How ISPs can sell your Web history—and how to stop them
How the Senate’s vote to kill privacy rules affects you.
By Jon Brodkin
Mar 24 2017
The US Senate yesterday voted to eliminate privacy rules that would have forced ISPs to get your consent before selling Web browsing history and app usage history to advertisers. Within a week, the House of Representatives could follow suit, and the rules approved by the Federal Communications Commission last year would be eliminated by Congress.
So what has changed for Internet users? In one sense, nothing changed this week, because the requirement to obtain customer consent before sharing or selling data is not scheduled to take effect until at least December 4, 2017. ISPs didn’t have to follow the rules yesterday or the day before, and they won’t ever have to follow them if the rules are eliminated.
But the Senate vote is nonetheless one big step toward a major victory for ISPs, one that would give them legal certainty if they continue to make aggressive moves into the advertising market. The Senate vote invoked the Congressional Review Act, which lets Congress eliminate regulations it doesn’t like and prevent the agency from issuing similar regulations in the future. For ISPs, this is better than the FCC undoing its own rules, because it means a future FCC won’t be able to reinstate them.
Unless the House or President Donald Trump oppose the Senate’s action, ISPs will not have to worry about any strong privacy rules getting in the way of using your browsing history for profit. There won’t be any specific rules requiring them to get opt-in consent before sharing browsing history, even if that data is related to just one customer instead of being aggregated with other customers’ data in order to anonymize it.
Senate Democrats warned before yesterday’s vote that ISPs will be able to “draw a map” of where families shop and go to school, detect health information by seeing which illnesses they use the Internet to gather information on, and build profiles of customers’ listening and viewing history.
The Senate vote was 50-48, with every Republican senator voting to kill privacy rules and every Democratic senator voting to preserve them.
ISPs can’t see encrypted traffic, so if you visit an HTTPS site, ISPs will see only the domain (like https://arstechnica.com) rather than each page you visit. But that’s still plenty, said Dallas Harris, an attorney who specializes in broadband privacy and is a policy fellow at consumer advocacy group Public Knowledge.
ISPs might be able to figure out where you bank, your political views, and your sexual orientation based on what sites you visit, Harris told Ars.
“You don’t need to see the contents of every communication” to develop efficient ad tracking mechanisms, she said. “The fact that you’re looking at a website can reveal when you’re home, when you’re not home.”
An ISP might notice that a particular tablet often visits children’s websites. From that, “they can infer that this tablet then belongs to a child” and deliver advertising targeted to kids. “The level of information that they can figure out is beyond what even most customers expect,” Harris said.
How the rules have changed
The legal changes all stem from the FCC’s decision in February 2015 to reclassify home and mobile ISPs as common carriers. The reclassification had numerous effects: it allowed the FCC to impose net neutrality rules, but it also stripped the Federal Trade Commission of its authority over ISPs because the FTC’s charter from Congress prohibits the agency from regulating common carriers.
Before the February 2015 reclassification, ISPs could have been punished by the FTC for violating customers’ privacy. But following the FTC rules wasn’t too onerous—the FTC recommends opt-in consent before selling or sharing the most sensitive information, like Social Security numbers, financial information, and information about children. But ISPs could use an opt-out system for everything else, including Web browsing history.