Privacy-free zone

How ISPs can sell your Web history—and how to stop them

How the Senate's vote to kill privacy rules affects you.

Jon Brodkin

The US Senate yesterday voted to eliminate privacy rules that would have forced ISPs to get your consent before selling Web browsing history and app usage history to advertisers. Within a week, the House of Representatives could follow suit, and the rules approved by the Federal Communications Commission last year would be eliminated by Congress.

So what has changed for Internet users? In one sense, nothing changed this week, because the requirement to obtain customer consent before sharing or selling data is not scheduled to take effect until at least December 4, 2017. ISPs didn’t have to follow the rules yesterday or the day before, and they won’t ever have to follow them if the rules are eliminated.

But the Senate vote is nonetheless one big step toward a major victory for ISPs, one that would give them legal certainty if they continue to make aggressive moves into the advertising market. The Senate vote invoked the Congressional Review Act, which lets Congress eliminate regulations it doesn't like and prevent the agency from issuing similar regulations in the future. For ISPs, this is better than the FCC undoing its own rules, because it means a future FCC won't be able to reinstate them.

Unless the House or President Donald Trump opposes the Senate's action, ISPs will not have to worry about any strong privacy rules getting in the way of using your browsing history for profit. There won’t be any specific rules requiring them to get opt-in consent before sharing browsing history, even if that data is related to just one customer instead of being aggregated with other customers’ data in order to anonymize it.

Senate Democrats warned before yesterday’s vote that ISPs will be able to “draw a map” of where families shop and go to school, detect health information by seeing which illnesses they use the Internet to gather information on, and build profiles of customers' listening and viewing history.

The Senate vote was 50-48, with every Republican senator voting to kill privacy rules and every Democratic senator voting to preserve them.

ISPs can’t see encrypted traffic, so if you visit an HTTPS site, ISPs will see only the domain (like https://arstechnica.com) rather than each page you visit. But that’s still plenty, said Dallas Harris, an attorney who specializes in broadband privacy and is a policy fellow at consumer advocacy group Public Knowledge.

ISPs might be able to figure out where you bank, your political views, and your sexual orientation based on what sites you visit, Harris told Ars.

“You don’t need to see the contents of every communication” to develop efficient ad tracking mechanisms, she said. “The fact that you’re looking at a website can reveal when you’re home, when you’re not home.”

An ISP might notice that a particular tablet often visits children’s websites. From that, “they can infer that this tablet then belongs to a child” and deliver advertising targeted to kids. “The level of information that they can figure out is beyond what even most customers expect,” Harris said.

How the rules have changed

The legal changes all stem from the FCC's decision in February 2015 to reclassify home and mobile ISPs as common carriers. The reclassification had numerous effects: it allowed the FCC to impose net neutrality rules, but it also stripped the Federal Trade Commission of its authority over ISPs because the FTC's charter from Congress prohibits the agency from regulating common carriers.

Before the February 2015 reclassification, ISPs could have been punished by the FTC for violating customers' privacy. But following the FTC rules wasn't too onerous—the FTC recommends opt-in consent before selling or sharing the most sensitive information, such as Social Security numbers, the content of communications, financial and health information, information about children, and precise geo-location data. But ISPs could use an opt-out system for everything else, including Web browsing and app usage history.

The FCC's reclassification of ISPs removed FTC authority but imposed privacy requirements from Title II, Section 222 of the Communications Act. The problem is that Section 222 was written in 1996 for telephone service, so the FCC said it would write new broadband-specific rules explaining exactly how Section 222 would be enforced on ISPs. Those rules, including the opt-in requirements, were finalized in October 2016.

Theoretically, Congress and the FCC could return jurisdiction to the FTC by eliminating the privacy rules and eliminating the ISPs' common carrier classification. But even that might not work, because a federal appeals court ruling in August 2016 said that any company with a common carrier business cannot be regulated by the FTC at all, even when they're offering non-common carrier services. The common carrier designation is also used for landline phone and mobile voice service; that means ISPs like AT&T, Verizon, T-Mobile, and Sprint could be entirely exempt from FTC oversight. Comcast and other cable companies are only common carriers for Internet service because their VoIP phones are regulated differently, so they could more easily go back under FTC oversight.

But even if the FTC regains jurisdiction, its guidelines are weaker than the FCC's privacy rules. Thus, yesterday's Senate vote could leave us with no rules preventing ISPs from selling your Web browsing histories to advertisers and data brokers without obtaining opt-in consent.

When AT&T charged extra for privacy

The most prominent example of an ISP monetizing customers' browsing history comes from AT&T. Starting in 2013, AT&T charged fiber Internet customers at least $29 extra each month unless they opted in to a system that scanned customers' Internet traffic in order to deliver personalized ads.

AT&T killed this "Internet Preferences" program shortly before the FCC finalized its privacy rules. But that doesn't mean ISPs are giving up on advertising.

ISPs “want to be the advertising powerhouse, which is why they fought so hard against these rules,” Harris said. “They want to compete with Google and Facebook and other edge providers in the advertising space. This is going to be their new frontier, a new way for them to increase their profits.”

ISP lobby groups have argued that privacy rules would prevent them from showing Internet users more relevant advertising via “data-driven services” and would prevent ISPs from competing in the online advertising market. They’ve argued that Web browsing and app usage history should not be classified as “sensitive” information.

Advertising lobby groups, knowing that they could end up working more closely with ISPs, recently thanked Republican lawmakers for taking steps to kill the privacy rules.

AT&T sells advertising via its AdWorks division, which boasts of “more targeted” ads to “more screens,” via TV set-top boxes and online video. Comcast sells online advertising that can appear on xfinity.com and NBC sites. Verizon boosted its online advertising technology when it purchased AOL and is trying to finalize a purchase of Yahoo.

Because these ISPs operate their own advertising networks, they don't need to share individuals' browsing history with third parties in order to serve targeted ads. But they can use customers' browsing history to sell targeted ads. Businesses would pay the ISPs to have their advertising reach people who are more likely to buy their products, but only the ISPs would know exactly who those customers are.

“They’ve already begun marketing [to advertisers], explaining how they have the ability to track you on four devices,” Harris said. “Because they’re also your cable [TV] providers, they can combine what you’re watching on TV with what you’re doing on the Internet and looking at on your phones and your tablets. They’re heavily invested in this idea that they have a lot of data that can be valuable to advertisers and want to build up that part of their business.”

For ISPs that don't operate their own ad networks, getting into the targeted advertising business could involve sharing customers' browsing with third parties. The FCC privacy rules would have prevented both the internal use and sharing of such information without opt-in consent.

It's up to ISPs to interpret law

If ISPs could only use your browsing history when you make a conscious choice to opt in to tracking programs, they might not get very many Internet subscribers on board. But if there are no rules, or if browsing history is subject only to an opt-out system, ISPs could share the data of most or all of their customers.

ISPs may still be subject to the underlying requirements of Section 222, but it isn’t clear how that affects broadband providers. Section 222 limits how carriers can use “customer proprietary network information” but doesn’t define what that means in a Web browsing context. Harris says that 222 requires ISPs to give customers a chance to opt out of sharing information.

“It’s just not clear what information they’re going to require an opt-in for and what information they’re going to require an opt-out for,” she said. “That will all be up to the ISP to determine what they feel they need to get opt-in for as opposed to opt-out.”

Public Knowledge believes that opt-in systems are necessary to put customers in control of sensitive information, “and we think Web browsing history and app usage history is squarely under that sensitive category,” she said.

But CTIA, which represents the biggest wireless carriers, argues that Section 222 does not cover “personal” information and can’t be applied to broadband service. Absent specific rules, attempts to enforce Section 222 on broadband providers could get the FCC sued—and FCC Chairman Ajit Pai opposes the privacy rules anyway.

Is there anything holding ISPs back?

In January, all the major ISP lobby groups signed on to a voluntary set of privacy principles based partly on the FTC framework. They specifically pledged to follow FTC guidance for opt-in consent before sharing sensitive information and to “offer an opt-out choice to use non-sensitive customer information for personalized third-party marketing.” Browsing history would be subject to an opt-out system.

Harris encourages Internet users to go to their ISP’s website or call the ISP to figure out exactly how they can opt out of tracking. It’s not convenient, but the option should be there.

This week at the US Senate, ISPs received a victory. Credit: Chip Somodevilla/Getty Images

VPNs, Tor, and HTTPS: Preserving your privacy

To protect your browsing history from your ISP, you need to encrypt your Internet traffic, and there are three primary methods of accomplishing that: VPN services, Tor, and HTTPS.

"That’s basically it," Electronic Frontier Foundation Senior Staff Technologist Jeremy Gillula told Ars. "Those are the three ways you can encrypt [your browsing] so that the ISP can’t see it."

Your ISP can see that you're using a VPN or Tor, "but that's all they'll see," Gillula said.

With a VPN, you're paying a company to encrypt all of your Web traffic and prevent others from tracing your Web browsing back to your IP address. You're trusting that the VPN company will not keep logs of your activities and that it will generally be more respectful of your privacy than your ISP.

Readers have been asking us for a definitive list of the best VPN services. But as we covered last year, this is really an impossible task. You can find out whether a VPN provider promises not to keep logs of your Internet activities, but there's no way to verify whether the VPN provider actually keeps logs, Gillula said.

A VPN provider would see exactly what your ISP would see, but "in some cases, that may be better than trusting your ISP, because your ISP may just straight out say, 'we’re going to be snooping through your browsing history,'" Gillula said.

For guidelines on what to expect and what not to expect from VPN services, read our feature from last year. We also discussed VPNs and other technologies in this beginner’s guide to boosting your privacy and security online.

While each VPN is operated by a single provider, Tor is a distributed network that tries to preserve anonymity by routing traffic through a series of relays.

"When you use the Tor software, your IP address remains hidden and it appears that your connection is coming from the IP address of a Tor exit relay, which can be anywhere in the world," the EFF explains.

Tor is not without vulnerabilities. But generally speaking, while operators of Tor exit nodes "can see traffic going back and forth, they wouldn't be able to trace it back to you," Gillula said. They'd know that someone is going to the websites you're visiting, but they "wouldn’t know that it originated from your home IP address." Tor is thus "a little more privacy preserving than the VPN," he said.

VPNs have an advantage over Tor in ease of use if you want to configure your router to tunnel all of your traffic through the VPN, Gillula said.

"You can do that with Tor, but that takes a little more tech savvy than firing up the Tor browser bundle," which only encrypts traffic in and out of the browser, rather than throughout your home, he said. But there are Tor-enabled routers, which we have reviewed in the past.

Finally, there is HTTPS, which if present in your URL bar indicates that your connection to a particular website is encrypted. As we discussed earlier, your ISP can't see what you do on an HTTPS-enabled website. For example, the ISP knows when you visit https://arstechnica.com, but it doesn't see which articles you're reading.

The HTTPS Everywhere browser extension offered by EFF and The Tor Project provides greater protection on websites that offer only limited support for encryption via HTTPS. However, "it only upgrades your connection if the website supports [HTTPS], and then only if it's in our list of websites that support HTTPS," Gillula said. If the website doesn't support HTTPS at all, you're out of luck.

Turning on your Web browser's private or incognito mode will not prevent ISPs from seeing your Internet activity. Google, for example, says that Chrome's incognito mode prevents the Chrome browser itself from saving the sites that you visit, but does not stop ISPs and websites from seeing which websites you've visited.

Not too late to call your rep in Congress

While the situation looks dire for the FCC's privacy rules, consumer advocates aren't giving up. The Senate's resolution to eliminate the rules still has to pass the House of Representatives.

The House is also controlled by Republicans, but "we think we've got a shot at killing it off," Gillula said. The House is expected to vote on the measure next week, but there's still time to contact your legislator before a vote.

"If we kill it [in the House], we don’t have to worry about any of this creepy tracking," Gillula said.

Jon Brodkin Senior IT Reporter
Jon is a Senior IT Reporter for Ars Technica. He covers the telecom industry, Federal Communications Commission rulemakings, broadband consumer affairs, court cases, and government regulation of the tech industry.