FCC Information Act Repeal Impact From a Technology Perspective
Eric B. Lopez
Cybersecurity Leader | Network & Information Security Strategies to Identify, Assess & Remediate Risk for Global & Fortune 100s | Cybersecurity Design, Architecture & Global Engineering Leadership
There is a lot of news about how the latest change in the FCC's Information Act Section 222 will impact the privacy of individuals; I'd like to take a few moments to review what data can and likely will be collected, how it could be used and what can be done.
When an individual uses a computer that is connected to the Internet, they create records of their activity. Some of these records are stored on the device used, be it a laptop, tablet, phone, etc. in the form of browsing history or local log data. Some of these records are stored in a device that the individual may own such as a wireless router. In either of these cases, the user can elect to disable the collection of logging or delete it. However, because anytime the Internet is accessed, that access must eventually pass through an Internet Service Provider (ISP), the ISP can log and store ALL access, and the user does not have control over what is done with this data. While the collection and storage of logs by the ISPs is nothing new, what has changed is what can be done with it. Previously ISP data was typically accessible only by legal proceedings (well, usually) on behalf of a law enforcement agency or sometimes as part of a civil lawsuit. With the changes that are soon to be enacted, the ISP can monetize your log data by selling it to potentially anyone with the ability to fund the purchase.
The Value of Privacy
To understand the impact of this new ruling, it's important to understand the value of privacy. The common response to this news is "I have nothing to hide" or "I don't really do anything on the Internet anyway". At first thought, it's easy to dismiss this change as inconsequential to your day-to-day life. But if you've ever researched a disease or medical condition, you probably don't want to make that public knowledge. If you've ever read politically-aligned media you may want to keep that to yourself. If you've ever researched getting a divorce, filing for bankruptcy, purchasing a weapon, or even searching for a new job, you likely don't want to share that information. Now perhaps the value of privacy is apparent if you consider what could be done when the data that you generate is sold by the ISP. Health organizations could buy any user data that is related to searches about mental disease or cancer, law firms could target the data of those seeking a divorce, your employer could purchase data about your activity on a job search site or your political leanings. Other individuals could research this same data for malicious purposes (does an individual own a weapon and if so, when are they most likely to not be home).
Metadata and You
No doubt you've heard the term metadata (data describing data) in relation to monitoring of Internet usage. In simple terms, metadata is the log data of what an individual has accessed on a network. On a simple level, ISPs can collect your browsing data, which includes fields such as the time/date of access, what URL you viewed, the type of web browser (and thus what operating system/device you used), whether the connection is encrypted, how many bytes of data you transferred, what site referred you to the current site, etc. However, there is so much more that can be extracted from this data: where are you geographically located, location data if using a mobile device, what your use patterns are, what devices are in your household, how many devices are there, what type of router do you use, what type of TV do you have, do you have a security system that frequently talks to the provider, how much Netflix do you watch in a day, are there any other wireless network devices nearby, if there is no network usage, what hours are you home, do you have any network-connected security cameras, etc. Metadata is extremely powerful once put under the microscope of modern analytics systems, and current analytics systems are VERY good at what they do. They can transform raw network traffic into extremely rich datasets that can be combined with other datasets in near real-time. Every bit that leaves your device (router, mobile phone, etc.) can go under the microscope to be analyzed and sold, and as of now, you can do nothing about it. Maybe.
My ISP Wouldn't Do That!
Some may think that their ISP would not sell their data, but the economics of the change would likely make the sale of data all but a done deal. A suitable analogy would be comparing this to an oil company finding out that they can now sell seawater as fuel. The biggest ISPs have the most customers which will result in massive income streams generated by collecting, analyzing and selling research, and even raw data. If an ISP were to take the position that they aren't going to monetize this resource, they would very quickly find that their competition can undercut the price of their service now funded by the sale of data. Customers would naturally flock to the lower price and the ISP that doesn't sell data would quickly lose market share and revenue. The other side of that is ISPs could now charge a premium for the service of not selling off your data (which used to be free). So the customer ends up paying more for the same service. There may be niche players that pop up that advertise "private" Internet services but the customer will still have to pay a premium if they are even available in their market. The customer loses in any case.
The argument has been made that Google, Facebook, et al. currently extract and monetize personal data. This is indeed true; as the saying goes, if you're not paying for the product, you ARE the product. However, the major difference is that you don't have to use Google if you don't want to, nor are you required to use Facebook. If you don't like their privacy policies, use an alternative search engine or avoid social media. With an ISP we typically have very few choices since there exists the dependency upon physical infrastructure; that is, the wires to our homes. Furthermore, while Google and Facebook can collect data from you, Google can't collect data about all of your browsing habits, nor can Facebook or any other individual site. Your ISP is the aggregation point for all of your traffic, so it can log your activity to Google, Facebook, and any other site you visit or service you use. The argument that this change levels the playing field is extremely weak and does not serve the customer.
A profile of your usage data will likely be created by various entities, packaged up and sold to whoever would like to buy it. Profiles could be created about you, your children, anyone who uses the Internet. Maybe future employers will use this data as part of the application process. Perhaps this data will be sold to credit reporting agencies to make a determination of your creditworthiness. Schools could look at your children's habits to determine if they're a good fit for the university they've applied to (there is no language currently that excludes minors from monitoring). Any site that's deemed unsavory would be part of your personal profile even if someone else used your computer or network.
What Can I Do?
Before looking at what works, it is important to consider what does not work. Modern web browsers such as Google Chrome and Firefox allow the user to enter Incognito or Private browsing mode; other browsers such as the Chromium-derived Brave or Firefox Focus enable these modes by default. However, using a browser's privacy features DOES NOT prevent your ISP from collecting data. All they do is stop the browser from storing a record of your usage within the browser itself. Also, some may be under the impression that sites that use encryption (HTTPS instead of HTTP) will thwart the ISP-level logging. While HTTPS is very important, it doesn't stop logging. What it does is scramble the contents of the data going to and from your computer, but where you go is still visible. You can view your Gmail and the session will be encrypted, but it will still be known that you went to Gmail, that you transferred a known number of bytes (upload an attachment?), how long you spent there, etc.
What WILL work is to mask the entirety of your traffic from your ISP. Sadly, there isn't a simple or convenient way to do so, but if you care to maintain your privacy (even a portion of it), there are tools at your disposal. The most common free tool is the Tor Browser. While I won't get into extreme detail about how it works, it effectively masks your activity with certain limitations. It will be known that you use Tor and the next point that you've connected to, but the entirety of the traffic that's going through the connection will be masked. Metadata is limited to time/date, connection to the Tor node you're using, volume of data transfer, certificate info and a few other fields. While Tor is far from perfect, it's reasonably easy to install and use. The limitations are that it's slower than your ISP since the traffic traverses several other connection points and may actually be routed out of the country you live in. Also, it's important to realize that not all traffic can pass through the Tor browser; applications such as Adobe Flash will still go directly to a server and this activity will not be masked.
The most effective technology-based tool that an individual can leverage is a Virtual Private Network (VPN) that tunnels and encrypts all traffic from your device (or entire home network if you choose) to a connection point that typically resides outside of the USA (if you use a US VPN service, your activity can still be logged and monitored); if you're extremely concerned about privacy you will want to select a VPN provider that exists outside of the Fourteen Eyes countries. Your ISP will see that you are connected to a VPN host, where that host is, what type of tunnel you're using and how much data is moving back and forth, but that's about it. As with using Tor, your traffic has a long way to go between you and the content you want to access, and as a result it will be slower. You may have to create special exceptions for services such as streaming video or perform other modifications, so using a VPN isn't something that a novice would get right on the first try, but it is certainly worth attempting. Most VPN services make setup relatively simple for popular mobile devices and operating systems; some even have pre-configured applications that simplify setup.
Finally, if you don't think that any of this is a good idea, if privacy is important to you and you don't want to play cat-and-mouse games with the ISP that you are paying for service just to keep them out of your affairs, you should take a moment to engage the political process and tell those who are responsible for the current state of affairs.