For privacy wonks and internet companies alike, April was a bellwether month: President Donald Trump signed Senate Joint Resolution 34 into law, rolling back internet privacy rules issued last December by the Federal Communications Commission.
Under the new law, internet service providers can legally mine and sell information about the sites people visit, without asking their permission first.
“Unfortunately, this new law actually just sort of codifies the status quo,” says Julia Angwin, a senior reporter for ProPublica and author of "Dragnet Nation: A Quest for Privacy, Security, and Freedom in a World of Relentless Surveillance." She explains that for years, ISPs “have been desperate to get into the business that Google and Facebook have, of creating dossiers about people and getting advertisers to pay for that access.”
In response to the new law, companies like Comcast, AT&T and Verizon have come forward, saying that they do not sell “individual” or “personal” browsing data. But for Angwin, such privacy vows can come down to semantics: “Most companies don't sell it, like, 'Here's where [Science Friday host Ira Flatow] went today, and here is a list of the URLs.’”
“It's actually much more about, 'I want to reach somebody who's really into science and has a radio show on Fridays, and can you follow that person around the web?'” To do that, she says, ISPs put people into categories and then sell those categories to advertisers.
“That allows them to say that they're not selling your individual data, that it’s more compiled or an analysis. But in reality, you know, there may well just be only one person who fits that criteria.”
And for Angwin, while the new law is a boon for ISPs — allowing them both to charge consumers for services and make money selling consumer data — it underscores an internetwide issue.
“This is troubling that the ISPs got this special pass, but we've also built a system where we've allowed everyone kind of total surveillance of us, and we don't have a lot of options as consumers for a better way,” she says.
That said, if you don’t want your data going to advertisers, there are a few practical steps you can take to help mask your browsing history. Eva Galperin, director of cybersecurity for the Electronic Frontier Foundation, suggests using a virtual private network to connect online, which creates a secure tunnel for your data to travel through. Just remember that not all VPNs are equal, she says.
“If you are concerned about your ISP having a great big log of all of your browsing data and possibly selling it, then that concern also extends to your VPN provider — you're essentially just sort of moving the nexus of trust.”
She recommends looking for VPN services based in countries where it’s illegal to log customer browsing data. Also, she says, prepare to pay at least a few dollars per month for your VPN. “I would be very suspicious of free VPNs, or VPNs that are very cheap,” she says. “Because usually, if you don't understand who is paying for the product, you are probably the service.”
Consumers can include free protections in their arsenals, too. The Electronic Frontier Foundation offers a browser extension called HTTPS Everywhere, which forces the sites you visit to use HTTPS, the secure version of HTTP (at the start of web addresses), whenever possible. With HTTPS encryption, ISPs can still “see what website you're going to, but they can't see what you're doing on the website, and they can’t see what part of the website you’re going to,” Galperin explains.
And there’s always Tor, a web browser that anonymizes your traffic. “So what your ISP would see is that you're going through Tor, but it wouldn't know what websites you're visiting,” Angwin says. “And it's probably, in my opinion, the best protection we have in the situation that we're in, where the ISPs have been given carte blanche to look at everything that we're doing online.”
The downside to Tor? It can be a bit slow, Angwin admits — the browser scrambles your traffic by bouncing it all over the world. “But I keep it open most of the time and try to use it for the searches that I don't want anyone to see.”
For your phone, Galperin recommends using text-messaging apps like Signal or Wire to encrypt messages between contacts. Regular SMS text messages are easy to spy on, she says — not just who you’re talking to, but what you’re saying. (Users of Apple’s iPhone are in luck, at least part-time: iMessage conversations between iPhone users are encrypted end to end.)
These tools will all help consumers protect their own privacy online, Angwin says. “So yes, we should — we can try to do all this. And I use a VPN and I use Tor and I use Signal and I use all those things.”
But in the internet’s newly codified status quo, she says consumers are “up against people who have much greater resources.”
“I would really love it if at some point, you know, we were able to rebalance this equation slightly more in favor of the citizen,” she adds.