Your web history for sale to highest bidder: United States Congress votes to shred privacy ISP rules

The measure passed by 215 votes to 205.

The US House of Representatives has just approved a "congressional disapproval" vote of secrecy rules, which gives your ISP the right to sell your internet history to the best bidder.

The measure passed by 232 votes to 184 along party lines, with one Democrat voting in favor and 14 not voting.

This follows the same vote in the Senate last week.Just prior to the vote, a White House spokesman said the president supported the bill, meaning that the decision will soon become law.

This acceptance means that whoever you pay to give you internet access – Comcast, AT&T, Time Warner Cable, etc. – will likely be able to sell everything they know about your utilization of the web to third parties without notifying you and without needing your approval.

Your ISP knows quite a lot about you: your name as well as address possibly your age, as well as a bunch of other personally identifiable info, for example, your social security number. That's to the client info side. On the service side, they know which websites you visit, when, and how often.

That info can be used to construct an incredibly detailed image of who you are: what your political and sexual leanings are; whether you have children; when you're at home; whether you've any medical conditions; and so on – a thousand distinct data points that, if they will have sufficient value to firms prepared to cover them, will shortly be traded without your knowing.

As one high-profile venture capitalist lately found, your previous search history may also influence what result you see in future. Although in his case, he probably wishes he hadn't openly criticized Apple on Twitter for giving him the details of a porn actress at the top of his search results.

The precise user profiles that may be built applying this information are worth their weight in gold to advertisers and clarifies why Google and Facebook are two of the whole world's largest companies despite just being a search facility and an internet noticeboard.

In reality, thanks to your quirk that resulted from efforts to make such selling of information that is private illegal, we understand how much that information is worth to your ISP: $30 per household per month. That jumps to $60 per month in case you get internet access throughout your cable provider – which most Americans do because it also allows the business to monitor your TV usage and connect the two –.

With over 100 million homes on-line in the United States, that means Congress has given Large Cable an annual payday of $ and between $35bn 70bn.


It is hard to underestimate the impact that the shift far from data privacy to open season on personal info sales may have. With cable companies given powerful financial incentive to draw on user information and habits, and together with the stick of regulatory intervention efficiently thrown away, it may bring about significant social changes.

When US comms watchdog the FCC controversially declared that broadband providers were "common carriers" along the same lines as telephone companies, one among the many impacts was that it pulled enforcement of data privacy rules away from US commerce watchdog the FTC and gave it to the FCC (which has very small experience in consumer issues).

This opt-in issue is what exposed the worthiness of such info to ISPs: when Google started its Fiber Gigabit offering in various cities for only $70 a month, AT&T responded by offering pretty much the same service in the same price point – but to get that cost you had to consent to be a component of its "Internet Settings" program, which gave it permission to examine your online traffic and sell it on.

Take that "service" off, and the price soared $29 per month. $60 per month soared if you also had TV or phone service.

Meanwhile, back in the FCC, thanks to presidential politics and the election of Donald Trump, two commissioners – both Democrats – left. That meant a majority was held by the two Republican commissioners.

The newest chair, Ajit Pai, killed off the new FCC privacy rules days there aren't any FCC rules for them to adhere to and before they were due to take effect, leaving a predicament where ISPs are no more under FTC authority.

In addition to this, of what was an obscure piece of legislation until two months ago Congressional use – the Congressional Review Act – efficiently introduces a permanent ban on the FCC rules. Secrecy rules which are "substantially similar" cannot be reintroduced without the acceptance of Congress now that the "congressional disapproval" vote has passed.

Therefore, unless the FCC or Congress scrap the web neutrality rules that pulled ISPs under the FCC's jurisdiction – something which, if it can happen, is going to take some time – the result of the vote, for ISPs, is they have an open field to market their clients' data. Critically, but, the situation seems set to keep unchanged for many years, which gives an incentive to create new systems that provide a maximum financial return on selling customer information to ISPs. In summary, the constraints are off.

So, setting aside hyperbole or extrapolation, what does this mean for end users? What can ISPs see? And what can they sell?

Well, at the moment, it gives them the right to effectively sell advertising like Facebook and Google. Both these businesses then sell them and build up a huge quantity of information on individual users. They sell the data in aggregate and keep a tight control on the fine aspects.

Which means that a company selling, say, a fresh electric car, is going to have the ability to cover Social Media Giant Facebook to place its advertisements facing you based on its criteria: we are targeting families with parents aged between 30 and 45 who live in the San Francisco Bay Area.

Facebook knows who you are because you are forever logged into Facebook, and not only do you post a great deal of info there but additionally you use your Facebook login to get into other sites. Facebook pulls all this info together, figures out who you are, and after that sends you ads that are contained in its huge pool of advertisements.

Google does the same thing in a way that is different: it uses your search results, it could use the Chrome browser. Also it uses its various services – Gmail being the huge one – to develop a profile of who you are. You might have Chrome as your default browser – so all you do possibly find its way back, and you are likely always logged into Gmail, and they aggregate and sell it.

ISPs now have this power too. Except they have one tremendous advantage: they do not have to get you pick or to log into anything.

Should you log out of Gmail, and your search engine is switched by also you to something which isn't Google, then Google efficiently goes blind.

Your ISP – your ISP sees everything you're doing because its service can be your connection that is very internet. Even though you apply the "incognito" mode that many browsers offer where you can't be tracked by cookies, your ISP can, however, see where you are going because it has to go get the information from the sites you are looking at.


Now, the really big question is: can your ISPs see the information of your interactions that are online? Can it read your e-mails? Can it search and save through the words you typed into a webpage?

Along with the clear answer is: yes, occasionally.

Your ISP can see precisely everything you might be doing if the website you visit isn't fastened with HTTPS – meaning that any information between you and the website is encrypted – then.

Now, this chilling reality is tempered by two things: first, most websites these days, especially huge ones, use HTTPS. And second, it is lots of hassle for ISPs make something valuable out of it and to require this tremendous quantity of advice.

In short, it is not worth the price of hunting through your (and millions of others') web traffic to locate advice they can sell. What they make from that will not cover the expenses of hunting. But that may change with this specific Congressional vote: the economics may shift in favor of seeking that traffic.

It is a guarantee that ISPs will run experiments to view whether money can be made by them from digging into this information. Pharmaceutical companies, in particular, pay a lot of funds for info on users seeking specific drugs, from getting individuals using their particular drug since they can potentially make tens of thousands of dollars.

Again, ISPs have been in a position to try it, nevertheless with this congressional vote; they don't have to fear the FTC touchdown them with a multi-million-dollar fine. They don't have to disclose to anyone that they're doing this. Plus they don't have to fret that the hands-on FCC will come after them either.

What to do

So, the legitimate question is: what are you able to do about it?

Well, we'll leave away contacting your Congressional representative to whine, the vote's already gone through, and there is very little that is going to alter that reality now since. And we'll leave aside the Congressional elections in two years that could change Washington dynamics back.

What is it possible to do today, right now, in your PC to limit what other businesses can do with your info?

We have five general suggestions:

  1. Use Tor or a VPN

    If you connect to the Tor anonymizing system, or use Tor's browser, your ISP will only know that you have connected to Tor; from there it loses the data trail. Of course the downside to this is that your browsing will be slower.

    Be aware, your unencrypted traffic to websites outside the Tor network passes through a complete stranger's exit node: the person running the exit node can watch what you're doing. All you've done is move from your ISP snooping on you to an exit node admin watching you. On the other hand, you'll cycle through different exit nodes, so it's harder to be identified and tracked by websites outside the Tor network.

    A virtual private network is an alternative that will work for lots of people, especially if your work has a VPN service that you can use for free. This again will cut off your ISP's ability to see what you are doing.

    But – and this is a big but – do some research on your VPN provider. Do NOT use a free VPN provider because they face even stronger financial temptations to sell your information. If you use a VPN, you are effectively giving that company the same level of insight into your online life as your ISP. So pay for one, and check out their policies on what they do with the data they build on you.

    In short, unless you have a work VPN service you can use, you are going to have to pay to hide your data from your ISP effectively. If you can set up a VPN server yourself, do so, or use a tool to do it for you. Be aware, some websites – such as Netflix – clamp down on VPN use, so you won't be able to use every site with one.

  2. Use a different search engine

    Google offers a wonderful service, but everything you type in its search box is logged and connected to you in as many ways as possible. It is then sold on.

    So why not use a different search engine? Rather than simply type into Chrome's internet address bar, or using the search box in Firefox, why not stick a shortcut on your browser's top bar to a search engine like DuckDuckGo, which will not track you or store your information?

    It is one step more than, say, using Google but it is easy to make it a habit, and you would be protecting your personal data.

  3. Log out and/or use two browsers at the same time

    You don't have to be logged into Facebook and/or Gmail all the time, you really don't. So why not log out when you're done with them?

    In fact, as studies have shown repeatedly, if you can keep the distractions away – oh, look, someone 'liked' my post; there's another email from my co-worker, I wonder what it's about – then you can not only be much more effective and efficient but you also feel less overwhelmed and more at peace. Try it.

    If you do insist on being logged into Facebook/Gmail all the time, why not use one browser – say, Chrome – for that and another – say, Firefox – for all your browsing? It is easy to switch between browsers on your computer, and using two will limit what third parties can see about what you are doing. Again, it's a habit thing: hard to do at first; automatic shortly after.

  4. Use HTTPS

    If the website you are visiting has HTTPS, your ISP can see you have visited it – and how long you spent there – but it cannot see beyond there, including any particular pages you may have visited or any searches or other data you typed in.

    The HTTPS Everywhere browser plugin will enable that same kind of encryption to be applied to websites without the extra security. It's not perfect but it's a good way to cut down on data leakage.

  5. Call your ISP and ask them about opting out

    Seemingly an obvious thing to do, but one that hardly anyone bothers doing: call your ISP.

    Tell them you are concerned about them tracking your activity and ask them for their policies. Ask them what information they have on you. Ask them what they are allowed to sell. Ask them what you are allowed to opt out of (they are obliged to tell you), and then opt out of it.

    Basically, make it clear you aren't happy with them being able to sell your data. Companies are still companies: they don't want unhappy customers. If this becomes a big thing for companies, if they fear losing your business, then at the same time they develop new systems to make the most from this Congressional loosening up of data privacy rules, they will look at allowing customers to opt out.

    The number of customers who complain will probably have a direct impact on how much the additional privacy would end up costing.

FCC Congress Ftc Privacy