President Trump just repealed landmark internet privacy rules that restricted what Internet service providers (ISPs) could do with customers’ private information. Now, companies like Verizon, AT&T, and Comcast will no longer be obligated to obtain your consent before selling and sharing your data, and they don’t have to notify you about what kind of data they collect.
Congress approved the rollback on March 28 in a 215-205 vote. The Federal Communications Commission had only approved the rules in October 2016, and they hadn’t fully taken effect yet.
“A measure to roll back crucial privacy protections has crossed the finish line, and Internet users are worse off for it,” the Electronic Frontier Foundation said in a statement emailed to BuzzFeed News. It also noted that the measure to repeal the privacy rules bars the FCC from creating similar protections in the future.
Republican lawmakers opposed the original regulations before and after they passed. Telecommunications companies argued that the rules gave unfair competitive advantages to internet companies like Google and Facebook, which are allowed to track and sell data.
Democratic lawmakers have pointed out that the comparison is not entirely accurate: ISPs have the capability to monitor all unencrypted browsing, whereas companies that offer specific services and platforms have a much more limited capacity to do so.
Verizon and Comcast did not immediately respond to requests for comment. AT&T referred to a statement posted Friday on its policy blog.
On Friday, Verizon, AT&T, and Comcast all released statements assuring customers that they would respect their privacy. But privacy advocates said these promises are misleading. There are a few ISPs out there that have pledged to never sell any of their customers’ information to third parties. But because most Americans live in areas with only a single internet provider, they’re forced to accept that company’s data sharing practices if they want internet access.
Last week, my colleague Hamza Shaban talked to privacy experts about what would happen if Trump repealed the privacy rules:
1. Sell Your Browsing History
“The consequences of repeal are simple: ISPs like Comcast, AT&T, and Charter will be free to sell your personal information to the highest bidder without your permission — and no one will be able to protect you,” wrote Gigi Sohn, counselor to former FCC chairman Tom Wheeler, in an op-ed on The Verge Monday.
While Americans can use free browser tools to block many types of web tracking, monitoring by internet providers is much harder to prevent. “Your ISP is in a privileged position where they can see everything,” said Gillula, who has written about the “creepy” data collection that ISPs can conduct if the regulations are gutted.
“Any attempt to block the ISP from monitoring you, they have the power to override,” Ernesto Falcon, legislative counsel at EFF, told BuzzFeed News.
2. Compile Internet Profiles And Inject Targeted Ads
“There are major medical, financial, and legal websites — like the US Courts, for example — that are largely unencrypted. ISPs will be able to build detailed profiles of their customers — knowing when they’re at vulnerable points in their lives — and sell that information to practically whomever they wish,” Gaurav Laroia, policy counsel at Free Press, told BuzzFeed News. If someone is visiting a medical website, for instance, third parties can infer what illnesses they may suffer from, revealing sensitive health information.
“It’s well-established that these internet companies are looking hungrily at companies like Facebook and Google; they want in on that advertising action,” Jay Stanley, a senior policy analyst with the ACLU, told BuzzFeed News. “This is an effort by them to preserve the ability to monetize people’s information. And without these rules, they are going to plow forward.”
3. Deploy Hidden Tracking Cookies On Our Phones
Following a 15-month investigation, the FCC settled with Verizon Wireless last year over the company’s use of so-called “supercookies” — tracking code that could not be deleted, which Verizon used to monitor customers’ online activity without their permission.
“It didn’t matter if you were browsing in Incognito or Private Browsing mode, using a tracker-blocker, or had enabled Do-Not-Track: Verizon ignored all this and inserted a unique identifier into all your unencrypted outbound traffic anyway,” the EFF’s Gillula wrote. The browsing history, according to the FCC, was collected for several years without consent; Verizon and other third-party companies used it for targeted advertising.
For privacy advocates, pervasive data collection of your internet activity can be enormously invasive. “The websites you visit can indicate information about your financial life, your sexual life, your medical life, what disease you have, what diseases you might be worried you have,” said Stanley.
“We don’t even know what other derivative uses exist, because no one has ever had this type of information on consumers,” Falcon said, referring to new types of data collection and novel forms of the sale of personal data. “That’s what’s most frightening.”