What Individuals Should Do Now That Congress Has Obliterated the FCC’s Privacy Protections
& Daniel Kahn Gillmor, Senior Staff Technologist, ACLU Speech, Privacy, and Technology Project
Congress has voted to reverse new FCC privacy protections that would have required Internet service providers (ISPs) like Comcast, Verizon, and AT&T to seek your permission before sharing information about your browsing history, location history, contacts, and other personal information. Last Tuesday, President Trump signed the measure.
There are some limited steps we as individuals can still take to protect our data. But the truth is that none of them are adequate when the companies that run wires into our home are determined to spy on our use of their services. The best thing Americans can do is to exercise their rights as citizens in a democratic society through activism, voting, working to support and oppose candidates, etc. Right now, people need to make their displeasure heard, loud and clear. Check to see if your senators and representative voted to protect the interests of Big Telecom, or the interests of individuals who don’t want to be spied upon, profiled, bought and sold, and possibly discriminated against. If they did the former, voice your displeasure. Speak up online, support federal legislation to restore these protections, advocate for your state governments to take action to fill the gap left by Congress—and don’t let your memory of this travesty fade away, as telecom-supporting members of Congress are counting on you to do.
What are the limited steps that people can take to restore the privacy that ought to be their right? There is no perfect solution, but we have a few suggestions.
Contact Your ISP and Opt Out of Data Sharing
Despite the obliteration of the FCC’s privacy protections, most ISPs (for now) offer consumers limited opportunity to “opt out” of data sharing about their Internet use, often referred to by the legal term “Customer Proprietary Network Information,” or CPNI. Although this step has definite limitations, it is something that every customer should take advantage of.
Unfortunately, the telecoms have every incentive to make it difficult for you to do so, and often do not present discoverable, meaningful options. This is a highly imperfect solution from a policy standpoint — because of the difficulty in opting out, because it throws the burden of protecting privacy onto the customers when the law clearly places it on carriers, and because it attempts to normalize surveillance by making surveillance the default when the default should be privacy.
Here are links to opt-out pages for the leading ISPs:
CenturyLink: Instructions for opt-outs on marketing contacts as well as other practices are here.
Cox: Features a “Privacy Settings” page to opt out of marketing based on CPNI as well as other uses of data such as location-based advertising.
Encryption is an effective way of hiding the content of your communications from an ISP’s prying eyes (not to mention those of other parties). Encryption will block your ISP from seeing the content of your communications, but depending on the application it may still permit them to see your metadata (such as who you are communicating with and/or when).
Nevertheless, using encrypted communications and apps as much as possible is a good idea. As we’ve recommended before, for example, everyone should use Signal where possible to replace traditional text messaging or voice calls. Of course, many of your friends may use an end-to-end encrypted messaging app like Signal or Apple’s iMessage, but many may not, and you will be obliged to communicate with those friends over channels that your ISP—and theirs—can snoop on. So encourage your friends to move to better messaging platforms!
You can also use the “HTTPS Everywhere” browser extension, developed by our friends at The Tor Project and the Electronic Frontier Foundation, to force more of your web browsing to HTTPS. When a customer connects to a web site that uses HTTPS (as opposed to plain unencrypted HTTP), the ISP can’t see the exact pages within a site that a customer is reading, or the content of the pages that he or she downloads. The ISP will, however, still see that you’re visiting the site itself (i.e. www.autism.org or www.aids.gov). Another limitation is that while many web sites have shifted to HTTPS, many have not, and the end-user has no control over that.
Despite such limitations, moving to encrypted communications as much as possible is a good idea and is a step that will protect your privacy not only from your ISP, but also potentially from other parties ranging from the IT workers in your office to the NSA.
Virtual Private Networks
In addition to using encrypted communications, you might want to protect more of your metadata (information about where you are going and who you are communicating with on the Internet). One approach is to use a Virtual Private Network (VPN), which creates an encrypted connection between a customer’s computer and the VPN’s network, and routes all of the customer’s traffic through that remote network, leaving the customer’s ISP unable to see either the content or the destination of a customer’s communications. Configured this way, the VPN acts as an encrypted proxy to the rest of the Internet. VPNs can be an effective way of preserving some degree of privacy against some parties, including ISPs.
The use of VPNs has a number of significant limitations you should be aware of.
VPNs cost money, forcing you to pay for privacy that should be your right (and which many Americans cannot afford). Unless expertly configured, a VPN may not cover the growing eco-system of Internet of Things devices that is appearing in many homes, such as personal assistants (like the Amazon Echo), smart or GPS watches, FitBits, appliances, etc. Even with use of a VPN, your ISP can still see the amount of data you are sending and receiving, and at what times. And VPNs can slow down your Internet data speeds, because all your traffic has to be funneled through a remote server. It might introduce delay into video chats or VoIP phone calls, for example.
Finally, use of a VPN just shifts the privacy issues to a new party. When you use a VPN, many details about your Internet usage become invisible to your ISP—but whatever party is operating the VPN service (employer, third-party service, etc.) then gains access to all that information. For this and other reasons, it’s important to do good research and be very careful about whom you select as a VPN provider. Your choice may depend on whom you're trying to protect yourself from: someone who is trying to avoid the local advertising agency might have a different set of choices than someone who is trying to avoid immigration authorities or a vindictive city councilmember. The Electronic Frontier Foundation lists questions that should guide your VPN choice here.
Use the Tor Browser
Another option for protecting privacy is to do your browsing through Tor, which is an encrypted network of servers that bounce your traffic around between you and the site you’re visiting so that it can’t be tracked. The simplest way to use Tor is to download and install the Tor Browser and use it instead of your normal web browser. Installing and using the Tor Browser won’t have any effect on your normal web browser, so you can try it out and still easily switch back, or use Tor for some of your browsing and another web browser the rest of the time.
As with a VPN, your ISP will be able to see the amount and timing of your data transmissions over Tor, but it will all come and go from the Tor “guard node” to which you are connected, and it will all be encrypted. Even more than a VPN, Tor can slow down a user’s Internet speeds. Furthermore, some website operators block traffic that arrives over Tor, which can be frustrating if you need to visit those sites.
Defend Network Neutrality
To avoid losing advertising dollars, ISPs might be tempted to detect customers’ use of Tor Browser or VPNs and deliberately slow down that traffic in order to discourage people from protecting their privacy in that way. Fortunately, the FCC’s network neutrality rules prohibit that kind of interference with customers’ traffic. That’s great—as long as Congress or Trump’s FCC doesn’t undo the network neutrality rules as they have the privacy rules. So privacy-conscious Americans are advised to politically agitate for the preservation of network neutrality in addition to agitating for the restoration of broadband privacy.
Overall, nobody should view any of the above suggestions as a permanent fix for the problem that Congress has created by nuking the FCC’s privacy protections. When something bad happens, it’s natural to want assurance that we still can be in control of our own destiny. Taking advantage of the limited steps that are available can be a good idea, but the best thing Americans can do about this betrayal of their privacy is to exercise their right to support and oppose candidates, to vote, and to engage in vocal speech and vigorous activism.