Recently, as you may have heard, Congress passed a new law to roll back an FCC regulation limiting the types of information about you and your activities online that your Internet Service Provider (ISP) can use, share, and sell.Whatever your political persuasion, this flagrant violation of your privacy rights should leave leave you apoplectic. The bill encountered fierce resistance from many tech-savvy people online in the brief time it spent being “debated” in Congress, but since the subject matter involved is fairly technical, because the information in question is fairly obscure to most users, and because there the bill spent such a short time in the phase where it might have been subjected to such protest, we never reached the critical mass necessary to strike the bill down.
Of course, in this corporacratic Republican Congress, no amount of protest may have been enough. These people are bent on enacting their agenda no matter how unpopular it may be with Americans. And there are so many Americans who are so ignorantly excited for enacting literally anything the Democrats don’t like just because the Democrats don’t like it, there will always be a sizable reservoir of support for such things, anyway.
Now, quite a number of articles are floating around online about how awful this is, and they do a good job of castigating the act in no uncertain terms. I don’t think there is any particular value in adding my voice to that chorus, even though I too detest not only this law, but the conditions that allow it and others like it to exist in the first place. So as far as political commentary, that’s all I’m going to say on the subject.
What may be more useful, now that the bill has passed and will surely be signed into law by Chief Cheeto, is an attempt to lay out exactly what it means for you. What data, exactly, is at risk here? How can it be used? And most importantly, is there any way to prevent your ISP from getting its hands on the data in order to use it in accordance with this law?
The Basics: Who is doing what, now?
The law repeals an FCC regulation that went into effect last year that prohibited your ISP (that’s whoever sells you Internet access — so, your phone or cable company as well as your cell provider) from using certain specific kinds of your information without your express consent. Now that the rule has been rolled back, your ISP can now collect this information as it pleases, with or without your consent or even your knowledge, and use it however it damn well likes. So it can sell the data to advertisers or share it with other companies or individuals for free. The main thing to remember is that, according to the logic of this law, once you generate any information and transmit it over their network, that information becomes their property — you no longer have any right to it, or any say over how it gets used.
What Information is at Risk?
The regulation undone by this law specifically protected a wide array of data. Importantly, this is not just “metadata”, or “information about information”. This is actual data, pertaining to you personally. It can be used to identify you, track you, and even spy on you. That sounds like paranoid rambling, but it isn’t. Just look at the data this law now gives your ISP, with absolutely no oversight, to do whatever it wants:
- Precise geolocation. That is, information about where you are, physically, anywhere on the planet. This data is often of such high quality that anyone who receives this information will be able to tell which room of your house you are in.
- Financial information. Your specific financial information is partially protected by other laws, but without this FCC regulation, your ISP is now free to share things like the fact that you are shopping around for a credit card, a car loan, or a mortgage. They can share or sell the fact that you have been looking for bankruptcy lawyers or are searching for a new job, for example. They generally won’t have access to things like bank account balances or the like, but often that is secondary information anyway.
- Web browsing history. This is a huge problem. Your ISP is able to see exactly where you go online, because they operate the network you have to cross in order to go anywhere on the Internet. It doesn’t matter how many times you clear your browser’s history or how religiously you use Incognito Mode or Private Browsing: there’s a record on file at your ISP telling them (and now, anyone they want to share it with) which sites you have visited, how many pages you looked at on those sites, how long you spent there. By comparing data from multiple ISPs, a third party will be able to piece together things like who you were likely speaking to on those sites, which items you ordered, and other sensitive data.
- App usage history. Nearly all smart phone apps use the Internet in a way that allows them to be individually identified. Thanks to this new law, it is now common knowledge which apps are installed on your phone and how often you use them.
- Content of communications. Another enormous red flag. Your ISP may be able to read your email and listen in on your chat sessions. The FCC had prevented them from doing much of anything with that information, but Congress has now untied their hands. Your ISP can now snoop through your personal correspondence and sell anything it finds in there to the highest bidder. If this doesn’t make your skin crawl, then you really don’t understand anything about what a “Free Society” is supposed to be.
- Basically everything else. Social Security numbers, credit card details, and medical information are now unencumbered by the FCC regulation protecting your information. While some of this is “protected” by other laws, your ISP is generally not subject to the same strict regulations as hospitals or banks, and even if they don’t sell this data, they might store it someplace where it is vulnerable to theft or snooping.
This is not a comprehensive list, but it should give you an idea of what’s at stake here. It’s important to note here that the FCC’s original regulation actually allowed this type of information to be shared already — on the firm condition that it be “de-identified”. That is, all of the above data was already available for general demographic use, so long as it had been modified to remove any parts of it that could specifically and personally identify you. So if it was just demographics or general advertising that the ISP was after, there would have been no problem at all with the statute as it was already enforced. The fact that they felt so strongly they needed to rescind those regulations indicates clearly that their objective here is — specifically — to be able to buy, sell, and trade information about individual people.
Beyond these pieces of information as items in a list, you should also consider what this information can do when analysed as a whole. Say you shop on Amazon for a new TV, and you shop at Wal-Mart online for a Blu-ray player. Knowing both of these pieces of information would easily tell anyone paying attention that you own a TV and a Blu-ray player, so they should try to sell you Blu-ray discs. Simple, right? Now, imagine that same dynamic as applied to any other combination of products you buy or communications you engage in online. By correlating all of your data points, a very accurate picture can be drawn of you as an individual, to the point of being able to predict everything from the type of shoes you’re likely to buy to whether or not you’re likely to engage in next week’s protest downtown.
Starting to get the picture? Remember, all of this data was already available for advertisers — so what, exactly, is the point of zeroing in on people?
So what can you do about it?
Unfortunately, in order for you to be very effective in depriving your ISP (and their “customers”) of this data, you’ll have to learn a bit about how the Internet works. I’ll try not to bore you to death here.
When you connect to the Internet, you’re actually connecting to your ISP’s network first. This works just like the network you have in your house, only bigger. Anything you do inside that network is immediately visible to your ISP. Luckily most of your traffic goes directly through the “gateway” on their network and off into the Internet. But that isn’t really much consolation, because before you can go, for example, to Google, your computer has to ask your ISP how to get there — that means your ISP knows, even before you reach Google, that that’s where you’re going.
On your way to Google, you cross through multiple other ISPs’ networks as well — and they are just as free to track your activity as your own ISP is. So it turns out that you’re not very “safe” at all. So how would you “hide” this traffic from your ISP? There is no fool-proof way to guarantee your data remains under your control (after all, even if your ISP can’t see what you’re doing, all the servers you connect to can). But there are a few fairly straightforward tips you can take advantage.
Use a VPN.
A VPN (or “Virtual Private Network”) is a service you can subscribe to that takes everything you do online and “wraps” it into a single connection to a nondescript server on the Internet, and encrypts the traffic so that it’s impenetrable to your (and any other) ISP. That means every web address you look up, every website you visit, every file you download or chat session you participate in, is effectively invisible to your ISP and the data is therefore useless. They will know you’re connecting to a VPN — they just won’t be able to see what you’re doing there.
Please, please understand, however, that VPNs do not really provide any actual “anonymity”. Larger monitors of the Internet, such as are operated by governments, are able to piece together information in a somewhat more sophisticated way than ISPs are. They can also sometimes break the VPN encryption. So don’t do anything illegal (obviously). VPNs are a good way to obscure your activity from a snooping ISP, but that’s about it. Also you’ll suffer a noticeable penalty in connection speed while connected to a VPN. It’s up to you whether the trade-off is worth it.
Recommended Service: NordVPN. This VPN service is inexpensive, easy to set up on any platform, and offers the ability to use a plain OpenVPN client (so you can bring your own client software if you want, without relying on a 3rd-party application whose activity you can’t track). They have servers all over the world, allowing you to bypass local firewalls. For the seriously paranoid, you can also look into Obfsproxy, a system that helps not only hide the content of your traffic from your ISP, but even hide the fact that you’re using a VPN. Again, however, this isn’t usually necessary — we are concerned with your private data, not hiding some heinous crime, after all.
Don’t use your ISP’s email service.
Your ISP is now free to do whatever it wants with your email, including reading it and selling the contents of your messages. It’s much more advisable to use a reputable 3rd-party email provider (outlook.com, Gmail, Yahoo!, etc.) for your email needs. Another benefit to using these services is that you can more easily reach your inbox from any computer in the world, and the connection is encrypted. Your ISP’s email server may not require encryption, allowing people besides your ISP to “eavesdrop” on your email.
General Note: Remember that email in general is not a secure method of communication no matter which service you use. Messages you send and receive traverse so many networks and servers to and from their destinations, never with any real guarantee of encryption or any other privacy protections, that you should always assume your email is being monitored. There are ways to make email more secure (PGP encryption, for example, is supported by most major email clients), but these are inconvenient for the average user. If you need to send personally identifiable information to someone else, such as credit card information or your Social Security number, you should absolutely refuse to do so over email.
Encrypt your communications.
Everything you do online should be encrypted. Sadly, many major websites (especially news outlets) still operate their websites without encryption, but most services will at least have an encrypted option available. Just like with a VPN, the purpose of encrypting your web traffic is to make the content of your communications unusable from the perspective of an ISP or any other eavesdropper. You can tell whether the website you’ve visiting is encrypted by looking at the address bar (where the site’s URL is displayed) and looking for a green padlock icon:
You can look for browser extensions and add-ons to keep you as safe as possible (I use KB SSL Enforcer). You should at least ensure that any site where you have to log in to an account, or where you are communicating directly with other people, is encrypted. If you run any services of your own on your own, especially if you run them on your home network, definitely secure them with an SSL certificate. There’s no need to pay for this — you can use Let’s Encrypt to get a trusted certificate for non-commercial websites for free. That’s what we use here!
SSL encryption is of paramount importance on shared WiFi networks (like at Starbucks or inside hotels, or at work) because your communications are technically the “property” of whoever a network belongs to. There’s no guarantee of privacy on these networks, so you should always be mindful of what you’re doing on them. Ideally, on any shared or public WiFi network, you should conduct all your business under the protection of a secure VPN connection. If you don’t have access to that (or if the network blocks such connections), then you should limit yourself to destinations on the Internet that support SSL encryption. You should assume any unencrypted traffic is being stored, inspected, and used without your permission.
The ultimate point of all of this is that in Trump’s America, nobody is looking out for you or your personal information. None of these tips are new — they have always been good ideas, in a sort of “best practices” way. But Congress has made it clear with this despicable violation of your privacy that the last thing they’re concerned about is safeguarding your information online. You can expect this to be the law of the land for at least the next 4 years; and very likely, this is only the tip of a very big turdberg lurking in the murky waters of the Republican legislative agenda. It’s up to you to protect your own privacy now, because nobody else is going to do it and because very powerful forces are now actively trying to undermine your privacy and sell your personal information to the highest bidder.
And don’t take the few tips offered here as a comprehensive regimen for protecting yourself online. The rules have changed in America, and if you want to stay safe online (or in the streets, for that matter), you have to take a little more time to educate yourself and be vigilant. Good luck out there.