On March 23, the internet lit up with chatter about Senate Joint Resolution 34 a.k.a the bill the Senate voted on to allow Internet Service Providers to sell your information to advertisers and marketers without your explicit consent. This bill is meant to repeal a new rule from the FCC signed during the Obama administration that requires ISPs get your opt-in as a customer to sell your data to other organizations. Yesterday, March 28th, Congress made it official it.
Upon taking over as Chairman of the FCC, Ajit Pai (known opponent to Net Neutrality) put an immediate hold on a part of these protections concerning customer privacy. The bill is the result of ISPs feeling like a requirement to get consent from customers before selling their data places them at a disadvantage against companies such as Google, Facebook, and Twitter. You can read more about the bill here and more about the law this bill repeals here. With the passage of this bill, along with not requiring opt-in to sell non-sensitive customer data (your browsing data mostly), the FCC is now prohibited from adopting any rules in the future that are similar to the privacy rules that were repealed.
The concerns of selling data to third parties in the world of rampant data breaches, still exist whether we're talking about ISPs, data brokers, or internet services like Twitter or Facebook. The same goes for the risk of an ISP selling your data to known scammers. ISPs are different because the data ISPs have access to differ drastically from the information collected by individual services (i.e. Google doesn't have access to anything you do on a non-Google service). Your internet service provider can see everything and I'm not being hyperbolic. While many articles specifically reference your browsing history when discussing the data ISPs might sell, they actually have access to anything your devices talk to on the internet (think IoT), browser or no browser. Whether or not they collect, log, and report on that information is something you will have to find in their individual privacy policies.
ISPs are also different because you don't always have a choice in internet service providers. If I don't want to be tracked by Google or Facebook, I can easily choose not to use their services. There are alternatives available with internet services. That same kind of choice doesn't always exist in the context of internet service providers. Many internet users only have one choice in ISP.
For more information on what your ISP can do check out this article from The Electronic Frontier Foundation.
In January, a few of the major ISPs voluntarily signed a set of privacy principles based on the rules set forth by the FTC. The document specifically mentions providing "an opt-out choice to use non-sensitive customer information for personalized third-party marketing". This is the section to pay attention to because your browsing history is considered non-sensitive customer data. This voluntary agreement is based on the opt-in suggestions from the FTC. Since the agreement is voluntary and not legally binding, there are doubts about whether or not the FCC will monitor the collection and selling of information by ISPs and take legal action should it become necessary.
VPN - Set up an encrypted tunnel to hide all of your traffic. If you're a networking person this will probably be easy. As I write this, my co-workers are talking about how to set up a policy based VPN with high throughput as a reaction to the repeal. Warning: Netflix can detect VPN and proxy traffic and will block it. This option may complicate your life if you don't have more than a basic understanding of networks.
HTTPS all the things - This option will obscure the content of the pages you visit. However, the URLs will still be visible. Depending on your level of paranoia, that might be just fine. This is by far the simplest option.
I want to hear what you think. Talk to me.