US-ISPs allowed to sell browsing history: How to protect your private data

The United States Congress voted to eliminate privacy rules for Internet Service Providers issued by the Federal Communications Commission. On Monday, President Trump’s signature finally nullified the legislation, allowing ISPs to sell users’ browsing histories and online activities without seeking prior approval.

US Congress repeals FCC privacy rules for ISPs (Image: iStock)

Björn Greif, Editor

How can I prevent Internet providers from selling my whole browsing history to the highest bidder? Many Internet users in the United States are currently asking this question. Last Tuesday the US House of Representatives voted to undo the FCC privacy regulations for ISPs planned by the Obama administration. The vote was 215 to 205, with the majority of Republicans voting for the resolution. As promised, Donald Trump signed the bill on Monday. As a result, companies like Verizon, AT&T, and Comcast do not have to ask for the users’ approval before they can sell data like search queries, website visits, or app usage to advertisers or other third parties. It’s a nightmare for privacy advocate groups as only a few URLs from a browsing history are sufficient to identify the person behind it.

There’s a difference between the overall browsing history and the history in a specific browser. The latter refers to the websites visited and optionally saved in a browser software like Firefox, Cliqz or Chrome. The browsing history on the other hand includes all online activities on a device independent of the browser software used. Internet Service Providers can log this browsing history.

ISPs in the United States are governed by the Federal Communications Commission (FCC) while the Federal Trade Commission (FTC) is responsible for internet companies like Google or Facebook. The two agencies, however, have handled data protection regulations differently. The regulation issued by the FCC in October 2016 would have prevented ISPs from passing on users’ personal data like search queries, web visits, content from online communications, and financial or health-related data without requesting the users’ permission first (opt-in method). In addition, ISPs would have been required to let users choose if less sensitive data like their email addresses can be shared with third parties. These regulations have now been revoked. The FTC generally supports an opt-out model.

Provider Interest > User Interest

Communications companies like Verizon, AT&T and Comcast felt disadvantaged by the FCC regulations. They argued that the rules that apply for Google or Facebook should apply for ISPs, too. The majority of Republicans obviously felt the same way (only 15 voted against the resolution, 6 abstained from voting).

FCC Chairman Ajit Pai (Source: FCC)

Current FCC Chairman Ajit Pai, a Republican designated by President Trump, said after the Congress had made its decision that removing the planned regulation would benefit a more balanced online market. Republicans could have achieved that by strengthening data protection rules for Internet companies. Instead they chose to loosen regulations for ISPs.

The Electronic Frontier Foundation (EFF), an organization devoted to defending user rights in the digital world, described the decision as “putting the interests of Internet providers over Internet users”. “This breaks with the decades long legal tradition that your communications provider is never allowed to monetize your personal information without asking for your permission first. This will harm our cybersecurity as these companies become giant repositories of personal data. It won’t be long before the government begins demanding access to the treasure trove of private information Internet providers will collect and store”, stated the EFF.

It’s no secret that Internet companies collect user data and use them to create comprehensive profiles that serve as a basis for customized services and personalized advertisements. So why shouldn’t ISPs do the same? For one, Internet service providers differ from web companies in that consumers generally have little or no choice of Internet providers, while they have more control over which websites they visit. In addition, ISPs can see the complete unencrypted Internet traffic in their network. This includes search queries, visited websites and the content of e-mails. They can also see websites visited in private mode. And even for encrypted websites, ISPs can detect the domain. If users have multiple devices within one ISP’s network, this provider can track them across devices.

"What the heck are you thinking?"

“I have a simple question: what the heck are you thinking?” Democratic Rep. Michael Capuano asked the Republicans in debate on the House floor. “Why would you want to give up any of your personal information to a faceless corporation for the sole purpose of them selling it? Give me one good reason why Comcast should know my mother’s medical problems.” ISPs can discover customers’ medical conditions by seeing what illnesses and drugs they search for on the Internet, Capuano said. “Just last week I bought underwear on the Internet. Why should you know what size I take or the color?” ISPs could take that information and sell it to underwear companies who might show him advertisements, he said.

Targeted advertisements are only a relatively small part of the problem. The more important question is how the huge amounts of collected and sold personal data will be protected and who else could gain access. Hacker attacks on insufficiently secured corporate servers are almost daily fare. Based on EFF’s statement, governments and secret services are also interested in the data.

VPN, Proxy Network or Tor?

So what can users do to protect their data from their ISP? A simple solution to hide at least part of your web activities is to use HTTPS Everywhere. The browser extension developed by EFF establishes encrypted (HTTPS) connections to websites whenever this option is available. For encrypted connections, ISPs can only see the domain, but not the individual pages visited within a domain. If a user visits the CNN website, the Internet provider can only see the domain, but not which articles the user read on that website.

Users who want to hide their complete Internet traffic from their ISP can use a VPN service, Tor, or a peer-to-peer proxy network. However, these tools require some technical knowledge. To set up a Virtual Private Network (VPN) you need to select a VPN company and configure your devices according to this provider’s instructions. A VPN hides your IP address and location by redirecting all your web traffic. In addition, all content is encrypted, making it unreadable for third parties, including the ISP. However, the VPN company is able to access all online activities and could technically collect and sell your data.

Using a VPN requires that you trust the company. Unfortunately there are plenty of negative examples of VPN traffic that is insufficiently encrypted or not encrypted at all. At least users have a broad choice of VPN providers. Users with technical knowledge can even set up their own VPN server. A disadvantage of VPNs is the fact that some online applications block VPN connections. Video streaming service Netflix, for example, aims to prevent users from bypassing the service’s geo-blocking. Another disadvantage when using a VPN is longer response times due to the redirection of data.

Response times are even slower when using the Tor network with its onion-like multi-layer structure, hence the name The Onion Router, or Tor. Correct configuration requires a good deal of expert knowledge. Tor Browser Bundle based on Mozilla’s Firefox offers a relatively simple entry point. Tor anonymizes data by sending encrypted requests via multiple proxy servers of the global Tor network. The method is not free of vulnerabilities, as the developers admit, especially when visiting unencrypted websites. At the exit nodes where requests are passed on to the Internet, third parties can theoretically read all data.

Peer-to-peer proxy networks are the fastest of the three described methods. Non-professionals may find the setup challenging, though. A proxy server sends requests to target sites using its own IP address and thus hides the user’s identity. Users can create their own proxy in their networks or use a pre-configured one from a country of their choice. Proxies have the disadvantage that website owners can detect and block their redirected traffic more easily than when using a VPN. Therefore proxy networks are not an ideal solution either, especially for standard users.

Users need to actively protect their privacy

Users should be aware that ISPs can read not only their browsing history, but their complete Internet activities. This includes unencrypted communications like e-mails or chat messages. Privacy conscious people should use end-to-end encryption. For sending and receiving e-mails, an active TLS/SSL connection should be used.

There is currently no silver bullet. Users should try to use encrypted HTTPS websites whenever possible. HTTPS Everywhere is a proven tool to automate this effort. In addition they should keep a low marketing profile, meaning they should limit the amount of personal data that can be shared with advertisers. Anti-tracking tools like Ghostery and ad-blocking software block third-party trackers. Some questionable approaches, like the browser extension Internet Noise, are also being discussed on the web. This add-on automatically creates fake web traffic. Such tools have not been proven to be effective and may paint a false picture of being protected.