Want privacy? Congress says you'll have to pay for it

What to expect after the repeal of FCC broadband privacy rules: Hackers, VPNs, and a privacy tax, for starters

Want privacy? Congress says you'll have to pay for it

When Congress voted down broadband privacy regulations this week, it threw data security under the bus as well. Internet users who want to protect their data can expect to pay a "privacy tax" as a result.

The House voted 215-205 to repeal rules that, among other things, required broadband providers to take "reasonable" steps to protect customers' information. The rules also would have mandated that telecoms notify customers within 30 days "after reasonable determination of [a data] breach." And if a breach affected at least 5,000 customers, they would have had to notify the FBI, the Secret Service, and the FCC within seven business days. The privacy rules regarding notifications were slated to take effect in June.

No Democrats voted in favor of the resolution to repeal, and only 15 Republicans broke rank. Last week the Senate also voted along party lines, 50-48, to kill the privacy protections. President Trump has indicated he will sign the resolution.

Spiceworks polled IT professionals to discern how the repeal might affect their day-to-day work. It found that 61 percent believe the change will make it more challenging to protect business data, while 23 percent weren't sure.

"The effect on the security marketplace will be negative," commented Clay Nicholson. "Expect to see more leaks and (if it was even possible) less responsibility taken by companies for the breaches."

An invite to hackers

Many privacy groups worry that "broadband providers, and their trove of data, will be an enticing target for hackers."

While broadband providers collect information legitimately connected to providing you with internet service (such as your name, address, IP address, and current subscription level), the real mother lode—the sensitive data that would have been protected under the FCC rules—consists of customers' health and financial details, geographic locations, web browsing histories, app usage histories, and the contents of communications.

All of that data can be monetized. "If ISPs weren't targets before, the dissolution of the Broadband Privacy Rules guarantees that these providers will be collecting and selling more data than ever, making them lip-smacking hacker bait," says Mashable.

Read my lips, ignore my actions

The websites of Republican senators who voted for repeal give great lip service to the idea of online privacy. Senator Jeff Flake, who filed the Senate resolution to repeal, states in his website's privacy policy: "I am committed to protecting the personal privacy of individuals who use the Internet."

Over in the House, Republicans like Speaker Paul Ryan also proclaim on their sites that "your right to privacy online is important."

But here's the thing: "If you're a U.S. lawmaker, protecting privacy doesn't just mean avoiding collecting their data when they visit your website. It means standing up for users' rights every day on Capitol Hill—the exact opposite of which is to roll back the strong privacy protections already on the books," the Electronic Frontier Foundation points out.

Having voted to strip protections that would have required ISPs to ask their customers for permission before sharing sensitive data, surely Republicans in Congress won't object to the campaign to crowdsource funding to purchase their browsing histories. Political activist Adam McElhaney set a $10,000 goal on his GoFundMe page, and as of Friday morning had raised more than $186,700 from nearly 12,000 donors.

Pay-to-play government

TechDirt calls the broadband industry's effort to kill the privacy rules "one of the uglier examples of pay-to-play government in recent memory." Representative Marsha Blackburn, who wrote the House resolution to repeal the privacy rules, has racked up at least $693,000 in campaign donations while representing telecom interests in Congress.

"The only people who seem[ed] to want this [repeal] are the people who are going to make lots of money from it," writes The Verge, which published a list of the 256 Republicans who voted for repeal, along with an accounting of how much money they received from the telecom industry in their most recent election.

Republicans and telecoms whined that it was unfair to hold ISPs to a different standard than internet companies like Google and Facebook. But comparing the lot of broadband and edge providers ignores the fact that ISPs have monopolies that edge providers do not. "People can use the internet without using Facebook, but consumers often have little to no choice in who their actual internet provider is," New York magazine writes. In addition, "Google can only track you across sites that it owns or has contributed code to; your ISP can track your entire internet-browsing history."

Besides, if they really desired a level playing field, Congress could have passed legislation requiring the privacy rules be applied equally to internet giants. Instead, they removed the bar altogether. New York magazine noted that, when the telecom trade association NCTA was asked whether it would support similar privacy rules that also covered edge providers, NCTA's representatives hedged.

Taking responsibility for your privacy

Having been sold down the river, there are some steps internet users can take to improve their privacy. "There is a risk that many people will think that simply using private or incognito mode in their browsers will be sufficient protection—it's not," said Fatemeh Khatibloo, principal analyst at Forrester.  

For starters, PC World recommends using the EFF's HTTPS Everywhere browser extension, which requires that all websites connect to the browser using SSL/TLS encryption, to protect against ISPs collecting the content of what users are viewing. However, the extension can't force HTTPS if the site doesn't support the protocol. Using HTTPS Everywhere doesn't stop ISPs from seeing which sites are visited, only the contents. (Your ISP will know you visited YouTube, but not what you watched.)

Users should probably also subscribe to a paid virtual private network service, which blocks third parties from snooping by routing internet browsing through another hub. However, it's important not to use a service that collects users' data and sells it to third parties, negating the entire point.

According to Mehmood Hanif, brand strategist at PureVPN, whose privacy policy states that it does not monitor user activity or keep any logs, his company "observed a 37 percent increase in sales when the [repeal resolution] was presented to Senate. As soon as the bill passed, this number shot up to 52 percent, particularly in the U.S." 

(Note: ISPs can see when users are connected to a VPN, so you have to hope Republicans don't move on to their next pet telecom project: killing net neutrality. In that case, look for ISPs to possibly block or throttle traffic when a paid VPN is used.)

PC World also recommends users adjust their DNS. PCs are usually configured to use an ISP's DNS, which means the ISP sees all browser requests. "VPNs typically configure your PC to use their DNS, and there is usually a DNS leak protection feature that makes sure your PC doesn't ignore the VPN and use your default DNS settings," PC World says. "Nevertheless, to be doubly sure, it's a good idea to set your PC to use a third-party DNS provider such as OpenDNS."

Privacy at a price

Users who aren't prepared to take these steps can also wait for ISPs to offer pay-for-privacy plans, like AT&T once did and Comcast has proposed.

"We anticipate the return of 'pay-for-privacy'—tiered pricing models that would effectively make privacy a privilege for those who could afford to pay more for these services every month," Khatibloo said.

Expect to pay as much as $30 more per month for that privilege of privacy. Whereas a VPN subscription will set you back $40 to $60 per year. Either way, consider it the privacy tax on consumers, passed by the party of Grover Norquist at the behest of telecoms.

Copyright © 2017 IDG Communications, Inc.