What Individuals Should Do Now That Congress Has Obliterated the FCC’s Privacy Protections

Congress has voted to reverse new FCC privacy protections that would have required Internet service providers (ISPs) like Comcast, Verizon, and AT&T to seek your permission before sharing information about your browsing history, location history, contacts, and other personal information. Last Tuesday, President Trump signed the measure.

There are some limited steps we as individuals can still take to protect our data. But the truth is that none of them are adequate when the companies that run wires into our home are determined to spy on our use of their services. The best thing Americans can do is to exercise their rights as citizens in a democratic society through activism, voting, working to support and oppose candidates, etc. Right now, people need to make their displeasure heard, loud and clear. Check to see if your senators and representative voted to protect the interests of Big Telecom, or the interests of individuals who don’t want to be spied upon, profiled, bought and sold, and possibly discriminated against. If they did the former, voice your displeasure. Speak up online, support federal legislation to restore these protections, advocate for your state governments to take action to fill the gap left by Congress—and don’t let your memory of this travesty fade away, as telecom-supporting members of Congress are counting on you to do.

A common but inadequate response in situations like this is that we should “let the market decide.” The reality for most Americans is that the market has failed to provide meaningful choice among network operators. Fully 51 percent of Americans have only one real choice of broadband Internet service provider, and even the lucky Americans with access to two or more providers may not see any meaningful difference between the providers in terms of user privacy. This makes it difficult, if not impossible, to “vote with your wallet.”

What are the limited steps that people can take to restore the privacy that ought to be their right? There is no perfect solution, but we have a few suggestions. 

Contact Your ISP and Opt Out of Data Sharing

Despite the obliteration of the FCC’s privacy protections, most ISPs (for now) offer consumers limited opportunity to “opt out” of data sharing about their Internet use, often referred to by the legal term “Customer Proprietary Network Information,” or CPNI. Although this step has definite limitations, it is something that every customer should take advantage of.

Unfortunately, the telecoms have every incentive  to make it difficult for you to do so, and often do not present discoverable, meaningful options. This is a highly imperfect solution from a policy standpoint — because of the difficulty in opting out, because it throws the burden of protecting privacy onto the customers when the law clearly places it on carriers, and because it attempts to normalize surveillance by making surveillance the default when the default should be privacy. 

To look at what it takes to opt-out, we explored the sites of the top ISPs in the United States. What we found is that their “opt-out” procedures and options are hopelessly inadequate, and that it was very difficult and time-consuming to get accurate information from the companies. When we sought help from Comcast’s customer service chat, for example, it took over 20 minutes to get a link to their privacy policy, and they did not provide any information on how to opt out of information sharing. We also found that the companies’ privacy policies were generally vague and lacking in information about exactly what data is collected by the ISP and what a broadband user can expect in terms of privacy. Furthermore, none of the opt-out options appeared to allow a user to opt out of having information about their personal browsing histories retained and stored, which many people find offensive—some ISPs merely let users opt out of getting ads based on the collection and storage of that data. Other ISPs will still send some marketing materials based on the information they have collected, even if the user has opted out.

Here are links to opt-out pages for the leading ISPs:

AT&T: Instructions on opting out of various uses of data are here, including this CPNI Restriction Request Form

CenturyLink: Instructions for opt-outs on marketing contacts as well as other practices are here.

Charter Spectrum: Privacy preferences can be set here and by calling the company as described in Charter’s privacy policy in the sections entitled “Can I prohibit or limit Charter’s use and disclosure of my personally identifiable information?” and “Charter Residential Customer Proprietary Network Information (CPNI) Policy.” Charter has acquired Time-Warner Cable, but TWC still has a “CPNI Opt Out” form online here.

Cox: Features a “Privacy Settings” page to opt out of marketing based on CPNI as well as other uses of data such as location-based advertising.

Comcast: Information about opting out of various uses of information is contained within Comcast’s xfinity privacy policy.

Verizon: Instructions to opt out of various uses of Internet, cell phone, and television services are here (in the section “How to limit the sharing and use of your information”) and here.

If you use a smaller ISP not listed above, a provider’s privacy policy is generally the place to look for opt-out instructions and links. Nearly all companies include a link to a privacy policy on their main page, though it is often in very small print at the very bottom of the page.

Encryption

Encryption is an effective way of hiding the content of your communications from an ISP’s prying eyes (not to mention those of other parties). Encryption will block your ISP from seeing the content of your communications, but depending on the application it may still permit them to see your metadata (such as who you are communicating with and/or when).

Nevertheless, using encrypted communications and apps as much as possible is a good idea. As we’ve recommended before, for example, everyone should use Signal where possible to replace traditional text messaging or voice calls. Of course, many of your friends may use an end-to-end encrypted messaging app like Signal or Apple’s iMessage, but many may not, and you will be obliged to communicate with those friends over channels that your ISP—and theirs—can snoop on. So encourage your friends to move to better messaging platforms!

You can also use the “HTTPS Everywhere” browser extension, developed by our friends at The Tor Project and the Electronic Frontier Foundation, to force more of your web browsing to HTTPS. When a customer connects to a web site that uses HTTPS (as opposed to plain unencrypted HTTP), the ISP can’t see the exact pages within a site that a customer is reading, or the content of the pages that he or she downloads. The ISP will, however, still see that you’re visiting the site itself (i.e. www.autism.org or www.aids.gov). Another limitation is that while many web sites have shifted to HTTPS, many have not, and the end-user has no control over that.

Despite such limitations, moving to encrypted communications as much as possible is a good idea and is a step that will protect your privacy not only from your ISP, but also potentially from other parties ranging from the IT workers in your office to the NSA.

Virtual Private Networks

In addition to using encrypted communications, you might want to protect more of your metadata (information about where you are going and who you are communicating with on the Internet). One approach is to use a Virtual Private Network (VPN), which creates an encrypted connection between a customer’s computer and the VPN’s network, and routes all of the customer’s traffic through that remote network, leaving the customer’s ISP unable to see either the content or the destination of a customer’s communications. Configured this way, the VPN acts as an encrypted proxy to the rest of the Internet. VPNs can be an effective way of preserving some degree of privacy against some parties, including ISPs.

The use of VPNs has a number of significant limitations you should be aware of.

VPNs cost money, forcing you to pay for privacy that should be your right (and which many Americans cannot afford). Unless expertly configured, a VPN may not cover the growing eco-system of Internet of Things devices that is appearing in many homes, such as personal assistants (like the Amazon Echo), smart or GPS watches, FitBits, appliances, etc. Even with use of a VPN, your ISP can still see the amount of data you are sending and receiving, and at what times. And VPNs can slow down your Internet data speeds, because all your traffic has to be funneled through a remote server. It might introduce delay into video chats or VoIP phone calls, for example.

Finally, use of a VPN just shifts the privacy issues to a new party. When you use a VPN, many details about your Internet usage become invisible to your ISP—but whatever party is operating the VPN service (employer, third-party service, etc.) then gains access to all that information. For this and other reasons, it’s important to do good research and be very careful about whom you select as a VPN provider. Your choice may depend on whom you're trying to protect yourself from: someone who is trying to avoid the local advertising agency might have a different set of choices than someone who is trying to avoid immigration authorities or a vindictive city councilmember. The Electronic Frontier Foundation lists questions that should guide your VPN choice here.

Use the Tor Browser

Another option for protecting privacy is to do your browsing through Tor, which is an encrypted network of servers that bounce your traffic around between you and the site you’re visiting so that it can’t be tracked. The simplest way to use Tor is to download and install the Tor Browser and use it instead of your normal web browser. Installing and using the Tor Browser won’t have any effect on your normal web browser, so you can try it out and still easily switch back, or use Tor for some of your browsing and another web browser the rest of the time.

As with a VPN, your ISP will be able to see the amount and timing of your data transmissions over Tor, but it will all come and go from the Tor “guard node” to which you are connected, and it will all be encrypted. Even more than a VPN, Tor can slow down a user’s Internet speeds. Furthermore, some website operators block traffic that arrives over Tor, which can be frustrating if you need to visit those sites.

Defend Network Neutrality

To avoid losing advertising dollars, ISPs might be tempted to detect customers’ use of Tor Browser or VPNs and deliberately slow down that traffic in order to discourage people from protecting their privacy in that way. Fortunately, the FCC’s network neutrality rules prohibit that kind of interference with customers’ traffic. That’s great—as long as Congress or Trump’s FCC doesn’t undo the network neutrality rules as they have the privacy rules. So privacy-conscious Americans are advised to politically agitate for the preservation of network neutrality in addition to agitating for the restoration of broadband privacy.

Overall, nobody should view any of the above suggestions as a permanent fix for the problem that Congress has created by nuking the FCC’s privacy protections. When something bad happens, it’s natural to want assurance that we still can be in control of our own destiny. Taking advantage of the limited steps that are available can be a good idea, but the best thing Americans can do about this betrayal of their privacy is to exercise their right to support and oppose candidates, to vote, and to engage in vocal speech and vigorous activism.

View comments (22)
Read the Terms of Use

The IT guy at t...

The only real solution is a VPN service. I use https://www.privateinternetaccess.com/, but there are a bunch available. One problem is that you need to install this VPN app on all your devices, however, some wireless routers come with OpenVPN Client as a feature. (DD-WRT, for example). Some sites, like the one I mentioned, actually sell the routers pre-configured, so you sign up for the service, they send you a router and any device connected to it is encrypted. The only information your ISP can track is that you connected to a VPN server. that's it.

Problems:

If you're used to uber fast speed.... VPN will slow things down to about 2mb. (at least mine does)

If you host things at home, like a NEST camera or a DiskStation or Qnap Server or Plex server, etc... anything you'd access remotely; you've just anonymized your internet, so even YOU can't find it. :)

Obviously, if you leave your network, you'll need to have the local apps installed on your phone.

Notes:
Comcast is really sketchy. We have comcast business service. First of all, when they installed it, the tech plugged in an extra router and wouldn't explain what it was or why it was plugged into my network AND my electricity. Turns out it was an xFinity broadcaster. They were using my electric and internet to sell their exfinity wireless! (I ditched that immediately).
Then, just a month ago, I was checking my logs for some network problems and noticed a lot of little calls to _tracker.comcastbusiness.com. WTF? It seems a lot of these were tagged onto the top of webpages, kind of like google tracks pages with their addsense. Now, I'm not sure, but with a router, I can tag unencrypted html docs with just about anything I want. The page comes through "my hands", so I can easily pop in a few meta tags or a link. It's possible that Comcast does this to, not only track the domains and pages you visit, but also to get additional data. For example, this page you are on right now has a link to https://aclu.tt.omtrdc.net/ that pulls in a marketing script, executed on adobe's marketing server. They can EASILY change the content of this page, send data back and forth from this page, even change the text I'm typing as I type it. (I could do this in about 15 minutes.) They automatically get the name and version of my browser, what page I was on before this, my IP address, what plugins I have installed, etc...

Comcast can do the very same thing, except they have even more power.

If you're on a VPN, at least they don't immediately know who you are, but if you go on your gmail, then browse around a bit, google knows who you are, vpn doesn't matter, encryption doesn't matter, because they automatically get it on the script request.

Finally.... I'd say that there is currently so MUCH data and so many people involved with boring log files that tracking it all down and piecing it together is too much work. But it is getting easier. I know the guy that works with Siri data. They store every single "Hey Siri?" question, and track it to an "anonymous" ID. However, that same ID is also tracked in another department, that has your phone number in it. So, if they can dig through thousands of petabytes.... I'm talking warehouses full of servers... and analyze AUDIO, you can see what can be done with simple text. I really don't see a good technical solution.

So, donate to the ACLU, because a legal solution is probably our only hope.

Anonymous

The only thing that really works is for members of Congress, agency heads and judges to be on the "receiving end" of privacy abuses. They do care about their own privacy.

Anonymous

Keep in mind that not all VPN providers will protect your identity due to the laws of the country on which they operate. Do your homework and use one that does not log traffic and allows use of open source VPN software that has been vetted by thousands of independent actors. Once you have that VPN, use Tor through it to further mask your traffic.

For those who are seriously in jeapordy, think an activist journalist in N Korea, stop accessing accounts used prior to establishing the VPN, because those accounts can be used to trace back to the user.

Xander

^^This is a very relevant point about VPNs that often goes unnoticed due the fact is seems to conflict with the very purpose/behind VPNs and how mostconsumers consideration vis-à-vis the perceived/expected advantages VPNs offers VPNs can offer many of us are smart enough to employ

Xander

^^This is a very relevant point about VPNs that often goes unnoticed due the fact is seems to conflict with the very purpose/behind VPNs and how mostconsumers consideration vis-à-vis the perceived/expected advantages VPNs offers VPNs can offer many of us are smart enough to employ

Scott

This article is wrong by saying that the market decided internet providers in America. There has been ZERO free market amongst internet providers in America. All the Internet providers in America paid off the government to allow them monopolies in their respective areas. The government should've stopped this from happening, but they enjoyed the payouts too much. So we ended up having crony capitalism with Internet service providers, instead of free market capitalism. A return to free market capitalism in Internet service providers would have fixed this problem.

Anonymous

Few of the major news and media outlets have properly informed Americans that: domestic spying, without confronting the target, almost always creates an inaccurate and incompetent result - it's the worst tactic to finding out the truth ever invented.

Intelligence results should always be viewed as inaccurate and likely wrong until they literally confront their targets with direct questions under penalty of perjury (which is usually not possible).

Article III, courts of law, have the best system for obtaining accurate truths. In courts, the target is confronted with harder evidence. Most important, there is a risk of perjury for the government official, which helps distill the truth more accurately.

The major Press/Media organizations should be informing voters that intelligence, without confrontation, is usually wrong or inaccurate - by police, by national security agencies or by a spouse.

This inaccuracy combined with excessive secrecy and lack of constitutional oversight means innocent good people get destroyed from domestic spying.

Anonymous

Correct link for XFINITY (COMCAST) OPT-OUT: http://my.xfinity.com/adinformation/

"""
Comcast may sell graphical display, text, and other ads, and deliver promotional offers for its products and services, on the Comcast Web Services and other digital properties. These ads and promotional offers may be based on information that you have provided to Comcast or its affiliates (such as the ZIP code of your XFINITY Internet service address), information about your current subscription or use of Comcast’s or its affiliates’ products or services, or other generally available information about you. To opt out of or opt back into these customizations, you’ll need to sign in first. You will still see ads and promotional offers, but they won’t be customized to the likely interests of certain groups of customers.

Comcast may also present graphical display ads within the e-mail tab of the XFINITY Connect e-mail service. To turn these ads on or off, you’ll need to sign in first. This option only applies to the graphical display ads within the e-mail tab. It does not apply to sponsored text links on any XFINITY Connect pages or to graphical display ads on the XFINITY Connect homepage.
"""

Nacnud

Please don't believe everthing you read in these comments, because people are posting things without doing their research, and they are often just plain wrong. Especially when it comes to Tor. Most people don't understand what it is and how it works, and will post incorrect information - do you own research. (It is the best widely available solution - no doubt about it, though it may slow things down for you.)

Anonymous

Tor and VPN - it is probably not a good idea to do this unless you have no choice. If you must, do You > VPN (or SSH) > Tor, instead of You > Tor > VPN. Please see: https://trac.torproject.org/projects/tor/wiki/doc/TorPlusVPN

Pages

Stay Informed