Today, the US Senate voted 50-48 to overturn broadband privacy rules that would have required internet service providers get consumer consent before selling their web browsing data to advertisers or other data companies.
Update: As expected, the House of Representatives voted in favor as well, which means this is off to the President’s desk next.
The rules, which passed in October of last year, govern the collection and selling of private data by ISPs like Verizon, Comcast, or AT&T. Those rules would have required internet providers to ask for permission before selling data about your usage, like web browsing history and location, as well as data about finances, health, app usage, and more. The Senate just voted against it.
Essentially, your ISP would need your approval before they could tell advertisers what web sites you like, what apps you use, where you’re at, or any health and financial information it has on you. These protections weren’t in place yet; the privacy protection rules would go into effect as early as December 4, 2017.
Today, the Senate used the Congressional Review Act to overturn the rules and ensure the FCC can’t make similar rules in the future. Sen. Jeff Flake (R-Ariz) introduced the overturning measure, who argues that:
The FCC’s midnight regulation does nothing to protect consumer privacy. It is unnecessary, confusing and adds yet another innovation-stifling regulation to the internet...My resolution is the first step toward restoring the FTC’s light-touch, consumer-friendly approach. It will not change or lessen existing consumer privacy protections. It empowers consumers to make informed choices on if and how their data can be shared.
The “confusion” stems from the fact that ISPs would be held to different privacy standards than web sites like Facebook or Google, who can and do collect all kinds of data about your browsing habits. The difference, of course, is that you need an ISP to access to the internet, whereas we can all chose not to use Facebook or Google. It’s not that confusing.
As for the Democrats, Sen. Ed Markey (D-Mass) is one of the more vocal opponents of the measure. Markey released this statement today:
President Trump may be outraged by fake violations of his own privacy, but every American should be alarmed by the very real violation of privacy that will result of the Republican roll-back of broadband privacy protections.
With today’s vote, Senate Republicans have just made it easier for American’s sensitive information about their health, finances and families to be used, shared, and sold to the highest bidder without their permission. The American public wants us to strengthen privacy protections, not weaken them. We should not have to forgo our fundamental right to privacy just because our homes and phones are connected to the internet.
This measure still has to go through the House, which is also controlled by Republicans, before it heads to President Trump.
Let’s roll back time a little bit here to better understand why this matters.
Back in 2015, the FCC reclassified internet service providers as information services, giving oversight to the FCC. This was important because it meant any rules about how ISPs act, including what they do with private data, now falls to the FCC, which has historically been pretty good at protecting our privacy when it comes to telephone companies. Fast forward to October of 2016, and the FCC passed the rules in question today under previous FCC chairman Tom Wheeler. These rules would not go into effect until 2017, which is why the Senate decided to intervene using the Congressional Review Act, which allows Congress to eliminate agency rules with a simple majority vote.
ISPs have been collecting data about you and selling it for a very long time, though most claim they anonymize that data and don’t include individual IP addresses. ISPs have long been interested in metadata, which boils down to generalized information about your habits, because that’s easier to share with outside companies without breaking any current consumer privacy laws.
Those laws have been confusing, opaque, or non-existent for a while, but in the last few years we’ve finally started to see some form of regulation. If this measure gets through the House, it doesn’t undo standard consumer privacy protections, handled by the Federal Trade Commission, but things do get confusing. Ars Technica points out that ISPs claim they’ll support the FTC approach that “protected consumers from harmful data collection practices while permitting the flexibility necessary to allow the internet to flourish,” but the problem there is that the FTC can’t regulate ISPs, that’s the FCC’s job. Which means that Congress would need to find a way to take control away from the FCC and give it to the FTC.
See, told you that it’s confusing. More confusing than the difference between a Google and a Comcast, anyway.
If you’re curious about what a modern day ISP might collect and share, here’s Xfinity’s Privacy Policy as an example. Keep in mind that Comcast owns Xfinity, a company who last year high-fived AT&T and suggested a cheaper tier of internet service for anyone who opted in to data collection.
It’s been widely thought that the after the FCC started the ball rolling on consumer protections, most ISPs dialed back their tracking in preparation for these new rules.
Now, the Senate has voted to strip away any potential rules, and assuming this measure gets through the House, ISPs will be able to collect everything about you and sell it to data brokers for whatever they want without asking your consent.
So, what does any of this actually mean to us normal people who use the internet to look at adorable pictures of bears and shop for new shoes?
In the simplest terms, it means that an ISP could potentially collect and sell a personal dossier on you. The whole thing is about about making money off of advertising.
Take a second right now to think about everywhere you’ve been on the internet in the last day. Look at your browser’s history if you want a more detailed look. Who is that person who went from searching for Waluigi poetry one second and hockey skates the next. Think about how much an ISP knowns about you based on all that. It’s a gold mine of data.
Your ISP knows when you wake up and get on the internet. It knows what weird health ailments you might have searched for at 1am. It knows where you shop. It might also know what you’re listening to, where you’re listening to it, and how many times you’ve put “Blank Space” on repeat. It probably knows your sexual preferences, your fetishes, and your deepest worries. It knows your political leanings, the protests you’ve been to, and the books you’ve searched for.
The more data an ISP has, the better profile it builds of you, which they can then sell for more money to the data brokers who take that information and turn it over to advertisers.
Aside from the general grossness of the ISP you already pay an exorbitant fee just for internet access turning around and making more money off you without your consent, if history is any indication, all that data will get hacked and released at some point. Even if you “don’t have anything to hide,” you’ve got some embarrassing web searches in your history.
Beyond advertising, the Electronic Frontier Foundation points to a whole slew of worst case scenario things an ISP might do without regulation, including snooping on traffic and injecting ads, preinstalling software on your phone, injecting cookies to better track your data, or hijacking your searches and redirecting them.
You do have some options though. The easiest way to circumvent any of this is to use a Virtual Private Network (VPN). The next problem, then, is that VPNs are also completely unregulated, and choosing one that doesn’t sell your data off is complicated mess. Most of us have more choices for a VPN provider than we do for an ISP, but it’s still a gamble where you’re assuming a company is as legit as they claim to be.
Regardless, this still has to get through the House of Representatives, and while it’ll presumably pass, nothing is set in stone yet.