By Daniel Ayala, Director of Global Information Security
On March 28th, the U.S. House of Representatives approved Senate Joint Resolution 34, a bill rolling back a number of privacy controls approved by the FCC last year. This bill both covers the ability of Internet Service Providers (ISPs) to use the Internet usage and browsing data of their customers and limits the FCC's ability to reinstate such privacy provisions on Internet usage in the future. It was approved by the Senate last week and is currently headed to President Trump for final signature, which he has indicated he will give when it arrives.
Online activity leaves footprints -- log files, access entries or data created in the systems that were used. Once these privacy controls are rolled back, Internet Service Providers will be able to sell the information they capture about how you and your patrons use the Internet.
Facebook and Google have created two of the largest companies in the world by gathering and using such data to advertise to users. Automakers, light bulb manufacturers and credit card issuers gather such data too… and ISPs want to join in the profits.
The difference between the ISPs and other data gatherers is that ISPs (both fixed line and mobile) have access to a very detailed view into every interaction an individual has online; they can use that data to make very precise assessments of who that individual is, what they use/like/do... even what types of advertising will resonate with them. That makes the data they collect extremely valuable to a laundry list of possible purchasers: advertisers, commercial competitors, law enforcement or intelligence outlets, and more.
Further, the rollback of the law also undoes the requirement that the ISPs ask for permission to capture and use your data before doing so; they will also be under no obligation to ask or give individuals a way to exclude themselves.
As guardians of patron privacy, librarians can offer their users some tips on understanding the changes as well as protecting themselves and their footprints.
Private Browsing is not private
The Private Browsing mode on most modern browsers is sometimes misunderstood. The “privacy” it offers is limited, concealing only site visits from History listings and deleting cookies when the "private" session is closed. When using Chrome, Google searches aren’t attached to the logged-in user's Google account. Private mode does not encrypt the traffic across the Internet (if it is not already being encrypted by the site or service provider) and it does not prevent ISPs from being able to see (and therefore sell) user information.
HTTPS is a great start for protection
HTTPS encrypts the data between a user and the service they are accessing, enabling the user to hide from the ISP much of the information being sent. When browsing to Internet services, type https:// in front of the URL instead of http:// and look for an indicator that the session is secure, such as an image of a green lock or a message saying "Secure." If you don't see these, then the ISP can potentially see every piece of information sent from your Internet connection. Please note, even with HTTPS in use, any data sent in the address bar as part of the URL will be seen and captured by the ISP.
P.S. If your library is not using the HTTPS version of the services it subscribes to, the searches undertaken by your patrons can be captured and used by ISPs. Talk with your service providers about how to leverage the HTTPS versions they offer. If they do not offer HTTPS, ask them when they will.
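One way to check a library's own resource page for services still linked over plain HTTP, as an added example that is not part of the original article: the sketch below lists every link and search form on a page that would send patrons out over http://. The page URL, the vendor host names and the sample HTML are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed sample: a library "databases" page served at PAGE_URL (hypothetical).
PAGE_URL = "https://library.example.org/databases"
SAMPLE_HTML = """
<ul>
  <li><a href="https://search.vendor-a.example/login">Vendor A</a></li>
  <li><a href="http://db.vendor-b.example/search?q=health">Vendor B</a></li>
  <li><a href="/hours">Opening hours</a></li>
  <li><a href="//cdn.vendor-c.example/start">Vendor C</a></li>
</ul>
<form action="http://catalog.example.org/find" method="get">
  <input name="q">
</form>
"""

class PlainHttpAudit(HTMLParser):
    """Collect links and form targets that leave the page over plain HTTP."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []  # list of (kind, absolute URL)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "a" and attrs.get("href"):
            kind, target = "link", attrs["href"]
        elif tag == "form":
            # A form with no action submits back to the page itself.
            kind, target = "form", attrs.get("action") or self.page_url
        else:
            return
        # Resolve relative and scheme-relative URLs against the page URL,
        # so "/hours" and "//host/path" inherit the page's own scheme.
        absolute = urljoin(self.page_url, target.strip())
        if urlsplit(absolute).scheme == "http":
            self.findings.append((kind, absolute))

def audit(html, page_url):
    """Return every plain-HTTP link or form target found in html."""
    parser = PlainHttpAudit(page_url)
    parser.feed(html)
    parser.close()
    return parser.findings

if __name__ == "__main__":
    for kind, url in audit(SAMPLE_HTML, PAGE_URL):
        print(f"{kind}: {url}")
```

Each finding is a service to raise with its provider; a flagged form means the search terms patrons type into it are submitted unencrypted.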
Tor and VPNs aren’t completely safe either
Unfortunately, there is no perfect alternative to the protections of law, as both Tor and VPNs shift the risk somewhere else. Tor is a means of encrypting and routing Internet traffic out of various exit locations around the world. This means that while ISPs cannot collect this information, the proprietor of the exit points can. And, increasingly, exit points are being blocked from accessing common Internet services based on higher historical misuse by Tor users over non-Tor users. Purchasing a VPN service to encrypt all the traffic from your ISP to another location shifts the full usage data created on your Internet connection to a completely unregulated location, sometimes in another country. Neither is a bad option, but both warrant further investigation before implementing.
While the right to some level of privacy for U.S. citizens, including library patrons, is on the federal chopping block, a number of new bills are starting to take shape in state legislatures to close the privacy gaps left by this rollback. Encourage your patrons to join you in making your voice heard at both the state and federal levels.