What Individuals Should Do Now That Congress Has Obliterated the FCC鈥檚 Privacy Protections
Congress has voted to reverse new FCC privacy protections that would have required Internet service providers (ISPs) like Comcast, Verizon, and AT&T to seek your permission before sharing information about your browsing history, location history, contacts, and other personal information. Last Tuesday, President Trump signed the measure.
There are some limited steps we as individuals can still take to protect our data. But the truth is that none of them are adequate when the companies that run wires into our home are determined to spy on our use of their services. The best thing Americans can do is to exercise their rights as citizens in a democratic society through activism, voting, working to support and oppose candidates, etc. Right now, people need to make their displeasure heard, loud and clear. Check to see if your senators and representative voted to protect the interests of Big Telecom, or the interests of individuals who don鈥檛 want to be spied upon, profiled, bought and sold, and possibly . If they did the former, voice your displeasure. Speak up online, support federal legislation to restore these protections, advocate for your to fill the gap left by Congress鈥攁nd don鈥檛 let your memory of this travesty fade away, as telecom-supporting members of Congress are counting on you to do.
A common but inadequate response in situations like this is that we should 鈥渓et the market decide.鈥 The reality for most Americans is that the market has failed to provide meaningful choice among network operators. Fully 51 percent of Americans of broadband Internet service provider, and even the lucky Americans with access to two or more providers may not see any meaningful difference between the providers in terms of user privacy. This makes it difficult, if not impossible, to 鈥渧ote with your wallet.鈥
What are the limited steps that people can take to restore the privacy that ought to be their right? There is no perfect solution, but we have a few suggestions.
Contact Your ISP and Opt Out of Data Sharing
Despite the obliteration of the FCC鈥檚 privacy protections, most ISPs (for now) offer consumers limited opportunity to 鈥渙pt out鈥 of data sharing about their Internet use, often referred to by the legal term 鈥淐ustomer Proprietary Network Information,鈥 or CPNI. Although this step has definite limitations, it is something that every customer should take advantage of.
Unfortunately, the telecoms have every incentive to make it difficult for you to do so, and often do not present discoverable, meaningful options. This is a highly imperfect solution from a policy standpoint 鈥 because of the difficulty in opting out, because it throws the burden of protecting privacy onto the customers when the law clearly places it on carriers, and because it attempts to normalize surveillance by making surveillance the default when the default should be privacy.
To look at what it takes to opt-out, we explored the sites of the top ISPs in the United States. What we found is that their 鈥渙pt-out鈥 procedures and options are hopelessly inadequate, and that it was very difficult and time-consuming to get accurate information from the companies. When we sought help from Comcast鈥檚 customer service chat, for example, it took over 20 minutes to get a link to their privacy policy, and they did not provide any information on how to opt out of information sharing. We also found that the companies鈥 privacy policies were generally vague and lacking in information about exactly what data is collected by the ISP and what a broadband user can expect in terms of privacy. Furthermore, none of the opt-out options appeared to allow a user to opt out of having information about their personal browsing histories retained and stored, which many people find offensive鈥攕ome ISPs merely let users opt out of getting ads based on the collection and storage of that data. Other ISPs will still send some marketing materials based on the information they have collected, even if the user has opted out.
Here are links to opt-out pages for the leading ISPs:
AT&T: Instructions on opting out of various uses of data are , including this
CenturyLink: Instructions for opt-outs on marketing contacts as well as other practices are .
Charter Spectrum: Privacy preferences can be set and by calling the company as described in Charter鈥檚 in the sections entitled 鈥淐an I prohibit or limit Charter鈥檚 use and disclosure of my personally identifiable information?鈥 and 鈥淐harter Residential Customer Proprietary Network Information (CPNI) Policy.鈥 Charter has acquired Time-Warner Cable, but TWC still has a 鈥淐PNI Opt Out鈥 form online .
Cox: Features a 鈥溾 page to opt out of marketing based on CPNI as well as other uses of data such as location-based advertising.
Comcast: Information about opting out of various uses of information is contained within Comcast鈥檚 xfinity .
Verizon: Instructions to opt out of various uses of Internet, cell phone, and television services are (in the section 鈥淗ow to limit the sharing and use of your information鈥) and .
If you use a smaller ISP not listed above, a provider鈥檚 privacy policy is generally the place to look for opt-out instructions and links. Nearly all companies include a link to a privacy policy on their main page, though it is often in very small print at the very bottom of the page.
Encryption
Encryption is an effective way of hiding the content of your communications from an ISP鈥檚 prying eyes (not to mention those of other parties). Encryption will block your ISP from seeing the content of your communications, but depending on the application it may still permit them to see your metadata (such as who you are communicating with and/or when).
Nevertheless, using encrypted communications and apps as much as possible is a good idea. As we鈥檝e recommended before, for example, everyone should use Signal where possible to replace traditional text messaging or voice calls. Of course, many of your friends may use an end-to-end encrypted messaging app like Signal or Apple鈥檚 iMessage, but many may not, and you will be obliged to communicate with those friends over channels that your ISP鈥攁nd theirs鈥攃an snoop on. So encourage your friends to move to better messaging platforms!
You can also use the browser extension, developed by our friends at The Tor Project and the Electronic Frontier Foundation, to force more of your web browsing to HTTPS. When a customer connects to a web site that uses HTTPS (as opposed to plain unencrypted HTTP), the ISP can鈥檛 see the exact pages within a site that a customer is reading, or the content of the pages that he or she downloads. The ISP will, however, still see that you鈥檙e visiting the site itself (i.e. or ). Another limitation is that while many web sites have shifted to HTTPS, many have not, and the end-user has no control over that.
Despite such limitations, moving to encrypted communications as much as possible is a good idea and is a step that will protect your privacy not only from your ISP, but also potentially from other parties ranging from the IT workers in your office to the NSA.
Virtual Private Networks
In addition to using encrypted communications, you might want to protect more of your metadata (information about where you are going and who you are communicating with on the Internet). One approach is to use a Virtual Private Network (VPN), which creates an encrypted connection between a customer鈥檚 computer and the VPN鈥檚 network, and routes all of the customer鈥檚 traffic through that remote network, leaving the customer鈥檚 ISP unable to see either the content or the destination of a customer鈥檚 communications. Configured this way, the VPN acts as an encrypted proxy to the rest of the Internet. VPNs can be an effective way of preserving some degree of privacy against some parties, including ISPs.
The use of VPNs has a number of significant limitations you should be aware of.
VPNs cost money, forcing you to pay for privacy that should be your right (and which many Americans cannot afford). Unless expertly configured, a VPN may not cover the growing eco-system of Internet of Things devices that is appearing in many homes, such as personal assistants (like the Amazon Echo), smart or GPS watches, FitBits, appliances, etc. Even with use of a VPN, your ISP can still see the amount of data you are sending and receiving, and at what times. And VPNs can slow down your Internet data speeds, because all your traffic has to be funneled through a remote server. It might introduce delay into video chats or VoIP phone calls, for example.
Finally, use of a VPN just shifts the privacy issues to a new party. When you use a VPN, many details about your Internet usage become invisible to your ISP鈥攂ut whatever party is operating the VPN service (employer, third-party service, etc.) then gains access to all that information. For this and other reasons, it鈥檚 important to do good research and be very careful about whom you select as a VPN provider. Your choice may depend on whom you're trying to protect yourself from: someone who is trying to avoid the local advertising agency might have a different set of choices than someone who is trying to avoid immigration authorities or a vindictive city councilmember. The Electronic Frontier Foundation lists questions that should guide your VPN choice .
Use the Tor Browser
Another option for protecting privacy is to do your browsing through , which is an encrypted network of servers that bounce your traffic around between you and the site you鈥檙e visiting so that it can鈥檛 be tracked. The simplest way to use Tor is to the Tor Browser and use it instead of your normal web browser. Installing and using the Tor Browser won鈥檛 have any effect on your normal web browser, so you can try it out and still easily switch back, or use Tor for some of your browsing and another web browser the rest of the time.
As with a VPN, your ISP will be able to see the amount and timing of your data transmissions over Tor, but it will all come and go from the Tor 鈥溾 to which you are connected, and it will all be encrypted. Even more than a VPN, Tor can slow down a user鈥檚 Internet speeds. Furthermore, some website operators , which can be frustrating if you need to visit those sites.
Defend Network Neutrality
To avoid losing advertising dollars, ISPs might be tempted to detect customers鈥 use of Tor Browser or VPNs and deliberately slow down that traffic in order to discourage people from protecting their privacy in that way. Fortunately, the FCC鈥檚 network neutrality rules prohibit that kind of interference with customers鈥 traffic. That鈥檚 great鈥攁s long as Congress or Trump鈥檚 FCC doesn鈥檛 undo the network neutrality rules as they have the privacy rules. So privacy-conscious Americans are advised to politically agitate for the preservation of network neutrality in addition to agitating for the restoration of broadband privacy.
Overall, nobody should view any of the above suggestions as a permanent fix for the problem that Congress has created by nuking the FCC鈥檚 privacy protections. When something bad happens, it鈥檚 natural to want assurance that we still can be in control of our own destiny. Taking advantage of the limited steps that are available can be a good idea, but the best thing Americans can do about this betrayal of their privacy is to exercise their right to support and oppose candidates, to vote, and to engage in vocal speech and vigorous activism.