For Sale: Your Private Browsing History
The US House of Representatives voted Tuesday to eliminate ISP privacy rules, following the Senate vote to take the same action last week. The legislation to kill the rules now heads to President Donald Trump for his signature or veto.
[…]
The rules issued by the FCC last year would have required home Internet and mobile broadband providers to get consumers’ opt-in consent before selling or sharing Web browsing history, app usage history, and other private information with advertisers and other companies. But lawmakers used their authority under the Congressional Review Act (CRA) to pass a joint resolution ensuring that the rules “shall have no force or effect” and that the FCC cannot issue similar regulations in the future.
[…]
ISPs can track customers’ Web browsing even when they enable their browser’s “private mode,” which does not encrypt Internet traffic. Google, for example, says that Chrome’s incognito mode prevents the Chrome browser itself from saving the sites that you visit, but does not stop ISPs and websites from seeing which websites you’ve visited.
Those in support of the original FCC protections argued that ISPs require strict regulations because they represent a much broader scope of access to user data, unlike search engines which only access a snapshot of a user’s browsing data. If a user is unhappy with a site’s data access they can decide to stop using it, the FCC supporters argued, but switching ISPs because of potentially intrusive data mining “is far more difficult.”
Virtual Private Network services allow you to get on the Internet without the ISP seeing where you are actually going. The VPN company will know but, assuming you use a reputable one, they won’t sell your data. I’ve been using VPNs for years. They’re particularly helpful if you spend a lot of time on the road using WiFi that you don’t control.
Jeff Johnson notes that the privacy rules that are being eliminated had not yet gone into effect. ISPs apparently already have the right to sell our histories. I don’t know whether any have been doing so.
This blog is now available via SSL, and any http links should redirect to https. So this should keep private which posts you are reading. You would need a VPN to keep private that you are accessing this site at all or to keep your IP address out of my server logs. Unfortunately, VPNs slow everything down.
Update (2017-03-29): Karl Bode:
Many people seem to think a VPN provides total, magical protection of your privacy. It doesn’t.
But here’s the real problem: you can’t buy Congress’ internet data. You can’t buy my internet data. You can’t buy your internet data. That’s not how this works. It’s a common misconception. We even saw this in Congress four years ago, where Rep. Louis Gohmert went on a smug but totally ignorant rant, asking why Google won’t sell the government all the data it has on people. As we explained at the time, that’s not how it works*. Advertisers aren’t buying your browsing data, and ISPs and other internet companies aren’t selling your data in a neat little package. It doesn’t help anyone to blatantly misrepresent what’s going on.
When ISPs or online services have your data and “sell” it, it doesn’t mean that you can go to, say, AT&T and offer to buy “all of Louis Gohmert’s browsing history.” Instead, what happens is that these companies collect that data for themselves and then sell targeting.
The Telecommunications Act explicitly prohibits the sharing of “individually identifiable” customer information except under very specific circumstances. It’s much more permissive when it comes to “aggregate” customer information, which is where things get squishier and the FCC rules become more important. We could argue all day about whether a targeted ad is individually identifiable or not, but if you’re paying Verizon to find out which sites Paul Ryan visited last month, that’s pretty clearly individual information, and pretty clearly illegal to sell. If you want to get really clever, the Wiretap Act also makes it illegal to divulge the contents of electronic communications without the parties’ consent, which arguably includes browsing history.
See also: Hacker News.
Update (2017-03-31): See also: Bruce Schneier.
Update (2017-04-04): Juli Clover:
United States President Donald Trump today signed into law a bill that reverses Obama-era broadband privacy rules preventing Internet Service Providers from selling a subscriber's web browsing history and other personal information without permission.
Even many VPNs tend to leak DNS query data. Also be careful as to whether the VPN leaks IPv6.