The new Republican Congress hasn’t gotten much done in its first three months, but one thing it has accomplished is rolling back internet privacy regulations passed in the waning days of the Obama administration.
The regulations, if they had gone into effect, would have prohibited internet service providers from selling information about your online activities to advertisers. But yesterday the House of Representatives blocked the move. Companion legislation has already passed the Senate, and President Donald Trump is expected to sign the bill.
That has sparked a backlash from Democrats and many privacy advocates. Michael Copps, a former member of the Federal Communications Commission, called the bill a “perversion of what the internet was supposed to be.” And many ordinary internet users wondered what they should do to protect their online privacy.
The good news is that nothing is going to change right away. The Obama regulations weren’t scheduled to take effect until later this year, so the Republican bill simply preserves the status quo, which allows ISPs to sell customer data to advertisers. And while the law allows ISPs to do this, most aren’t currently doing it.
What the bill does do, however, is open the door for ISPs to sell customer data to advertisers in the future. Which means that customers who don’t want their ISPs sharing this kind of information with advertising networks are going to have to do some extra work to opt out of any programs their ISPs eventually put into place.
It won’t be easy for customers to protect their privacy
Ars Technica’s Jon Brodkin has the most thorough explanation of the Republican bill and the Obama regulations it blocks. A key point he makes is that all the major ISPs have promised that if they start selling customers’ private data to advertisers, they’ll give customers a chance to opt out.
So if you don’t want to participate in a program like this, you’ll need to keep an eye out for announcements by your ISP.
The problem is that it’s not clear where a program like this might be announced and what customers might have to do to get themselves excluded. It’s possible customers will get an email announcing the change, but it’s also possible ISPs will simply post a notice in an obscure corner of their websites, where most customers won’t notice. We also don’t know when any particular ISP might announce a program like this. So if you’re worried, there might not be a better option than periodically checking your ISP’s website or setting up a Google News alert for your ISP’s name and privacy.
This, of course, is exactly what ISPs were counting on when they lobbied for this change. In theory, there shouldn’t be much difference between the opt-in regime established by the Obama administration and the opt-out regime advocated by Republican lawmakers. But most customers have better things to do with their lives than constantly monitor their ISPs’ privacy policies. So in practice, an opt-out regime means that almost everyone winds up participating without their knowledge, while an opt-in regime will mean that hardly anyone participates.
There’s also a fair amount of bad advice floating around the internet about how customers can protect themselves. For example, some people have suggested that users regularly delete the search histories in their web browsers. But that won’t do any good because this isn’t where ISPs get information about customer browsing history. Rather, they would keep their own records as customers browsed around the web and store them on servers owned by the ISP — servers customers don’t have any direct access to.
One step customers can take is to use a virtual private network (VPN), a product that uses encryption to “tunnel” out of your own ISP’s network, giving your ISP no information about your browsing history.
This isn’t a perfect solution, however. Good VPNs generally cost money, they take some effort to set up, and they will slightly degrade the speed of your internet connection. Also, while your ISP won’t be able to gather information about your browsing history, your VPN provider will — so you’d still need to check to make sure your VPN provider has strong privacy policies, and that those policies don’t change over time.
ISPs would likely take some steps to protect customer privacy
There also seems to be some confusion about how these ISP data-sharing plans would work in practice. One crowdfunding campaign, for example, is trying to raise $1 million to buy the browsing history of Republican officeholders like Senate Majority Leader Mitch McConnell, Speaker Paul Ryan, and FCC Chair Ajit Pai. It’s a funny gimmick, but no ISP is currently selling this kind of raw data on individual subscribers. And it’s unlikely they ever will.
What ISPs are likely to do is build profiles of customers based on their browsing history — whether customers visit sites related to travel, baseball, gun rights, LGBTQ issues, and so forth. Then, they’ll help advertisers target ads at people in particular demographic groups — say 40-something gun-rights enthusiasts. In most ad-targeting programs, no human being is ever given access to the raw data about any particular user’s browsing history.
Many of the privacy advocates who oppose ISP data sharing also oppose this kind of tracking by ad networks and technology companies. But most find ISP tracking extra creepy because ISPs have access to all of your browsing data, not just data from sites that choose to share with a particular ad network. Disabling cookies or installing an ad blocker can prevent tracking by conventional ad networks, but it won’t prevent tracking if it’s done with help from your ISP.
This, of course, is why many privacy advocates believe that legal protections for privacy are more effective than self-help by individual internet users. It’s possible for users to protect themselves with exotic tools like VPNs, but most users aren’t going to bother to do so. The advantage of a national privacy regulation is that customers get privacy by default, and ISPs have to explicitly ask them before they start sharing private data with third parties.