of day. They were set to go into effect this year.
Who Protects Online Privacy Now
While many of the senators and members of Congress that voted for the repeal say it’s the FTC, this is not the case. Currently there are no regulations or oversight when it comes to your privacy and your ISP.
As I wrote earlier, the FTC has no jurisdiction over companies with a telecommunications common carrier designation. To make matters worse, in August of 2016, the Ninth Circuit Appeals Court ruled in favor of AT&T, judging that the FTC has no jurisdiction over a company that offers common carrier services. This holds true even if the service in question isn’t common carrier, but the company offering the service also provides a common carrier service. Update: The 9th circuit has filed to rehear this decision.
Even if Ajit Pai’s FCC repeats past mistakes and classifies all ISPs as Title II common carrier, the FTC will still lack oversight when it comes to ISPs that offer common carrier services. Those would be ISPs with telecommunications services like Verizon, AT&T and Sprint. If cable companies like Comcast and Charter want to avoid oversight, all they would need to do is to start a small phone company. Comcast is already planning to offer mobile voice service later this year.
Not only will the FTC lack authority when President Trump signs this into law, but there is little the FCC can do to give the FTC the power to regulate ISPs in regard to consumer privacy. Therefore, it will literally take an act of Congress to give power to the FTC to regulate ISPs in regard to consumer privacy. Can anyone imagine this Congress passing a bill to regulate an industry?
Why ISPs Should Be Regulated by the FCC
This lack of oversight gives ISPs unregulated access to the following customer data:
- Geographic location
- Children’s information
- Health information
- Financial information
- Social Security numbers
- Web browsing history
- App usage history
- The content of communications
- Your name
- Home address
- Device IP address
- Your current subscription level
In the age of “Big Data” this information could be used to piece together when you wake up, places you frequent, and more. However, ISPs know it would be unwise to take full advantage of this unchecked power when the profits are in advertising. If they show too much bravado with their newly unchecked power, they would be an easy political target.
While privacy advocates fear the worst (and their fears are legitimate), the clear and present danger is the smorgasbord of marketing information the federal government just handed your ISP. ISPs have access to everything you do online.
The FCC privacy rules were intended to curtail that unfair information advantage. Hence, browsing history was considered “sensitive” under the repealed FCC rules. Customers would have had to actively give their express consent for their ISP to use this information for marketing purposes.
The Myth of FTC and FCC Rule Redundancy
New FCC Chairman Ajit Pai and most Republicans in Congress always claim there is a redundancy in rules between the FTC and FCC. This isn’t the case, because ISPs and information services like Facebook, Google, and Lyft are completely different entities. It’s analogous to claiming McDonald’s and roads need the same regulatory body because their drive-thru uses roads.
When you use a service like Facebook or Google Search, they are collecting information on how you use their service. As far as your browsing history goes, a website only knows the link you clicked to get to that website, and possibly the link you clicked on exit. Some services partner and share information, but you have to use those services for them to obtain the data.
This is vastly different from how your ISP operates. First, consumers don’t pay for services like Facebook and Google Search. They profit off how you use the site by using that information to advertise to you. We all already pay our ISP for internet access. Taking our data is ultimately paying them twice for internet access.
Second, your ISP has access to all you do online. It’s not the same as a website you visit taking your usage data. They have access to your entire online existence. Like that creepy Police song, every click you make they’ll be watching you.
People who make this FTC/FCC argument, pretending there isn’t a fundamental difference between Comcast Internet and Facebook, are either intellectually dishonest or lack understanding of how the internet is architected.
The fact that the FTC is incapable of regulating consumer privacy without another congressional act amounts to our government playing a deregulatory shell game. Ultimately, this is a profit giveaway to an already uncompetitive oligopoly. This repeal is anti-free-market.
How You Can Protect Your Privacy Online
There is no substitute for the law when it comes to ensuring your privacy online. In the past, ISPs have installed snoop software on customers’ phones. Only the law is going to be able to help when it comes to tactics like that. However, there are a few things you can do to make violating your privacy online a bit more difficult.
Use HTTPS instead of HTTP
If a website you visit uses “https://” before the domain (like https://www.groundedreason.com), the connection to that site is encrypted. The ISP will see that you visited the domain, but won’t be able to see what you did within the site.
Use a VPN
Unfortunately, not all websites use encryption. However, a virtual private network or VPN, will encrypt all of your internet traffic. Furthermore, it will provide your computer with an IP address from the VPN. This is essentially a disguise for your online footprint.
However, you can’t just subscribe to any VPN and expect your privacy to remain intact. Your VPN has an ISP as well. There are certain things to look for to ensure your information isn’t just being passed on to your VPN’s ISP. Namely, you want to make sure the VPN service has its own DNS server, and you want to perform a DNS leak test to make sure the information stays within the VPN. I explain all this and more in my article on How To Choose the Best VPN.
Choose the Right Privacy Browser
I wear my tinfoil hat when it comes to trusting Chrome’s Incognito mode. Therefore, I recommend coupling your VPN with Epic Privacy Browser. Epic blocks cookies, protects your history, encrypts your traffic and even blocks technology like WebRTC, which in some cases can cause data to leak from behind a VPN.
Many recommend Tor. Tor is a perfectly fine substitute and is designed to provide obfuscation. However, I find it to be a bit slow.
TLDR
In summary, just because the repealed FCC rules were never in place doesn’t mean nothing has changed. These rules were meant to fill the gap left when regulatory power over ISPs rightly switched from the FTC to the FCC. However, during the switch the courts made it practically impossible for ISPs to now be regulated by the FTC. Therefore, a lot has changed and ISPs effectively have no regulations in regard to the privacy of your information.
The law would be the best cure for this problem we’re all in. However, since the law has abandoned us, get a VPN you can trust and a privacy browser. Be careful out there.