Both the US Senate and the House of Representatives have cleared the way to remove privacy rules for internet service providers (ISPs) like AT&T, Charter, Comcast and Verizon. The President signed the executive order to repeal these rules, which were originally put in place by the FCC in 2016 to protect consumers on the web.
While the nation’s largest ISPs have pushed hard for this move, most internet users in the U.S. are only now learning that their entire web browsing history may be collected, sold, and/or used for marketing purposes - no “opt-in” or other permission required.
This is a good time to take a step back and assess what it all means. The privacy rules were fairly recent and had not yet been enacted. And, it's not back to the old state - the lawmakers went a step further, issuing a joint resolution that aims to ensure that the FCC will be barred from issuing similar regulations in the future. Add to this that the FCC has paused the requirement that ISPs take “reasonable” steps to secure and protect consumer data.
To understand why this is so important, we need to look at what makes an ISP different from other parties on the internet - such as Google or Facebook or e-commerce sites - that track your data.
How my ISP sees my data
Internet service providers process all traffic on the internet. Since they own the “last mile” connection between the device and the internet, they are privy to the activities of every user on each device on a customer’s network.
Each time someone, somewhere in your household or office goes online for banking, streams a movie or makes a Voice-over-IP (VOIP) call, their IP address is associated with the request. Each IP address is tracked and used to build unique profiles over time.
ISPs, unlike search engines, web services or e-commerce sites that track your behavior for advertising have access to the “full picture.” They can collect everything you access online - medical, financial, recreational websites, porn, gambling, online searches, movie downloads, social media consumption… everything.
Lawmakers justified their decision by saying ISPs are at a disadvantage, compared to popular websites like Google or Facebook, who collect your data while you visit their respective sites.
ISPs and web services are distinctly different, a point that remains largely unacknowledged by lobbyists and politicians. Users can choose the sites and services they use on the web, and can decide what information they share with them.
Their ISP choices, on the other hand, are limited, and large ISPs occupy a unique vantage point which allows them to build more detailed profiles of user behavior and sell the data to the highest bidder. By my read, they are now in an advantaged position relative to the websites.
Who would be interested in my data? Isn’t it already out there anyway?
News reports have mentioned that ISPs were free to collect this information before, and that they’ll use the data primarily for advertising purposes. While that may be technically accurate, the way ISPs treat your data may be quite different than the Googles or Facebooks.
- As mentioned above, ISPs are collecting much more data than an individual site would have access to.
- When ISPs start placing targeted advertisements, the context will be more broad than Google placing an ad based on a particular search. And advertising networks have proven vulnerable to exploits, delivering malicious code like ransomware, rootkits, or spyware to the local browser.
- If they anonymize user data and resell it (as they’d be allowed to do), de-anonymization is frighteningly easy. I wrote about it previously in my post on the legal marketplaces for healthcare data.
- As part of the repeal, ISPs are no longer required to take additional steps to protect these data warehouses. Given that four of the five largest ISPs have experienced significant data breaches in the last several years, they will be even more attractive targets now.
So am I on my own? What can I do?
What hasn’t changed is that many state governments have been watching ISPs closely to ensure that they adhere to the consumer privacy protection provisions in their own terms of service. And ISPs are still governed by FTC rules which determine what consumer data they can sell.
As things stand, it would take a future Act of Congress to revive or expand the “old” rules. Until that happens, we’re pretty much left on our own to protect our privacy on the web.
You may already be taking steps to preserve your privacy with commonly used tools and techniques. But these may not be delivering the privacy you thought.
Browsing in “Incognito” or “Privacy” mode
….doesn’t give you the privacy you think, simply stated. This common browser setting won’t prevent your ISP from seeing which websites you visit and which pages or services you access.
Switching to privacy mode simply keeps your browser from storing its own version of a browsing history, tracking cookies and other data cached on the local computer. It may shield your browser activity from someone with access to your computer, but it will not in any way affect the ISP’s ability to generate and store its own version of your activity online. I wrote about this way back in 2011.
What about only connecting to secure websites?
Making sure your connection is encrypted via HTTPS will protect your privacy - to a degree.
And as researchers have demonstrated, Encryption Won’t Stop Your Internet Provider from Spying on You . By looking at patterns across top level domains, interested parties can distill intricate profiles from a household’s or company’s accumulated web activity logs and the fingerprint your browser leaves when you visit a site.
An HTTPS connection doesn’t mean the site content is safe. It does nothing to prevent a site from dropping a tracking cookie that collects even more data. This bulk collection can give the ISP or other provider detailed information on where you bank, that you may have personal debt, if a family member is suffering from a serious illness, and what your political leanings are - the list goes on.
Doesn’t a Virtual Private Network (VPN) give me privacy?
VPNs can be an important tool to protect yourself. But using a VPN isn’t for the faint of heart. For a real-world assessment, I recommend this excellent blog post by Brian Krebs.
In short, VPN users download an app that will establish an encrypted secure connection (“tunnel”) between their device and a VPN server. This tunnel passes your web traffic through the ISP in an encrypted format, preventing ISPs from tracking you.
Think of a VPN as a web version of a disguise. You can use coke-bottle eye glasses and a fake moustache, but when you go out and say hello to someone, your voice may still give your identity away.
A VPN will prevent the ISP from seeing the top level domains you visit, as described above. But they don’t keep your privacy intact when you log in to a website, or if a site drops a tracking cookie. Consider these points when assessing a VPN to protect your privacy:
- Depending on which VPN provider you choose, they may or may not be building their own profile of your web activity data. Diligent users may find this comparison chart helpful: VPN services comparison chart.
- ISPs are still free to install software on subscriber devices, which may be used to track your activity - regardless of VPN.
- Using a VPN is not seamless. VPNs typically require that you establish a secure connection before launching the browser and connecting to a site. If you forget, you’re subject to the ISP’s harvesting.
- VPN performance can be sloooooooow. The connection could be slowed down by the encryption overhead, capacity of the service provider may not be up to par, or perhaps a site you want to visit will block VPN connections, or throttle bandwidth. Browsing through a VPN probably won’t feel like your native browser.
A “surprise and delight” feature of Silo: Privacy
I’m not sure who coined the term - probably some management guru from the 80s, but “surprise and delight” features are those unexpected but beneficial capabilities that reinforce a positive association with the product.
When I co-founded Authentic8 in 2010, privacy wasn’t the primary reason. Privacy was several items down the list, ranked below more profound issues like insecurity of the web, lack of enterprise management controls in the browser, inherently weak passwords, and a few more.
As a result of our focus on those core issues, Silo, the secure, remote browser that we deliver, protects your privacy and your data by combining the tools I mentioned above (incognito mode, HTTPS everywhere, and VPN) with a completely isolated browser. The total is greater than the sum of its parts.
Unlike regular browsers, which fetch web code and process it locally, Silo runs on our servers in the cloud. The only thing that reaches your devices is our encrypted remote display of the browser data. That means:
- Your ISP can’t see what websites you visit, even if they install something on your device.
- Your IP address is never exposed. It’s the IP address of the virtual browser that the destination website sees.
- When a site drops a cookie or a tracker, it stays in the cloud and gets deleted at the end of your session.
Silo puts the essential pieces together for you to stay private and secure online. It’s like Private Mode + VPN + Secure Browser. But it does a lot more - Silo keeps you completely safe from malicious code. Silo can help you manage secure and unique passwords for each website. Plus, you can get to your Silo account from any computer or iPad.
But for ISPs, nothing to see - and sell - that you haven’t given consent to. Give Silo a try, risk free:
Scott Petry is Co-Founder and CEO of Authentic8. Before Authentic8, Scott was the founder of Postini.