April 5th, 2017

The US Online Privacy Law Repeal: How It Will Affect You

As with any politicized issue, there is a lot of misinformation surrounding the repeal of the data privacy framework. Regardless of whether you are a Republican or a Democrat, your online security and privacy rights are going to be affected, so let’s just get the story straight.

This whole issue began back in February 2015, when the Federal Communications Commission (FCC) issued an Open Internet Order. This established net neutrality rules and also reclassified ISPs as carriers under Title II of the Communications Act. This meant that ISPs would be subjected to a new set of regulations.

ISPs opposed the reclassification, claiming that it put them at a disadvantage compared with companies such as Google and Facebook, which didn’t have to abide by the additional regulations. A common response to this is that people can choose which search engine or social media company they use; however, they often have no choice when it comes to their ISP, due to monopolies in many locations.

In October 2016, the FCC passed The Order, which set out the rules on how carriers could collect and use customer data. The new framework required individuals to opt in to share any sensitive information, but also enabled them to opt out of sharing most non-sensitive data. It also mandated that ISPs implement adequate data security policies, along with many other rules.

The framework was originally scheduled to be enacted on March 2, 2017, but the change of government paused the roll-out. On March 23, the Senate voted to repeal these laws, and on the 28th the House also voted to undo them. On Monday, Trump signed a resolution to reverse the laws, putting a halt to any further online privacy regulations.

Most of the arguments against the privacy framework focused on free market ideals and not burdening businesses with additional regulation. While there may be some merit to these claims, the market for internet access is hardly free and open.

Infrastructure requirements, long-term contracts and cancellation fees often mean that consumers don’t have much choice in their ISP. They cannot easily hop over to another provider if they don’t like the service. While many individuals may feel trapped into using the services of huge companies like Google, they can switch over to Bing or another search engine with ease. Nevertheless, it was deemed that these regulations were unfair and the privacy framework was repealed.

What Does the Repeal Mean?

Under the Obama Administration’s privacy framework, ISPs would have only been able to collect and share your sensitive information if you opted in, while you would have had the option to opt out of most other data processing activities.

Without these protections, privacy advocates fear that ISPs will ramp up their data collection and selling practices. There is a lot of uncertainty in place, because the existing FCC policy is confusing and nebulous. Strangely enough, the FCC regulates ISPs through the Telecom Act of 1934. As this law clearly wasn’t designed for the internet era, what ISPs can and cannot do is open to the FCC’s interpretation.

The privacy framework was brought in when the FCC was headed by a Democrat and the rules were essentially based on their understanding of the Telecom Act. The FCC is currently headed by a Republican, which means that the Act is subject to their interpretation for the time being. In a Washington Post article, the current chairman of the FCC, Ajit Pai, stated that he intends to return the regulation of ISP privacy practices to the Federal Trade Commission (FTC). He claims that the FTC is a more experienced entity for forming and policing privacy regulations. If ISP privacy regulation is moved back to the FTC in the future, it is likely that privacy protections for individuals will remain weaker.

What Can ISPs Do Without Your Permission?

Your ISP tracks you. Some of this is for a good reason – the more things they know about the internet habits of their customers, the better they can tune their networks to optimize traffic. Because of this, your ISP knows which domains you visit and how much data is transferred. They can’t see what you specifically do on HTTPS-secured websites, but they do know that you have visited them.

This information is valuable to advertisers. An ISP also knows your name, physical address and IP address, which can make the data even more useful. They have piles of data concerning your habits and interests, alongside your personal information, which allows advertisers to target you very precisely.

Your ISP isn’t able to sell data based on individuals or specific groups, because of laws regarding individually identifiable data. Instead, ISPs admit that they use your data in aggregate for targeted advertising. Many ISPs consider the mere use of their service by an individual as consent (which, like a browse-by agreement, is highly dubious); however, most do have the option to opt out. This will allow you to avoid ads, but it doesn’t necessarily stop them from collecting your data.

It is also likely that the repeal will enable ISPs to use supercookies again. These aren’t technically cookies – cookies are stored locally on your device. Supercookies are Unique Identifier Headers that are injected by an ISP at the network level. They allow an ISP to build up user profiles based on their online behavior. These profiles can then be sold to third parties, who use them for advertising. Under the old FCC, users should have been able to opt out of their ISP sharing this data, but it is unknown what will happen now.
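One way to check a connection for this kind of header injection, as an added example that is not part of the original article: compare the headers your client sent with the headers an echo server you control reports receiving over plain HTTP. The host names, the allow list, the thresholds and the token value are constructed for illustration; `X-UIDH` is a header name that has been used for such identifiers.

```python
import math
from collections import Counter

# Headers intermediaries commonly add for routing; not identifiers by themselves.
BENIGN_PROXY_HEADERS = {"via", "x-forwarded-for", "x-forwarded-proto", "forwarded"}


def shannon_entropy(value):
    """Bits per character; long random tokens score high."""
    counts = Counter(value)
    return -sum(c / len(value) * math.log2(c / len(value)) for c in counts.values())


def find_injected_headers(sent, echoed):
    """Compare headers the client sent with those an echo server received.

    Returns (name, verdict) pairs: 'modified', 'proxy', 'tracking-id' or 'unknown'.
    """
    sent_ci = {k.lower(): v for k, v in sent.items()}  # header names are case-insensitive
    findings = []
    for name, value in echoed.items():
        key = name.lower()
        if key in sent_ci:
            if sent_ci[key] != value:
                findings.append((name, "modified"))
        elif key in BENIGN_PROXY_HEADERS:
            findings.append((name, "proxy"))
        elif len(value) >= 20 and shannon_entropy(value) >= 3.5:
            # Added header carrying a long, random-looking token (heuristic thresholds).
            findings.append((name, "tracking-id"))
        else:
            findings.append((name, "unknown"))
    return findings


# Constructed sample: request as sent vs. as received by the echo server.
SENT = {"Host": "echo.example", "User-Agent": "demo/1.0", "Accept": "*/*"}
ECHOED = {
    "host": "echo.example",
    "user-agent": "demo/1.0",
    "accept": "*/*",
    "Via": "1.1 proxy.example",
    "X-UIDH": "q7Zk2Lx9Tn4Vb8Rm3Wc6Yd1Hs5Pf0Gj",  # constructed token
}

if __name__ == "__main__":
    for name, verdict in find_injected_headers(SENT, ECHOED):
        print(f"{name}: {verdict}")
```

The comparison is only meaningful over plain HTTP: on an HTTPS connection the request headers are encrypted in transit and cannot be altered by the network without intercepting TLS.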

How Is Your Online Security Affected?

The repealed framework was set to bolster security standards for ISPs. The Order required ISPs to employ data security practices that were adequate for the scope of their activities. It also required them to notify the FCC, the FBI, the Secret Service and the affected customers in the event of a breach. Without these rules in place, it is only natural to assume that data security standards will remain lax.

There is also the potential for ISPs to set up SSL proxies that their customers are forced to use. This would mean that an ISP could inspect all of a user’s data, and the lack of encryption would have terrible ramifications for user and business security. Our article on SSL can help to clarify its role in keeping users safe online.

Data collection is never good for your online security. The more organizations that collect and store your data, the more chances there are for your data to be breached and fall into the hands of hackers. Because the repeal seems to open up the gates for ISP-related data collection as well as loosen security standards, this significantly heightens everyone’s risk.

What Can You Do If You Care About Your Privacy?

The first thing that you should do is inquire whether your ISP enables you to opt out of their targeted advertising. This may not stop them from collecting data on you, but at least it’s a start. One of the simplest ways that you can stop your ISP from tracking your online activity is by downloading and using Tor Browser. It encrypts and randomly bounces your online activity around the world to help conceal what you are doing.

If you want to secure the traffic to your WebMail and Email, you can use LuxSci’s VPN access. This will encrypt all of your traffic between your computer and the LuxSci servers, in a way that is safe from SSL proxies. If you would prefer to take things a step further, you can use a full-blown VPN. These encrypt all of the traffic from the VPN client on your computer, so all your ISP can see is that you are using a VPN. A VPN is a great way to both secure yourself online and stop your ISP from collecting your data. Research your VPN provider carefully before you sign up for one, because many vendors aggressively market their services with affiliate schemes.

What Happens Now?

Honestly, no one knows for sure. Now that the FCC privacy framework has been repealed, it is likely that ISPs will see much more limited oversight. This is worrying, because ISPs have a long track record of putting their financial interests ahead of their customers’ privacy. It may be the case that the more expensive ISP “business level” accounts will be exempt from these consumer-oriented privacy invasion tactics. There is also the potential that government eavesdropping will expand under this new direction.

If you really care about your online privacy and security, you can’t rely on the government to protect you. The best thing you can do in the short term is to get a VPN – without the privacy framework in place, you are simply being exposed to too much risk.
