ISPs Can Continue to Collect and Sell All of Our Browsing History, and We'll Never Know

4 min read

Yesterday, on March 28, 2017, Congressional Republicans gave a huge gift to Internet Service Providers (ISPs) by killing rules that would have prevented them from selling our browsing history. Because Congressional Republicans killed these rules, ISPs - companies like Comcast, Verizon, Qwest (aka CenturyLink), AT&T, etc - can continue to sell information about how we browse the web. All browsing we do on the web - from a young child looking for information about dinosaurs, to a teen curious about their sexual identity, to a person reading the news, to a parent looking for medical information, to a person browsing pornography - all of these activities, done inside people's homes, can continue to be tracked and sold to anyone, without our knowledge or consent.

We need to pause here - this is actually as bad as it sounds. If you have kids in your house, their browsing activity can be bundled and sold by your ISP. As their parent, you will never be told that any sale took place, who the buyers are, and how they are using that information. So, the next time your kids are having a playdate, if your kid's friends connect to your internet, your ISP is profiting from the playdate. Thanks to the actions of congressional Republicans, this is universal across the US. Every ISP in the US can continue to do this.

However, this isn't the worst of it. An element that has gone largely undiscussed is how this rule change puts ISPs in a commanding position when it comes to connecting online and offline behavior. Connecting online and offline identity is a leading concern with advertisers - and rest assured, they are looking at this through a racial lens as well. For people who connect to the internet via a phone and a computer, our ISP can now identify both devices as belonging to a specific home. This is incredibly valuable information - and because this information can be shared and sold indiscriminately, it allows for a solid connection to be made between an individual, their home address, their computer, and their phone.

In practical terms, this sets ISPs in a position to be able to track our physical location over time, and predict our location in real time. For all of us who carry smartphones, our phones connect to multiple ISPs over the course of every day - from different cell towers, to coffee shop wireless, to library wireless, to connectivity provided by our school or workplace. If our ISP shares our device information, we can be precisely identified across a range of locations, and a record of our movement can be stored and collected. Location data has been shown to be a strong predictor of identity, but our ISPs are in a position where location data is just a small part of their overall data set

At this point, the only real protection is to use a VPN. However, many VPNs only protect a single device - to protect a home requires setting up a VPN on all devices, or configuring a router to connect to the internet via a VPN. While setting up a router to connect via a VPN is not enormously complicated, it's a significant technical barrier that will definitely be beyond the reach of many consumers.

It's also worth noting that VPNs will only be a realistic alternative if our ISPs don't throttle VPN connections, and reduce their speed to a crawl. Because of actions taken in the FCC under Tom Wheeler, we currently have some protections, but Republicans are also looking to kill net neutrality. This would be bad for a variety of reasons, but would also be another blow to personal privacy.