Letting ISPs Sell Your Data Seriously Weakens Existing Consumer Protections.
With the newly passed Senate resolution, that protection is gone, leaving ISPs free to share and sell “data, including online browsing activity, mobile app data, and emails and online chats” to third-party companies. The vote was 50-48 in favor, exclusively supported by Republican senators.
Now you know who to thank when your Social Security Number is spread all over the place (that may seem dramatic, but your SSN is one of the pieces of information that your ISP can now share without permission).
This is an absolutely atrocious invasion of privacy – one that provides no benefits to consumers and only gives ISPs more means for making a profit off a service they already charge users for. During the resolution’s debate, Senator Ed Markey (D) said “the acronym ‘ISP’ now stands for ‘information sold for profit,’ and ‘invading subscriber privacy,’ rather than ‘Internet service providers.’”
This outcome demonstrates the importance of sensible policies on digital privacy – something that the US government has a bad track record with. While we often like to champion the capabilities of technology, that alone cannot solve all of our problems.
For instance, even with these new regulations, SSL/TLS can still provide some privacy from your ISP’s prying eyes. When using HTTPS, a network observer cannot see the specific page you have visited on a website, but they can still see the hostname.
This means that HTTPS prevents your ISP from seeing what you have searched for on Google. But they will be able to see that you navigated from Google to WebMD.com, and then to Diabetes.org. This demonstrates the trivial ease with which a network-level observer with aggregate data can identify what you are doing, even with some protections. (By the way, this is another good reason for you to adopt HTTPS for your site. Give your users the ability to value and prioritize their privacy instead of taking that decision away from them by only offering HTTP).
Users could go further and bolster their protections by also using a VPN – which would encrypt all traffic from their local computer and effectively blind their ISP. But in the digital realm, privacy and safety are usually unrelated. So unless your VPN provider isn’t rubbish – which is a big assumption to make – you may be sacrificing one protection for another.
By using a VPN you are really just shifting your exposure instead of limiting it. After all, instead of your ISP seeing everything you’re doing, now your VPN provider will. Given that there is less oversight over VPN providers, they may not provide any privacy improvement at all.
So that is another technology solution which fails to really work…
This does not even get into the topic of usability or the fact that keeping a shred of privacy online will take money, know-how, and the inevitable troubleshooting and inconveniences of such a complicated method just to do some simple web browsing.
So, what’s more reasonable – to play a cat and mouse game with various protocols, services, and software to keep your basic privacy rights intact? Or would it be better for our government to start taking our digital rights seriously, and start passing sensible legislation?